Changeset 269435 in webkit

Timestamp:

Nov 5, 2020 8:54:48 AM (3 years ago)

Author:

achristensen@apple.com

Message:

Store WeakPtr<Frame> instead of Frame*
​https://bugs.webkit.org/show_bug.cgi?id=218599

Reviewed by Youenn Fablet.

Source/WebCore:

No change in behavior, but this probably fixes some bugs.

• bindings/js/WindowProxy.cpp:

(WebCore::WindowProxy::WindowProxy):
(WebCore::WindowProxy::frame const):

• bindings/js/WindowProxy.h:

(WebCore::WindowProxy::frame const): Deleted.

• dom/Document.cpp:

(WebCore::Document::willBeRemovedFromFrame):
(WebCore::Document::canNavigateInternal):
(WebCore::Document::setDesignMode):
(WebCore::Document::getDesignMode const): Deleted.

• dom/Document.h:
• html/HTMLFrameOwnerElement.cpp:

(WebCore::HTMLFrameOwnerElement::setContentFrame):
(WebCore::HTMLFrameOwnerElement::disconnectContentFrame):

• html/HTMLFrameOwnerElement.h:

(WebCore::HTMLFrameOwnerElement::contentFrame const):

• inspector/agents/InspectorPageAgent.cpp:

(WebCore::InspectorPageAgent::frameForId):
(WebCore::InspectorPageAgent::frameId):

• inspector/agents/InspectorPageAgent.h:
• loader/DocumentLoader.cpp:

(WebCore::DocumentLoader::stopLoading):
(WebCore::DocumentLoader::willSendRequest):
(WebCore::DocumentLoader::commitLoad):
(WebCore::DocumentLoader::detachFromFrame):
(WebCore::DocumentLoader::removeSubresourceLoader):
(WebCore::DocumentLoader::subresourceLoaderFinishedLoadingOnePart):

• loader/DocumentWriter.cpp:

(WebCore::DocumentWriter::createDocument):
(WebCore::DocumentWriter::decoder):
(WebCore::DocumentWriter::setFrame):

• loader/DocumentWriter.h:

(WebCore::DocumentWriter::setFrame): Deleted.

• loader/FrameLoader.cpp:

(WebCore::FrameLoader::detachFromAllOpenedFrames):
(WebCore::FrameLoader::opener):
(WebCore::FrameLoader::setOpener):
(WebCore::FrameLoader::hasOpenedFrames const):
(WebCore::FrameLoader::addExtraFieldsToRequest):

• loader/FrameLoader.h:
• loader/FrameNetworkingContext.h:

(WebCore::FrameNetworkingContext::FrameNetworkingContext):
(WebCore::FrameNetworkingContext::frame const):

• loader/appcache/ApplicationCacheGroup.cpp:

(WebCore::ApplicationCacheGroup::update):
(WebCore::ApplicationCacheGroup::didFinishLoadingEntry):
(WebCore::ApplicationCacheGroup::didFailLoadingEntry):
(WebCore::ApplicationCacheGroup::didFailLoadingManifest):
(WebCore::ApplicationCacheGroup::startLoadingEntry):

• loader/appcache/ApplicationCacheGroup.h:
• page/AbstractFrame.h:
• page/Frame.cpp:

(WebCore::Frame::Frame):
(WebCore::Frame::addDestructionObserver):
(WebCore::Frame::removeDestructionObserver):

• page/Frame.h:
• page/FrameDestructionObserver.cpp:

(WebCore::FrameDestructionObserver::frame const):
(WebCore::FrameDestructionObserver::observeFrame):

• page/FrameDestructionObserver.h:

(WebCore::FrameDestructionObserver::frame const): Deleted.

• page/FrameTree.cpp:

(WebCore::FrameTree::FrameTree):
(WebCore::FrameTree::parent const):
(WebCore::FrameTree::appendChild):
(WebCore::FrameTree::removeChild):
(WebCore::FrameTree::traverseNextInPostOrder const):

• page/FrameTree.h:

(WebCore::FrameTree::previousSibling const):
(WebCore::FrameTree::lastChild const):
(WebCore::FrameTree::FrameTree): Deleted.

• rendering/RenderScrollbar.cpp:

(WebCore::RenderScrollbar::RenderScrollbar):

• rendering/RenderScrollbar.h:

Source/WebKit:

• WebProcess/WebPage/WebFrame.cpp:

(WebKit::WebFrame::initWithCoreMainFrame):
(WebKit::WebFrame::createSubframe):
(WebKit::WebFrame::coreFrame const):
(WebKit::WebFrame::info const):
(WebKit::WebFrame::handlesPageScaleGesture const):
(WebKit::WebFrame::requiresUnifiedScaleFactor const):

• WebProcess/WebPage/WebFrame.h:

(WebKit::WebFrame::coreFrame const): Deleted.

