Changeset 195496 in webkit

Timestamp:

Jan 22, 2016 5:04:59 PM (8 years ago)

Author:

Chris Dumez

Message:

Document.open / Document.write should be prevented while the document is being unloaded
​https://bugs.webkit.org/show_bug.cgi?id=153255
<rdar://problem/22741293>

Reviewed by Ryosuke Niwa.

Source/WebCore:

Document.open / Document.write should be prevented while the document
is being unloaded, as per the HTML specification:

• ​https://html.spec.whatwg.org/multipage/webappapis.html#dom-document-open (step 6)
• ​https://html.spec.whatwg.org/multipage/webappapis.html#dom-document-write (step 3)

This patch is aligning our behavior with the specification and Firefox.
Calling Document.open / Document.write during the document was being
unloaded would cause us to crash as this was unexpected.

Tests: fast/frames/page-hide-document-open.html

fast/frames/page-unload-document-open.html

• WebCore.xcodeproj/project.pbxproj:

Add new IgnoreOpensDuringUnloadCountIncrementer.h header.

• dom/Document.cpp:

(WebCore::Document::open):
Abort if the document's ignore-opens-during-unload counter is greater
than zero, as per:
​https://html.spec.whatwg.org/multipage/webappapis.html#dom-document-open (step 6)

(WebCore::Document::write):
Abort if the insertion point is undefined and the document's
ignore-opens-during-unload counter is greater than zero, as per:
​https://html.spec.whatwg.org/multipage/webappapis.html#dom-document-write (step 3)

• dom/Document.h:

Add data member to maintain the document's ignore-opens-during-unload counter:
​https://html.spec.whatwg.org/multipage/webappapis.html#ignore-opens-during-unload-counter

• dom/IgnoreOpensDuringUnloadCountIncrementer.h: Added.

Add utility class to increment / decrement a document's
ignore-opens-during-unload counter.

• history/CachedFrame.cpp:

(WebCore::CachedFrame::CachedFrame):
When a page goes into PageCache, we don't end up calling
FrameLoader::detachChildren() so we need to increment the document's
ignore-opens-during-unload counter before calling stopLoading() on each
subframe.

• loader/FrameLoader.cpp:

(WebCore::FrameLoader::detachChildren):
detachChildren() will end up firing the pagehide / unload events in each
child frame so we increment the parent frame's document's
ignore-opens-during-unload counter. This behavior matches the text of:
​https://html.spec.whatwg.org/multipage/browsers.html#unload-a-document

As per the spec, the document's ignore-opens-during-unload counter should
be incremented before firing the pagehide / unload events at the document's
Window object. It should be decremented only after firing the pagehide /
unload events in each subframe. This is needed in case a subframe tries to
call document.open / document.write on a parent frame's document, from its
pagehide or unload handler.

(WebCore::FrameLoader::dispatchUnloadEvents):
Increment the document's ignore-opens-during-unload counter before firing
the pagehide / unload events and decrement it after. As per the spec, we
are not supposed to decrement this early. We actually supposed to wait
until the pagehide / unload events have been fired in all the subframes.
For this reason, we take care of re-incrementing the document's
ignore-opens-during-unload in detachChildren(), which will take care of
firing the pagehide / unload in the subframes.

LayoutTests:

Add layout tests that cover calling Document.open / Document.write from
unload and pagehide handlers.

• fast/frames/page-hide-document-open-expected.txt: Added.
• fast/frames/page-hide-document-open.html: Added.
• fast/frames/page-unload-document-open-expected.txt: Added.
• fast/frames/page-unload-document-open.html: Added.
• fast/frames/resources/finish-test.html: Added.
• fast/frames/resources/page-hide-document-open-frame.html: Added.
• fast/frames/resources/page-hide-document-open-win.html: Added.
• fast/frames/resources/page-unload-document-open-frame.html: Added.
• fast/frames/resources/page-unload-document-open-win.html: Added.

