- Revision
- 229683
- Author
- [email protected]
- Date
- 2018-03-16 14:17:27 -0700 (Fri, 16 Mar 2018)
Log Message
Set a trap to catch an infrequent form-related nullptr crash
https://bugs.webkit.org/show_bug.cgi?id=183704
<rdar://problem/37579354>
Reviewed by Ryosuke Niwa.
Source/WebCore:
Make FormState a FrameDestructionObserver. We expect all relevant FormState objects to have been
cleaned up prior to the frame being destroyed. If one is ever still alive at that point, we'd like a
stack trace showing how it got there.
* loader/FormState.cpp:
(WebCore::FormState::FormState):
(WebCore::FormState::willDetachPage): RELEASE_ASSERT_NOT_REACHED if we ever get here.
* loader/FormState.h:
Source/WebKit:
Add a RELEASE_ASSERT to see if we ever encounter a nullptr WebCore frame.
* WebProcess/WebCoreSupport/WebFrameLoaderClient.cpp:
(WebKit::WebFrameLoaderClient::dispatchWillSubmitForm):
Modified: trunk/Source/WebCore/ChangeLog (229682 => 229683)
--- trunk/Source/WebCore/ChangeLog 2018-03-16 21:01:25 UTC (rev 229682)
+++ trunk/Source/WebCore/ChangeLog 2018-03-16 21:17:27 UTC (rev 229683)
@@ -1,3 +1,20 @@
+2018-03-16 Brent Fulgham <[email protected]>
+
+ Set a trap to catch an infrequent form-related nullptr crash
+ https://bugs.webkit.org/show_bug.cgi?id=183704
+ <rdar://problem/37579354>
+
+ Reviewed by Ryosuke Niwa.
+
+ Make FormState a FrameDestructionObserver. We expect all relevant FormState objects to have been
+ cleaned up prior to the frame being destroyed. If we find such a case, we'd like to see the
+ stack trace to see what's going on.
+
+ * loader/FormState.cpp:
+ (WebCore::FormState::FormState):
+ (WebCore::FormState::willDetachPage): RELEASE_ASSERT_NOT_REACHED if we ever get here.
+ * loader/FormState.h:
+
2018-03-16 Joanmarie Diggs <[email protected]>
AX: AccessibilityNodeObject::textForLabelElement() doesn't follow AccName calculation rules
Modified: trunk/Source/WebCore/loader/FormState.cpp (229682 => 229683)
--- trunk/Source/WebCore/loader/FormState.cpp 2018-03-16 21:01:25 UTC (rev 229682)
+++ trunk/Source/WebCore/loader/FormState.cpp 2018-03-16 21:17:27 UTC (rev 229683)
@@ -35,11 +35,13 @@
namespace WebCore {
inline FormState::FormState(HTMLFormElement& form, StringPairVector&& textFieldValues, Document& sourceDocument, FormSubmissionTrigger formSubmissionTrigger)
- : m_form(form)
+ : FrameDestructionObserver(sourceDocument.frame())
+ , m_form(form)
, m_textFieldValues(WTFMove(textFieldValues))
, m_sourceDocument(sourceDocument)
, m_formSubmissionTrigger(formSubmissionTrigger)
{
+ RELEASE_ASSERT(sourceDocument.frame());
}
Ref<FormState> FormState::create(HTMLFormElement& form, StringPairVector&& textFieldValues, Document& sourceDocument, FormSubmissionTrigger formSubmissionTrigger)
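Review bot: `RELEASE_ASSERT(sourceDocument.frame())` in the constructor body runs only after the initializer list has already handed the same possibly-null pointer to `FrameDestructionObserver`, so the trap relies on that base tolerating a null frame, which the code assumes but never states. The assert also carries no comment linking it to the bug it is meant to catch; I would add `// <rdar://problem/37579354>: a FormState must never be created for a document that has already lost its frame.` directly above it. Note too that the observer is bound to the frame as it exists at construction, while `m_sourceDocument` is a separate reference whose `frame()` can presumably change later, so the two can drift apart without this assert ever firing. The constructor is complete within the hunk; `FormState::create` on the last line continues outside it.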
@@ -47,4 +49,10 @@
return adoptRef(*new FormState(form, WTFMove(textFieldValues), sourceDocument, formSubmissionTrigger));
}
+void FormState::willDetachPage()
+{
+ // Beartrap for <rdar://problem/37579354>
+ RELEASE_ASSERT_NOT_REACHED();
}
+
+}
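Review bot: Only `willDetachPage()` is trapped, but the symptom under investigation is `sourceDocument().frame()` being null, and as far as I recall a WebCore Document can be detached from a frame that stays alive (for example when a navigation replaces the frame's document), a path on which no page detach happens and this trap stays silent. If this version of `FrameDestructionObserver` also exposes a `frameDestroyed()` hook, it deserves the same `RELEASE_ASSERT_NOT_REACHED()` override, otherwise the base implementation will quietly drop the observed frame in precisely the case being hunted. The comment should state what the trap asserts rather than only name the radar: `// Beartrap for <rdar://problem/37579354>: a FormState must never outlive the frame of its source document; crash loudly with a usable stack if it does.` The deliberate crash has the same availability impact as the null dereference it replaces (the WebContent process terminates), which is acceptable for a diagnostic but should not become the permanent fix.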
Modified: trunk/Source/WebCore/loader/FormState.h (229682 => 229683)
--- trunk/Source/WebCore/loader/FormState.h 2018-03-16 21:01:25 UTC (rev 229682)
+++ trunk/Source/WebCore/loader/FormState.h 2018-03-16 21:17:27 UTC (rev 229683)
@@ -28,6 +28,7 @@
#pragma once
+#include "FrameDestructionObserver.h"
#include <wtf/text/WTFString.h>
namespace WebCore {
@@ -39,7 +40,7 @@
using StringPairVector = Vector<std::pair<String, String>>;
-class FormState : public RefCounted<FormState> {
+class FormState : public RefCounted<FormState>, public FrameDestructionObserver {
public:
static Ref<FormState> create(HTMLFormElement&, StringPairVector&& textFieldValues, Document&, FormSubmissionTrigger);
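Review bot: The class gains a second, polymorphic base with no comment explaining that it exists purely as a diagnostic trap rather than as part of FormState's contract; I would add above the class: `// FrameDestructionObserver is only used to trap (RELEASE_ASSERT) a FormState that outlives its source frame; see <rdar://problem/37579354>.` Since the object is reclaimed through `RefCounted<FormState>`, which I believe deletes via the concrete `FormState*` and not through the new virtual base, marking the class `final` (`class FormState final : public RefCounted<FormState>, public FrameDestructionObserver {`) would make that assumption explicit and stop a future subclass from turning the ref-counted delete into a sliced delete. The remainder of the class body lies outside this hunk.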
@@ -50,6 +51,7 @@
private:
FormState(HTMLFormElement&, StringPairVector&& textFieldValues, Document&, FormSubmissionTrigger);
+ void willDetachPage() override;
Ref<HTMLFormElement> m_form;
StringPairVector m_textFieldValues;
Modified: trunk/Source/WebKit/ChangeLog (229682 => 229683)
--- trunk/Source/WebKit/ChangeLog 2018-03-16 21:01:25 UTC (rev 229682)
+++ trunk/Source/WebKit/ChangeLog 2018-03-16 21:17:27 UTC (rev 229683)
@@ -1,3 +1,16 @@
+2018-03-16 Brent Fulgham <[email protected]>
+
+ Set a trap to catch an infrequent form-related nullptr crash
+ https://bugs.webkit.org/show_bug.cgi?id=183704
+ <rdar://problem/37579354>
+
+ Reviewed by Ryosuke Niwa.
+
+ Add a RELEASE_ASSERT to see if we ever encounter a nullptr WebCore frame.
+
+ * WebProcess/WebCoreSupport/WebFrameLoaderClient.cpp:
+ (WebKit::WebFrameLoaderClient::dispatchWillSubmitForm):
+
2018-03-16 Jer Noble <[email protected]>
Make Fullscreen API an Experimental Feature
Modified: trunk/Source/WebKit/WebProcess/WebCoreSupport/WebFrameLoaderClient.cpp (229682 => 229683)
--- trunk/Source/WebKit/WebProcess/WebCoreSupport/WebFrameLoaderClient.cpp 2018-03-16 21:01:25 UTC (rev 229682)
+++ trunk/Source/WebKit/WebProcess/WebCoreSupport/WebFrameLoaderClient.cpp 2018-03-16 21:17:27 UTC (rev 229683)
@@ -939,7 +939,9 @@
auto& form = formState.form();
- auto* sourceFrame = WebFrame::fromCoreFrame(*formState.sourceDocument().frame());
+ auto* sourceCoreFrame = formState.sourceDocument().frame();
+ RELEASE_ASSERT(sourceCoreFrame);
+ auto* sourceFrame = WebFrame::fromCoreFrame(*sourceCoreFrame);
ASSERT(sourceFrame);
auto& values = formState.textFieldValues();
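Review bot: The `ASSERT(sourceFrame)` on the line after the new `RELEASE_ASSERT` is still debug-only, so if `WebFrame::fromCoreFrame` can return null (presumably when the core frame has no WebKit client) and `sourceFrame` is dereferenced further down in `dispatchWillSubmitForm`, a release build would still hit a plain null dereference one statement past the trap; promoting it to `RELEASE_ASSERT(sourceFrame);` keeps the two checks consistent and yields the same attributable crash. It is also worth a comment making clear the assert is a temporary diagnostic and not input validation, e.g. `// <rdar://problem/37579354>: trap a form submission whose source document has already lost its frame.`, since the null-frame state is evidently reachable from web content and the long-term fix should cancel the submission rather than terminate the WebContent process. `dispatchWillSubmitForm` begins and ends outside the hunk.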