Location:

trunk/Source

Files:

• WebCore/ChangeLog (modified) (1 diff)
• WebCore/bindings/js/WindowProxy.cpp (modified) (2 diffs)
• WebCore/bindings/js/WindowProxy.h (modified) (3 diffs)
• WebCore/dom/Document.cpp (modified) (5 diffs)
• WebCore/dom/Document.h (modified) (1 diff)
• WebCore/html/HTMLFrameOwnerElement.cpp (modified) (2 diffs)
• WebCore/html/HTMLFrameOwnerElement.h (modified) (2 diffs)
• WebCore/inspector/agents/InspectorPageAgent.cpp (modified) (2 diffs)
• WebCore/inspector/agents/InspectorPageAgent.h (modified) (1 diff)
• WebCore/loader/DocumentLoader.cpp (modified) (6 diffs)
• WebCore/loader/DocumentWriter.cpp (modified) (3 diffs)
• WebCore/loader/DocumentWriter.h (modified) (2 diffs)
• WebCore/loader/FrameLoader.cpp (modified) (6 diffs)
• WebCore/loader/FrameLoader.h (modified) (4 diffs)
• WebCore/loader/FrameNetworkingContext.h (modified) (1 diff)
• WebCore/loader/appcache/ApplicationCacheGroup.cpp (modified) (7 diffs)
• WebCore/loader/appcache/ApplicationCacheGroup.h (modified) (1 diff)
• WebCore/page/AbstractFrame.h (modified) (2 diffs)
• WebCore/page/Frame.cpp (modified) (2 diffs)
• WebCore/page/Frame.h (modified) (1 diff)
• WebCore/page/FrameDestructionObserver.cpp (modified) (1 diff)
• WebCore/page/FrameDestructionObserver.h (modified) (3 diffs)
• WebCore/page/FrameTree.cpp (modified) (5 diffs)
• WebCore/page/FrameTree.h (modified) (3 diffs)
• WebCore/rendering/RenderScrollbar.cpp (modified) (1 diff)
• WebCore/rendering/RenderScrollbar.h (modified) (1 diff)
• WebKit/ChangeLog (modified) (1 diff)
• WebKit/WebProcess/InjectedBundle/API/glib/DOM/DOMObjectCache.cpp (modified) (1 diff)
• WebKit/WebProcess/WebPage/WebFrame.cpp (modified) (6 diffs)
• WebKit/WebProcess/WebPage/WebFrame.h (modified) (2 diffs)

trunk/Source/WebCore/ChangeLog

@@ +1 @@
+2020-11-05  Alex Christensen  <achristensen@webkit.org>
+
+        Store WeakPtr<Frame> instead of Frame*
+        https://bugs.webkit.org/show_bug.cgi?id=218599
+
+        Reviewed by Youenn Fablet.
+
+        No change in behavior, but this probably fixes some bugs.
+
+        * bindings/js/WindowProxy.cpp:
+        (WebCore::WindowProxy::WindowProxy):
+        (WebCore::WindowProxy::frame const):
+        * bindings/js/WindowProxy.h:
+        (WebCore::WindowProxy::frame const): Deleted.
+        * dom/Document.cpp:
+        (WebCore::Document::willBeRemovedFromFrame):
+        (WebCore::Document::canNavigateInternal):
+        (WebCore::Document::setDesignMode):
+        (WebCore::Document::getDesignMode const): Deleted.
+        * dom/Document.h:
+        * html/HTMLFrameOwnerElement.cpp:
+        (WebCore::HTMLFrameOwnerElement::setContentFrame):
+        (WebCore::HTMLFrameOwnerElement::disconnectContentFrame):
+        * html/HTMLFrameOwnerElement.h:
+        (WebCore::HTMLFrameOwnerElement::contentFrame const):
+        * inspector/agents/InspectorPageAgent.cpp:
+        (WebCore::InspectorPageAgent::frameForId):
+        (WebCore::InspectorPageAgent::frameId):
+        * inspector/agents/InspectorPageAgent.h:
+        * loader/DocumentLoader.cpp:
+        (WebCore::DocumentLoader::stopLoading):
+        (WebCore::DocumentLoader::willSendRequest):
+        (WebCore::DocumentLoader::commitLoad):
+        (WebCore::DocumentLoader::detachFromFrame):
+        (WebCore::DocumentLoader::removeSubresourceLoader):
+        (WebCore::DocumentLoader::subresourceLoaderFinishedLoadingOnePart):
+        * loader/DocumentWriter.cpp:
+        (WebCore::DocumentWriter::createDocument):
+        (WebCore::DocumentWriter::decoder):
+        (WebCore::DocumentWriter::setFrame):
+        * loader/DocumentWriter.h:
+        (WebCore::DocumentWriter::setFrame): Deleted.
+        * loader/FrameLoader.cpp:
+        (WebCore::FrameLoader::detachFromAllOpenedFrames):
+        (WebCore::FrameLoader::opener):
+        (WebCore::FrameLoader::setOpener):
+        (WebCore::FrameLoader::hasOpenedFrames const):
+        (WebCore::FrameLoader::addExtraFieldsToRequest):
+        * loader/FrameLoader.h:
+        * loader/FrameNetworkingContext.h:
+        (WebCore::FrameNetworkingContext::FrameNetworkingContext):
+        (WebCore::FrameNetworkingContext::frame const):
+        * loader/appcache/ApplicationCacheGroup.cpp:
+        (WebCore::ApplicationCacheGroup::update):
+        (WebCore::ApplicationCacheGroup::didFinishLoadingEntry):
+        (WebCore::ApplicationCacheGroup::didFailLoadingEntry):
+        (WebCore::ApplicationCacheGroup::didFailLoadingManifest):
+        (WebCore::ApplicationCacheGroup::startLoadingEntry):
+        * loader/appcache/ApplicationCacheGroup.h:
+        * page/AbstractFrame.h:
+        * page/Frame.cpp:
+        (WebCore::Frame::Frame):
+        (WebCore::Frame::addDestructionObserver):
+        (WebCore::Frame::removeDestructionObserver):
+        * page/Frame.h:
+        * page/FrameDestructionObserver.cpp:
+        (WebCore::FrameDestructionObserver::frame const):
+        (WebCore::FrameDestructionObserver::observeFrame):
+        * page/FrameDestructionObserver.h:
+        (WebCore::FrameDestructionObserver::frame const): Deleted.
+        * page/FrameTree.cpp:
+        (WebCore::FrameTree::FrameTree):
+        (WebCore::FrameTree::parent const):
+        (WebCore::FrameTree::appendChild):
+        (WebCore::FrameTree::removeChild):
+        (WebCore::FrameTree::traverseNextInPostOrder const):
+        * page/FrameTree.h:
+        (WebCore::FrameTree::previousSibling const):
+        (WebCore::FrameTree::lastChild const):
+        (WebCore::FrameTree::FrameTree): Deleted.
+        * rendering/RenderScrollbar.cpp:
+        (WebCore::RenderScrollbar::RenderScrollbar):
+        * rendering/RenderScrollbar.h:
+
 2020-11-05  Alex Christensen  <achristensen@webkit.org>
 