Location:

trunk

Files:

• LayoutTests/ChangeLog (modified) (1 diff)
• LayoutTests/fast/frames/page-hide-document-open-expected.txt (added)
• LayoutTests/fast/frames/page-hide-document-open.html (added)
• LayoutTests/fast/frames/page-unload-document-open-expected.txt (added)
• LayoutTests/fast/frames/page-unload-document-open.html (added)
• LayoutTests/fast/frames/resources/finish-test.html (added)
• LayoutTests/fast/frames/resources/page-hide-document-open-frame.html (added)
• LayoutTests/fast/frames/resources/page-hide-document-open-win.html (added)
• LayoutTests/fast/frames/resources/page-unload-document-open-frame.html (added)
• LayoutTests/fast/frames/resources/page-unload-document-open-win.html (added)
• Source/WebCore/ChangeLog (modified) (1 diff)
• Source/WebCore/WebCore.xcodeproj/project.pbxproj (modified) (4 diffs)
• Source/WebCore/dom/Document.cpp (modified) (3 diffs)
• Source/WebCore/dom/Document.h (modified) (2 diffs)
• Source/WebCore/dom/IgnoreOpensDuringUnloadCountIncrementer.h (added)
• Source/WebCore/history/CachedFrame.cpp (modified) (2 diffs)
• Source/WebCore/loader/FrameLoader.cpp (modified) (3 diffs)

trunk/LayoutTests/ChangeLog

@@ +1 @@
+2016-01-22  Chris Dumez  <cdumez@apple.com>
+
+        Document.open / Document.write should be prevented while the document is being unloaded
+        https://bugs.webkit.org/show_bug.cgi?id=153255
+        <rdar://problem/22741293>
+
+        Reviewed by Ryosuke Niwa.
+
+        Add layout tests that cover calling Document.open / Document.write from
+        unload and pagehide handlers.
+
+        * fast/frames/page-hide-document-open-expected.txt: Added.
+        * fast/frames/page-hide-document-open.html: Added.
+        * fast/frames/page-unload-document-open-expected.txt: Added.
+        * fast/frames/page-unload-document-open.html: Added.
+        * fast/frames/resources/finish-test.html: Added.
+        * fast/frames/resources/page-hide-document-open-frame.html: Added.
+        * fast/frames/resources/page-hide-document-open-win.html: Added.
+        * fast/frames/resources/page-unload-document-open-frame.html: Added.
+        * fast/frames/resources/page-unload-document-open-win.html: Added.
+
 2016-01-22  Brady Eidson  <beidson@apple.com>
 

trunk/Source/WebCore/ChangeLog

@@ +1 @@
+2016-01-22  Chris Dumez  <cdumez@apple.com>
+
+        Document.open / Document.write should be prevented while the document is being unloaded
+        https://bugs.webkit.org/show_bug.cgi?id=153255
+        <rdar://problem/22741293>
+
+        Reviewed by Ryosuke Niwa.
+
+        Document.open / Document.write should be prevented while the document
+        is being unloaded, as per the HTML specification:
+        - https://html.spec.whatwg.org/multipage/webappapis.html#dom-document-open (step 6)
+        - https://html.spec.whatwg.org/multipage/webappapis.html#dom-document-write (step 3)
+
+        This patch is aligning our behavior with the specification and Firefox.
+        Calling Document.open / Document.write during the document was being
+        unloaded would cause us to crash as this was unexpected.
+
+        Tests: fast/frames/page-hide-document-open.html
+               fast/frames/page-unload-document-open.html
+
+        * WebCore.xcodeproj/project.pbxproj:
+        Add new IgnoreOpensDuringUnloadCountIncrementer.h header.
+
+        * dom/Document.cpp:
+        (WebCore::Document::open):
+        Abort if the document's ignore-opens-during-unload counter is greater
+        than zero, as per:
+        https://html.spec.whatwg.org/multipage/webappapis.html#dom-document-open (step 6)
+
+        (WebCore::Document::write):
+        Abort if the insertion point is undefined and the document's
+        ignore-opens-during-unload counter is greater than zero, as per:
+        https://html.spec.whatwg.org/multipage/webappapis.html#dom-document-write (step 3)
+
+        * dom/Document.h:
+        Add data member to maintain the document's ignore-opens-during-unload counter:
+        https://html.spec.whatwg.org/multipage/webappapis.html#ignore-opens-during-unload-counter
+
+        * dom/IgnoreOpensDuringUnloadCountIncrementer.h: Added.
+        Add utility class to increment / decrement a document's
+        ignore-opens-during-unload counter.
+
+        * history/CachedFrame.cpp:
+        (WebCore::CachedFrame::CachedFrame):
+        When a page goes into PageCache, we don't end up calling
+        FrameLoader::detachChildren() so we need to increment the document's
+        ignore-opens-during-unload counter before calling stopLoading() on each
+        subframe.
+
+        * loader/FrameLoader.cpp:
+        (WebCore::FrameLoader::detachChildren):
+        detachChildren() will end up firing the pagehide / unload events in each
+        child frame so we increment the parent frame's document's
+        ignore-opens-during-unload counter. This behavior matches the text of:
+        https://html.spec.whatwg.org/multipage/browsers.html#unload-a-document
+
+        As per the spec, the document's ignore-opens-during-unload counter should
+        be incremented before firing the pagehide / unload events at the document's
+        Window object. It should be decremented only after firing the pagehide /
+        unload events in each subframe. This is needed in case a subframe tries to
+        call document.open / document.write on a parent frame's document, from its
+        pagehide or unload handler.
+
+        (WebCore::FrameLoader::dispatchUnloadEvents):
+        Increment the document's ignore-opens-during-unload counter before firing
+        the pagehide / unload events and decrement it after. As per the spec, we
+        are not supposed to decrement this early. We actually supposed to wait
+        until the pagehide / unload events have been fired in all the subframes.
+        For this reason, we take care of re-incrementing the document's
+        ignore-opens-during-unload in detachChildren(), which will take care of
+        firing the pagehide / unload in the subframes.
+
 2016-01-22  Brady Eidson  <beidson@apple.com>
 

