Changeset 184846 in webkit
- Timestamp:
- May 24, 2015 4:22:06 PM (9 years ago)
- Location:
- trunk
- Files:
-
- 13 edited
trunk/Source/WebCore/ChangeLog
r184845 r184846 1 2015-05-24 Sam Weinig <sam@webkit.org> 2 3 Crash when using a removed ScriptMessageHandler 4 <rdar://problem/20888499> 5 https://bugs.webkit.org/show_bug.cgi?id=145359 6 7 Reviewed by Dan Bernstein. 8 9 Added tests: 10 WKUserContentController.ScriptMessageHandlerBasicRemove 11 WKUserContentController.ScriptMessageHandlerCallRemovedHandler 12 13 * page/UserMessageHandler.cpp: 14 (WebCore::UserMessageHandler::~UserMessageHandler): 15 (WebCore::UserMessageHandler::postMessage): 16 (WebCore::UserMessageHandler::name): 17 * page/UserMessageHandler.h: 18 (WebCore::UserMessageHandler::create): 19 * page/UserMessageHandler.idl: 20 * page/UserMessageHandlerDescriptor.cpp: 21 (WebCore::UserMessageHandlerDescriptor::UserMessageHandlerDescriptor): 22 * page/UserMessageHandlerDescriptor.h: 23 (WebCore::UserMessageHandlerDescriptor::client): 24 (WebCore::UserMessageHandlerDescriptor::invalidateClient): 25 Add support for invalidating the descriptor and throw an exception if someone tries 26 to post a message using an invalidated descriptor. 27 28 * page/UserMessageHandlersNamespace.cpp: 29 (WebCore::UserMessageHandlersNamespace::handler): 30 Add logic to remove message handlers if their descriptor has been invalidated. 31 1 32 2015-05-23 Dan Bernstein <mitz@apple.com> 2 33 -
trunk/Source/WebCore/bindings/gobject/WebKitDOMCustom.cpp
r177143 r184846 87 87 88 88 WebCore::JSMainThreadNullState state; 89 handler->postMessage(WebCore::SerializedScriptValue::create(String::fromUTF8(message))); 89 WebCore::ExceptionCode ec = 0; 90 handler->postMessage(WebCore::SerializedScriptValue::create(String::fromUTF8(message)), ec); 91 if (ec) 92 return FALSE; 93 90 94 return TRUE; 91 95 } -
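Review bot: The new `if (ec) return FALSE;` path discards the exception code without reporting why the post failed; GObject bindings conventionally surface failures through a `GError**` out-parameter, and the GTK test in WebExtensionTest.cpp now passes a third `nullptr` argument to this function, which suggests it gained one. If so, the failure branch should populate it before returning (for example with `g_set_error_literal`) so a removed handler is distinguishable from other failures; if the third parameter is something else, a short comment explaining why the code is dropped would still help. The function's signature and opening are outside the hunk, so this is inferred from the call site rather than confirmed.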
trunk/Source/WebCore/page/UserMessageHandler.cpp
r169023 r184846 29 29 #if ENABLE(USER_MESSAGE_HANDLERS) 30 30 31 #include "ExceptionCode.h" 31 32 #include "Frame.h" 32 33 #include "SerializedScriptValue.h" … … 44 45 } 45 46 46 void UserMessageHandler::postMessage(PassRefPtr<SerializedScriptValue> value )47 void UserMessageHandler::postMessage(PassRefPtr<SerializedScriptValue> value, ExceptionCode& ec) 47 48 { 48 m_descriptor->client().didPostMessage(*this, value.get()); 49 // Check to see if the descriptor has been removed. This can happen if the host application has 50 // removed the named message handler at the WebKit2 API level. 51 if (!m_descriptor->client()) { 52 ec = INVALID_ACCESS_ERR; 53 return; 54 } 55 56 m_descriptor->client()->didPostMessage(*this, value.get()); 49 57 } 50 58 -
trunk/Source/WebCore/page/UserMessageHandler.h
r177259 r184846 35 35 namespace WebCore { 36 36 37 typedef int ExceptionCode; 38 37 39 class UserMessageHandler : public RefCounted<UserMessageHandler>, public FrameDestructionObserver { 38 40 public: … … 43 45 virtual ~UserMessageHandler(); 44 46 45 void postMessage(PassRefPtr<SerializedScriptValue> );47 void postMessage(PassRefPtr<SerializedScriptValue>, ExceptionCode&); 46 48 47 49 const AtomicString& name(); -
trunk/Source/WebCore/page/UserMessageHandler.idl
r169023 r184846 27 27 Conditional=USER_MESSAGE_HANDLERS 28 28 ] interface UserMessageHandler { 29 void postMessage(SerializedScriptValue message);29 [RaisesException] void postMessage(SerializedScriptValue message); 30 30 }; -
trunk/Source/WebCore/page/UserMessageHandlerDescriptor.cpp
r169023 r184846 36 36 : m_name(name) 37 37 , m_world(world) 38 , m_client( client)38 , m_client(&client) 39 39 { 40 40 } -
trunk/Source/WebCore/page/UserMessageHandlerDescriptor.h
r184066 r184846 57 57 const AtomicString& name(); 58 58 DOMWrapperWorld& world(); 59 60 Client& client() const { return m_client; } 59 60 Client* client() const { return m_client; } 61 void invalidateClient() { m_client = nullptr; } 61 62 62 63 private: 63 64 WEBCORE_EXPORT explicit UserMessageHandlerDescriptor(const AtomicString&, DOMWrapperWorld&, Client&); 64 65 65 66 AtomicString m_name; 66 67 Ref<DOMWrapperWorld> m_world; 67 Client &m_client;68 Client* m_client; 68 69 }; 69 70 -
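Review bot: `client()` now returns a raw, nullable pointer and `invalidateClient()` is the only thing that clears it, so the descriptor is safe only if every Client implementation calls `invalidateClient()` before it is destroyed; that contract is not written anywhere in the header. I would document both members: `// Non-owning. Null once the client has gone away; callers must null-check.` on `client()` and `// Must be called by the Client before it is destroyed, otherwise m_client dangles.` on `invalidateClient()`. The Client base class itself is outside this hunk, so whether its destructor could enforce the rule cannot be judged from here.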
trunk/Source/WebCore/page/UserMessageHandlersNamespace.cpp
r180291 r184846 47 47 UserMessageHandler* UserMessageHandlersNamespace::handler(const AtomicString& name, DOMWrapperWorld& world) 48 48 { 49 // First, check if we have a handler instance already.50 for (auto& handler : m_messageHandlers) {51 if (handler->name() == name && &handler->world() == &world)52 return &handler.get();53 }54 55 // Second, attempt to create a handler instance from a descriptor.56 49 if (!frame()) 57 50 return nullptr; … … 70 63 71 64 RefPtr<UserMessageHandlerDescriptor> descriptor = userMessageHandlerDescriptors->get(std::make_pair(name, &world)); 72 if (!descriptor) 65 if (!descriptor) { 66 m_messageHandlers.removeFirstMatching([&name, &world](Ref<UserMessageHandler>& handler) { 67 return handler->name() == name && &handler->world() == &world; 68 }); 73 69 return nullptr; 70 } 71 72 for (auto& handler : m_messageHandlers) { 73 if (handler->name() == name && &handler->world() == &world) 74 return &handler.get(); 75 } 74 76 75 77 m_messageHandlers.append(UserMessageHandler::create(*frame(), *descriptor)); -
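Review bot: The cached-handler loop at new lines 72-75 still matches on name and world only, so if the host removes a handler and re-registers one under the same name, the descriptor lookup succeeds and the stale UserMessageHandler bound to the now-invalidated descriptor is returned; its postMessage would then throw even though a live handler exists. If UserMessageHandler exposes its descriptor, comparing it against `descriptor.get()` and dropping the entry on mismatch would close that gap; if it does not, a comment stating the assumption that a name/world pair never receives a second descriptor during the namespace's lifetime would at least make it explicit. This is inferred from the visible lines, not confirmed against the callers. The end of `handler()` is outside the hunk.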
trunk/Source/WebKit2/ChangeLog
r184834 r184846 1 2015-05-24 Sam Weinig <sam@webkit.org> 2 3 Crash when using a removed ScriptMessageHandler 4 <rdar://problem/20888499> 5 https://bugs.webkit.org/show_bug.cgi?id=145359 6 7 Reviewed by Dan Bernstein. 8 9 * WebProcess/UserContent/WebUserContentController.cpp: 10 (WebKit::WebUserMessageHandlerDescriptorProxy::~WebUserMessageHandlerDescriptorProxy): 11 Invalidate the descriptor when the message handler client (as implemented by WebUserMessageHandlerDescriptorProxy) 12 goes away. This will happen if a script message handler is removed at the API level or the WebUserContentController 13 is destroyed (which will happen if all the pages get destroyed). 14 1 15 2015-05-23 Dan Bernstein <mitz@apple.com> 2 16 -
trunk/Source/WebKit2/WebProcess/UserContent/WebUserContentController.cpp
r184066 r184846 118 118 virtual ~WebUserMessageHandlerDescriptorProxy() 119 119 { 120 m_descriptor->invalidateClient(); 120 121 } 121 122 -
trunk/Tools/ChangeLog
r184845 r184846 1 2015-05-24 Sam Weinig <sam@webkit.org> 2 3 Crash when using a removed ScriptMessageHandler 4 <rdar://problem/20888499> 5 https://bugs.webkit.org/show_bug.cgi?id=145359 6 7 Reviewed by Dan Bernstein. 8 9 * TestWebKitAPI/Tests/WebKit2Cocoa/UserContentController.mm: 10 Add tests for removing script message handlers. 11 1 12 2015-05-23 Dan Bernstein <mitz@apple.com> 2 13 -
trunk/Tools/TestWebKitAPI/Tests/WebKit2Cocoa/UserContentController.mm
r177506 r184846 63 63 @end 64 64 65 TEST(WKUserContentController, ScriptMessageHandler Simple)65 TEST(WKUserContentController, ScriptMessageHandlerBasicPost) 66 66 { 67 67 RetainPtr<ScriptMessageHandler> handler = adoptNS([[ScriptMessageHandler alloc] init]); … … 86 86 87 87 EXPECT_WK_STREQ(@"Hello", (NSString *)[lastScriptMessage body]); 88 } 89 90 TEST(WKUserContentController, ScriptMessageHandlerBasicRemove) 91 { 92 RetainPtr<ScriptMessageHandler> handler = adoptNS([[ScriptMessageHandler alloc] init]); 93 RetainPtr<WKWebViewConfiguration> configuration = adoptNS([[WKWebViewConfiguration alloc] init]); 94 RetainPtr<WKUserContentController> userContentController = [configuration userContentController]; 95 [userContentController addScriptMessageHandler:handler.get() name:@"handlerToRemove"]; 96 [userContentController addScriptMessageHandler:handler.get() name:@"handlerToPost"]; 97 98 RetainPtr<WKWebView> webView = adoptNS([[WKWebView alloc] initWithFrame:NSMakeRect(0, 0, 800, 600) configuration:configuration.get()]); 99 100 RetainPtr<SimpleNavigationDelegate> delegate = adoptNS([[SimpleNavigationDelegate alloc] init]); 101 [webView setNavigationDelegate:delegate.get()]; 102 103 NSURLRequest *request = [NSURLRequest requestWithURL:[[NSBundle mainBundle] URLForResource:@"simple" withExtension:@"html" subdirectory:@"TestWebKitAPI.resources"]]; 104 105 [webView loadRequest:request]; 106 107 TestWebKitAPI::Util::run(&isDoneWithNavigation); 108 109 // Test that handlerToRemove was succesfully added. 
110 [webView evaluateJavaScript: 111 @"if (window.webkit.messageHandlers.handlerToRemove) {" 112 " window.webkit.messageHandlers.handlerToPost.postMessage('PASS');" 113 "} else {" 114 " window.webkit.messageHandlers.handlerToPost.postMessage('FAIL');" 115 "}" completionHandler:nil]; 116 117 TestWebKitAPI::Util::run(&receivedScriptMessage); 118 receivedScriptMessage = false; 119 120 EXPECT_WK_STREQ(@"PASS", (NSString *)[lastScriptMessage body]); 121 122 [userContentController removeScriptMessageHandlerForName:@"handlerToRemove"]; 123 124 // Test that handlerToRemove has been removed. 125 [webView evaluateJavaScript: 126 @"if (window.webkit.messageHandlers.handlerToRemove) {" 127 " window.webkit.messageHandlers.handlerToPost.postMessage('FAIL');" 128 "} else {" 129 " window.webkit.messageHandlers.handlerToPost.postMessage('PASS');" 130 "}" completionHandler:nil]; 131 132 TestWebKitAPI::Util::run(&receivedScriptMessage); 133 receivedScriptMessage = false; 134 135 EXPECT_WK_STREQ(@"PASS", (NSString *)[lastScriptMessage body]); 136 } 137 138 TEST(WKUserContentController, ScriptMessageHandlerCallRemovedHandler) 139 { 140 RetainPtr<ScriptMessageHandler> handler = adoptNS([[ScriptMessageHandler alloc] init]); 141 RetainPtr<WKWebViewConfiguration> configuration = adoptNS([[WKWebViewConfiguration alloc] init]); 142 RetainPtr<WKUserContentController> userContentController = [configuration userContentController]; 143 [userContentController addScriptMessageHandler:handler.get() name:@"handlerToRemove"]; 144 [userContentController addScriptMessageHandler:handler.get() name:@"handlerToPost"]; 145 146 RetainPtr<WKWebView> webView = adoptNS([[WKWebView alloc] initWithFrame:NSMakeRect(0, 0, 800, 600) configuration:configuration.get()]); 147 148 RetainPtr<SimpleNavigationDelegate> delegate = adoptNS([[SimpleNavigationDelegate alloc] init]); 149 [webView setNavigationDelegate:delegate.get()]; 150 151 NSURLRequest *request = [NSURLRequest requestWithURL:[[NSBundle mainBundle] 
URLForResource:@"simple" withExtension:@"html" subdirectory:@"TestWebKitAPI.resources"]]; 152 153 [webView loadRequest:request]; 154 155 TestWebKitAPI::Util::run(&isDoneWithNavigation); 156 157 [webView evaluateJavaScript:@"var handlerToRemove = window.webkit.messageHandlers.handlerToRemove;" completionHandler:nil]; 158 159 [userContentController removeScriptMessageHandlerForName:@"handlerToRemove"]; 160 161 // Test that we throw an exception if you try to use a message handler that has been removed. 162 [webView evaluateJavaScript: 163 @"try {" 164 " handlerToRemove.postMessage('FAIL');" 165 "} catch (e) {" 166 " window.webkit.messageHandlers.handlerToPost.postMessage('PASS');" 167 "}" completionHandler:nil]; 168 169 TestWebKitAPI::Util::run(&receivedScriptMessage); 170 receivedScriptMessage = false; 171 172 EXPECT_WK_STREQ(@"PASS", (NSString *)[lastScriptMessage body]); 88 173 } 89 174 -
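Review bot: In ScriptMessageHandlerCallRemovedHandler the script posts to `handlerToPost` only when `postMessage` throws, so a regression in which the call on the removed handler silently succeeds or drops the message leaves `TestWebKitAPI::Util::run(&receivedScriptMessage)` waiting forever instead of failing the assertion. Posting a sentinel right after the call inside the try block, `" handlerToRemove.postMessage('FAIL');" " window.webkit.messageHandlers.handlerToPost.postMessage('FAIL');"`, turns that hang into an `EXPECT_WK_STREQ` failure. The comment in ScriptMessageHandlerBasicRemove reads `// Test that handlerToRemove was succesfully added.`; spell it `successfully`.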
trunk/Tools/TestWebKitAPI/Tests/WebKit2Gtk/WebExtensionTest.cpp
r183265 r184846 105 105 WebKitDOMUserMessageHandlersNamespace* messageHandlers = webkit_dom_webkit_namespace_get_message_handlers(webkit); 106 106 if (WebKitDOMUserMessageHandler* handler = webkit_dom_user_message_handlers_namespace_get_handler(messageHandlers, "dom")) 107 webkit_dom_user_message_handler_post_message(handler, "DocumentLoaded" );107 webkit_dom_user_message_handler_post_message(handler, "DocumentLoaded", nullptr); 108 108 } 109 109