Changeset 167851 in webkit
- Timestamp:
- Apr 26, 2014 9:09:45 PM (10 years ago)
- Location:
- trunk/Source/WebCore
- Files:
-
- 4 edited
trunk/Source/WebCore/ChangeLog
r167850 r167851 1 2014-04-26 Darin Adler <darin@apple.com> 2 3 Frame and page lifetime fixes in WebCore::createWindow 4 https://bugs.webkit.org/show_bug.cgi?id=132089 5 6 Reviewed by Sam Weinig. 7 8 Speculative fix because I was unable to reproduce the crash that was 9 reported with the test case attached to this bug. 10 11 * loader/FrameLoader.cpp: 12 (WebCore::createWindow): Changed code to remove the assumption that calls 13 out will not destroy the page or frame. Use RefPtr for the frame, and 14 added early exits if frame->page() becomes null at any point before we 15 use a page pointer. 16 1 17 2014-04-26 Alexey Proskuryakov <ap@apple.com> 2 18 -
trunk/Source/WebCore/loader/FrameLoader.cpp
r167791 r167851 3427 3427 ASSERT(!features.dialog || request.frameName().isEmpty()); 3428 3428 3429 created = false; 3430 3429 3431 if (!request.frameName().isEmpty() && request.frameName() != "_blank") { 3430 if ( Frame*frame = lookupFrame->loader().findFrameForNavigation(request.frameName(), openerFrame->document())) {3432 if (RefPtr<Frame> frame = lookupFrame->loader().findFrameForNavigation(request.frameName(), openerFrame->document())) { 3431 3433 if (request.frameName() != "_self") { 3432 3434 if (Page* page = frame->page()) 3433 3435 page->chrome().focus(); 3434 3436 } 3435 created = false; 3436 return frame; 3437 return frame.release(); 3437 3438 } 3438 3439 } … … 3442 3443 // FIXME: This message should be moved off the console once a solution to https://bugs.webkit.org/show_bug.cgi?id=103274 exists. 3443 3444 openerFrame->document()->addConsoleMessage(MessageSource::Security, MessageLevel::Error, "Blocked opening '" + request.resourceRequest().url().stringCenterEllipsizedToLength() + "' in a new window because the request was made in a sandboxed frame whose 'allow-popups' permission is not set."); 3444 return 0;3445 return nullptr; 3445 3446 } 3446 3447 … … 3454 3455 Page* oldPage = openerFrame->page(); 3455 3456 if (!oldPage) 3456 return 0; 3457 3458 NavigationAction action(requestWithReferrer.resourceRequest()); 3459 Page* page = oldPage->chrome().createWindow(openerFrame, requestWithReferrer, features, action); 3457 return nullptr; 3458 3459 Page* page = oldPage->chrome().createWindow(openerFrame, requestWithReferrer, features, NavigationAction(requestWithReferrer.resourceRequest())); 3460 3460 if (!page) 3461 return 0; 3462 3463 page->mainFrame().loader().forceSandboxFlags(openerFrame->document()->sandboxFlags()); 3461 return nullptr; 3462 3463 RefPtr<Frame> frame = &page->mainFrame(); 3464 3465 frame->loader().forceSandboxFlags(openerFrame->document()->sandboxFlags()); 3464 3466 3465 3467 if (request.frameName() != "_blank") 3466 
page->mainFrame().tree().setName(request.frameName());3468 frame->tree().setName(request.frameName()); 3467 3469 3468 3470 page->chrome().setToolbarsVisible(features.toolBarVisible || features.locationBarVisible); 3471 3472 if (!frame->page()) 3473 return nullptr; 3469 3474 page->chrome().setStatusbarVisible(features.statusBarVisible); 3475 3476 if (!frame->page()) 3477 return nullptr; 3470 3478 page->chrome().setScrollbarsVisible(features.scrollbarsVisible); 3479 3480 if (!frame->page()) 3481 return nullptr; 3471 3482 page->chrome().setMenubarVisible(features.menuBarVisible); 3483 3484 if (!frame->page()) 3485 return nullptr; 3472 3486 page->chrome().setResizable(features.resizable); 3473 3487 … … 3476 3490 // for the difference between the window size and the viewport size. 3477 3491 3478 // FIXME: We should reconcile the initialization of viewport arguments between iOS and OpenSource.3492 // FIXME: We should reconcile the initialization of viewport arguments between iOS and non-IOS. 3479 3493 #if !PLATFORM(IOS) 3480 3494 FloatSize viewportSize = page->chrome().pageRect().size(); … … 3493 3507 FloatRect newWindowRect = DOMWindow::adjustWindowRect(page, windowRect); 3494 3508 3509 if (!frame->page()) 3510 return nullptr; 3495 3511 page->chrome().setWindowRect(newWindowRect); 3496 3512 #else … … 3502 3518 if (features.heightSet && features.height) 3503 3519 arguments.height = features.height; 3504 page->mainFrame().setViewportArguments(arguments);3520 frame->setViewportArguments(arguments); 3505 3521 #endif 3506 3522 3523 if (!frame->page()) 3524 return nullptr; 3507 3525 page->chrome().show(); 3508 3526 3509 3527 created = true; 3510 return &page->mainFrame();3528 return frame.release(); 3511 3529 } 3512 3530 -
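Review bot: Each guard added before the chrome() setters (new lines 3472, 3476, 3480, 3484, 3509, 3523) checks only that `frame` still has some page, not that it is still the `page` obtained from createWindow, so the raw `page` pointer used on the next line is not what the check protects; writing the guard as `if (frame->page() != page) return nullptr;` states the invariant the code actually relies on. The last setter, `page->chrome().setResizable(...)` at 3486, is not followed by a guard before the next use of `page` (the `page->chrome().pageRect()` read at 3494 on the non-iOS path), unless something in the elided lines 3488-3490 covers it — the ChangeLog says a check was added before every use of a page pointer, so this gap looks unintended. Six identical two-line guards would also read better as one small local lambda, e.g. `auto pageIsGone = [&] { return frame->page() != page; };`. createWindow's signature and the end of its body lie outside the visible hunks.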
trunk/Source/WebCore/loader/SubframeLoader.cpp
r167598 r167851 323 323 Frame* SubframeLoader::loadOrRedirectSubframe(HTMLFrameOwnerElement& ownerElement, const URL& url, const AtomicString& frameName, LockHistory lockHistory, LockBackForwardList lockBackForwardList) 324 324 { 325 if (!url.isValid()) 326 return nullptr; 327 325 328 Frame* frame = ownerElement.contentFrame(); 326 329 if (frame) -
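Review bot: The new `if (!url.isValid()) return nullptr;` at the top of loadOrRedirectSubframe has no recorded rationale: the ChangeLog entry in this commit lists only loader/FrameLoader.cpp, so neither this file nor page/DOMWindow.cpp is mentioned. A ChangeLog line such as `* loader/SubframeLoader.cpp: (WebCore::SubframeLoader::loadOrRedirectSubframe): Return early instead of loading an invalid URL.` would close that gap, and a one-line comment above the check, `// Don't hand an invalid URL to the loader; the caller gets no frame.`, would tell the next reader why the rejection is silent here while DOMWindow prints an error for the same condition. The rest of the function continues outside the hunk.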
trunk/Source/WebCore/page/DOMWindow.cpp
r167594 r167851 1892 1892 1893 1893 URL completedURL = firstFrame->document()->completeURL(urlString); 1894 if ( completedURL.isNull())1894 if (!completedURL.isValid()) 1895 1895 return; 1896 1896 1897 1897 if (isInsecureScriptAccess(activeWindow, completedURL)) 1898 return; 1899 1900 Frame* referrerFrame = activeDocument->frame(); 1901 if (!referrerFrame) 1898 1902 return; 1899 1903 … … 1901 1905 LockHistory lockHistory = (locking != LockHistoryBasedOnGestureState || !ScriptController::processingUserGesture()) ? LockHistory::Yes : LockHistory::No; 1902 1906 LockBackForwardList lockBackForwardList = (locking != LockHistoryBasedOnGestureState) ? LockBackForwardList::Yes : LockBackForwardList::No; 1903 m_frame->navigationScheduler().scheduleLocationChange(activeDocument->securityOrigin(), 1904 // FIXME: What if activeDocument()->frame() is 0? 1905 completedURL, activeDocument->frame()->loader().outgoingReferrer(), 1906 lockHistory, lockBackForwardList); 1907 m_frame->navigationScheduler().scheduleLocationChange(activeDocument->securityOrigin(), completedURL, referrerFrame->loader().outgoingReferrer(), lockHistory, lockBackForwardList); 1907 1908 } 1908 1909 … … 1989 1990 // Don't expose client code to invalid URLs. 
1990 1991 activeWindow.printErrorMessage("Unable to open a window with invalid URL '" + completedURL.string() + "'.\n"); 1991 return 0;1992 return nullptr; 1992 1993 } 1993 1994 … … 2004 2005 RefPtr<Frame> newFrame = WebCore::createWindow(activeFrame, openerFrame, frameRequest, windowFeatures, created); 2005 2006 if (!newFrame) 2006 return 0;2007 return nullptr; 2007 2008 2008 2009 newFrame->loader().setOpener(openerFrame); … … 2033 2034 { 2034 2035 if (!isCurrentlyDisplayedInFrame()) 2035 return 0;2036 return nullptr; 2036 2037 Document* activeDocument = activeWindow.document(); 2037 2038 if (!activeDocument) 2038 return 0;2039 return nullptr; 2039 2040 Frame* firstFrame = firstWindow.frame(); 2040 2041 if (!firstFrame) 2041 return 0;2042 return nullptr; 2042 2043 2043 2044 if (!firstWindow.allowPopUp()) { … … 2045 2046 // Otherwise, illegitimate window.open() calls with no name will pass right through the popup blocker. 2046 2047 if (frameName.isEmpty() || !m_frame->tree().find(frameName)) 2047 return 0;2048 return nullptr; 2048 2049 } 2049 2050 2050 2051 // Get the target frame for the special cases of _top and _parent. 2051 2052 // In those cases, we schedule a location change right now and return early. 2052 Frame* targetFrame = 0;2053 Frame* targetFrame = nullptr; 2053 2054 if (frameName == "_top") 2054 2055 targetFrame = &m_frame->tree().top(); … … 2061 2062 if (targetFrame) { 2062 2063 if (!activeDocument->canNavigate(targetFrame)) 2063 return 0;2064 return nullptr; 2064 2065 2065 2066 URL completedURL = firstFrame->document()->completeURL(urlString); 2067 if (!completedURL.isValid()) 2068 return nullptr; 2066 2069 2067 2070 if (targetFrame->document()->domWindow()->isInsecureScriptAccess(activeWindow, completedURL)) … … 2081 2084 WindowFeatures windowFeatures(windowFeaturesString); 2082 2085 RefPtr<Frame> result = createWindow(urlString, frameName, windowFeatures, activeWindow, firstFrame, m_frame); 2083 return result ? 
result->document()->domWindow() : 0;2086 return result ? result->document()->domWindow() : nullptr; 2084 2087 } 2085 2088
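Review bot: The two new `!completedURL.isValid()` rejections (new lines 1894 and 2067-2068) return silently, while the existing invalid-URL path at 1990-1992 in the same file calls `activeWindow.printErrorMessage("Unable to open a window with invalid URL '" + completedURL.string() + "'.\n")` first; the `_top`/`_parent` branch at 2067 is the same user-visible operation as the window.open path, so it should probably emit the same message before `return nullptr;` rather than fail without a trace. Note also that 1894 changes the condition from `isNull()` to `!isValid()`, which rejects strictly more inputs than before; the ChangeLog does not record this behaviour change, and a line noting it would help anyone bisecting a regression. The functions containing the 1894 and 2067 hunks both start before the visible lines.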