Diff
Modified: trunk/Source/WebKit/ChangeLog (273928 => 273929)
--- trunk/Source/WebKit/ChangeLog 2021-03-04 23:58:19 UTC (rev 273928)
+++ trunk/Source/WebKit/ChangeLog 2021-03-05 00:12:41 UTC (rev 273929)
@@ -1,3 +1,42 @@
+2021-03-04 Sihui Liu <sihui_...@appe.com>
+
+ Validate documentState of FrameState when setting and getting it
+ https://bugs.webkit.org/show_bug.cgi?id=222587
+
+ Reviewed by Geoffrey Garen.
+
+ In rdar://48634553, strings of documentState can be invalid when they are encoded in encodeFrameStateNode
+ in UI process. To get a better idea of when the strings become invalid, add checks for documentState when
+ getting and setting it.
+
+ No test as no behavior change.
+
+ * Shared/SessionState.cpp:
+ (WebKit::FrameState::encode const):
+ (WebKit::FrameState::decode):
+ (WebKit::FrameState::validateDocumentState const):
+ (WebKit::FrameState::setDocumentState):
+ * Shared/SessionState.h:
+ (WebKit::FrameState::FrameState):
+ (WebKit::FrameState::~FrameState):
+ (WebKit::FrameState::documentState const):
+ * Shared/WebBackForwardListItem.cpp:
+ (WebKit::WebBackForwardListItem::create):
+ (WebKit::WebBackForwardListItem::~WebBackForwardListItem):
+ * UIProcess/API/glib/WebKitWebViewSessionState.cpp:
+ (encodeFrameState):
+ (decodeFrameState):
+ * UIProcess/Cocoa/SessionStateCoding.h:
+ * UIProcess/LegacySessionStateCoding.h:
+ * UIProcess/WebPageProxy.cpp:
+ (WebKit::WebPageProxy::sessionState const):
+ * UIProcess/mac/LegacySessionStateCoding.cpp:
+ (WebKit::encodeFrameStateNode):
+ (WebKit::decodeBackForwardTreeNode):
+ * WebProcess/WebCoreSupport/SessionStateConversion.cpp:
+ (WebKit::toFrameState):
+ (WebKit::applyFrameState):
+
2021-03-04 Tim Horton <timothy_hor...@apple.com>
Fix the build after r273904
Modified: trunk/Source/WebKit/Shared/SessionState.cpp (273928 => 273929)
--- trunk/Source/WebKit/Shared/SessionState.cpp 2021-03-04 23:58:19 UTC (rev 273928)
+++ trunk/Source/WebKit/Shared/SessionState.cpp 2021-03-05 00:12:41 UTC (rev 273929)
@@ -110,7 +110,7 @@
encoder << referrer;
encoder << target;
- encoder << documentState;
+ encoder << m_documentState;
encoder << stateObjectData;
encoder << documentSequenceNumber;
@@ -146,8 +146,10 @@
if (!decoder.decode(result.target))
return WTF::nullopt;
- if (!decoder.decode(result.documentState))
+ if (!decoder.decode(result.m_documentState))
return WTF::nullopt;
+ result.validateDocumentState();
+
if (!decoder.decode(result.stateObjectData))
return WTF::nullopt;
@@ -270,4 +272,30 @@
return {{ WTFMove(*items), WTFMove(currentIndex) }};
}
+void FrameState::validateDocumentState() const
+{
+ for (auto& stateString : m_documentState) {
+ if (stateString.isNull())
+ continue;
+
+ if (!stateString.is8Bit())
+ continue;
+
+ // rdar://48634553 indicates 8-bit string can be invalid.
+ const LChar* characters8 = stateString.characters8();
+ for (unsigned i = 0; i < stateString.length(); ++i) {
+ auto character = characters8[i];
+ RELEASE_ASSERT(isLatin1(character));
+ }
+ }
+}
+
+void FrameState::setDocumentState(const Vector<String>& documentState, ShouldValidate shouldValidate)
+{
+ m_documentState = documentState;
+
+ if (shouldValidate == ShouldValidate::Yes)
+ validateDocumentState();
+}
+
} // namespace WebKit
Modified: trunk/Source/WebKit/Shared/SessionState.h (273928 => 273929)
--- trunk/Source/WebKit/Shared/SessionState.h 2021-03-04 23:58:19 UTC (rev 273928)
+++ trunk/Source/WebKit/Shared/SessionState.h 2021-03-05 00:12:41 UTC (rev 273929)
@@ -33,6 +33,7 @@
#include <WebCore/SerializedScriptValue.h>
#include <wtf/EnumTraits.h>
#include <wtf/Optional.h>
+#include <wtf/RunLoop.h>
#include <wtf/URL.h>
#include <wtf/Vector.h>
#include <wtf/text/WTFString.h>
@@ -80,16 +81,24 @@
Vector<Element> elements;
};
-struct FrameState {
+class FrameState {
+public:
void encode(IPC::Encoder&) const;
static Optional<FrameState> decode(IPC::Decoder&);
+ // These are used to help debug <rdar://problem/48634553>.