trunk/Source/WebCore/bindings/js/WindowProxy.cpp

@@ -54 +54 @@
 
 WindowProxy::WindowProxy(AbstractFrame& frame)
-    : m_frame(&frame)
+    : m_frame(makeWeakPtr(frame))
     , m_jsWindowProxies(makeUniqueRef<ProxyMap>())
 {
@@ -63 +63 @@
     ASSERT(!m_frame);
     ASSERT(m_jsWindowProxies->isEmpty());
+}
+
+AbstractFrame* WindowProxy::frame() const
+{
+    return m_frame.get();
 }
 

trunk/Source/WebCore/bindings/js/WindowProxy.h

@@ -25 +25 @@
 #include <wtf/RefCounted.h>
 #include <wtf/UniqueRef.h>
+#include <wtf/WeakPtr.h>
 
 namespace JSC {
@@ -50 +51 @@
     WEBCORE_EXPORT ~WindowProxy();
 
-    AbstractFrame* frame() const { return m_frame; }
+    WEBCORE_EXPORT AbstractFrame* frame() const;
     void detachFromFrame();
 
@@ -95 +96 @@
     WEBCORE_EXPORT JSWindowProxy& createJSWindowProxyWithInitializedScript(DOMWrapperWorld&);
 
-    AbstractFrame* m_frame;
+    WeakPtr<AbstractFrame> m_frame;
     UniqueRef<ProxyMap> m_jsWindowProxies;
 };

trunk/Source/WebCore/dom/Document.cpp

@@ -2559 +2559 @@
 
     {
-        NavigationDisabler navigationDisabler(m_frame);
+        NavigationDisabler navigationDisabler(m_frame.get());
         disconnectDescendantFrames();
     }
@@ -3467 +3467 @@
 
     // iii. A sandboxed frame can always navigate its descendants.
-    if (isSandboxed(SandboxNavigation) && targetFrame.tree().isDescendantOf(m_frame))
+    if (isSandboxed(SandboxNavigation) && targetFrame.tree().isDescendantOf(m_frame.get()))
         return true;
 
@@ -3473 +3473 @@
     // 1. If A is not the same browsing context as B, and A is not one of the ancestor browsing contexts of B, and B is not a top-level browsing context, and A's active document's active sandboxing
     // flag set has its sandboxed navigation browsing context flag set, then abort these steps negatively.
-    if (m_frame != &targetFrame && isSandboxed(SandboxNavigation) && targetFrame.tree().parent() && !targetFrame.tree().isDescendantOf(m_frame)) {
+    if (m_frame != &targetFrame && isSandboxed(SandboxNavigation) && targetFrame.tree().parent() && !targetFrame.tree().isDescendantOf(m_frame.get())) {
         printNavigationErrorMessage(targetFrame, url(), "The frame attempting navigation is sandboxed, and is therefore disallowed from navigating its ancestors."_s);
         return false;
@@ -5701 +5701 @@
 {
     m_designMode = value;
-    for (Frame* frame = m_frame; frame && frame->document(); frame = frame->tree().traverseNext(m_frame))
+    for (auto* frame = m_frame.get(); frame && frame->document(); frame = frame->tree().traverseNext(m_frame.get()))
         frame->document()->scheduleFullStyleRebuild();
 }
@@ -5720 +5720 @@
         mode = inherit;
     setDesignMode(mode);
-}
-
-auto Document::getDesignMode() const -> InheritedBool
-{
-    return m_designMode;
 }
 

trunk/Source/WebCore/dom/Document.h

@@ -1008 +1008 @@
     enum InheritedBool { off = false, on = true, inherit };    
     void setDesignMode(InheritedBool value);
-    InheritedBool getDesignMode() const;
     bool inDesignMode() const;
     WEBCORE_EXPORT String designMode() const;

trunk/Source/WebCore/html/HTMLFrameOwnerElement.cpp

@@ -51 +51 @@
 }
 
-void HTMLFrameOwnerElement::setContentFrame(Frame* frame)
+void HTMLFrameOwnerElement::setContentFrame(Frame& frame)
 {
     // Make sure we will not end up with two frames referencing the same owner element.
     ASSERT(!m_contentFrame || m_contentFrame->ownerElement() != this);
-    ASSERT(frame);
     // Disconnected frames should not be allowed to load.
     ASSERT(isConnected());
-    m_contentFrame = frame;
+    m_contentFrame = makeWeakPtr(frame);
 
     for (RefPtr<ContainerNode> node = this; node; node = node->parentOrShadowHostNode())
@@ -77 +76 @@
 void HTMLFrameOwnerElement::disconnectContentFrame()
 {
-    if (RefPtr<Frame> frame = m_contentFrame) {
+    if (RefPtr<Frame> frame = m_contentFrame.get()) {
         frame->loader().frameDetached();
         frame->disconnectOwnerElement();

trunk/Source/WebCore/html/HTMLFrameOwnerElement.h

@@ -36 +36 @@
     virtual ~HTMLFrameOwnerElement();
 
