Changeset 225577 in webkit

Timestamp:

Dec 6, 2017 10:40:05 AM (6 years ago)

Author:

Chris Dumez

Message:

ServiceWorkers API should reject promises when calling objects inside detached frames
​https://bugs.webkit.org/show_bug.cgi?id=180444

Reviewed by Youenn Fablet.

LayoutTests/imported/w3c:

Rebaseline test now that it is passing some checks.

• web-platform-tests/service-workers/service-worker/detached-context.https-expected.txt:
• web-platform-tests/service-workers/service-worker/register-closed-window.https-expected.txt:

Source/WebCore:

ServiceWorkers API should reject promises when calling objects inside detached frames.

No new tests, rebaselined existing test.

• bindings/js/JSDOMPromiseDeferred.h:

(WebCore::callPromiseFunction):
Use the caller's globalObject instead of the lexicalGlobalObject when constructing the
deferred promise. The bug became visible when working on this service worker bug since
rejecting the promise when the frame is detached did not actually work. The issue is
that since the promise was created with the detached frame's globalObject, then it was
suspended and would not run script.

• bindings/js/JSDOMWindowBase.cpp:

(WebCore::callerGlobalObject):
(WebCore::incumbentDOMWindow):

• bindings/js/JSDOMWindowBase.h:

Add convenience function to get the caller's globalObject. It was carved out of
incumbentDOMWindow().

• workers/service/ServiceWorker.cpp:

(WebCore::ServiceWorker::postMessage):

• workers/service/ServiceWorkerContainer.cpp:

(WebCore::ServiceWorkerContainer::addRegistration):
(WebCore::ServiceWorkerContainer::getRegistration):
(WebCore::ServiceWorkerContainer::getRegistrations):

• workers/service/ServiceWorkerRegistration.cpp:

(WebCore::ServiceWorkerRegistration::update):
(WebCore::ServiceWorkerRegistration::unregister):
Reject the promise when m_isStopped flag is set (i.e. ActiveDOMObject::stop()
has been called).

LayoutTests:

• TestExpectations:

Unskip test that no longer times out and starts passing a few checks.

• fast/dom/navigator-detached-no-crash-expected.txt:

Rebaseline test now that promise is rejected.

• http/tests/media/media-stream/disconnected-frame-permission-denied-expected.txt:
• http/tests/media/media-stream/disconnected-frame-permission-denied.html:

Update and rebaseline test now that the promise is rejected. I verified that this
behavior is consistent with Chrome.

Location:

trunk

Files:

• LayoutTests/ChangeLog (modified) (1 diff)
• LayoutTests/TestExpectations (modified) (1 diff)
• LayoutTests/fast/dom/navigator-detached-no-crash-expected.txt (modified) (1 diff)
• LayoutTests/http/tests/media/media-stream/disconnected-frame-expected.txt (modified) (1 diff)
• LayoutTests/http/tests/media/media-stream/disconnected-frame-permission-denied-expected.txt (modified) (2 diffs)
• LayoutTests/http/tests/media/media-stream/disconnected-frame-permission-denied.html (modified) (2 diffs)
• LayoutTests/http/tests/media/media-stream/disconnected-frame.html (modified) (1 diff)
• LayoutTests/http/tests/media/media-stream/resources/disconnected-frame-inner.html (modified) (1 diff)
• LayoutTests/imported/w3c/ChangeLog (modified) (1 diff)
• LayoutTests/imported/w3c/web-platform-tests/service-workers/service-worker/detached-context.https-expected.txt (modified) (1 diff)
• LayoutTests/imported/w3c/web-platform-tests/service-workers/service-worker/ready.https-expected.txt (modified) (1 diff)
• LayoutTests/imported/w3c/web-platform-tests/service-workers/service-worker/register-closed-window.https-expected.txt (modified) (1 diff)
• LayoutTests/platform/gtk/fast/dom/navigator-detached-no-crash-expected.txt (modified) (1 diff)
• LayoutTests/platform/mac-elcapitan-wk2/fast/dom/navigator-detached-no-crash-expected.txt (modified) (1 diff)
• LayoutTests/platform/mac-wk1/fast/dom/navigator-detached-no-crash-expected.txt (modified) (1 diff)
• LayoutTests/platform/win/fast/dom/navigator-detached-no-crash-expected.txt (modified) (1 diff)
• Source/WebCore/ChangeLog (modified) (1 diff)
• Source/WebCore/bindings/js/JSDOMGlobalObject.cpp (modified) (1 diff)
• Source/WebCore/bindings/js/JSDOMGlobalObject.h (modified) (1 diff)
• Source/WebCore/bindings/js/JSDOMPromiseDeferred.h (modified) (2 diffs)
• Source/WebCore/bindings/js/JSDOMWindowBase.cpp (modified) (1 diff)
• Source/WebCore/workers/service/ServiceWorker.cpp (modified) (1 diff)
• Source/WebCore/workers/service/ServiceWorkerContainer.cpp (modified) (5 diffs)
• Source/WebCore/workers/service/ServiceWorkerRegistration.cpp (modified) (2 diffs)

