Changeset 97643 in webkit


Timestamp:
Oct 17, 2011, 1:46:29 PM
Author:
dimich@chromium.org
Message:

window.webkitNotifications uses deallocated NotificationPresenter after live Iframe transfer.
https://bugs.webkit.org/show_bug.cgi?id=70147

Reviewed by David Levin.

I only found a way to test this manually, since Chromium TestShell uses a static instance
of NotificationPresenter instead of a per-page one, so the issue does not reproduce.
Adding a manual test that works in a full build of Chromium.

  • manual-tests/iframe_notifications/iframe-reparenting-close-window-child.html: Added.
  • manual-tests/iframe_notifications/iframe-reparenting-close-window-iframe.html: Added.
  • manual-tests/iframe_notifications/iframe-reparenting-close-window.html: Added.
  • notifications/NotificationCenter.cpp:
    (WebCore::NotificationCenter::disconnectFrame):
  • page/DOMWindow.cpp:
    (WebCore::DOMWindow::resetNotifications):
  • page/DOMWindow.h:
  • page/Frame.cpp:
    (WebCore::Frame::transferChildFrameToNewDocument): reset webkitNotifications object.

Location:
trunk/Source/WebCore
Files:
4 added
5 edited

  • trunk/Source/WebCore/ChangeLog

    r97641 r97643  
     12011-10-17  Dmitry Titov  <dimich@chromium.org>
     2
     3        window.webkitNotifications uses deallocated NotificationPresenter after live Iframe transfer.
     4        https://bugs.webkit.org/show_bug.cgi?id=70147
     5
     6        Reviewed by David Levin.
     7
     8        I only found a way to test this manually, since Chromium TestShell uses static instance
     9        of NotificationPresenter instead of per-page one so the issue does not reproduce.
     10        Adding manual test that works in full build of Chromium.
     11
     12        * manual-tests/iframe_notifications/iframe-reparenting-close-window-child.html: Added.
     13        * manual-tests/iframe_notifications/iframe-reparenting-close-window-iframe.html: Added.
     14        * manual-tests/iframe_notifications/iframe-reparenting-close-window.html: Added.
     15        * notifications/NotificationCenter.cpp:
     16        (WebCore::NotificationCenter::disconnectFrame):
     17        * page/DOMWindow.cpp:
     18        (WebCore::DOMWindow::resetNotifications):
     19        * page/DOMWindow.h:
     20        * page/Frame.cpp:
     21        (WebCore::Frame::transferChildFrameToNewDocument): reset webkitNotifications object.
     22
    1232011-10-17  Jeff Miller  <jeffm@apple.com>
    224
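Review bot: the entries for NotificationCenter::disconnectFrame and DOMWindow::resetNotifications carry no description, so the ChangeLog does not record that ASSERT(m_notificationPresenter) was dropped and that disconnectFrame now tolerates being called a second time after an iframe transfer; add a one-line note to each, e.g. "(WebCore::NotificationCenter::disconnectFrame): Remove the ASSERT; the presenter is already null when the iframe was transferred to another page." and, for resetNotifications, that it disconnects the NotificationCenter from the old page's presenter.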
  • trunk/Source/WebCore/notifications/NotificationCenter.cpp

    r95901 r97643  
    6262void NotificationCenter::disconnectFrame()
    6363{
    64     // m_notificationPresenter should never be 0. But just to be safe, we check it here.
    65     // Due to the mysterious bug http://code.google.com/p/chromium/issues/detail?id=49323.
    66     ASSERT(m_notificationPresenter);
     64    // Can be 0 if iframe was transferred into another page. In this case
     65    // this method is invoked more then once.
    6766    if (!m_notificationPresenter)
    6867        return;
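Review bot: the early return on a null m_notificationPresenter is only safe if the first call through disconnectFrame clears m_notificationPresenter once it has disconnected, which is outside the visible lines; worth confirming, because otherwise the second call after the transfer would reach the old presenter again, which is exactly the use-after-free this change is meant to close. Dropping the ASSERT also means any other caller that arrives with a null presenter (the case the old comment tied to the crbug 49323 mystery) is now silently ignored instead of caught in debug builds; if the transfer path is the only expected source of a null, consider keeping a debug check scoped to that. Minor: "more then once" should read "more than once".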
  • trunk/Source/WebCore/page/DOMWindow.cpp

    r97574 r97643  
    749749    return m_notifications.get();
    750750}
     751
     752void DOMWindow::resetNotifications()
     753{
     754    m_notifications->disconnectFrame();
     755}
    751756#endif
    752757
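Review bot: resetNotifications() dereferences m_notifications without a null check; webkitNotifications() just above returns m_notifications.get(), which suggests the NotificationCenter is created lazily, so a transferred iframe whose script never touched window.webkitNotifications would crash here on a null pointer. Guard it: `if (m_notifications) m_notifications->disconnectFrame();`.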
  • trunk/Source/WebCore/page/DOMWindow.h

    r97574 r97643  
    381381#if ENABLE(NOTIFICATIONS)
    382382        NotificationCenter* webkitNotifications() const;
     383        // Renders webkitNotifications object safely inoperable, disconnects
     384        // if from embedder-provided NotificationPresenter.
     385        void resetNotifications();
    383386#endif
    384387
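Review bot: the new comment reads "disconnects if from embedder-provided NotificationPresenter"; "if" should be "it", and the sentence should name the trigger so a reader knows when to call it, e.g. "Renders the webkitNotifications object safely inoperable and disconnects it from the embedder-provided NotificationPresenter; called when the frame is transferred to another page."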
  • trunk/Source/WebCore/page/Frame.cpp

    r97571 r97643  
    747747        // See https://bugs.webkit.org/show_bug.cgi?id=55577
    748748        // and https://bugs.webkit.org/show_bug.cgi?id=52877
    749         if (m_domWindow)
     749        if (m_domWindow) {
    750750            m_domWindow->resetGeolocation();
     751#if ENABLE(NOTIFICATIONS)
     752            m_domWindow->resetNotifications();
     753#endif
     754        }
    751755
    752756#if ENABLE(MEDIA_STREAM)
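Review bot: after resetNotifications() the transferred frame's NotificationCenter is, per the DOMWindow.h comment, "safely inoperable", and nothing in this hunk re-creates it against the destination page's presenter, so window.webkitNotifications in a transferred iframe stays permanently dead even though the frame keeps running. If that is the intended behaviour it should be stated in the ChangeLog entry, which only says "reset webkitNotifications object"; if not, the window needs a fresh NotificationCenter bound to the new page after the transfer.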