Changeset 241848 in webkit
- Timestamp: Feb 20, 2019 4:06:27 PM (5 years ago)
- Location: trunk/Source/WebCore
- Files: 3 edited
trunk/Source/WebCore/ChangeLog
r241842 r241848 1 2019-02-20 Ryosuke Niwa <rniwa@webkit.org> 2 3 Crash in DOMWindowExtension::suspendForPageCache 4 https://bugs.webkit.org/show_bug.cgi?id=194871 5 6 Reviewed by Chris Dumez. 7 8 This is a speculative fix for a crash in DOMWindowExtension::suspendForPageCache. 9 10 We think it's possible for DOMWindowExtension::suspendForPageCache notifying the clients via 11 dispatchWillDisconnectDOMWindowExtensionFromGlobalObject to remove other DOMWindowExtension's. 12 Check that each DOMWindowProperty is still in m_properties before invoking suspendForPageCache 13 to avoid the crash. 14 15 * page/DOMWindow.cpp: 16 (WebCore::DOMWindow::willDestroyCachedFrame): 17 (WebCore::DOMWindow::willDestroyDocumentInFrame): 18 (WebCore::DOMWindow::willDetachDocumentFromFrame): 19 (WebCore::DOMWindow::suspendForPageCache): 20 (WebCore::DOMWindow::resumeFromPageCache): 21 * page/DOMWindowExtension.cpp: 22 (WebCore::DOMWindowExtension::suspendForPageCache): 23 1 24 2019-02-20 Alex Christensen <achristensen@webkit.org> 2 25 -
trunk/Source/WebCore/page/DOMWindow.cpp
r241432 r241848 457 457 // It is necessary to copy m_properties to a separate vector because the DOMWindowProperties may 458 458 // unregister themselves from the DOMWindow as a result of the call to willDestroyGlobalObjectInCachedFrame. 459 for (auto& property : copyToVector(m_properties)) 460 property->willDestroyGlobalObjectInCachedFrame(); 459 for (auto* property : copyToVector(m_properties)) { 460 if (m_properties.contains(property)) 461 property->willDestroyGlobalObjectInCachedFrame(); 462 } 461 463 } 462 464 … … 465 467 // It is necessary to copy m_properties to a separate vector because the DOMWindowProperties may 466 468 // unregister themselves from the DOMWindow as a result of the call to willDestroyGlobalObjectInFrame. 467 for (auto& property : copyToVector(m_properties)) 468 property->willDestroyGlobalObjectInFrame(); 469 for (auto* property : copyToVector(m_properties)) { 470 if (m_properties.contains(property)) 471 property->willDestroyGlobalObjectInFrame(); 472 } 469 473 } 470 474 … … 476 480 // It is necessary to copy m_properties to a separate vector because the DOMWindowProperties may 477 481 // unregister themselves from the DOMWindow as a result of the call to willDetachGlobalObjectFromFrame. 
478 for (auto& property : copyToVector(m_properties)) 479 property->willDetachGlobalObjectFromFrame(); 482 for (auto& property : copyToVector(m_properties)) { 483 if (m_properties.contains(property)) 484 property->willDetachGlobalObjectFromFrame(); 485 } 480 486 481 487 if (m_performance) … … 521 527 void DOMWindow::suspendForPageCache() 522 528 { 523 for (auto& property : copyToVector(m_properties)) 524 property->suspendForPageCache(); 529 for (auto* property : copyToVector(m_properties)) { 530 if (m_properties.contains(property)) 531 property->suspendForPageCache(); 532 } 525 533 526 534 m_suspendedForDocumentSuspension = true; … … 529 537 void DOMWindow::resumeFromPageCache() 530 538 { 531 for (auto& property : copyToVector(m_properties)) 532 property->resumeFromPageCache(); 539 for (auto* property : copyToVector(m_properties)) { 540 if (m_properties.contains(property)) 541 property->resumeFromPageCache(); 542 } 533 543 534 544 m_suspendedForDocumentSuspension = false; -
trunk/Source/WebCore/page/DOMWindowExtension.cpp
r237029 r241848 49 49 // while there is still work to do. 50 50 Ref<DOMWindowExtension> protectedThis(*this); 51 52 Frame* frame = this->frame();51 52 auto frame = makeRef(*this->frame()); 53 53 frame->loader().client().dispatchWillDisconnectDOMWindowExtensionFromGlobalObject(this); 54 54 55 m_disconnectedFrame = frame;55 m_disconnectedFrame = WTFMove(frame); 56 56 57 57 DOMWindowProperty::suspendForPageCache();
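Review bot: In trunk/Source/WebCore/ChangeLog, the description explains only the `m_properties.contains(property)` check; the `(WebCore::DOMWindowExtension::suspendForPageCache):` entry gives no reason for replacing `Frame* frame` with `makeRef(*this->frame())`. Because the fix is described as speculative, add a sentence stating what the Ref on the frame is meant to protect against, and say whether a test can be written for the crash.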
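Review bot: In trunk/Source/WebCore/page/DOMWindow.cpp, the loop that calls willDetachGlobalObjectFromFrame still reads `for (auto& property : copyToVector(m_properties))` while the other four loops were changed to `auto*`; use `auto*` there too so all five loops match. The existing comments explain why m_properties is copied but not why each entry is re-checked with `m_properties.contains(property)`. Extend them to say that an earlier callback may have removed the property, and add the same comment to suspendForPageCache and resumeFromPageCache, which have none.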
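Review bot: In trunk/Source/WebCore/page/DOMWindowExtension.cpp, `makeRef(*this->frame())` dereferences the result of frame() with no null check. The old code made the same assumption at `frame->loader()`, so this is not a new dereference, but since this function is the crash site named in the ChangeLog, make the assumption explicit: add an ASSERT or an early return before the dereference if frame() can be null when suspendForPageCache is reached.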