-    Frame* contentFrame() const { return m_contentFrame; }
+    Frame* contentFrame() const { return m_contentFrame.get(); }
     WEBCORE_EXPORT WindowProxy* contentWindow() const;
     WEBCORE_EXPORT Document* contentDocument() const;
 
-    void setContentFrame(Frame*);
+    void setContentFrame(Frame&);
     void clearContentFrame();
 
@@ -74 +74 @@
     bool isFrameOwnerElement() const final { return true; }
 
-    Frame* m_contentFrame { nullptr };
+    WeakPtr<Frame> m_contentFrame;
     SandboxFlags m_sandboxFlags { SandboxNone };
 };

trunk/Source/WebCore/inspector/agents/InspectorPageAgent.cpp

@@ -829 +829 @@
 Frame* InspectorPageAgent::frameForId(const Protocol::Network::FrameId& frameId)
 {
-    return frameId.isEmpty() ? nullptr : m_identifierToFrame.get(frameId);
+    return frameId.isEmpty() ? nullptr : m_identifierToFrame.get(frameId).get();
 }
 
@@ -838 +838 @@
     return m_frameToIdentifier.ensure(frame, [this, frame] {
         auto identifier = IdentifiersFactory::createIdentifier();
-        m_identifierToFrame.set(identifier, frame);
+        m_identifierToFrame.set(identifier, makeWeakPtr(frame));
         return identifier;
     }).iterator->value;

trunk/Source/WebCore/inspector/agents/InspectorPageAgent.h

@@ -166 +166 @@
     InspectorOverlay* m_overlay { nullptr };
 
+    // FIXME: Make a WeakHashMap and use it for m_frameToIdentifier and m_loaderToIdentifier.
     HashMap<Frame*, String> m_frameToIdentifier;
-    HashMap<String, Frame*> m_identifierToFrame;
+    HashMap<String, WeakPtr<Frame>> m_identifierToFrame;
     HashMap<DocumentLoader*, String> m_loaderToIdentifier;
     String m_userAgentOverride;

trunk/Source/WebCore/loader/DocumentLoader.cpp

@@ -284 +284 @@
 void DocumentLoader::stopLoading()
 {
-    RefPtr<Frame> protectedFrame(m_frame);
+    RefPtr<Frame> protectedFrame(m_frame.get());
     Ref<DocumentLoader> protectedThis(*this);
 
@@ -600 +600 @@
         if (!redirectingOrigin.get().canDisplay(newRequest.url())) {
             RELEASE_LOG_IF_ALLOWED("willSendRequest: canceling - redirecting URL not allowed to display content from target");
-            FrameLoader::reportLocalLoadFailed(m_frame, newRequest.url().string());
+            FrameLoader::reportLocalLoadFailed(m_frame.get(), newRequest.url().string());
             cancelMainResourceLoad(frameLoader()->cancelledError(newRequest));
             return completionHandler(WTFMove(newRequest));
@@ -1049 +1049 @@
     // Both unloading the old page and parsing the new page may execute JavaScript which destroys the datasource
     // by starting a new load, so retain temporarily.
-    RefPtr<Frame> protectedFrame(m_frame);
+    RefPtr<Frame> protectedFrame(m_frame.get());
     Ref<DocumentLoader> protectedThis(*this);
 
@@ -1303 +1303 @@
         ASSERT_WITH_MESSAGE(m_frame, "detachFromFrame() is being called on a DocumentLoader that has never attached to any Frame");
 #endif
-    RefPtr<Frame> protectedFrame(m_frame);
+    RefPtr<Frame> protectedFrame(m_frame.get());
     Ref<DocumentLoader> protectedThis(*this);
 
@@ -1788 +1788 @@
         return;
     checkLoadComplete();
-    if (Frame* frame = m_frame)
-        frame->loader().subresourceLoadDone(type);
+    if (m_frame)
+        m_frame->loader().subresourceLoadDone(type);
 }
 
@@ -2074 +2074 @@
 
     checkLoadComplete();
-    if (Frame* frame = m_frame)
-        frame->loader().checkLoadComplete();    
+    if (m_frame)
+        m_frame->loader().checkLoadComplete();
 }
 

trunk/Source/WebCore/loader/DocumentWriter.cpp

@@ -118 +118 @@
     if (!m_frame->loader().client().hasHTMLView())
         return Document::createNonRenderedPlaceholder(*m_frame, url);
-    return DOMImplementation::createDocument(m_mimeType, m_frame, m_frame->settings(), url);
+    return DOMImplementation::createDocument(m_mimeType, m_frame.get(), m_frame->settings(), url);
 }
 
@@ -223 +223 @@
         // FIXME: This might be too cautious for non-7bit-encodings and
         // we may consider relaxing this later after testing.
-        if (canReferToParentFrameEncoding(m_frame, parentFrame))
+        if (canReferToParentFrameEncoding(m_frame.get(), parentFrame))
             m_decoder->setHintEncoding(parentFrame->document()->decoder());
         if (m_encoding.isEmpty()) {
-            if (canReferToParentFrameEncoding(m_frame, parentFrame))
+            if (canReferToParentFrameEncoding(m_frame.get(), parentFrame))
                 m_decoder->setEncoding(parentFrame->document()->textEncoding(), TextResourceDecoder::EncodingFromParentFrame);
         } else {
@@ -298 +298 @@
 }
 
