Changeset 192947 in webkit

Timestamp:

Dec 2, 2015 11:04:07 AM (8 years ago)

Author:

jiewen_tan@apple.com

Message:

Null dereference loading Blink layout test fast/loader/unload-mutation-crash.html
​https://bugs.webkit.org/show_bug.cgi?id=149305
<rdar://problem/22747892>

Reviewed by Brent Fulgham.

Source/WebCore:

Add an extra guard to replaceDocument() against rude JS in unload event handlers.

Test: fast/loader/unload-mutation-crash.html

• loader/DocumentWriter.cpp:

(WebCore::DocumentWriter::replaceDocument):
(WebCore::DocumentWriter::begin):

LayoutTests:

This test case is from Blink r180918:
​https://codereview.chromium.org/495743003

• fast/loader/unload-mutation-crash-expected.txt: Added.
• fast/loader/unload-mutation-crash.html: Added.

Location:

trunk

Files:

• LayoutTests/ChangeLog (modified) (1 diff)
• LayoutTests/fast/loader/unload-mutation-crash-expected.txt (added)
• LayoutTests/fast/loader/unload-mutation-crash.html (added)
• Source/WebCore/ChangeLog (modified) (1 diff)
• Source/WebCore/loader/DocumentWriter.cpp (modified) (2 diffs)

trunk/LayoutTests/ChangeLog

@@ +1 @@
+2015-12-02  Jiewen Tan  <jiewen_tan@apple.com>
+
+        Null dereference loading Blink layout test fast/loader/unload-mutation-crash.html
+        https://bugs.webkit.org/show_bug.cgi?id=149305
+        <rdar://problem/22747892>
+
+        Reviewed by Brent Fulgham.
+
+        This test case is from Blink r180918:
+        https://codereview.chromium.org/495743003
+
+        * fast/loader/unload-mutation-crash-expected.txt: Added.
+        * fast/loader/unload-mutation-crash.html: Added.
+
 2015-12-02  Joseph Pecoraro  <pecoraro@apple.com>
 

trunk/Source/WebCore/ChangeLog

@@ +1 @@
+2015-12-02  Jiewen Tan  <jiewen_tan@apple.com>
+
+        Null dereference loading Blink layout test fast/loader/unload-mutation-crash.html
+        https://bugs.webkit.org/show_bug.cgi?id=149305
+        <rdar://problem/22747892>
+
+        Reviewed by Brent Fulgham.
+
+        Add an extra guard to replaceDocument() against rude JS in unload event handlers.
+
+        Test: fast/loader/unload-mutation-crash.html
+
+        * loader/DocumentWriter.cpp:
+        (WebCore::DocumentWriter::replaceDocument):
+        (WebCore::DocumentWriter::begin):
+
 2015-12-02  Per Arne Vollan  <peavo@outlook.com>
 

trunk/Source/WebCore/loader/DocumentWriter.cpp

@@ -74 +74 @@
     begin(m_frame->document()->url(), true, ownerDocument);
 
+    // begin() might fire an unload event, which will result in a situation where no new document has been attached,
+    // and the old document has been detached. Therefore, bail out if no document is attached.
+    if (!m_frame->document())
+        return;
+
     if (!source.isNull()) {
         if (!m_hasReceivedSomeData) {
@@ -141 +146 @@
     m_frame->loader().clear(document.ptr(), !shouldReuseDefaultView, !shouldReuseDefaultView);
     clear();
+
+    // m_frame->loader().clear() might fire unload event which could remove the view of the document.
+    // Bail out if document has no view.
+    if (!document->view())
+        return;
 
     if (!shouldReuseDefaultView)