Changeset 250843 in webkit


Timestamp:
Oct 8, 2019 11:39:04 AM (5 years ago)
Author:
Chris Dumez
Message:

Make sure ActiveDOMObject properly deals with detached documents
https://bugs.webkit.org/show_bug.cgi?id=202596

Reviewed by Geoffrey Garen.

For detached documents, the script execution context is their context document.
The ActiveDOMObject constructor taking a Document& would make sure to get the
document's contextDocument. However, if the ActiveDOMObject constructor taking
a ScriptExecutionContext* is called, it would assume this is the right script
execution context, which is unsafe. In this patch, all ActiveDOMObject
constructors now check for detached documents and make sure to use their
context document when necessary.

  • dom/ActiveDOMObject.cpp:

(WebCore::suitableScriptExecutionContext):
(WebCore::ActiveDOMObject::ActiveDOMObject):

  • dom/ActiveDOMObject.h:
  • dom/Document.h:
Location:
trunk/Source/WebCore
Files:
4 edited

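--- a/trunk/Source/WebCore/ChangeLog
+++ b/trunk/Source/WebCore/ChangeLog
@@ -1,2 +1,23 @@
+2019-10-08  Chris Dumez  <cdumez@apple.com>
+
+        Make sure ActiveDOMObject properly deals with detached documents
+        https://bugs.webkit.org/show_bug.cgi?id=202596
+
+        Reviewed by Geoffrey Garen.
+
+        For detached document, the script execution context is their context document.
+        The ActiveDOMObject constructor taking a Document& would make sure to get the
+        document's contextDocument. However, if the ActiveDOMObject constructor taking
+        a ScriptExecutionContext* is called, it would assume this is the right script
+        execution context, which is unsafe. In this patch, all ActiveDOMObject
+        constructors now check for detached documents and make sure to use their
+        context document when necessary.
+
+        * dom/ActiveDOMObject.cpp:
+        (WebCore::suitableScriptExecutionContext):
+        (WebCore::ActiveDOMObject::ActiveDOMObject):
+        * dom/ActiveDOMObject.h:
+        * dom/Document.h:
+
 2019-10-08  Ross Kirsling  <ross.kirsling@sony.com>
 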
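--- a/trunk/Source/WebCore/dom/ActiveDOMObject.cpp
+++ b/trunk/Source/WebCore/dom/ActiveDOMObject.cpp
@@ -33,17 +33,34 @@
 namespace WebCore {
 
-ActiveDOMObject::ActiveDOMObject(ScriptExecutionContext* scriptExecutionContext)
-    : ContextDestructionObserver(scriptExecutionContext)
-    , m_pendingActivityCount(0)
-#if !ASSERT_DISABLED
-    , m_suspendIfNeededWasCalled(false)
-#endif
+static inline ScriptExecutionContext* suitableScriptExecutionContext(ScriptExecutionContext* scriptExecutionContext)
 {
-    ASSERT(!is<Document>(m_scriptExecutionContext) || &downcast<Document>(m_scriptExecutionContext)->contextDocument() == downcast<Document>(m_scriptExecutionContext));
-    if (!m_scriptExecutionContext)
+    // For detached documents, make sure we observe their context document instead.
+    return is<Document>(scriptExecutionContext) ? &downcast<Document>(*scriptExecutionContext).contextDocument() : scriptExecutionContext;
+}
+
+inline ActiveDOMObject::ActiveDOMObject(ScriptExecutionContext* context, CheckedScriptExecutionContextType)
+    : ContextDestructionObserver(context)
+{
+    ASSERT(!is<Document>(context) || &downcast<Document>(context)->contextDocument() == downcast<Document>(context));
+    if (!context)
         return;
 
-    ASSERT(m_scriptExecutionContext->isContextThread());
-    m_scriptExecutionContext->didCreateActiveDOMObject(*this);
+    ASSERT(context->isContextThread());
+    context->didCreateActiveDOMObject(*this);
+}
+
+ActiveDOMObject::ActiveDOMObject(ScriptExecutionContext* scriptExecutionContext)
+    : ActiveDOMObject(suitableScriptExecutionContext(scriptExecutionContext), CheckedScriptExecutionContext)
+{
+}
+
+ActiveDOMObject::ActiveDOMObject(Document* document)
+    : ActiveDOMObject(document ? &document->contextDocument() : nullptr, CheckedScriptExecutionContext)
+{
+}
+
+ActiveDOMObject::ActiveDOMObject(Document& document)
+    : ActiveDOMObject(&document.contextDocument(), CheckedScriptExecutionContext)
+{
 }
 
@@ -92,9 +109,4 @@
 }
 
-bool ActiveDOMObject::canSuspendForDocumentSuspension() const
-{
-    return false;
-}
-
 void ActiveDOMObject::suspend(ReasonForSuspension)
 {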
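Review bot: The `Document*` and `Document&` constructors (new lines 57–64) re-derive the detached-document rule inline instead of routing through the new `suitableScriptExecutionContext()`, so the same invariant is now expressed in two forms in one file; delegating both as `: ActiveDOMObject(suitableScriptExecutionContext(document), CheckedScriptExecutionContext)` keeps a single source of truth, and the null case is already covered because WTF's pointer overload of `is<>` yields false for nullptr, which the `ScriptExecutionContext*` constructor relies on too. The tagged constructor's ASSERT on line 44 only documents the "already resolved" precondition in debug builds, so a one-line comment such as `// context must already be a context document; callers go through suitableScriptExecutionContext().` would keep a future caller of the private constructor from bypassing the resolution in release builds. Both points assume `Document::contextDocument()` returns the document itself when it has no separate context document, which this hunk does not show.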
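--- a/trunk/Source/WebCore/dom/ActiveDOMObject.h
+++ b/trunk/Source/WebCore/dom/ActiveDOMObject.h
@@ -117,12 +117,15 @@
 protected:
     explicit ActiveDOMObject(ScriptExecutionContext*);
-    explicit ActiveDOMObject(Document*) = delete;
-    explicit ActiveDOMObject(Document&); // Implemented in Document.h
+    explicit ActiveDOMObject(Document*);
+    explicit ActiveDOMObject(Document&);
     virtual ~ActiveDOMObject();
 
 private:
-    unsigned m_pendingActivityCount;
+    enum CheckedScriptExecutionContextType { CheckedScriptExecutionContext };
+    ActiveDOMObject(ScriptExecutionContext*, CheckedScriptExecutionContextType);
+
+    unsigned m_pendingActivityCount { 0 };
 #if !ASSERT_DISABLED
-    bool m_suspendIfNeededWasCalled;
+    bool m_suspendIfNeededWasCalled { false };
     Ref<Thread> m_creationThread { Thread::current() };
 #endif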
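Review bot: `CheckedScriptExecutionContextType` and the private tagged constructor (new lines 124–125) carry no comment saying what "checked" means, so a reader of the header cannot tell why the three public overloads exist alongside it or what precondition the tag certifies; suggest `// Tag for the delegating constructor: the context has already been resolved to its context document (see suitableScriptExecutionContext() in ActiveDOMObject.cpp).` above the enum. The `Document*` overload on line 119 was `= delete` before and is now a real constructor, and the reason for the old deletion (a `Document*` silently binding to the `ScriptExecutionContext*` overload) is no longer recorded anywhere; a short comment such as `// Resolves document->contextDocument(); null is allowed.` would preserve that intent.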
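--- a/trunk/Source/WebCore/dom/Document.h
+++ b/trunk/Source/WebCore/dom/Document.h
@@ -2105,9 +2105,4 @@
 }
 
-inline ActiveDOMObject::ActiveDOMObject(Document& document)
-    : ActiveDOMObject(static_cast<ScriptExecutionContext*>(&document.contextDocument()))
-{
-}
-
 } // namespace WebCore
 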