trunk/Source/WebCore/WebCore.xcodeproj/project.pbxproj

@@ -1701 +1701 @@
                 463EB6231B8789E00096ED51 /* TagCollection.h in Headers */ = {isa = PBXBuildFile; fileRef = 463EB6211B8789CB0096ED51 /* TagCollection.h */; };
                 4669B2871B852A0B000F905F /* JSDOMNamedFlowCollectionCustom.cpp in Sources */ = {isa = PBXBuildFile; fileRef = 46F2768E1B85297F005C2556 /* JSDOMNamedFlowCollectionCustom.cpp */; };
+                467302021C4EFE7800BCB357 /* IgnoreOpensDuringUnloadCountIncrementer.h in Headers */ = {isa = PBXBuildFile; fileRef = 467302011C4EFE6600BCB357 /* IgnoreOpensDuringUnloadCountIncrementer.h */; };
                 4689F1AF1267BAE100E8D380 /* FileMetadata.h in Headers */ = {isa = PBXBuildFile; fileRef = 4689F1AE1267BAE100E8D380 /* FileMetadata.h */; };
                 46C83EFD1A9BBE2900A79A41 /* GeoNotifier.cpp in Sources */ = {isa = PBXBuildFile; fileRef = 46C83EFB1A9BBE2900A79A41 /* GeoNotifier.cpp */; };
@@ -9121 +9122 @@
                 463EB6201B8789CB0096ED51 /* TagCollection.cpp */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.cpp.cpp; path = TagCollection.cpp; sourceTree = "<group>"; };
                 463EB6211B8789CB0096ED51 /* TagCollection.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; path = TagCollection.h; sourceTree = "<group>"; };
+                467302011C4EFE6600BCB357 /* IgnoreOpensDuringUnloadCountIncrementer.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; path = IgnoreOpensDuringUnloadCountIncrementer.h; sourceTree = "<group>"; };
                 4689F1AE1267BAE100E8D380 /* FileMetadata.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; path = FileMetadata.h; sourceTree = "<group>"; };
                 46C83EFB1A9BBE2900A79A41 /* GeoNotifier.cpp */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.cpp.cpp; path = GeoNotifier.cpp; sourceTree = "<group>"; };
@@ -24005 +24007 @@
                                 C3CF17A315B0063F00276D39 /* IdTargetObserverRegistry.h */,
                                 8AB4BC76126FDB7100DEB727 /* IgnoreDestructiveWriteCountIncrementer.h */,
+                                467302011C4EFE6600BCB357 /* IgnoreOpensDuringUnloadCountIncrementer.h */,
                                 AA4C3A740B2B1679002334A2 /* InlineStyleSheetOwner.cpp */,
                                 AA4C3A750B2B1679002334A2 /* InlineStyleSheetOwner.h */,
@@ -25625 +25628 @@
                                 2E75841E12779ADA0062628B /* FileReaderLoader.h in Headers */,
                                 2E75841F12779ADA0062628B /* FileReaderLoaderClient.h in Headers */,
+                                467302021C4EFE7800BCB357 /* IgnoreOpensDuringUnloadCountIncrementer.h in Headers */,
                                 2EDF369D122C94B4002F7D4E /* FileReaderSync.h in Headers */,
                                 2EF1BFEB121C9F4200C27627 /* FileStream.h in Headers */,