+void DocumentWriter::setFrame(Frame& frame)
+{
+    m_frame = makeWeakPtr(frame);
+}
+
 void DocumentWriter::setDocumentWasLoadedAsPartOfNavigation()
 {

trunk/Source/WebCore/loader/DocumentWriter.h

@@ -51 +51 @@
     WEBCORE_EXPORT void end();
 
-    void setFrame(Frame& frame) { m_frame = &frame; }
+    void setFrame(Frame&);
 
     WEBCORE_EXPORT void setEncoding(const String& encoding, bool userChosen);
@@ -68 +68 @@
     void clear();
 
-    Frame* m_frame { nullptr };
+    WeakPtr<Frame> m_frame;
 
     bool m_hasReceivedSomeData { false };

trunk/Source/WebCore/loader/FrameLoader.cpp

@@ -331 +331 @@
 {
     for (auto& frame : m_openedFrames)
-        frame->loader().m_opener = nullptr;
+        frame.loader().m_opener = nullptr;
     m_openedFrames.clear();
 }
@@ -383 +383 @@
 {
     return client().frameID();
+}
+
+Frame* FrameLoader::opener()
+{
+    return m_opener;
+}
+
+const Frame* FrameLoader::opener() const
+{
+    return m_opener;
 }
 
@@ -1051 +1061 @@
         // When setOpener is called in ~FrameLoader, opener's m_frameLoader is already cleared.
         auto& openerFrameLoader = m_opener == &m_frame ? *this : m_opener->loader();
-        openerFrameLoader.m_openedFrames.remove(&m_frame);
+        openerFrameLoader.m_openedFrames.remove(m_frame);
     }
     if (opener) {
@@ -1058 +1068 @@
             page->setOpenedByDOMWithOpener();
     }
-    m_opener = opener;
+    m_opener = makeWeakPtr(opener);
 
     if (m_frame.document())
@@ -1640 +1650 @@
 }
 
+bool FrameLoader::hasOpenedFrames() const
+{
+    return !m_openedFrames.computesEmpty();
+}
+
 void FrameLoader::reportLocalLoadFailed(Frame* frame, const String& url)
 {
@@ -2892 +2907 @@
             auto* ownerFrame = m_frame.tree().parent();
             if (!ownerFrame && m_stateMachine.isDisplayingInitialEmptyDocument())
-                ownerFrame = m_opener;
+                ownerFrame = m_opener.get();
             if (ownerFrame)
                 initiator = ownerFrame->document();

trunk/Source/WebCore/loader/FrameLoader.h

@@ -54 +54 @@
 #include <wtf/UniqueRef.h>
 #include <wtf/WallTime.h>
+#include <wtf/WeakHashSet.h>
 
 namespace WebCore {
@@ -249 +250 @@
     bool checkIfFormActionAllowedByCSP(const URL&, bool didReceiveRedirectResponse) const;
 
-    Frame* opener() { return m_opener; }
-    const Frame* opener() const { return m_opener; }
+    WEBCORE_EXPORT Frame* opener();
+    WEBCORE_EXPORT const Frame* opener() const;
     WEBCORE_EXPORT void setOpener(Frame*);
     WEBCORE_EXPORT void detachFromAllOpenedFrames();
@@ -427 +428 @@
     // PolicyChecker specific.
     void clearProvisionalLoadForPolicyCheck();
-    bool hasOpenedFrames() const { return !m_openedFrames.isEmpty(); }
+    bool hasOpenedFrames() const;
 
     bool preventsParentFromBeingComplete(const Frame&) const;
@@ -483 +484 @@
     bool m_shouldCallCheckLoadComplete;
 
-    Frame* m_opener;
-    HashSet<Frame*> m_openedFrames;
+    WeakPtr<Frame> m_opener;
+    WeakHashSet<Frame> m_openedFrames;
 
     bool m_loadingFromCachedPage;

trunk/Source/WebCore/loader/FrameNetworkingContext.h

@@ -45 +45 @@
 protected:
     explicit FrameNetworkingContext(Frame* frame)
-        : m_frame(frame)
+        : m_frame(makeWeakPtr(frame))
     {
     }
 
-    Frame* frame() const { return m_frame; }
+    Frame* frame() const { return m_frame.get(); }
 
 private:
-    bool isValid() const override { return m_frame; }
+    bool isValid() const override { return !!m_frame; }
 
-    Frame* m_frame;
+    WeakPtr<Frame> m_frame;
 };
 

trunk/Source/WebCore/loader/appcache/ApplicationCacheGroup.cpp

@@ -417 +417 @@
 
     ASSERT(!m_frame);
-    m_frame = &frame;
+    m_frame = makeWeakPtr(frame);
 
     setUpdateStatus(Checking);
@@ -438 +438 @@
 
     m_currentResourceIdentifier = m_frame->page()->progress().createUniqueIdentifier();
-    InspectorInstrumentation::willSendRequest(m_frame, m_currentResourceIdentifier, m_frame->loader().documentLoader(), request, ResourceResponse { });
+    InspectorInstrumentation::willSendRequest(m_frame.get(), m_currentResourceIdentifier, m_frame->loader().documentLoader(), request, ResourceResponse { });
 