+ FrameState() { RELEASE_ASSERT(RunLoop::isMain()); }
+ ~FrameState() { RELEASE_ASSERT(RunLoop::isMain()); }
+ const Vector<String>& documentState() const { return m_documentState; }
+ enum class ShouldValidate : bool { No, Yes };
+ void setDocumentState(const Vector<String>&, ShouldValidate = ShouldValidate::No);
+ void validateDocumentState() const;
+
String urlString;
String originalURLString;
String referrer;
String target;
- Vector<String> documentState;
Optional<Vector<uint8_t>> stateObjectData;
int64_t documentSequenceNumber { 0 };
@@ -113,9 +122,8 @@
Vector<FrameState> children;
- // This is only used to help debug <rdar://problem/48634553>.
- bool isDestructed { false };
- ~FrameState() { isDestructed = true; }
+private:
+ Vector<String> m_documentState;
};
struct PageState {
Modified: trunk/Source/WebKit/Shared/WebBackForwardListItem.cpp (273928 => 273929)
--- trunk/Source/WebKit/Shared/WebBackForwardListItem.cpp 2021-03-04 23:58:19 UTC (rev 273928)
+++ trunk/Source/WebKit/Shared/WebBackForwardListItem.cpp 2021-03-05 00:12:41 UTC (rev 273929)
@@ -39,6 +39,7 @@
Ref<WebBackForwardListItem> WebBackForwardListItem::create(BackForwardListItemState&& backForwardListItemState, WebPageProxyIdentifier pageID)
{
+ RELEASE_ASSERT(RunLoop::isMain());
return adoptRef(*new WebBackForwardListItem(WTFMove(backForwardListItemState), pageID));
}
@@ -53,6 +54,7 @@
WebBackForwardListItem::~WebBackForwardListItem()
{
+ RELEASE_ASSERT(RunLoop::isMain());
ASSERT(allItems().get(m_itemState.identifier) == this);
allItems().remove(m_itemState.identifier);
removeFromBackForwardCache();
Modified: trunk/Source/WebKit/UIProcess/API/glib/WebKitWebViewSessionState.cpp (273928 => 273929)
--- trunk/Source/WebKit/UIProcess/API/glib/WebKitWebViewSessionState.cpp 2021-03-04 23:58:19 UTC (rev 273928)
+++ trunk/Source/WebKit/UIProcess/API/glib/WebKitWebViewSessionState.cpp 2021-03-05 00:12:41 UTC (rev 273929)
@@ -162,7 +162,7 @@
g_variant_builder_add(sessionBuilder, "s", frameState.referrer.utf8().data());
g_variant_builder_add(sessionBuilder, "s", frameState.target.utf8().data());
g_variant_builder_open(sessionBuilder, G_VARIANT_TYPE("as"));
- for (const auto& state : frameState.documentState)
+ for (const auto& state : frameState.documentState())
g_variant_builder_add(sessionBuilder, "s", state.utf8().data());
g_variant_builder_close(sessionBuilder);
if (!frameState.stateObjectData)
@@ -305,10 +305,12 @@
frameState.referrer = String::fromUTF8(referrer);
frameState.target = String::fromUTF8(target);
if (gsize documentStateLength = g_variant_iter_n_children(documentStateIter.get())) {
- frameState.documentState.reserveInitialCapacity(documentStateLength);
+ Vector<String> documentState;
+ documentState.reserveInitialCapacity(documentStateLength);
const char* documentStateString;
while (g_variant_iter_next(documentStateIter.get(), "&s", &documentStateString))
- frameState.documentState.uncheckedAppend(String::fromUTF8(documentStateString));
+ documentState.uncheckedAppend(String::fromUTF8(documentStateString));
+ frameState.setDocumentState(documentState);
}
if (stateObjectDataIter) {
Vector<uint8_t> stateObjectVector;
Modified: trunk/Source/WebKit/UIProcess/Cocoa/SessionStateCoding.h (273928 => 273929)
--- trunk/Source/WebKit/UIProcess/Cocoa/SessionStateCoding.h 2021-03-04 23:58:19 UTC (rev 273928)
+++ trunk/Source/WebKit/UIProcess/Cocoa/SessionStateCoding.h 2021-03-05 00:12:41 UTC (rev 273929)
@@ -30,7 +30,6 @@
namespace WebKit {
-struct FrameState;
struct SessionState;