trunk/Source/WebCore/dom/Document.cpp

@@ -476 +476 @@
     , m_frameElementsShouldIgnoreScrolling(false)
     , m_updateFocusAppearanceRestoresSelection(SelectionRestorationMode::SetDefault)
-    , m_ignoreDestructiveWriteCount(0)
     , m_markers(std::make_unique<DocumentMarkerController>(*this))
     , m_updateFocusAppearanceTimer(*this, &Document::updateFocusAppearanceTimerFired)
@@ -2498 +2497 @@
 void Document::open(Document* ownerDocument)
 {
+    if (m_ignoreOpensDuringUnloadCount)
+        return;
+
     if (ownerDocument) {
         setURL(ownerDocument->url());
@@ -2846 +2848 @@
 
     bool hasInsertionPoint = m_parser && m_parser->hasInsertionPoint();
-    if (!hasInsertionPoint && m_ignoreDestructiveWriteCount)
+    if (!hasInsertionPoint && (m_ignoreOpensDuringUnloadCount || m_ignoreDestructiveWriteCount))
         return;
 

trunk/Source/WebCore/dom/Document.h

@@ -1339 +1339 @@
     friend class Node;
     friend class IgnoreDestructiveWriteCountIncrementer;
+    friend class IgnoreOpensDuringUnloadCountIncrementer;
 
     void updateTitleElement(Element* newTitleElement);
@@ -1529 +1530 @@
     SelectionRestorationMode m_updateFocusAppearanceRestoresSelection;
 
-    // http://www.whatwg.org/specs/web-apps/current-work/#ignore-destructive-writes-counter
-    unsigned m_ignoreDestructiveWriteCount;
+    // https://html.spec.whatwg.org/multipage/webappapis.html#ignore-destructive-writes-counter
+    unsigned m_ignoreDestructiveWriteCount { 0 };
+
+    // https://html.spec.whatwg.org/multipage/webappapis.html#ignore-opens-during-unload-counter
+    unsigned m_ignoreOpensDuringUnloadCount { 0 };
 
     unsigned m_styleRecalcCount { 0 };

trunk/Source/WebCore/history/CachedFrame.cpp

@@ -40 +40 @@
 #include "HistoryController.h"
 #include "HistoryItem.h"
+#include "IgnoreOpensDuringUnloadCountIncrementer.h"
 #include "Logging.h"
 #include "MainFrame.h"
@@ -158 +159 @@
     frame.loader().stopLoading(UnloadEventPolicyUnloadAndPageHide);
 
-    // Create the CachedFrames for all Frames in the FrameTree.
-    for (Frame* child = frame.tree().firstChild(); child; child = child->tree().nextSibling())
-        m_childFrames.append(std::make_unique<CachedFrame>(*child));
+    {
+        // The following will fire the pagehide event in each subframe and the HTML specification states
+        // that the parent document's ignore-opens-during-unload counter should be incremented while the
+        // pagehide event is being fired in its subframes:
+        // https://html.spec.whatwg.org/multipage/browsers.html#unload-a-document
+        IgnoreOpensDuringUnloadCountIncrementer ignoreOpensDuringUnloadCountIncrementer(m_document.get());
+
+        // Create the CachedFrames for all Frames in the FrameTree.
+        for (Frame* child = frame.tree().firstChild(); child; child = child->tree().nextSibling())
+            m_childFrames.append(std::make_unique<CachedFrame>(*child));
+    }
 
     // Active DOM objects must be suspended before we cache the frame script data,

trunk/Source/WebCore/loader/FrameLoader.cpp

@@ -78 +78 @@
 #include "HistoryItem.h"
 #include "IconController.h"
+#include "IgnoreOpensDuringUnloadCountIncrementer.h"
 #include "InspectorController.h"
 #include "InspectorInstrumentation.h"
@@ -2427 +2428 @@
 void FrameLoader::detachChildren()
 {
+    // detachChildren() will fire the unload event in each subframe and the
+    // HTML specification states that the parent document's ignore-opens-during-unload counter while
+    // this event is being fired in its subframes:
+    // https://html.spec.whatwg.org/multipage/browsers.html#unload-a-document
+    IgnoreOpensDuringUnloadCountIncrementer ignoreOpensDuringUnloadCountIncrementer(m_frame.document());
+
     Vector<Ref<Frame>, 16> childrenToDetach;
     childrenToDetach.reserveInitialCapacity(m_frame.tree().childCount());
@@ -2879 +2886 @@
     // We store the frame's page in a local variable because the frame might get detached inside dispatchEvent.
     ForbidPromptsScope forbidPrompts(m_frame.page());
+    IgnoreOpensDuringUnloadCountIncrementer ignoreOpensDuringUnloadCountIncrementer(m_frame.document());
 
     if (m_didCallImplicitClose && !m_wasUnloadEventEmitted) {