Changeset 199181 in webkit

Timestamp:

Apr 7, 2016 2:15:34 PM (8 years ago)

Author:

Brent Fulgham

Message:

Wheel event callback removing the window causes crash in WebCore.
​https://bugs.webkit.org/show_bug.cgi?id=150871
<rdar://problem/23418283>

Reviewed by Simon Fraser.

Source/WebCore:

Null check the FrameView before using it, since the iframe may have been removed
from its parent document inside the event handler.

The new test triggered a cross-load side-effect, where wheel event filtering wasn't
reset between page loads. Fix by calling clearLatchedState() in EventHandler::clear(),
which resets the filtering.

Since the Frame destructor invokes EventHandler::clear, which invokes MainFrame methods,
we run the risk of attempting to dereference destroyed MainFrame elements of the current
Frame object. Instead, clear the EventHandler in the MainFrame destructor.

Finally, confirm that the mainFrame member is not being destroyed in the handful of
places that might attempt to access the mainFrame during object destruction (essentially
cleanup methods).

Test: fast/events/wheel-event-destroys-frame.html

• loader/FrameLoader.cpp:

(WebCore::FrameLoader::clear): Protect against accessing mainFrame content during destruction.

• page/EventHandler.cpp:

(WebCore::EventHandler::clear): Call 'clearLatchedState' instead of endFilteringDeltas.
(WebCore::EventHandler::clearLatchedState): Null-check the filter before calling it.

• page/Frame.cpp:

(WebCore::Frame::~Frame): Do not call 'setView' in the destructor for a MainFrame.
(WebCore::Frame::setView): Check for a null event handler before invoking it.
(WebCore::Frame::setMainFrameWasDestroyed): Added. Mark that the MainFrame
member of the Frame is being destroyed (if the current Frame is a MainFrame) and clear
the EventHandler member so that it doesn't attempt to access mainFrame content.
(WebCore::Frame::mainFrame): When accessing the mainFrame member, assert that the
mainFrame is not being destroyed.

• page/MainFrame.cpp:

(WebCore::MainFrame::~MainFrame): Set the m_recentWheelEventDeltaFilter to nullptr to
prevent attempts to access it during object destruction. Call the new 'setMainFrameWasDestroyed'
method to reset eventHandler and mark the MainFrame as being in the process of destruction.

• page/WheelEventDeltaFilter.cpp:

(WebCore::WheelEventDeltaFilter::filteredDelta): Add logging.

• page/mac/EventHandlerMac.mm:

(WebCore::EventHandler::platformCompleteWheelEvent): Add null check.

• rendering/RenderLayer.cpp:

(WebCore::RenderLayer::scrollTo): Add logging.

LayoutTests:

• fast/events/wheel-event-destroys-frame-expected.txt: Added.
• fast/events/wheel-event-destroys-frame.html: Added.
• platform/ios-simulator/TestExpectations: Skip wheel-event test on iOS.

Location:

trunk

Files:

• LayoutTests/ChangeLog (modified) (1 diff)
• LayoutTests/fast/events/wheel-event-destroys-frame-expected.txt (added)
• LayoutTests/fast/events/wheel-event-destroys-frame.html (added)
• LayoutTests/platform/ios-simulator/TestExpectations (modified) (1 diff)
• Source/WebCore/ChangeLog (modified) (1 diff)
• Source/WebCore/loader/FrameLoader.cpp (modified) (1 diff)
• Source/WebCore/page/EventHandler.cpp (modified) (3 diffs)
• Source/WebCore/page/Frame.cpp (modified) (4 diffs)
• Source/WebCore/page/Frame.h (modified) (6 diffs)
• Source/WebCore/page/MainFrame.cpp (modified) (2 diffs)
• Source/WebCore/page/WheelEventDeltaFilter.cpp (modified) (3 diffs)
• Source/WebCore/page/mac/EventHandlerMac.mm (modified) (2 diffs)
• Source/WebCore/rendering/RenderLayer.cpp (modified) (2 diffs)

