Changeset 236227 in webkit

Timestamp:

Sep 19, 2018 2:58:45 PM (6 years ago)

Author:

Chris Dumez

Message:

Crash under WebPageProxy::decidePolicyForNavigationAction()
​https://bugs.webkit.org/show_bug.cgi?id=189763
<rdar://problem/44597111>

Reviewed by Alex Christensen.

Update WebNavigationState::navigation() / WebNavigationState::takeNavigation()
to return a pointer instead of a reference as we have evidence that they can
return null. I kept the debug assertions to try and catch the cases where we
return null but at least we stop crashing in release builds.

• UIProcess/WebNavigationState.cpp:

(WebKit::WebNavigationState::navigation):
(WebKit::WebNavigationState::takeNavigation):

• UIProcess/WebNavigationState.h:
• UIProcess/WebPageProxy.cpp:

(WebKit::WebPageProxy::didStartProvisionalLoadForFrame):
(WebKit::WebPageProxy::didReceiveServerRedirectForProvisionalLoadForFrame):
(WebKit::WebPageProxy::didCommitLoadForFrame):
(WebKit::WebPageProxy::didFinishDocumentLoadForFrame):
(WebKit::WebPageProxy::didFinishLoadForFrame):
(WebKit::WebPageProxy::didFailLoadForFrame):
(WebKit::WebPageProxy::didSameDocumentNavigationForFrame):
(WebKit::WebPageProxy::decidePolicyForNavigationAction):
(WebKit::WebPageProxy::decidePolicyForResponse):

Location:

trunk/Source/WebKit

Files:

• ChangeLog (modified) (1 diff)
• UIProcess/WebNavigationState.cpp (modified) (1 diff)
• UIProcess/WebNavigationState.h (modified) (1 diff)
• UIProcess/WebPageProxy.cpp (modified) (10 diffs)

trunk/Source/WebKit/ChangeLog

@@ +1 @@
+2018-09-19  Chris Dumez  <cdumez@apple.com>
+
+        Crash under WebPageProxy::decidePolicyForNavigationAction()
+        https://bugs.webkit.org/show_bug.cgi?id=189763
+        <rdar://problem/44597111>
+
+        Reviewed by Alex Christensen.
+
+        Update WebNavigationState::navigation() / WebNavigationState::takeNavigation()
+        to return a pointer instead of a reference as we have evidence that they can
+        return null. I kept the debug assertions to try and catch the cases where we
+        return null but at least we stop crashing in release builds.
+
+        * UIProcess/WebNavigationState.cpp:
+        (WebKit::WebNavigationState::navigation):
+        (WebKit::WebNavigationState::takeNavigation):
+        * UIProcess/WebNavigationState.h:
+        * UIProcess/WebPageProxy.cpp:
+        (WebKit::WebPageProxy::didStartProvisionalLoadForFrame):
+        (WebKit::WebPageProxy::didReceiveServerRedirectForProvisionalLoadForFrame):
+        (WebKit::WebPageProxy::didCommitLoadForFrame):
+        (WebKit::WebPageProxy::didFinishDocumentLoadForFrame):
+        (WebKit::WebPageProxy::didFinishLoadForFrame):
+        (WebKit::WebPageProxy::didFailLoadForFrame):
+        (WebKit::WebPageProxy::didSameDocumentNavigationForFrame):
+        (WebKit::WebPageProxy::decidePolicyForNavigationAction):
+        (WebKit::WebPageProxy::decidePolicyForResponse):
+
 2018-09-19  Chris Dumez  <cdumez@apple.com>
 

trunk/Source/WebKit/UIProcess/WebNavigationState.cpp

@@ -78 +78 @@
 }
 
-API::Navigation& WebNavigationState::navigation(uint64_t navigationID)
+API::Navigation* WebNavigationState::navigation(uint64_t navigationID)
 {
     ASSERT(navigationID);
     ASSERT(m_navigations.contains(navigationID));
 
-    return *m_navigations.get(navigationID);
+    return m_navigations.get(navigationID);
 }
 
-Ref<API::Navigation> WebNavigationState::takeNavigation(uint64_t navigationID)
+RefPtr<API::Navigation> WebNavigationState::takeNavigation(uint64_t navigationID)
 {
     ASSERT(navigationID);
     ASSERT(m_navigations.contains(navigationID));
     