     m_manifestLoader = ApplicationCacheResourceLoader::create(ApplicationCacheResource::Type::Manifest, documentLoader.cachedResourceLoader(), WTFMove(request), [this] (auto&& resourceOrError) {
@@ -448 +448 @@
             if (error == ApplicationCacheResourceLoader::Error::CannotCreateResource) {
                 // FIXME: We should get back the error from ApplicationCacheResourceLoader level.
-                InspectorInstrumentation::didFailLoading(m_frame, m_frame->loader().documentLoader(), m_currentResourceIdentifier, ResourceError { ResourceError::Type::AccessControl });
+                InspectorInstrumentation::didFailLoading(m_frame.get(), m_frame->loader().documentLoader(), m_currentResourceIdentifier, ResourceError { ResourceError::Type::AccessControl });
                 this->cacheUpdateFailed();
                 return;
@@ -495 +495 @@
     // FIXME: We should have NetworkLoadMetrics for ApplicationCache loads.
     NetworkLoadMetrics emptyMetrics;
-    InspectorInstrumentation::didFinishLoading(m_frame, m_frame->loader().documentLoader(), m_currentResourceIdentifier, emptyMetrics, nullptr);
+    InspectorInstrumentation::didFinishLoading(m_frame.get(), m_frame->loader().documentLoader(), m_currentResourceIdentifier, emptyMetrics, nullptr);
 
     ASSERT(m_pendingEntries.contains(entryURL.string()));
@@ -544 +544 @@
     ResourceError resourceError { error == ApplicationCacheResourceLoader::Error::CannotCreateResource ? ResourceError::Type::AccessControl : ResourceError::Type::General };
 
-    InspectorInstrumentation::didFailLoading(m_frame, m_frame->loader().documentLoader(), m_currentResourceIdentifier, resourceError);
+    InspectorInstrumentation::didFailLoading(m_frame.get(), m_frame->loader().documentLoader(), m_currentResourceIdentifier, resourceError);
 
     URL url(entryURL);
@@ -664 +664 @@
         break;
     case ApplicationCacheResourceLoader::Error::NotFound:
-        InspectorInstrumentation::didFailLoading(m_frame, m_frame->loader().documentLoader(), m_currentResourceIdentifier, m_frame->loader().cancelledError(m_manifestLoader->resource()->resourceRequest()));
+        InspectorInstrumentation::didFailLoading(m_frame.get(), m_frame->loader().documentLoader(), m_currentResourceIdentifier, m_frame->loader().cancelledError(m_manifestLoader->resource()->resourceRequest()));
         m_frame->document()->addConsoleMessage(MessageSource::AppCache, MessageLevel::Error, makeString("Application Cache manifest could not be fetched, because the manifest had a ", m_manifestLoader->resource()->response().httpStatusCode(), " response."));
         manifestNotFound();
         break;
     case ApplicationCacheResourceLoader::Error::NotOK:
-        InspectorInstrumentation::didFailLoading(m_frame, m_frame->loader().documentLoader(), m_currentResourceIdentifier, m_frame->loader().cancelledError(m_manifestLoader->resource()->resourceRequest()));
+        InspectorInstrumentation::didFailLoading(m_frame.get(), m_frame->loader().documentLoader(), m_currentResourceIdentifier, m_frame->loader().cancelledError(m_manifestLoader->resource()->resourceRequest()));
         m_frame->document()->addConsoleMessage(MessageSource::AppCache, MessageLevel::Error, makeString("Application Cache manifest could not be fetched, because the manifest had a ", m_manifestLoader->resource()->response().httpStatusCode(), " response."));
         cacheUpdateFailed();
         break;
     case ApplicationCacheResourceLoader::Error::RedirectForbidden:
-        InspectorInstrumentation::didFailLoading(m_frame, m_frame->loader().documentLoader(), m_currentResourceIdentifier, m_frame->loader().cancelledError(m_manifestLoader->resource()->resourceRequest()));
+        InspectorInstrumentation::didFailLoading(m_frame.get(), m_frame->loader().documentLoader(), m_currentResourceIdentifier, m_frame->loader().cancelledError(m_manifestLoader->resource()->resourceRequest()));
         m_frame->document()->addConsoleMessage(MessageSource::AppCache, MessageLevel::Error, "Application Cache manifest could not be fetched, because a redirection was attempted."_s);
         cacheUpdateFailed();
@@ -900 +900 @@
 
     m_currentResourceIdentifier = m_frame->page()->progress().createUniqueIdentifier();
-    InspectorInstrumentation::willSendRequest(m_frame, m_currentResourceIdentifier, m_frame->loader().documentLoader(), request, ResourceResponse { });
+    InspectorInstrumentation::willSendRequest(m_frame.get(), m_currentResourceIdentifier, m_frame->loader().documentLoader(), request, ResourceResponse { });
 
     auto& documentLoader = *m_frame->loader().documentLoader();

trunk/Source/WebCore/loader/appcache/ApplicationCacheGroup.h

@@ -160 +160 @@
     // Frame used for fetching resources when updating.
     // FIXME: An update started by a particular frame should not stop if it is destroyed, but there are other frames associated with the same cache group.
-    Frame* m_frame { nullptr };
+    WeakPtr<Frame> m_frame;
   
     // An obsolete cache group is never stored, but the opposite is not true - storing may fail for multiple reasons, such as exceeding disk quota.

