Changeset 200986 in webkit

Timestamp:

May 16, 2016, 6:09:27 PM (9 years ago)

Author:

Brent Fulgham

Message:

heap use-after-free at WebCore::TimerBase::heapPopMin()
​https://bugs.webkit.org/show_bug.cgi?id=157742
<rdar://problem/26236778>

Source/WebCore:

Reviewed by David Kilzer.

Tested by fast/frames/resources/crash-during-iframe-load-stop.html.

• loader/FrameLoader.cpp:

(WebCore::FrameLoader::stopForUserCancel): Protect m_frame from destruction while it is still
being used by the current stack frame.
(WebCore::FrameLoader::frameDetached): Ditto.
(WebCore::FrameLoader::continueFragmentScrollAfterNavigationPolicy): Ditto.

LayoutTests:

Reviewed by Simon Fraser.

• fast/frames/crash-during-iframe-load-stop-expected.txt: Added.
• fast/frames/crash-during-iframe-load-stop.html: Added.
• fast/frames/resources/crash-during-iframe-load-stop-inner.html: Added.
• fast/frames/resources/crash-during-iframe-load-stop.html: Added.

Location:

trunk

Files:

• LayoutTests/ChangeLog (modified) (1 diff)
• LayoutTests/fast/frames/crash-during-iframe-load-stop-expected.txt (added)
• LayoutTests/fast/frames/crash-during-iframe-load-stop.html (added)
• LayoutTests/fast/frames/resources/crash-during-iframe-load-stop-inner.html (added)
• LayoutTests/fast/frames/resources/crash-during-iframe-load-stop.html (added)
• Source/WebCore/ChangeLog (modified) (1 diff)
• Source/WebCore/loader/FrameLoader.cpp (modified) (3 diffs)

trunk/LayoutTests/ChangeLog

@@ +1 @@
+2016-05-16  Brent Fulgham  <bfulgham@apple.com>
+
+        heap use-after-free at WebCore::TimerBase::heapPopMin()
+        https://bugs.webkit.org/show_bug.cgi?id=157742
+        <rdar://problem/26236778>
+
+        Reviewed by Simon Fraser.
+
+        * fast/frames/crash-during-iframe-load-stop-expected.txt: Added.
+        * fast/frames/crash-during-iframe-load-stop.html: Added.
+        * fast/frames/resources/crash-during-iframe-load-stop-inner.html: Added.
+        * fast/frames/resources/crash-during-iframe-load-stop.html: Added.
+
 2016-05-16  Saam barati  <sbarati@apple.com>
 

trunk/Source/WebCore/ChangeLog

@@ +1 @@
+2016-05-16  Brent Fulgham  <bfulgham@apple.com>
+
+        heap use-after-free at WebCore::TimerBase::heapPopMin()
+        https://bugs.webkit.org/show_bug.cgi?id=157742
+        <rdar://problem/26236778>
+
+        Reviewed by David Kilzer.
+
+        Tested by fast/frames/resources/crash-during-iframe-load-stop.html.
+
+        * loader/FrameLoader.cpp:
+        (WebCore::FrameLoader::stopForUserCancel): Protect m_frame from destruction while it is still
+        being used by the current stack frame.
+        (WebCore::FrameLoader::frameDetached): Ditto.
+        (WebCore::FrameLoader::continueFragmentScrollAfterNavigationPolicy): Ditto.
+
 2016-05-16  Dean Jackson  <dino@apple.com>
 

trunk/Source/WebCore/loader/FrameLoader.cpp

@@ -1633 +1633 @@
 void FrameLoader::stopForUserCancel(bool deferCheckLoadComplete)
 {
+    // Calling stopAllLoaders can cause the frame to be deallocated, including the frame loader.
+    Ref<Frame> protectedFrame(m_frame);
+
     stopAllLoaders();
 
@@ -2492 +2495 @@
 void FrameLoader::frameDetached()
 {
+    // Calling stopAllLoaders can cause the frame to be deallocated, including the frame loader.
+    Ref<Frame> protectedFrame(m_frame);
+
     stopAllLoaders();
     m_frame.document()->stopActiveDOMObjects();
@@ -2790 +2796 @@
     if (!shouldContinue)
         return;
+
+    // Calling stopLoading() on the provisional document loader can cause the underlying
+    // frame to be deallocated.
+    Ref<Frame> protectedFrame(m_frame);
 
     // If we have a provisional request for a different document, a fragment scroll should cancel it.