trunk/LayoutTests/ChangeLog

@@ +1 @@
+2017-12-06  Chris Dumez  <cdumez@apple.com>
+
+        ServiceWorkers API should reject promises when calling objects inside detached frames
+        https://bugs.webkit.org/show_bug.cgi?id=180444
+
+        Reviewed by Youenn Fablet.
+
+        * TestExpectations:
+        Unskip test that no longer times out and starts passing a few checks.
+
+        * fast/dom/navigator-detached-no-crash-expected.txt:
+        Rebaseline test now that promise is rejected.
+
+        * http/tests/media/media-stream/disconnected-frame-permission-denied-expected.txt:
+        * http/tests/media/media-stream/disconnected-frame-permission-denied.html:
+        Update and rebaseline test now that the promise is rejected. I verified that this
+        behavior is consistent with Chrome.
+
 2017-12-06  Matt Lewis  <jlewis3@apple.com>
 

trunk/LayoutTests/TestExpectations

@@ -146 +146 @@
 # Skip service worker tests that are timing out.
 imported/w3c/web-platform-tests/fetch/api/abort/general-serviceworker.https.html [ Skip ]
-imported/w3c/web-platform-tests/service-workers/service-worker/detached-context.https.html [ Skip ]
 imported/w3c/web-platform-tests/service-workers/service-worker/extendable-event-waituntil.https.html [ Skip ]
 imported/w3c/web-platform-tests/service-workers/service-worker/fetch-event-respond-with-partial-stream.https.html [ Skip ]

trunk/LayoutTests/fast/dom/navigator-detached-no-crash-expected.txt

@@ +1 @@
+CONSOLE MESSAGE: Unhandled Promise Rejection: TypeError: Not enough arguments
 This tests that the navigator object of a deleted frame is disconnected properly. Accessing fields or methods shouldn't crash the browser. 
  Check Navigator

trunk/LayoutTests/http/tests/media/media-stream/disconnected-frame-expected.txt

@@ -1 @@
-frame "<!--framePath //<!--frame0-->-->" - has 1 onunload handler(s)
 Tests that when a request is made on a UserMedia object and its Frame is disconnected before a callback is made, the error callback is invoked with the correct error message.
 

trunk/LayoutTests/http/tests/media/media-stream/disconnected-frame-permission-denied-expected.txt

@@ -1 @@
-frame "<!--framePath //<!--frame0-->-->" - has 1 onunload handler(s)
 Tests that when a getUserMedia request is made, permission is denied and its Frame is disconnected before a callback is made, the error callback is invoked with PERMISSION_DENIED.
 