trunk/LayoutTests/ChangeLog

@@ +1 @@
+2016-04-07  Brent Fulgham  <bfulgham@apple.com>
+
+        Wheel event callback removing the window causes crash in WebCore.
+        https://bugs.webkit.org/show_bug.cgi?id=150871
+        <rdar://problem/23418283>
+
+        Reviewed by Simon Fraser.
+
+        * fast/events/wheel-event-destroys-frame-expected.txt: Added.
+        * fast/events/wheel-event-destroys-frame.html: Added.
+        * platform/ios-simulator/TestExpectations: Skip wheel-event test on iOS.
+
 2016-04-07  Saam barati  <sbarati@apple.com>
 

trunk/LayoutTests/platform/ios-simulator/TestExpectations

@@ -58 +58 @@
 fast/scrolling/iframe-scrollable-after-back.html [ Skip ]
 fast/scrolling/overflow-scrollable-after-back.html [ Skip ]
+fast/events/wheel-event-destroys-frame.html [ Skip ]
 
 # Not supported on iOS

trunk/Source/WebCore/ChangeLog

@@ +1 @@
+2016-04-07  Brent Fulgham  <bfulgham@apple.com>
+
+        Wheel event callback removing the window causes crash in WebCore.
+        https://bugs.webkit.org/show_bug.cgi?id=150871
+        <rdar://problem/23418283>
+
+        Reviewed by Simon Fraser.
+
+        Null check the FrameView before using it, since the iframe may have been removed
+        from its parent document inside the event handler.
+        
+        The new test triggered a cross-load side-effect, where wheel event filtering wasn't
+        reset between page loads. Fix by calling clearLatchedState() in EventHandler::clear(),
+        which resets the filtering.
+
+        Since the Frame destructor invokes EventHandler::clear, which invokes MainFrame methods,
+        we run the risk of attempting to dereference destroyed MainFrame elements of the current
+        Frame object. Instead, clear the EventHandler in the MainFrame destructor.
+
+        Finally, confirm that the mainFrame member is not being destroyed in the handful of
+        places that might attempt to access the mainFrame during object destruction (essentially
+        cleanup methods).
+
+        Test: fast/events/wheel-event-destroys-frame.html
+
+        * loader/FrameLoader.cpp:
+        (WebCore::FrameLoader::clear): Protect against accessing mainFrame content during destruction.
+        * page/EventHandler.cpp:
+        (WebCore::EventHandler::clear): Call 'clearLatchedState' instead of endFilteringDeltas.
+        (WebCore::EventHandler::clearLatchedState): Null-check the filter before calling it.
+        * page/Frame.cpp:
+        (WebCore::Frame::~Frame): Do not call 'setView' in the destructor for a MainFrame.
+        (WebCore::Frame::setView): Check for a null event handler before invoking it.
+        (WebCore::Frame::setMainFrameWasDestroyed): Added. Mark that the MainFrame
+        member of the Frame is being destroyed (if the current Frame is a MainFrame) and clear
+        the EventHandler member so that it doesn't attempt to access mainFrame content.
+        (WebCore::Frame::mainFrame): When accessing the mainFrame member, assert that the
+        mainFrame is not being destroyed.
+        * page/MainFrame.cpp:
+        (WebCore::MainFrame::~MainFrame): Set the m_recentWheelEventDeltaFilter to nullptr to
+        prevent attempts to access it during object destruction. Call the new 'setMainFrameWasDestroyed'
+        method to reset eventHandler and mark the MainFrame as being in the process of destruction.
+        * page/WheelEventDeltaFilter.cpp:
+        (WebCore::WheelEventDeltaFilter::filteredDelta): Add logging.
+        * page/mac/EventHandlerMac.mm:
+        (WebCore::EventHandler::platformCompleteWheelEvent): Add null check.
+        * rendering/RenderLayer.cpp:
+        (WebCore::RenderLayer::scrollTo): Add logging.
+
 2016-04-05  Ada Chan  <adachan@apple.com>
 

