Changeset 71368 in webkit

Timestamp:

Nov 4, 2010 5:08:27 PM (13 years ago)

Author:

mihaip@chromium.org

Message:

Merge 71170 - 2010-11-02 Mihai Parparita <​mihaip@chromium.org>

Reviewed by Adam Barth.

[Chromium] Crash when encountering history.back() call during Page::goToItem execution
​https://bugs.webkit.org/show_bug.cgi?id=48477

Add a reduced version of the page that was originally reported at
​http://crbug.com/59554.

• http/tests/history/back-during-onload-triggered-by-back-expected.txt: Added.
• http/tests/history/back-during-onload-triggered-by-back.html: Added.
• http/tests/history/resources/back-during-onload-container.html: Added.
• http/tests/history/resources/back-during-onload-hung-page.php: Added.
• http/tests/history/resources/back-during-onload-middle.html: Added.

2010-11-02 Mihai Parparita <​mihaip@chromium.org>

Reviewed by Adam Barth.

[Chromium] Crash when encountering history.back() call during Page::goToItem execution
​https://bugs.webkit.org/show_bug.cgi?id=48477

For the Chromium port, BackForwardList::itemAtIndex synthesizes a
HistoryItem and saves a pointer to it in m_pendingItem. During
Page::goToItem we call FrameLoader::stopAllLoaders, which can trigger
onload handlers (if a subframe was not considered committed by the frame
loader). If one of those handlers calls calls history.back() or another
operation that ends up in NavigationScheduler::scheduleHistoryNavigation,
we would call BackForwardList::itemAtIndex, which means that we would
lose the m_pendingItem RefPtr that pointed to the item being navigated
to, causing its ref count to go to 0*, and thus for the HistoryItem to
be deleted before we were done navigating to it.

This is fixed in two ways:

• Add a protector RefPtr in Page::goToItem to make sure that the item is still around for when we pass it to HistoryController:goToItem.
• Change NavigationScheduler::scheduleHistoryNavigation to not use BackForwardList::itemAtIndex and instead look at the forward/backListCount() (since it doesn't actually care about the returned HistoryItem).

• Full annotated stack trace of this is at ​http://crbug.com/59554#c9.

Test: http/tests/history/back-during-onload-triggered-by-back.html

• loader/NavigationScheduler.cpp: (WebCore::NavigationScheduler::scheduleHistoryNavigation):
• page/Page.cpp: (WebCore::Page::goToItem):

TBR=​mihaip@chromium.org

Location:

branches/chromium/552

Files:

• LayoutTests/ChangeLog (modified) (1 diff)
• LayoutTests/http/tests/history/back-during-onload-triggered-by-back-expected.txt (copied) (copied from trunk/LayoutTests/http/tests/history/back-during-onload-triggered-by-back-expected.txt)
• LayoutTests/http/tests/history/back-during-onload-triggered-by-back.html (copied) (copied from trunk/LayoutTests/http/tests/history/back-during-onload-triggered-by-back.html)
• LayoutTests/http/tests/history/resources/back-during-onload-container.html (copied) (copied from trunk/LayoutTests/http/tests/history/resources/back-during-onload-container.html)
• LayoutTests/http/tests/history/resources/back-during-onload-hung-page.php (copied) (copied from trunk/LayoutTests/http/tests/history/resources/back-during-onload-hung-page.php)
• LayoutTests/http/tests/history/resources/back-during-onload-middle.html (copied) (copied from trunk/LayoutTests/http/tests/history/resources/back-during-onload-middle.html)
• WebCore/ChangeLog (modified) (1 diff)
• WebCore/loader/NavigationScheduler.cpp (modified) (1 diff)
• WebCore/page/Page.cpp (modified) (1 diff)

branches/chromium/552/LayoutTests/ChangeLog

@@ +1 @@
+2010-11-02  Mihai Parparita  <mihaip@chromium.org>
+
+        Reviewed by Adam Barth.
+
+        [Chromium] Crash when encountering history.back() call during Page::goToItem execution
+        https://bugs.webkit.org/show_bug.cgi?id=48477
+        
+        Add a reduced version of the page that was originally reported at
+        http://crbug.com/59554.
+
+        * http/tests/history/back-during-onload-triggered-by-back-expected.txt: Added.
+        * http/tests/history/back-during-onload-triggered-by-back.html: Added.
+        * http/tests/history/resources/back-during-onload-container.html: Added.
+        * http/tests/history/resources/back-during-onload-hung-page.php: Added.
+        * http/tests/history/resources/back-during-onload-middle.html: Added.
+
 2010-10-27  Andy Estes  <aestes@apple.com>
 

branches/chromium/552/WebCore/ChangeLog

@@ +1 @@
+2010-11-02  Mihai Parparita  <mihaip@chromium.org>
+
+        Reviewed by Adam Barth.
+
+        [Chromium] Crash when encountering history.back() call during Page::goToItem execution
+        https://bugs.webkit.org/show_bug.cgi?id=48477
+        
+        For the Chromium port, BackForwardList::itemAtIndex synthesizes a 
+        HistoryItem and saves a pointer to it in m_pendingItem. During 
+        Page::goToItem we call FrameLoader::stopAllLoaders, which can trigger
+        onload handlers (if a subframe was not considered committed by the frame
+        loader). If one of those handlers calls calls history.back() or another
+        operation that ends up in NavigationScheduler::scheduleHistoryNavigation,
+        we would call BackForwardList::itemAtIndex, which means that we would 
+        lose the m_pendingItem RefPtr that pointed to the item being navigated 
+        to, causing its ref count to go to 0*, and thus for the HistoryItem to
+        be deleted before we were done navigating to it.
+        
+        This is fixed in two ways:
+        - Add a protector RefPtr in Page::goToItem to make sure that the item is
+          still around for when we pass it to HistoryController:goToItem.
+        - Change NavigationScheduler::scheduleHistoryNavigation to not use
+          BackForwardList::itemAtIndex and instead look at the
+          forward/backListCount() (since it doesn't actually care about the
+          returned HistoryItem).
+        
+        * Full annotated stack trace of this is at http://crbug.com/59554#c9.        
+
+        Test: http/tests/history/back-during-onload-triggered-by-back.html
+
+        * loader/NavigationScheduler.cpp:
+        (WebCore::NavigationScheduler::scheduleHistoryNavigation):
+        * page/Page.cpp:
+        (WebCore::Page::goToItem):
+
 2010-10-27  Andy Estes  <aestes@apple.com>
 

branches/chromium/552/WebCore/loader/NavigationScheduler.cpp

@@ -342 +342 @@
     // Invalid history navigations (such as history.forward() during a new load) have the side effect of cancelling any scheduled
     // redirects. We also avoid the possibility of cancelling the current load by avoiding the scheduled redirection altogether.
-    HistoryItem* specifiedEntry = m_frame->page()->backForwardList()->itemAtIndex(steps);
-    if (!specifiedEntry) {
+    BackForwardList* backForwardList = m_frame->page()->backForwardList();
+    if (steps > backForwardList->forwardListCount() || -steps > backForwardList->backListCount()) {
         cancel();
         return;

branches/chromium/552/WebCore/page/Page.cpp

@@ -348 +348 @@
     if (defersLoading())
         return;
+
+    // stopAllLoaders may end up running onload handlers, which could cause further history traversals that may lead to the passed in HistoryItem
+    // being deref()-ed. Make sure we can still use it with HistoryController::goToItem later.
+    RefPtr<HistoryItem> protector(item);
     
     // Abort any current load unless we're navigating the current document to a new state object