trunk/Source/WebCore/page/AbstractFrame.h

@@ -28 +28 @@
 #include <wtf/Ref.h>
 #include <wtf/ThreadSafeRefCounted.h>
+#include <wtf/WeakPtr.h>
 
 namespace WebCore {
@@ -35 +36 @@
 
 // FIXME: Rename Frame to LocalFrame and AbstractFrame to Frame.
-class AbstractFrame : public ThreadSafeRefCounted<AbstractFrame> {
+class AbstractFrame : public ThreadSafeRefCounted<AbstractFrame>, public CanMakeWeakPtr<AbstractFrame> {
 public:
     virtual ~AbstractFrame();

trunk/Source/WebCore/page/Frame.cpp

@@ -164 +164 @@
     if (ownerElement) {
         m_mainFrame.selfOnlyRef();
-        ownerElement->setContentFrame(this);
+        ownerElement->setContentFrame(*this);
     }
 
@@ -218 +218 @@
 }
 
-void Frame::addDestructionObserver(FrameDestructionObserver* observer)
-{
-    m_destructionObservers.add(observer);
-}
-
-void Frame::removeDestructionObserver(FrameDestructionObserver* observer)
-{
-    m_destructionObservers.remove(observer);
+void Frame::addDestructionObserver(FrameDestructionObserver& observer)
+{
+    m_destructionObservers.add(&observer);
+}
+
+void Frame::removeDestructionObserver(FrameDestructionObserver& observer)
+{
+    m_destructionObservers.remove(&observer);
 }
 

trunk/Source/WebCore/page/Frame.h

@@ -149 +149 @@
     WEBCORE_EXPORT DOMWindow* window() const;
 
-    void addDestructionObserver(FrameDestructionObserver*);
-    void removeDestructionObserver(FrameDestructionObserver*);
+    void addDestructionObserver(FrameDestructionObserver&);
+    void removeDestructionObserver(FrameDestructionObserver&);
 
     WEBCORE_EXPORT void willDetachPage();

trunk/Source/WebCore/page/FrameDestructionObserver.cpp

@@ -43 +43 @@
 }
 
+Frame* FrameDestructionObserver::frame() const
+{
+    return m_frame.get();
+}
+
 void FrameDestructionObserver::observeFrame(Frame* frame)
 {
     if (m_frame)
-        m_frame->removeDestructionObserver(this);
+        m_frame->removeDestructionObserver(*this);
 
-    m_frame = frame;
+    m_frame = makeWeakPtr(frame);
 
     if (m_frame)
-        m_frame->addDestructionObserver(this);
+        m_frame->addDestructionObserver(*this);
 }
 

trunk/Source/WebCore/page/FrameDestructionObserver.h

@@ -26 +26 @@
 #pragma once
 
+#include <wtf/WeakPtr.h>
+
 namespace WebCore {
 
@@ -37 +39 @@
     WEBCORE_EXPORT virtual void willDetachPage();
 
-    Frame* frame() const { return m_frame; }
+    WEBCORE_EXPORT Frame* frame() const;
 
 protected:
@@ -43 +45 @@
     WEBCORE_EXPORT void observeFrame(Frame*);
 
-    Frame* m_frame;
+    WeakPtr<Frame> m_frame;
 };
 

trunk/Source/WebCore/page/FrameTree.cpp

@@ -37 +37 @@
 namespace WebCore {
 
+FrameTree::FrameTree(Frame& thisFrame, Frame* parentFrame)
+    : m_thisFrame(thisFrame)
+    , m_parent(makeWeakPtr(parentFrame))
+{
+}
+
 FrameTree::~FrameTree()
 {
@@ -62 +68 @@
 Frame* FrameTree::parent() const 
 { 
-    return m_parent;
+    return m_parent.get();
 }
 
@@ -68 +74 @@
 {
     ASSERT(child.page() == m_thisFrame.page());
-    child.tree().m_parent = &m_thisFrame;
-    Frame* oldLast = m_lastChild;
-    m_lastChild = &child;
+    child.tree().m_parent = makeWeakPtr(m_thisFrame);
+    WeakPtr<Frame> oldLast = m_lastChild;
+    m_lastChild = makeWeakPtr(child);
 
     if (oldLast) {
@@ -85 +91 @@
 void FrameTree::removeChild(Frame& child)
 {
-    Frame*& newLocationForPrevious = m_lastChild == &child ? m_lastChild : child.tree().m_nextSibling->tree().m_previousSibling;
+    WeakPtr<Frame>& newLocationForPrevious = m_lastChild == &child ? m_lastChild : child.tree().m_nextSibling->tree().m_previousSibling;
     RefPtr<Frame>& newLocationForNext = m_firstChild == &child ? m_firstChild : child.tree().m_previousSibling->tree().m_nextSibling;
 
@@ -424 +430 @@
         return m_nextSibling->tree().deepFirstChild();
     if (m_parent)
-        return m_parent;
+        return m_parent.get();
     if (canWrap == CanWrap::Yes)
         return deepFirstChild();

trunk/Source/WebCore/page/FrameTree.h

@@ -35 +35 @@
     static constexpr unsigned invalidCount = static_cast<unsigned>(-1);
 
-    FrameTree(Frame& thisFrame, Frame* parentFrame)
-        : m_thisFrame(thisFrame)
-        , m_parent(parentFrame)
-        , m_previousSibling(nullptr)
-        , m_lastChild(nullptr)
-        , m_scopedChildCount(invalidCount)
-    {
-    }
+    FrameTree(Frame& thisFrame, Frame* parentFrame);
 
     ~FrameTree();
@@ -53 +46 @@
     
     Frame* nextSibling() const { return m_nextSibling.get(); }
-    Frame* previousSibling() const { return m_previousSibling; }
+    Frame* previousSibling() const { return m_previousSibling.get(); }
     Frame* firstChild() const { return m_firstChild.get(); }
-    Frame* lastChild() const { return m_lastChild; }
+    Frame* lastChild() const { return m_lastChild.get(); }
 
