Changeset 264880 in webkit


Timestamp:
Jul 24, 2020 8:10:18 PM (4 years ago)
Author:
achristensen@apple.com
Message:

Null check frame in Document::dispatchDisabledAdaptationsDidChangeForMainFrame and a few other places
https://bugs.webkit.org/show_bug.cgi?id=214715
<rdar://problem/65467702>

Reviewed by Geoffrey Garen.

Source/WebCore:

Test: security/mutation-observer-frame-detach.html

  • dom/Document.cpp:

(WebCore::Document::didBecomeCurrentDocumentInFrame):
(WebCore::Document::initContentSecurityPolicy):

  • loader/DocumentLoader.cpp:

(WebCore::DocumentLoader::commitData):
Add some null checks and early returns if the frame detaches.

  • loader/SubframeLoader.cpp:

(WebCore::FrameLoader::SubframeLoader::loadSubframe):
Balance the call to incrementLoadEventDelayCount in the early return case or this test never finishes loading.

LayoutTests:

  • security/mutation-observer-frame-detach-expected.txt: Added.
  • security/mutation-observer-frame-detach.html: Added.
Location:
trunk
Files:
2 added
4 edited

  • trunk/LayoutTests/ChangeLog

    r264878 r264880  
     12020-07-24  Alex Christensen  <achristensen@webkit.org>
     2
     3        Null check frame in Document::dispatchDisabledAdaptationsDidChangeForMainFrame and a few other places
     4        https://bugs.webkit.org/show_bug.cgi?id=214715
     5        <rdar://problem/65467702>
     6
     7        Reviewed by Geoffrey Garen.
     8
     9        * security/mutation-observer-frame-detach-expected.txt: Added.
     10        * security/mutation-observer-frame-detach.html: Added.
     11
    1122020-07-24  Alex Christensen  <achristensen@webkit.org>
    213
  • trunk/Source/WebCore/ChangeLog

    r264878 r264880  
     12020-07-24  Alex Christensen  <achristensen@webkit.org>
     2
     3        Null check frame in Document::dispatchDisabledAdaptationsDidChangeForMainFrame and a few other places
     4        https://bugs.webkit.org/show_bug.cgi?id=214715
     5        <rdar://problem/65467702>
     6
     7        Reviewed by Geoffrey Garen.
     8
     9        Test: security/mutation-observer-frame-detach.html
     10
     11        * dom/Document.cpp:
     12        (WebCore::Document::didBecomeCurrentDocumentInFrame):
     13        (WebCore::Document::initContentSecurityPolicy):
     14        * loader/DocumentLoader.cpp:
     15        (WebCore::DocumentLoader::commitData):
     16        Add some null checks and early returns if the frame detaches.
     17        * loader/SubframeLoader.cpp:
     18        (WebCore::FrameLoader::SubframeLoader::loadSubframe):
     19        Balance the call to incrementLoadEventDelayCount in the early return case or this test never finishes loading.
     20
    1212020-07-24  Alex Christensen  <achristensen@webkit.org>
    222
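Review bot: Entry lines 17-19 describe a change to `loader/SubframeLoader.cpp` (`loadSubframe`, balancing `incrementLoadEventDelayCount` in the early-return case), but the changeset's file list above reports only 4 edited files and no SubframeLoader.cpp diff appears in this view; please confirm that file was actually part of the commit, since the entry itself says the new test never finishes loading without it.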
  • trunk/Source/WebCore/dom/Document.cpp

    r264692 r264880  
    23872387void Document::didBecomeCurrentDocumentInFrame()
    23882388{
    2389     // FIXME: Are there cases where the document can be dislodged from the frame during the event handling below?
    2390     // If so, then m_frame could become 0, and we need to do something about that.
    2391 
    23922389    m_frame->script().updateDocument();
     2390
     2391    // Many of these functions have event handlers which can detach the frame synchronously, so we must check repeatedly in this function.
     2392    if (!m_frame)
     2393        return;
    23932394
    23942395    if (!hasLivingRenderTree())
    23952396        createRenderTree();
     2397    if (!m_frame)
     2398        return;
    23962399
    23972400    dispatchDisabledAdaptationsDidChangeForMainFrame();
     2401    if (!m_frame)
     2402        return;
     2403
    23982404    updateViewportArguments();
     2405    if (!m_frame)
     2406        return;
    23992407
    24002408    // FIXME: Doing this only for the main frame is insufficient.
     
    24072415    if (page() && m_frame->isMainFrame())
    24082416        wheelEventHandlersChanged();
     2417    if (!m_frame)
     2418        return;
    24092419
    24102420    // Ensure that the scheduled task state of the document matches the DOM suspension state of the frame. It can
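Review bot: The code between `updateViewportArguments()` and `wheelEventHandlersChanged()` (old lines 2401-2406) is collapsed in this view, so the hunk does not show whether every call in that run that can execute script is followed by the same `if (!m_frame) return;` guard; please check it, because `page() && m_frame->isMainFrame()` at 2415 dereferences `m_frame` again. Two smaller points: the first call, `m_frame->script().updateDocument()` at 2389, stays unguarded, which is only correct if every caller guarantees a non-null frame on entry, so the new comment at 2391 could state that precondition explicitly; and since a synchronous detach can also drop whatever owns the document, it is worth saying what keeps `this` alive across these calls (either in the comment or with a `Ref<Document> protectedThis(*this);` at the top, if the callers do not already hold a reference).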
     
    60996109void Document::initContentSecurityPolicy()
    61006110{
     6111    if (!m_frame)
     6112        return;
    61016113    auto* parentFrame = m_frame->tree().parent();
    61026114    if (parentFrame)
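Review bot: The early return at 6111-6112 means a document with no frame now skips content security policy initialization entirely, and nothing in the hunk records why that is acceptable (presumably there is no parent frame or owner to inherit a policy from, and the document keeps the default policy it was constructed with). A one-line comment above the check stating that assumption would stop a future reader from treating the return as a silent loss of policy; the new layout test only exercises the mutation-observer detach path, so confirming that a frameless document still ends up with the expected default policy would be useful.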
  • trunk/Source/WebCore/loader/DocumentLoader.cpp

    r264586 r264880  
    10881088        m_writer.setDocumentWasLoadedAsPartOfNavigation();
    10891089
    1090         auto& document = *m_frame->document();
     1090        auto* documentOrNull = m_frame ? m_frame->document() : nullptr;
     1091        if (!documentOrNull)
     1092            return;
     1093        auto& document = *documentOrNull;
    10911094
    10921095        if (SecurityPolicy::allowSubstituteDataAccessToLocal() && m_originalSubstituteDataWasValid) {
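Review bot: Two points on lines 1090-1093. First, the early return comes after `m_writer.setDocumentWasLoadedAsPartOfNavigation()` at 1088 and after whatever `commitData` did above the visible context, so please confirm that returning here leaves the loader and writer in a consistent state; the ChangeLog's remark about balancing `incrementLoadEventDelayCount` in `loadSubframe` shows this kind of early return can otherwise leave a counter unpaired. Second, `auto* documentOrNull` is a raw pointer, and the rest of `commitData` can run script that detaches the frame again; writing `RefPtr<Document> document = m_frame ? m_frame->document() : nullptr; if (!document) return;` would keep the document alive for the remainder of the function and remove the `documentOrNull` temporary.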