Changeset 192844 in webkit
- Timestamp: Nov 30, 2015 4:33:47 PM
- Location: trunk
- Files: 3 added, 7 edited
trunk/LayoutTests/ChangeLog
r192843 r192844 1 2015-11-30 Jiewen Tan <jiewen_tan@apple.com> 2 3 Null dereference loading Blink layout test http/tests/misc/detach-during-notifyDone.html 4 https://bugs.webkit.org/show_bug.cgi?id=149309 5 <rdar://problem/22748363> 6 7 Reviewed by Brent Fulgham. 8 9 The test case is from Blink r175601: 10 https://codereview.chromium.org/317513002 11 The test case will generate a set of weird ordering events that affects the documentLoader: 12 1. The subframe finishes loading, and since the frame’s testRunner is not set to wait until 13 done, WebKitTestRunner stops the load (by calling WKBundlePageStopLoading()). 14 2. This causes the in-progress XHR to be aborted, which causes its readyState to become DONE 15 (this bug doesn’t always reproduce because sometimes the XHR has already finished before the 16 frame finishes loading). 17 3. The onreadystatechange callback is executed, which sets innerHTML on the parent frame. 18 4. Setting innerHTML disconnects the subframe, nulling out its DocumentLoader. 19 5. We return to WebFrameLoaderClient::dispatchDidFinishLoad() from step #1, but now the 20 FrameLoader’s DocumentLoader is null. And WebKit crashes here. 21 22 Note that steps 2-4 happen synchronously inside WebFrameLoaderClient::dispatchDidFinishLoad(). 23 24 * http/tests/misc/detach-during-notifyDone-expected.txt: Added. 25 * http/tests/misc/detach-during-notifyDone.html: Added. 26 * http/tests/misc/resources/detached-frame.html: Added. 27 1 28 2015-11-30 Commit Queue <commit-queue@webkit.org> 2 29 -
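Review bot: the entry itself says the crash "doesn't always reproduce because sometimes the XHR has already finished before the frame finishes loading", which means the new regression test (detach-during-notifyDone.html plus resources/detached-frame.html) will only intermittently exercise the abort path it is meant to cover. Suggest making the ordering deterministic, for example by pointing the XHR at a resource that cannot complete before the subframe's load finishes, and recording that in the ChangeLog; as written, a reintroduced null dereference could pass a green bot run.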
trunk/Source/WebCore/ChangeLog
r192843 r192844 1 2015-11-30 Jiewen Tan <jiewen_tan@apple.com> 2 3 Null dereference loading Blink layout test http/tests/misc/detach-during-notifyDone.html 4 https://bugs.webkit.org/show_bug.cgi?id=149309 5 <rdar://problem/22748363> 6 7 Reviewed by Brent Fulgham. 8 9 A weird order of event execution introduced by the test case will kill the webpage in a 10 subframe of the page while executing its |frame.loader().checkLoadCompleteForThisFrame()|. 11 Therefore, any frames comes after the failing subframe will have no page. Check it before 12 calling to those frames' |frame.loader().checkLoadCompleteForThisFrame()|, otherwise the 13 assertion in |frame.loader().checkLoadCompleteForThisFrame()| will fail. 14 15 Test: http/tests/misc/detach-during-notifyDone.html 16 17 * loader/FrameLoader.cpp: 18 (WebCore::FrameLoader::checkLoadComplete): 19 1 20 2015-11-30 Commit Queue <commit-queue@webkit.org> 2 21 -
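Review bot: the sentence "any frames comes after the failing subframe will have no page" is broader than the scenario the LayoutTests entry describes, where setting innerHTML disconnects the subframe (and so its subtree) while the ancestor frames that follow it in the backwards iteration keep their page and must still be processed. That distinction is exactly why a per-frame page() check, rather than breaking out of the loop, is the right shape for the fix; suggest rewording to "frames detached during an earlier iteration have no page" so the rationale matches the code change in FrameLoader::checkLoadComplete.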
trunk/Source/WebCore/loader/FrameLoader.cpp
r192711 r192844 2432 2432 2433 2433 // To process children before their parents, iterate the vector backwards. 2434 for (unsigned i = frames.size(); i; --i) 2435 frames[i - 1]->loader().checkLoadCompleteForThisFrame(); 2434 for (auto frame = frames.rbegin(); frame != frames.rend(); ++frame) { 2435 if ((*frame)->page()) 2436 (*frame)->loader().checkLoadCompleteForThisFrame(); 2437 } 2436 2438 } 2437 2439 -
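Review bot: the new `if ((*frame)->page())` guard silently skips frames that were detached earlier in this same loop, but nothing in the hunk records why page() can be null at this point; the only surviving comment explains the reverse iteration order. Suggest extending it, e.g. `// A client callback from an earlier iteration's checkLoadCompleteForThisFrame() can detach a frame; skip frames that no longer have a page.`, otherwise the check reads as an unrelated defensive null test and the assertion inside checkLoadCompleteForThisFrame() that the ChangeLog mentions is the only hint. Replacing the index loop with rbegin()/rend() preserves the children-before-parents order and is fine.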
trunk/Source/WebKit/mac/ChangeLog
r192725 r192844 1 2015-11-30 Jiewen Tan <jiewen_tan@apple.com> 2 3 Null dereference loading Blink layout test http/tests/misc/detach-during-notifyDone.html 4 https://bugs.webkit.org/show_bug.cgi?id=149309 5 <rdar://problem/22748363> 6 7 Reviewed by Brent Fulgham. 8 9 * WebView/WebDataSource.mm: 10 (WebDataSourcePrivate::~WebDataSourcePrivate): 11 Refine the assertion to treat <rdar://problem/9673866>. 12 1 13 == Rolled over to ChangeLog-2015-11-21 == -
trunk/Source/WebKit/mac/WebView/WebDataSource.mm
r184853 r192844 93 93 { 94 94 if (loader) { 95 ASSERT(!loader->isLoading()); 95 // We might run in to infinite recursion if we're stopping loading as the result of detaching from the frame. 96 // Therefore, DocumentLoader::detachFromFrame() did some smart things to stop the recursion. 97 // As a result of breaking the resursion, DocumentLoader::m_subresourceLoader 98 // and DocumentLoader::m_plugInStreamLoaders might not be empty at this time. 99 // See <rdar://problem/9673866> for more details. 100 ASSERT(!loader->isLoading() || loader->isStopping()); 96 101 loader->detachDataSource(); 97 102 } -
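Review bot: relaxing the check to `ASSERT(!loader->isLoading() || loader->isStopping())` only changes debug builds, so ~WebDataSourcePrivate's release behaviour is unchanged; the concern is that the new comment justifies the relaxation only by reference to an internal radar and by saying DocumentLoader::detachFromFrame() "did some smart things", which an outside reader cannot verify. Suggest naming the recursion-breaking step in detachFromFrame() that can leave the subresource and plug-in stream loaders non-empty, and checking that the member spelled `DocumentLoader::m_subresourceLoader` in the comment matches the actual field name. Two typos in the added lines: "run in to" should be "run into" and "resursion" should be "recursion".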
trunk/Source/WebKit2/ChangeLog
r192834 r192844 1 2015-11-30 Jiewen Tan <jiewen_tan@apple.com> 2 3 Null dereference loading Blink layout test http/tests/misc/detach-during-notifyDone.html 4 https://bugs.webkit.org/show_bug.cgi?id=149309 5 <rdar://problem/22748363> 6 7 Reviewed by Brent Fulgham. 8 9 Callback of bundle clients could kill the documentloader. Therefore, make a copy 10 of the navigationID before invoking the callback. 11 12 * WebProcess/WebCoreSupport/WebFrameLoaderClient.cpp: 13 (WebKit::WebFrameLoaderClient::dispatchDidChangeLocationWithinPage): 14 (WebKit::WebFrameLoaderClient::dispatchDidPushStateWithinPage): 15 (WebKit::WebFrameLoaderClient::dispatchDidReplaceStateWithinPage): 16 (WebKit::WebFrameLoaderClient::dispatchDidPopStateWithinPage): 17 (WebKit::WebFrameLoaderClient::dispatchDidFailLoad): 18 (WebKit::WebFrameLoaderClient::dispatchDidFinishDocumentLoad): 19 (WebKit::WebFrameLoaderClient::dispatchDidFinishLoad): 20 1 21 2015-11-30 Tim Horton <timothy_horton@apple.com> 2 22 -
trunk/Source/WebKit2/WebProcess/WebCoreSupport/WebFrameLoaderClient.cpp
r192601 r192844 328 328 RefPtr<API::Object> userData; 329 329 330 auto navigationID = static_cast<WebDocumentLoader&>(*m_frame->coreFrame()->loader().documentLoader()).navigationID(); 331 330 332 // Notify the bundle client. 331 333 webPage->injectedBundleLoaderClient().didSameDocumentNavigationForFrame(webPage, m_frame, SameDocumentNavigationAnchorNavigation, userData); 332 334 333 335 // Notify the UIProcess. 334 WebDocumentLoader& documentLoader = static_cast<WebDocumentLoader&>(*m_frame->coreFrame()->loader().documentLoader()); 335 webPage->send(Messages::WebPageProxy::DidSameDocumentNavigationForFrame(m_frame->frameID(), documentLoader.navigationID(), SameDocumentNavigationAnchorNavigation, m_frame->coreFrame()->document()->url().string(), UserData(WebProcess::singleton().transformObjectsToHandles(userData.get()).get()))); 336 webPage->send(Messages::WebPageProxy::DidSameDocumentNavigationForFrame(m_frame->frameID(), navigationID, SameDocumentNavigationAnchorNavigation, m_frame->coreFrame()->document()->url().string(), UserData(WebProcess::singleton().transformObjectsToHandles(userData.get()).get()))); 336 337 } 337 338 … … 344 345 RefPtr<API::Object> userData; 345 346 347 auto navigationID = static_cast<WebDocumentLoader&>(*m_frame->coreFrame()->loader().documentLoader()).navigationID(); 348 346 349 // Notify the bundle client. 347 350 webPage->injectedBundleLoaderClient().didSameDocumentNavigationForFrame(webPage, m_frame, SameDocumentNavigationSessionStatePush, userData); 348 351 349 352 // Notify the UIProcess. 
350 WebDocumentLoader& documentLoader = static_cast<WebDocumentLoader&>(*m_frame->coreFrame()->loader().documentLoader()); 351 webPage->send(Messages::WebPageProxy::DidSameDocumentNavigationForFrame(m_frame->frameID(), documentLoader.navigationID(), SameDocumentNavigationSessionStatePush, m_frame->coreFrame()->document()->url().string(), UserData(WebProcess::singleton().transformObjectsToHandles(userData.get()).get()))); 353 webPage->send(Messages::WebPageProxy::DidSameDocumentNavigationForFrame(m_frame->frameID(), navigationID, SameDocumentNavigationSessionStatePush, m_frame->coreFrame()->document()->url().string(), UserData(WebProcess::singleton().transformObjectsToHandles(userData.get()).get()))); 352 354 } 353 355 … … 360 362 RefPtr<API::Object> userData; 361 363 364 auto navigationID = static_cast<WebDocumentLoader&>(*m_frame->coreFrame()->loader().documentLoader()).navigationID(); 365 362 366 // Notify the bundle client. 363 367 webPage->injectedBundleLoaderClient().didSameDocumentNavigationForFrame(webPage, m_frame, SameDocumentNavigationSessionStateReplace, userData); 364 368 365 369 // Notify the UIProcess. 
366 WebDocumentLoader& documentLoader = static_cast<WebDocumentLoader&>(*m_frame->coreFrame()->loader().documentLoader()); 367 webPage->send(Messages::WebPageProxy::DidSameDocumentNavigationForFrame(m_frame->frameID(), documentLoader.navigationID(), SameDocumentNavigationSessionStateReplace, m_frame->coreFrame()->document()->url().string(), UserData(WebProcess::singleton().transformObjectsToHandles(userData.get()).get()))); 370 webPage->send(Messages::WebPageProxy::DidSameDocumentNavigationForFrame(m_frame->frameID(), navigationID, SameDocumentNavigationSessionStateReplace, m_frame->coreFrame()->document()->url().string(), UserData(WebProcess::singleton().transformObjectsToHandles(userData.get()).get()))); 368 371 } 369 372 … … 376 379 RefPtr<API::Object> userData; 377 380 381 auto navigationID = static_cast<WebDocumentLoader&>(*m_frame->coreFrame()->loader().documentLoader()).navigationID(); 382 378 383 // Notify the bundle client. 379 384 webPage->injectedBundleLoaderClient().didSameDocumentNavigationForFrame(webPage, m_frame, SameDocumentNavigationSessionStatePop, userData); 380 385 381 386 // Notify the UIProcess. 
382 WebDocumentLoader& documentLoader = static_cast<WebDocumentLoader&>(*m_frame->coreFrame()->loader().documentLoader()); 383 webPage->send(Messages::WebPageProxy::DidSameDocumentNavigationForFrame(m_frame->frameID(), documentLoader.navigationID(), SameDocumentNavigationSessionStatePop, m_frame->coreFrame()->document()->url().string(), UserData(WebProcess::singleton().transformObjectsToHandles(userData.get()).get()))); 387 webPage->send(Messages::WebPageProxy::DidSameDocumentNavigationForFrame(m_frame->frameID(), navigationID, SameDocumentNavigationSessionStatePop, m_frame->coreFrame()->document()->url().string(), UserData(WebProcess::singleton().transformObjectsToHandles(userData.get()).get()))); 384 388 } 385 389 … … 505 509 RefPtr<API::Object> userData; 506 510 511 auto navigationID = static_cast<WebDocumentLoader&>(*m_frame->coreFrame()->loader().documentLoader()).navigationID(); 512 507 513 // Notify the bundle client. 508 514 webPage->injectedBundleLoaderClient().didFailLoadWithErrorForFrame(webPage, m_frame, error, userData); 509 515 510 516 // Notify the UIProcess. 511 WebDocumentLoader& documentLoader = static_cast<WebDocumentLoader&>(*m_frame->coreFrame()->loader().documentLoader()); 512 webPage->send(Messages::WebPageProxy::DidFailLoadForFrame(m_frame->frameID(), documentLoader.navigationID(), error, UserData(WebProcess::singleton().transformObjectsToHandles(userData.get()).get()))); 517 webPage->send(Messages::WebPageProxy::DidFailLoadForFrame(m_frame->frameID(), navigationID, error, UserData(WebProcess::singleton().transformObjectsToHandles(userData.get()).get()))); 513 518 514 519 // If we have a load listener, notify it. … … 525 530 RefPtr<API::Object> userData; 526 531 532 auto navigationID = static_cast<WebDocumentLoader&>(*m_frame->coreFrame()->loader().documentLoader()).navigationID(); 533 527 534 // Notify the bundle client. 
528 535 webPage->injectedBundleLoaderClient().didFinishDocumentLoadForFrame(webPage, m_frame, userData); 529 536 530 WebDocumentLoader& documentLoader = static_cast<WebDocumentLoader&>(*m_frame->coreFrame()->loader().documentLoader());531 532 537 // Notify the UIProcess. 533 webPage->send(Messages::WebPageProxy::DidFinishDocumentLoadForFrame(m_frame->frameID(), documentLoader.navigationID(), UserData(WebProcess::singleton().transformObjectsToHandles(userData.get()).get())));538 webPage->send(Messages::WebPageProxy::DidFinishDocumentLoadForFrame(m_frame->frameID(), navigationID, UserData(WebProcess::singleton().transformObjectsToHandles(userData.get()).get()))); 534 539 } 535 540 … … 542 547 RefPtr<API::Object> userData; 543 548 549 auto navigationID = static_cast<WebDocumentLoader&>(*m_frame->coreFrame()->loader().documentLoader()).navigationID(); 550 544 551 // Notify the bundle client. 545 552 webPage->injectedBundleLoaderClient().didFinishLoadForFrame(webPage, m_frame, userData); 546 553 547 WebDocumentLoader& documentLoader = static_cast<WebDocumentLoader&>(*m_frame->coreFrame()->loader().documentLoader());548 549 554 // Notify the UIProcess. 550 webPage->send(Messages::WebPageProxy::DidFinishLoadForFrame(m_frame->frameID(), documentLoader.navigationID(), UserData(WebProcess::singleton().transformObjectsToHandles(userData.get()).get())));555 webPage->send(Messages::WebPageProxy::DidFinishLoadForFrame(m_frame->frameID(), navigationID, UserData(WebProcess::singleton().transformObjectsToHandles(userData.get()).get()))); 551 556 552 557 // If we have a load listener, notify it.
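Review bot: reading `navigationID` before `injectedBundleLoaderClient()` is invoked fixes the dereference of a DocumentLoader the callback can null out, but the four same-document-navigation hunks (anchor navigation and session state push/replace/pop) still evaluate `m_frame->coreFrame()->document()->url().string()` after the callback. The ChangeLog only establishes that the callback "could kill the documentloader", so either state why coreFrame() and document() are guaranteed to survive it, or capture the URL string next to the navigation ID for the same reason. Separately, `static_cast<WebDocumentLoader&>(*m_frame->coreFrame()->loader().documentLoader()).navigationID()` is now repeated verbatim in seven callbacks; a small helper on WebFrameLoaderClient (or WebFrame) would keep the read-before-callback ordering in one place and make it harder for a future callback to reintroduce the use-after-callback read.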