     Frame* firstRenderedChild() const;
@@ -101 +94 @@
     Frame& m_thisFrame;
 
-    Frame* m_parent;
+    WeakPtr<Frame> m_parent;
     AtomString m_name; // The actual frame name (may be empty).
     AtomString m_uniqueName;
 
     RefPtr<Frame> m_nextSibling;
-    Frame* m_previousSibling;
+    WeakPtr<Frame> m_previousSibling;
     RefPtr<Frame> m_firstChild;
-    Frame* m_lastChild;
-    mutable unsigned m_scopedChildCount;
+    WeakPtr<Frame> m_lastChild;
+    mutable unsigned m_scopedChildCount { invalidCount };
     mutable uint64_t m_frameIDGenerator { 0 };
 };

trunk/Source/WebCore/rendering/RenderScrollbar.cpp

@@ -45 +45 @@
     : Scrollbar(scrollableArea, orientation, ScrollbarControlSize::Regular, RenderScrollbarTheme::renderScrollbarTheme(), true)
     , m_ownerElement(ownerElement)
-    , m_owningFrame(owningFrame)
+    , m_owningFrame(makeWeakPtr(owningFrame))
 {
     ASSERT(ownerElement || owningFrame);

trunk/Source/WebCore/rendering/RenderScrollbar.h

@@ -86 +86 @@
     RefPtr<Element> m_ownerElement;
 
-    Frame* m_owningFrame;
+    WeakPtr<Frame> m_owningFrame;
     HashMap<unsigned, RenderPtr<RenderScrollbarPart>> m_parts;
 };

trunk/Source/WebKit/ChangeLog

@@ +1 @@
+2020-11-05  Alex Christensen  <achristensen@webkit.org>
+
+        Store WeakPtr<Frame> instead of Frame*
+        https://bugs.webkit.org/show_bug.cgi?id=218599
+
+        Reviewed by Youenn Fablet.
+
+        * WebProcess/WebPage/WebFrame.cpp:
+        (WebKit::WebFrame::initWithCoreMainFrame):
+        (WebKit::WebFrame::createSubframe):
+        (WebKit::WebFrame::coreFrame const):
+        (WebKit::WebFrame::info const):
+        (WebKit::WebFrame::handlesPageScaleGesture const):
+        (WebKit::WebFrame::requiresUnifiedScaleFactor const):
+        * WebProcess/WebPage/WebFrame.h:
+        (WebKit::WebFrame::coreFrame const): Deleted.
+
 2020-11-05  Alex Christensen  <achristensen@webkit.org>
 

trunk/Source/WebKit/WebProcess/InjectedBundle/API/glib/DOM/DOMObjectCache.cpp

@@ -171 +171 @@
     {
         clear();
-        WebCore::Frame* frame = m_frame;
+        WebCore::Frame* frame = m_frame.get();
         FrameDestructionObserver::frameDestroyed();
         domObjectCacheFrameObservers().remove(frame);

trunk/Source/WebKit/WebProcess/WebPage/WebFrame.cpp

@@ -107 +107 @@
     page.send(Messages::WebPageProxy::DidCreateMainFrame(frameID()));
 
-    m_coreFrame = &coreFrame;
+    m_coreFrame = makeWeakPtr(coreFrame);
     m_coreFrame->tree().setName(String());
     m_coreFrame->init();
@@ -118 +118 @@
 
     auto coreFrame = Frame::create(page->corePage(), ownerElement, makeUniqueRef<WebFrameLoaderClient>(frame.get()));
-    frame->m_coreFrame = coreFrame.ptr();
+    frame->m_coreFrame = makeWeakPtr(coreFrame.get());
 
     coreFrame->tree().setName(frameName);
@@ -178 +178 @@
 }
 
+WebCore::Frame* WebFrame::coreFrame() const
+{
+    return m_coreFrame.get();
+}
+
 FrameInfoData WebFrame::info() const
 {
@@ -186 +191 @@
         // FIXME: This should use the full request.
         ResourceRequest(url()),
-        SecurityOriginData::fromFrame(m_coreFrame),
+        SecurityOriginData::fromFrame(m_coreFrame.get()),
         m_frameID,
         parent ? Optional<WebCore::FrameIdentifier> { parent->frameID() } : WTF::nullopt,
@@ -534 +539 @@
 bool WebFrame::handlesPageScaleGesture() const
 {
-    auto* pluginView = WebPage::pluginViewForFrame(m_coreFrame);
+    auto* pluginView = WebPage::pluginViewForFrame(m_coreFrame.get());
     return pluginView && pluginView->handlesPageScaleFactor();
 }
@@ -540 +545 @@
 bool WebFrame::requiresUnifiedScaleFactor() const
 {
-    auto* pluginView = WebPage::pluginViewForFrame(m_coreFrame);
+    auto* pluginView = WebPage::pluginViewForFrame(m_coreFrame.get());
     return pluginView && pluginView->requiresUnifiedScaleFactor();
 }

trunk/Source/WebKit/WebProcess/WebPage/WebFrame.h

@@ -79 +79 @@
 
     static WebFrame* fromCoreFrame(const WebCore::Frame&);
-    WebCore::Frame* coreFrame() const { return m_coreFrame; }
+    WebCore::Frame* coreFrame() const;
 
     FrameInfoData info() const;
@@ -185 +185 @@
     WebFrame();
 
-    WebCore::Frame* m_coreFrame { nullptr };
+    WeakPtr<WebCore::Frame> m_coreFrame;
 
     uint64_t m_policyListenerID { 0 };