RetainPtr<NSData> encodeSessionState(const SessionState&);
Modified: trunk/Source/WebKit/UIProcess/LegacySessionStateCoding.h (273928 => 273929)
--- trunk/Source/WebKit/UIProcess/LegacySessionStateCoding.h 2021-03-04 23:58:19 UTC (rev 273928)
+++ trunk/Source/WebKit/UIProcess/LegacySessionStateCoding.h 2021-03-05 00:12:41 UTC (rev 273929)
@@ -34,7 +34,6 @@
namespace WebKit {
-struct FrameState;
struct SessionState;
RefPtr<API::Data> encodeLegacySessionState(const SessionState&);
Modified: trunk/Source/WebKit/UIProcess/WebPageProxy.cpp (273928 => 273929)
--- trunk/Source/WebKit/UIProcess/WebPageProxy.cpp 2021-03-04 23:58:19 UTC (rev 273928)
+++ trunk/Source/WebKit/UIProcess/WebPageProxy.cpp 2021-03-05 00:12:41 UTC (rev 273929)
@@ -3582,6 +3582,7 @@
SessionState WebPageProxy::sessionState(WTF::Function<bool (WebBackForwardListItem&)>&& filter) const
{
+ RELEASE_ASSERT(RunLoop::isMain());
SessionState sessionState;
sessionState.backForwardListState = m_backForwardList->backForwardListState(WTFMove(filter));
Modified: trunk/Source/WebKit/UIProcess/mac/LegacySessionStateCoding.cpp (273928 => 273929)
--- trunk/Source/WebKit/UIProcess/mac/LegacySessionStateCoding.cpp 2021-03-04 23:58:19 UTC (rev 273928)
+++ trunk/Source/WebKit/UIProcess/mac/LegacySessionStateCoding.cpp 2021-03-05 00:12:41 UTC (rev 273929)
@@ -323,9 +323,7 @@
{
encoder << static_cast<uint64_t>(frameState.children.size());
- RELEASE_ASSERT(!frameState.isDestructed);
for (const auto& childFrameState : frameState.children) {
- RELEASE_ASSERT(!childFrameState.isDestructed);
encoder << childFrameState.originalURLString;
encoder << childFrameState.urlString;
@@ -334,8 +332,9 @@
encoder << frameState.documentSequenceNumber;
- encoder << static_cast<uint64_t>(frameState.documentState.size());
- for (const auto& documentState : frameState.documentState)
+ frameState.validateDocumentState();
+ encoder << static_cast<uint64_t>(frameState.documentState().size());
+ for (const auto& documentState : frameState.documentState())
encoder << documentState;
if (frameState.httpBody) {
@@ -899,6 +898,7 @@
uint64_t documentStateVectorSize;
decoder >> documentStateVectorSize;
+ Vector<String> documentState;
for (uint64_t i = 0; i < documentStateVectorSize; ++i) {
String state;
decoder >> state;
@@ -906,8 +906,9 @@
if (!decoder.isValid())
return;
- frameState.documentState.append(WTFMove(state));
+ documentState.append(WTFMove(state));
}
+ frameState.setDocumentState(documentState, FrameState::ShouldValidate::Yes);
String formContentType;
decoder >> formContentType;
Modified: trunk/Source/WebKit/WebProcess/WebCoreSupport/SessionStateConversion.cpp (273928 => 273929)
--- trunk/Source/WebKit/WebProcess/WebCoreSupport/SessionStateConversion.cpp 2021-03-04 23:58:19 UTC (rev 273928)
+++ trunk/Source/WebKit/WebProcess/WebCoreSupport/SessionStateConversion.cpp 2021-03-05 00:12:41 UTC (rev 273929)
@@ -72,7 +72,7 @@
frameState.referrer = historyItem.referrer();
frameState.target = historyItem.target();
- frameState.documentState = historyItem.documentState();
+ frameState.setDocumentState(historyItem.documentState());
if (RefPtr<SerializedScriptValue> stateObject = historyItem.stateObject())
frameState.stateObjectData = stateObject->data();
@@ -148,7 +148,7 @@
historyItem.setReferrer(frameState.referrer);
historyItem.setTarget(frameState.target);
- historyItem.setDocumentState(frameState.documentState);
+ historyItem.setDocumentState(frameState.documentState());
if (frameState.stateObjectData) {
Vector<uint8_t> stateObjectData = frameState.stateObjectData.value();