-    return m_navigations.take(navigationID).releaseNonNull();
+    return m_navigations.take(navigationID);
 }
 

trunk/Source/WebKit/UIProcess/WebNavigationState.h

@@ -54 +54 @@
     Ref<API::Navigation> createLoadDataNavigation();
 
-    API::Navigation& navigation(uint64_t navigationID);
-    Ref<API::Navigation> takeNavigation(uint64_t navigationID);
+    API::Navigation* navigation(uint64_t navigationID);
+    RefPtr<API::Navigation> takeNavigation(uint64_t navigationID);
     void didDestroyNavigation(uint64_t navigationID);
     void clearAllNavigations();

trunk/Source/WebKit/UIProcess/WebPageProxy.cpp

@@ -3461 +3461 @@
     RefPtr<API::Navigation> navigation;
     if (frame->isMainFrame() && navigationID)
-        navigation = &navigationState().navigation(navigationID);
+        navigation = navigationState().navigation(navigationID);
 
     // If this seemingly new load is actually continuing a server redirect for a previous navigation in a new process,
@@ -3508 +3508 @@
     RefPtr<API::Navigation> navigation;
     if (navigationID) {
-        navigation = &navigationState().navigation(navigationID);
+        navigation = navigationState().navigation(navigationID);
         navigation->appendRedirectionURL(request.url());
     }
@@ -3635 +3635 @@
     RefPtr<API::Navigation> navigation;
     if (frame->isMainFrame() && navigationID)
-        navigation = &navigationState().navigation(navigationID);
+        navigation = navigationState().navigation(navigationID);
 
     m_hasCommittedAnyProvisionalLoads = true;
@@ -3727 +3727 @@
     RefPtr<API::Navigation> navigation;
     if (frame->isMainFrame() && navigationID)
-        navigation = &navigationState().navigation(navigationID);
+        navigation = navigationState().navigation(navigationID);
 
     if (frame->isMainFrame())
@@ -3745 +3745 @@
     RefPtr<API::Navigation> navigation;
     if (frame->isMainFrame() && navigationID)
-        navigation = &navigationState().navigation(navigationID);
+        navigation = navigationState().navigation(navigationID);
 
     auto transaction = m_pageLoadState.transaction();
@@ -3788 +3788 @@
     RefPtr<API::Navigation> navigation;
     if (frame->isMainFrame() && navigationID)
-        navigation = &navigationState().navigation(navigationID);
+        navigation = navigationState().navigation(navigationID);
 
     clearLoadDependentCallbacks();
@@ -3829 +3829 @@
     RefPtr<API::Navigation> navigation;
     if (frame->isMainFrame() && navigationID)
-        navigation = &navigationState().navigation(navigationID);
+        navigation = navigationState().navigation(navigationID);
 
     auto transaction = m_pageLoadState.transaction();
@@ -4003 +4003 @@
     RefPtr<API::Navigation> navigation;
     if (navigationID)
-        navigation = makeRef(m_navigationState->navigation(navigationID));
+        navigation = m_navigationState->navigation(navigationID);
 
     if (auto targetBackForwardItemIdentifier = navigationActionData.targetBackForwardItemIdentifier) {
@@ -4035 +4035 @@
 #if ENABLE(CONTENT_FILTERING)
     if (frame->didHandleContentFilterUnblockNavigation(request))
-        return receivedPolicyDecision(PolicyAction::Ignore, &m_navigationState->navigation(newNavigationID), std::nullopt, WTFMove(sender));
+        return receivedPolicyDecision(PolicyAction::Ignore, m_navigationState->navigation(newNavigationID), std::nullopt, WTFMove(sender));
 #else
     UNUSED_PARAM(newNavigationID);
@@ -4129 +4129 @@
     MESSAGE_CHECK_URL(response.url());
 
-    RefPtr<API::Navigation> navigation = navigationID ? &m_navigationState->navigation(navigationID) : nullptr;
+    RefPtr<API::Navigation> navigation = navigationID ? m_navigationState->navigation(navigationID) : nullptr;
     auto listener = makeRef(frame->setUpPolicyListenerProxy([this, protectedThis = makeRef(*this), frameID, listenerID, navigation = WTFMove(navigation)] (WebCore::PolicyAction policyAction, API::WebsitePolicies*, ProcessSwapRequestedByClient processSwapRequestedByClient, Vector<Ref<SafeBrowsingResult>>&& safeBrowsingResults) mutable {
         // FIXME: Assert the API::WebsitePolicies* is nullptr here once clients of WKFramePolicyListenerUseWithPolicies go away.