@@ -7 +6 @@
 PASS error.name is "NotAllowedError"
 
-PASS No callbacks invoked
+PASS Error callback invoked
 PASS successfullyParsed is true
 

trunk/LayoutTests/http/tests/media/media-stream/disconnected-frame-permission-denied.html

@@ -18 +18 @@
 function onIframeLoaded() {
     iframeNavigator = iframe.contentWindow.navigator;
+    iframe.contentWindow.onunload = onIframeUnloaded;
     iframeNavigator.mediaDevices.getUserMedia(options)
         .then(stream => {
@@ -39 +40 @@
         })
         .catch(err => {
-            testFailed('Error callback invoked unexpectedly');
+            testPassed('Error callback invoked');
             finishJSTest();
         });
     setTimeout(function() {
-        testPassed('No callbacks invoked');
+        testFailed('No callbacks invoked');
         finishJSTest();
     }, 100);

trunk/LayoutTests/http/tests/media/media-stream/disconnected-frame.html

@@ -14 +14 @@
 function onIframeLoaded() {
     iframeNavigator = iframe.contentWindow.navigator;
-    iframe.src = 'data:text/html,This frame should be visible when the test completes';
+    iframe.remove();
+    onIframeUnloaded();
 }
 

trunk/LayoutTests/http/tests/media/media-stream/resources/disconnected-frame-inner.html

@@ -3 +3 @@
   <head>
   </head>
-  <body onload="window.parent.onIframeLoaded()" onunload="window.parent.onIframeUnloaded();">
+  <body onload="window.parent.onIframeLoaded()">
     <p>This frame should be replaced before the test ends</p>
   </body>

trunk/LayoutTests/imported/w3c/ChangeLog

@@ +1 @@
+2017-12-06  Chris Dumez  <cdumez@apple.com>
+
+        ServiceWorkers API should reject promises when calling objects inside detached frames
+        https://bugs.webkit.org/show_bug.cgi?id=180444
+
+        Reviewed by Youenn Fablet.
+
+        Rebaseline test now that it is passing some checks.
+
+        * web-platform-tests/service-workers/service-worker/detached-context.https-expected.txt:
+        * web-platform-tests/service-workers/service-worker/register-closed-window.https-expected.txt:
+
 2017-12-06  Youenn Fablet  <youenn@apple.com>
 

trunk/LayoutTests/imported/w3c/web-platform-tests/service-workers/service-worker/detached-context.https-expected.txt

@@ -1 +1 @@
 
-Harness Error (TIMEOUT), message = null
 
-TIMEOUT accessing a ServiceWorkerRegistration from a removed iframe Test timed out
-NOTRUN accessing a ServiceWorker object from a removed iframe 
-NOTRUN accessing navigator.serviceWorker on a detached iframe 
+PASS accessing a ServiceWorkerRegistration from a removed iframe 
+PASS accessing a ServiceWorker object from a removed iframe 
+PASS accessing navigator.serviceWorker on a detached iframe 
 FAIL accessing navigator on a removed frame assert_throws: function "() => get_navigator()" did not throw
 FAIL accessing navigator.serviceWorker on a removed about:blank frame undefined is not an object (evaluating 'get_navigator().serviceWorker')

trunk/LayoutTests/imported/w3c/web-platform-tests/service-workers/service-worker/ready.https-expected.txt

@@ +1 @@
+CONSOLE MESSAGE: Unhandled Promise Rejection: InvalidStateError: The object is in an invalid state.
+CONSOLE MESSAGE: Unhandled Promise Rejection: InvalidStateError: The object is in an invalid state.
 
 PASS ready returns the same Promise object 

trunk/LayoutTests/imported/w3c/web-platform-tests/service-workers/service-worker/register-closed-window.https-expected.txt

@@ +1 @@
+CONSOLE MESSAGE: Unhandled Promise Rejection: TypeError: serviceWorker.register() must be called with a valid relative script URL
 
 PASS Call register() on ServiceWorkerContainer owned by closed window. 

trunk/LayoutTests/platform/gtk/fast/dom/navigator-detached-no-crash-expected.txt

@@ +1 @@
+CONSOLE MESSAGE: Unhandled Promise Rejection: TypeError: Not enough arguments
 This tests that the navigator object of a deleted frame is disconnected properly. Accessing fields or methods shouldn't crash the browser. 
  Check Navigator

trunk/LayoutTests/platform/mac-elcapitan-wk2/fast/dom/navigator-detached-no-crash-expected.txt

@@ +1 @@
+CONSOLE MESSAGE: Unhandled Promise Rejection: TypeError: Not enough arguments
 This tests that the navigator object of a deleted frame is disconnected properly. Accessing fields or methods shouldn't crash the browser. 
  Check Navigator

trunk/LayoutTests/platform/mac-wk1/fast/dom/navigator-detached-no-crash-expected.txt