trunk/Source/WebCore/loader/FrameLoader.cpp

@@ -605 +605 @@
 
     m_frame.selection().prepareForDestruction();
-    m_frame.eventHandler().clear();
+
+    // We may call this code during object destruction, so need to make sure eventHandler is present.
+    if (auto eventHandler = m_frame.eventHandlerPtr())
+        eventHandler->clear();
+
     if (clearFrameView && m_frame.view())
         m_frame.view()->clear();

trunk/Source/WebCore/page/EventHandler.cpp

@@ -1 +1 @@
 /*
- * Copyright (C) 2006-2015 Apple Inc. All rights reserved.
+ * Copyright (C) 2006-2016 Apple Inc. All rights reserved.
  * Copyright (C) 2006 Alexey Proskuryakov (ap@webkit.org)
  * Copyright (C) 2012 Digia Plc. and/or its subsidiary(-ies)
@@ -456 +456 @@
     m_capturesDragging = false;
     m_capturingMouseEventsElement = nullptr;
-#if PLATFORM(MAC)
-    m_frame.mainFrame().resetLatchingState();
-#endif
+    clearLatchedState();
 #if ENABLE(TOUCH_EVENTS) && !ENABLE(IOS_TOUCH_EVENTS)
     m_originatingTouchPointTargets.clear();
@@ -2694 +2692 @@
     m_frame.mainFrame().resetLatchingState();
 #endif
-    m_frame.mainFrame().wheelEventDeltaFilter()->endFilteringDeltas();
+    if (auto filter = m_frame.mainFrame().wheelEventDeltaFilter())
+        filter->endFilteringDeltas();
 }
 

trunk/Source/WebCore/page/Frame.cpp

@@ -6 +6 @@
  *                     2000 Stefan Schimanski <1Stein@gmx.de>
  *                     2001 George Staikos <staikos@kde.org>
- * Copyright (C) 2004, 2005, 2006, 2007, 2008, 2009, 2010, 2011 Apple Inc. All rights reserved.
+ * Copyright (C) 2004-2016 Apple Inc. All rights reserved.
  * Copyright (C) 2005 Alexey Proskuryakov <ap@nypop.com>
  * Copyright (C) 2008 Nokia Corporation and/or its subsidiary(-ies)
@@ -161 +161 @@
     , m_editor(std::make_unique<Editor>(*this))
     , m_selection(std::make_unique<FrameSelection>(this))
-    , m_eventHandler(std::make_unique<EventHandler>(*this))
     , m_animationController(std::make_unique<AnimationController>(*this))
 #if PLATFORM(IOS)
@@ -170 +169 @@
     , m_textZoomFactor(parentTextZoomFactor(this))
     , m_activeDOMObjectsAndAnimationsSuspendedCount(0)
+    , m_eventHandler(std::make_unique<EventHandler>(*this))
 {
     AtomicString::init();
@@ -252 +252 @@
         m_view->unscheduleRelayout();
     
-    eventHandler().clear();
+    // This may be called during destruction, so need to do a null check.
+    if (m_eventHandler)
+        m_eventHandler->clear();
 
     m_view = WTFMove(view);

trunk/Source/WebCore/page/Frame.h

@@ -6 +6 @@
  *                     2000-2001 Dirk Mueller <mueller@kde.org>
  *                     2000 Stefan Schimanski <1Stein@gmx.de>
- * Copyright (C) 2004, 2005, 2006, 2007, 2008, 2009, 2010 Apple Inc. All rights reserved.
+ * Copyright (C) 2004-2016 Apple Inc. All rights reserved.
  * Copyright (C) 2008 Nokia Corporation and/or its subsidiary(-ies)
  * Copyright (C) 2008 Eric Seidel <eric@webkit.org>
@@ -152 +152 @@
         Editor& editor() const;
         EventHandler& eventHandler() const;
+        EventHandler* eventHandlerPtr() const;
         FrameLoader& loader() const;
         NavigationScheduler& navigationScheduler() const;
@@ -279 +280 @@
     protected:
         Frame(Page&, HTMLFrameOwnerElement*, FrameLoaderClient&);
+        void setMainFrameWasDestroyed();
 
     private:
@@ -297 +299 @@
         const std::unique_ptr<Editor> m_editor;
         const std::unique_ptr<FrameSelection> m_selection;
-        const std::unique_ptr<EventHandler> m_eventHandler;
         const std::unique_ptr<AnimationController> m_animationController;
 
