Title: [216863] trunk/Source/WebCore
Revision
216863
Author
bfulg...@apple.com
Date
2017-05-15 10:24:14 -0700 (Mon, 15 May 2017)

Log Message

[iOS WK1] Do not try to dispatch messages to subframes if their documents have not been constructed yet.
https://bugs.webkit.org/show_bug.cgi?id=172059
<rdar://problem/31963192>

Reviewed by Zalan Bujtas.

On iOS WK1 we can end up in an inconsistent state, where
1. The web thread is inside a newly-injected iframe's document's constructor and
2. waiting on a delegate callback on the main thread
while the main thread
(a) Evaluates arbitrary JavaScript that modifies storage which
(b) Triggers an event dispatch.
 
* storage/StorageEventDispatcher.cpp:
(WebCore::StorageEventDispatcher::dispatchSessionStorageEvents): If the sub-frame's document
is in an inconsistent state, skip it.
(WebCore::StorageEventDispatcher::dispatchLocalStorageEvents): Ditto.
(WebCore::StorageEventDispatcher::dispatchSessionStorageEventsToFrames): Ditto.
(WebCore::StorageEventDispatcher::dispatchLocalStorageEventsToFrames): Ditto.

Modified Paths

Diff

Modified: trunk/Source/WebCore/ChangeLog (216862 => 216863)


--- trunk/Source/WebCore/ChangeLog	2017-05-15 15:26:58 UTC (rev 216862)
+++ trunk/Source/WebCore/ChangeLog	2017-05-15 17:24:14 UTC (rev 216863)
@@ -1,3 +1,25 @@
+2017-05-15  Brent Fulgham  <bfulg...@apple.com>
+
+        [iOS WK1] Do not try to dispatch messages to subframes if their documents have not been constructed yet.
+        https://bugs.webkit.org/show_bug.cgi?id=172059
+        <rdar://problem/31963192>
+
+        Reviewed by Zalan Bujtas.
+
+        On iOS WK1 we can end up in an inconsistent state, where
+        1. The web thread is inside a newly-injected iframe's document's constructor and
+        2. waiting on a delegate callback on the main thread
+        while the main thread
+        (a) Evaluates arbitrary JavaScript that modifies storage which
+        (b) Triggers an event dispatch.
+ 
+        * storage/StorageEventDispatcher.cpp:
+        (WebCore::StorageEventDispatcher::dispatchSessionStorageEvents): If the sub-frame's document
+        is in an inconsistent state, skip it.
+        (WebCore::StorageEventDispatcher::dispatchLocalStorageEvents): Ditto.
+        (WebCore::StorageEventDispatcher::dispatchSessionStorageEventsToFrames): Ditto.
+        (WebCore::StorageEventDispatcher::dispatchLocalStorageEventsToFrames): Ditto.
+
 2017-05-15  Zalan Bujtas  <za...@apple.com>
 
         Simple line layout: Leading whitespace followed by a <br> produces an extra linebreak.

Modified: trunk/Source/WebCore/storage/StorageEventDispatcher.cpp (216862 => 216863)


--- trunk/Source/WebCore/storage/StorageEventDispatcher.cpp	2017-05-15 15:26:58 UTC (rev 216862)
+++ trunk/Source/WebCore/storage/StorageEventDispatcher.cpp	2017-05-15 17:24:14 UTC (rev 216863)
@@ -50,6 +50,8 @@
 
     // Send events only to our page.
     for (Frame* frame = &page->mainFrame(); frame; frame = frame->tree().traverseNext()) {
+        if (!frame->document())
+            continue;
         if (sourceFrame != frame && frame->document()->securityOrigin().equal(securityOrigin.securityOrigin().ptr()))
             frames.append(frame);
     }
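Review bot: the new `if (!frame->document()) continue;` guard is correct but silent; a one-line comment tying it to the WK1 case described in the ChangeLog (web thread still inside the iframe's Document constructor while the main thread dispatches a storage event) would stop a later reader from removing it as dead code, since on every other port a Frame in the tree is expected to have a Document by the time storage events are dispatched.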
@@ -68,6 +70,8 @@
     // Send events to every page.
     for (auto& pageInGroup : page->group().pages()) {
         for (Frame* frame = &pageInGroup->mainFrame(); frame; frame = frame->tree().traverseNext()) {
+            if (!frame->document())
+                continue;
             if (sourceFrame != frame && frame->document()->securityOrigin().equal(securityOrigin.securityOrigin().ptr()))
                 frames.append(frame);
         }
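Review bot: this loop body duplicates the one in dispatchSessionStorageEvents line for line, now including the new null guard; a small helper that collects the same-origin frames for one page would keep the two sites from drifting apart the next time one of them is patched. A minor style point: `sourceFrame != frame` is the cheaper test and could be checked first, although with the `continue` in place the ordering is no longer a correctness issue.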
@@ -82,6 +86,8 @@
 
     for (auto& frame : frames) {
         auto result = frame->document()->domWindow()->sessionStorage();
+        if (!frame->document())
+            continue;
         if (!result.hasException())
             frame->document()->enqueueWindowEvent(StorageEvent::create(eventNames().storageEvent, key, oldValue, newValue, url, result.releaseReturnValue()));
     }
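Review bot: the guard is placed after the dereference it is meant to protect. `auto result = frame->document()->domWindow()->sessionStorage();` already calls through `frame->document()` on the line above the new `if (!frame->document()) continue;`, so a null document crashes before the check ever runs. Move the check above the `auto result` line. It is also worth confirming whether `domWindow()` can be null for a frame in this state, since the guard does not cover that dereference either.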
@@ -94,6 +100,8 @@
 
     for (auto& frame : frames) {
         auto result = frame->document()->domWindow()->localStorage();
+        if (!frame->document())
+            continue;
         if (!result.hasException())
             frame->document()->enqueueWindowEvent(StorageEvent::create(eventNames().storageEvent, key, oldValue, newValue, url, result.releaseReturnValue()));
     }
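Review bot: same ordering problem as in dispatchSessionStorageEventsToFrames: `frame->document()` is dereferenced by `auto result = frame->document()->domWindow()->localStorage();` before the new `if (!frame->document()) continue;` is reached, so the check cannot prevent the crash it was added for. The `continue` should come first, before `auto result`.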
_______________________________________________
webkit-changes mailing list
webkit-changes@lists.webkit.org
https://lists.webkit.org/mailman/listinfo/webkit-changes