@@ +1 @@
+CONSOLE MESSAGE: Unhandled Promise Rejection: TypeError: Not enough arguments
 This tests that the navigator object of a deleted frame is disconnected properly. Accessing fields or methods shouldn't crash the browser. 
  Check Navigator

trunk/LayoutTests/platform/win/fast/dom/navigator-detached-no-crash-expected.txt

@@ +1 @@
+CONSOLE MESSAGE: Unhandled Promise Rejection: TypeError: Not enough arguments
 This tests that the navigator object of a deleted frame is disconnected properly. Accessing fields or methods shouldn't crash the browser. 
  Check Navigator

trunk/Source/WebCore/ChangeLog

@@ +1 @@
+2017-12-06  Chris Dumez  <cdumez@apple.com>
+
+        ServiceWorkers API should reject promises when calling objects inside detached frames
+        https://bugs.webkit.org/show_bug.cgi?id=180444
+
+        Reviewed by Youenn Fablet.
+
+        ServiceWorkers API should reject promises when calling objects inside detached frames.
+
+        No new tests, rebaselined existing test.
+
+        * bindings/js/JSDOMPromiseDeferred.h:
+        (WebCore::callPromiseFunction):
+        Use the caller's globalObject instead of the lexicalGlobalObject when constructing the
+        deferred promise. The bug became visible when working on this service worker bug since
+        rejecting the promise when the frame is detached did not actually work. The issue is
+        that since the promise was created with the detached frame's globalObject, then it was
+        suspended and would not run script.
+
+        * bindings/js/JSDOMWindowBase.cpp:
+        (WebCore::callerGlobalObject):
+        (WebCore::incumbentDOMWindow):
+        * bindings/js/JSDOMWindowBase.h:
+        Add convenience function to get the caller's globalObject. It was carved out of
+        incumbentDOMWindow().
+
+        * workers/service/ServiceWorker.cpp:
+        (WebCore::ServiceWorker::postMessage):
+        * workers/service/ServiceWorkerContainer.cpp:
+        (WebCore::ServiceWorkerContainer::addRegistration):
+        (WebCore::ServiceWorkerContainer::getRegistration):
+        (WebCore::ServiceWorkerContainer::getRegistrations):
+        * workers/service/ServiceWorkerRegistration.cpp:
+        (WebCore::ServiceWorkerRegistration::update):
+        (WebCore::ServiceWorkerRegistration::unregister):
+        Reject the promise when m_isStopped flag is set (i.e. ActiveDOMObject::stop()
+        has been called).
+
 2017-12-06  Said Abou-Hallawa  <sabouhallawa@apple.com>
 

trunk/Source/WebCore/bindings/js/JSDOMGlobalObject.cpp

@@ -272 +272 @@
 }
 
+JSDOMGlobalObject& callerGlobalObject(ExecState& state)
+{
+    class GetCallerGlobalObjectFunctor {
+    public:
+        GetCallerGlobalObjectFunctor() = default;
+
+        StackVisitor::Status operator()(StackVisitor& visitor) const
+        {
+            if (!m_hasSkippedFirstFrame) {
+                m_hasSkippedFirstFrame = true;
+                return StackVisitor::Continue;
+            }
+
+            if (auto* codeBlock = visitor->codeBlock())
+                m_globalObject = codeBlock->globalObject();
+            else {
+                ASSERT(visitor->callee().rawPtr());
+                // FIXME: Callee is not an object if the caller is Web Assembly.
+                // Figure out what to do here. We can probably get the global object
+                // from the top-most Wasm Instance. https://bugs.webkit.org/show_bug.cgi?id=165721
+                if (visitor->callee().isCell() && visitor->callee().asCell()->isObject())
+                    m_globalObject = jsCast<JSObject*>(visitor->callee().asCell())->globalObject();
+            }
+            return StackVisitor::Done;
+        }
+
+        JSGlobalObject* globalObject() const { return m_globalObject; }
+
+    private:
+        mutable bool m_hasSkippedFirstFrame { false };
+        mutable JSGlobalObject* m_globalObject { nullptr };
+    };
+
+    GetCallerGlobalObjectFunctor iter;
+    state.iterate(iter);
+    return *jsCast<JSDOMGlobalObject*>(iter.globalObject() ? iter.globalObject() : state.vmEntryGlobalObject());
+}
+
 } // namespace WebCore

trunk/Source/WebCore/bindings/js/JSDOMGlobalObject.h

@@ -130 +130 @@
 JSDOMGlobalObject* toJSDOMGlobalObject(ScriptExecutionContext*, DOMWrapperWorld&);
 