@@ -327 +328 @@
 
         int m_activeDOMObjectsAndAnimationsSuspendedCount;
+        bool m_mainFrameWasDestroyed { false };
+
+    protected:
+        std::unique_ptr<EventHandler> m_eventHandler;
     };
 
@@ -399 +404 @@
     }
 
+    inline EventHandler* Frame::eventHandlerPtr() const
+    {
+        return m_eventHandler.get();
+    }
+
     inline MainFrame& Frame::mainFrame() const
     {
+        ASSERT_WITH_SECURITY_IMPLICATION(!m_mainFrameWasDestroyed);
         return m_mainFrame;
     }
 
+    inline void Frame::setMainFrameWasDestroyed()
+    {
+        m_mainFrameWasDestroyed = false;
+    }
+
 } // namespace WebCore
 

trunk/Source/WebCore/page/MainFrame.cpp

@@ -1 +1 @@
 /*
- * Copyright (C) 2013-2015 Apple Inc. All rights reserved.
+ * Copyright (C) 2013-2016 Apple Inc. All rights reserved.
  *
  * Redistribution and use in source and binary forms, with or without
@@ -67 +67 @@
     if (m_diagnosticLoggingClient)
         m_diagnosticLoggingClient->mainFrameDestroyed();
+
+    m_recentWheelEventDeltaFilter = nullptr;
+    m_eventHandler = nullptr;
+
+    setMainFrameWasDestroyed();
 }
 

trunk/Source/WebCore/page/WheelEventDeltaFilter.cpp

@@ -1 +1 @@
 /*
- * Copyright (C) 2015 Apple Inc. All rights reserved.
+ * Copyright (C) 2015-2016 Apple Inc. All rights reserved.
  *
  * Redistribution and use in source and binary forms, with or without
@@ -32 +32 @@
 
 #include "FloatSize.h"
+#include "Logging.h"
+#include "TextStream.h"
 
 namespace WebCore {
@@ -59 +61 @@
 FloatSize WheelEventDeltaFilter::filteredDelta() const
 {
+    LOG_WITH_STREAM(Scrolling, stream << "BasicWheelEventDeltaFilter::filteredDelta returning " << m_currentFilteredDelta);
     return m_currentFilteredDelta;
 }

trunk/Source/WebCore/page/mac/EventHandlerMac.mm

@@ -1 +1 @@
 /*
- * Copyright (C) 2006, 2007, 2008, 2009, 2014-2015 Apple Inc. All rights reserved.
+ * Copyright (C) 2006-2016 Apple Inc. All rights reserved.
  *
  * Redistribution and use in source and binary forms, with or without
@@ -1050 +1050 @@
 bool EventHandler::platformCompleteWheelEvent(const PlatformWheelEvent& wheelEvent, ContainerNode* scrollableContainer, ScrollableArea* scrollableArea)
 {
+    FrameView* view = m_frame.view();
     // We do another check on the frame view because the event handler can run JS which results in the frame getting destroyed.
-    ASSERT(m_frame.view());
-    FrameView* view = m_frame.view();
+    if (!view)
+        return false;
 
     ScrollLatchingState* latchingState = m_frame.mainFrame().latchingState();

trunk/Source/WebCore/rendering/RenderLayer.cpp

@@ -1 +1 @@
 /*
- * Copyright (C) 2006-2015 Apple Inc. All rights reserved.
+ * Copyright (C) 2006-2016 Apple Inc. All rights reserved.
  *
  * Portions are Copyright (C) 1998 Netscape Communications Corporation.
@@ -2347 +2347 @@
         return;
 
+    LOG_WITH_STREAM(Scrolling, stream << "RenderLayer::scrollTo " << position);
+
     ScrollPosition newPosition = position;
     if (!box->isHTMLMarquee()) {