+WEBCORE_EXPORT JSDOMGlobalObject& callerGlobalObject(JSC::ExecState&);
+
 } // namespace WebCore

trunk/Source/WebCore/bindings/js/JSDOMPromiseDeferred.h

@@ -265 +265 @@
     auto scope = DECLARE_CATCH_SCOPE(vm);
 
-    JSDOMGlobalObject& globalObject = *JSC::jsCast<JSDOMGlobalObject*>(state.lexicalGlobalObject());
+    auto& globalObject = callerGlobalObject(state);
     JSC::JSPromiseDeferred* promiseDeferred = JSC::JSPromiseDeferred::create(&state, &globalObject);
 
@@ -285 +285 @@
     auto scope = DECLARE_CATCH_SCOPE(vm);
 
-    JSDOMGlobalObject& globalObject = *JSC::jsCast<JSDOMGlobalObject*>(state.lexicalGlobalObject());
+    auto& globalObject = callerGlobalObject(state);
     JSC::JSPromiseDeferred* promiseDeferred = JSC::JSPromiseDeferred::create(&state, &globalObject);
 

trunk/Source/WebCore/bindings/js/JSDOMWindowBase.cpp

@@ -290 +290 @@
 DOMWindow& incumbentDOMWindow(ExecState& state)
 {
-    class GetCallerGlobalObjectFunctor {
-    public:
-        GetCallerGlobalObjectFunctor() = default;
-
-        StackVisitor::Status operator()(StackVisitor& visitor) const
-        {
-            if (!m_hasSkippedFirstFrame) {
-                m_hasSkippedFirstFrame = true;
-                return StackVisitor::Continue;
-            }
-
-            if (auto* codeBlock = visitor->codeBlock())
-                m_globalObject = codeBlock->globalObject();
-            else {
-                ASSERT(visitor->callee().rawPtr());
-                // FIXME: Callee is not an object if the caller is Web Assembly.
-                // Figure out what to do here. We can probably get the global object
-                // from the top-most Wasm Instance. https://bugs.webkit.org/show_bug.cgi?id=165721
-                if (visitor->callee().isCell() && visitor->callee().asCell()->isObject())
-                    m_globalObject = jsCast<JSObject*>(visitor->callee().asCell())->globalObject();
-            }
-            return StackVisitor::Done;
-        }
-
-        JSGlobalObject* globalObject() const { return m_globalObject; }
-
-    private:
-        mutable bool m_hasSkippedFirstFrame { false };
-        mutable JSGlobalObject* m_globalObject { nullptr };
-    };
-
-    GetCallerGlobalObjectFunctor iter;
-    state.iterate(iter);
-    return iter.globalObject() ? asJSDOMWindow(iter.globalObject())->wrapped() : firstDOMWindow(state);
+    return asJSDOMWindow(&callerGlobalObject(state))->wrapped();
 }
 

trunk/Source/WebCore/workers/service/ServiceWorker.cpp

@@ -89 +89 @@
 ExceptionOr<void> ServiceWorker::postMessage(ScriptExecutionContext& context, JSC::JSValue messageValue, Vector<JSC::Strong<JSC::JSObject>>&& transfer)
 {
+    if (m_isStopped)
+        return Exception { InvalidStateError };
+
     if (state() == State::Redundant)
         return Exception { InvalidStateError, ASCIILiteral("Service Worker state is redundant") };

trunk/Source/WebCore/workers/service/ServiceWorkerContainer.cpp

@@ -112 +112 @@
 {
     auto* context = scriptExecutionContext();
-    if (!context || !context->sessionID().isValid()) {
-        ASSERT_NOT_REACHED();
+    if (m_isStopped || !context->sessionID().isValid()) {
         promise->reject(Exception(InvalidStateError));
         return;
@@ -235 +234 @@
 void ServiceWorkerContainer::getRegistration(const String& clientURL, Ref<DeferredPromise>&& promise)
 {
-    auto* context = scriptExecutionContext();
-    if (!context) {
-        ASSERT_NOT_REACHED();
+    if (m_isStopped) {
         promise->reject(Exception { InvalidStateError });
         return;
     }
 
-    URL parsedURL = context->completeURL(clientURL);
-    if (!protocolHostAndPortAreEqual(parsedURL, context->url())) {
+    ASSERT(scriptExecutionContext());
+    auto& context = *scriptExecutionContext();
+
+    URL parsedURL = context.completeURL(clientURL);
+    if (!protocolHostAndPortAreEqual(parsedURL, context.url())) {
         promise->reject(Exception { SecurityError, ASCIILiteral("Origin of clientURL is not client's origin") });
         return;
@@ -253 +253 @@
 
     auto contextIdentifier = this->contextIdentifier();
-    callOnMainThread([connection = makeRef(ensureSWClientConnection()), this, topOrigin = context->topOrigin().isolatedCopy(), parsedURL = parsedURL.isolatedCopy(), contextIdentifier, pendingPromiseIdentifier]() mutable {
+    callOnMainThread([connection = makeRef(ensureSWClientConnection()), this, topOrigin = context.topOrigin().isolatedCopy(), parsedURL = parsedURL.isolatedCopy(), contextIdentifier, pendingPromiseIdentifier]() mutable {
         connection->matchRegistration(topOrigin, parsedURL, [this, contextIdentifier, pendingPromiseIdentifier] (auto&& result) mutable {
             ScriptExecutionContext::postTaskTo(contextIdentifier, [this, pendingPromiseIdentifier, result = crossThreadCopy(result)](ScriptExecutionContext&) mutable {
@@ -301 +301 @@
 void ServiceWorkerContainer::getRegistrations(Ref<DeferredPromise>&& promise)
 {
-    auto* context = scriptExecutionContext();
-    if (!context) {
+    if (m_isStopped) {
         promise->reject(Exception { InvalidStateError });
         return;
     }
+
+    ASSERT(scriptExecutionContext());
+    auto& context = *scriptExecutionContext();
 
     uint64_t pendingPromiseIdentifier = ++m_lastPendingPromiseIdentifier;
@@ -312 +314 @@
 
     auto contextIdentifier = this->contextIdentifier();
-    auto contextURL = context->url();
-    callOnMainThread([connection = makeRef(ensureSWClientConnection()), this, topOrigin = context->topOrigin().isolatedCopy(), contextURL = contextURL.isolatedCopy(), contextIdentifier, pendingPromiseIdentifier]() mutable {
+    auto contextURL = context.url();
+    callOnMainThread([connection = makeRef(ensureSWClientConnection()), this, topOrigin = context.topOrigin().isolatedCopy(), contextURL = contextURL.isolatedCopy(), contextIdentifier, pendingPromiseIdentifier]() mutable {
         connection->getRegistrations(topOrigin, contextURL, [this, contextIdentifier, pendingPromiseIdentifier] (auto&& registrationDatas) mutable {
             ScriptExecutionContext::postTaskTo(contextIdentifier, [this, pendingPromiseIdentifier, registrationDatas = crossThreadCopy(registrationDatas)](ScriptExecutionContext&) mutable {

trunk/Source/WebCore/workers/service/ServiceWorkerRegistration.cpp

@@ -115 +115 @@
 void ServiceWorkerRegistration::update(Ref<DeferredPromise>&& promise)
 {
-    auto* context = scriptExecutionContext();
-    if (!context) {
+    if (m_isStopped) {
         promise->reject(Exception(InvalidStateError));
         return;
@@ -133 +132 @@
 void ServiceWorkerRegistration::unregister(Ref<DeferredPromise>&& promise)
 {
-    auto* context = scriptExecutionContext();
-    if (!context) {
+    if (m_isStopped) {
         promise->reject(Exception(InvalidStateError));
         return;