Title: [231579] trunk/Source/WebCore
Revision
231579
Author
[email protected]
Date
2018-05-09 11:42:05 -0700 (Wed, 09 May 2018)

Log Message

REGRESSION (r231479): com.apple.WebCore crash in WebCore::DocumentLoader::stopLoadingAfterXFrameOptionsOrContentSecurityPolicyDenied()
https://bugs.webkit.org/show_bug.cgi?id=185475
<rdar://problem/40093853>

Reviewed by Andy Estes.

DocumentLoader::stopLoadingAfterXFrameOptionsOrContentSecurityPolicyDenied() must extend its lifetime
until completion, as dispatching a DOM load event at the associated frame can cause JavaScript execution
that can do anything, including destroying the loader that dispatched the event.

Following r231479, DocumentLoader::stopLoadingAfterXFrameOptionsOrContentSecurityPolicyDenied() is now
invoked by both DocumentLoader::responseReceived() and WebResourceLoader::stopLoadingAfterXFrameOptionsOrContentSecurityPolicyDenied().
The latter can only happen when using WebKit2 and the experimental feature Restricted HTTP Response Access
is enabled (RuntimeEnabledFeatures::sharedFeatures().restrictedHTTPResponseAccess()). Unlike DocumentLoader::responseReceived(),
WebResourceLoader::stopLoadingAfterXFrameOptionsOrContentSecurityPolicyDenied() does not take out a ref
on the DocumentLoader before invoking DocumentLoader::stopLoadingAfterXFrameOptionsOrContentSecurityPolicyDenied().
Therefore, DocumentLoader::stopLoadingAfterXFrameOptionsOrContentSecurityPolicyDenied() can cause its
own destruction as a result of dispatching a DOM load event at the frame. We should take out a ref on
the DocumentLoader when executing DocumentLoader::stopLoadingAfterXFrameOptionsOrContentSecurityPolicyDenied().

* loader/DocumentLoader.cpp:
(WebCore::DocumentLoader::stopLoadingAfterXFrameOptionsOrContentSecurityPolicyDenied):

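Added example (not WebKit code) modelling the lifetime problem described in the log message: a callback run from inside a method drops the last reference to the object, and a local strong reference in the style of `protectedThis` keeps `this` valid until the method returns. `Loader`, `runScenario` and the use of `std::shared_ptr` in place of WebCore's `Ref`/`RefCounted` are assumptions for illustration.

```cpp
#include <cstdio>
#include <functional>
#include <memory>

// Stand-in for a ref-counted DocumentLoader (constructed for this example).
struct Loader : std::enable_shared_from_this<Loader> {
    std::function<void()> onLoadEvent;  // stands in for script run by the DOM load event
    bool* aliveFlag;                    // lives outside the object so destruction can be observed safely

    explicit Loader(bool* flag) : aliveFlag(flag) { *aliveFlag = true; }
    ~Loader() { *aliveFlag = false; }

    // Unsafe variant: nothing keeps |this| alive across the dispatch.
    bool stopLoadingUnprotected() {
        bool* flag = aliveFlag;         // copy out what we need before dispatching
        auto event = onLoadEvent;       // copy the callable so it outlives |this|
        event();                        // may drop the last reference to this loader
        return *flag;                   // only the external flag is read; |this| may be gone
    }

    // Safe variant: a local strong ref extends the lifetime until return,
    // mirroring `Ref<DocumentLoader> protectedThis { *this };` in the patch.
    bool stopLoadingProtected() {
        std::shared_ptr<Loader> protectedThis = shared_from_this();
        onLoadEvent();                  // the owner may let go, but protectedThis holds on
        return *aliveFlag;              // |this| is still valid here
    }
};

// Simulates a frame owning the loader while "script" run from the load event
// detaches it. Returns whether the loader was still alive after the dispatch.
bool runScenario(bool useGuard) {
    bool alive = false;
    auto owner = std::make_shared<Loader>(&alive);
    Loader* raw = owner.get();
    raw->onLoadEvent = [&owner] { owner.reset(); };  // destroys the loader mid-dispatch
    return useGuard ? raw->stopLoadingProtected() : raw->stopLoadingUnprotected();
}

int main() {
    std::printf("unprotected survives dispatch: %d\n", runScenario(false));  // 0
    std::printf("protected survives dispatch:   %d\n", runScenario(true));   // 1
    return 0;
}
```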
Diff

Modified: trunk/Source/WebCore/ChangeLog (231578 => 231579)


--- trunk/Source/WebCore/ChangeLog	2018-05-09 18:31:24 UTC (rev 231578)
+++ trunk/Source/WebCore/ChangeLog	2018-05-09 18:42:05 UTC (rev 231579)
@@ -1,3 +1,28 @@
+2018-05-09  Daniel Bates  <[email protected]>
+
+        REGRESSION (r231479): com.apple.WebCore crash in WebCore::DocumentLoader::stopLoadingAfterXFrameOptionsOrContentSecurityPolicyDenied()
+        https://bugs.webkit.org/show_bug.cgi?id=185475
+        <rdar://problem/40093853>
+
+        Reviewed by Andy Estes.
+
+        DocumentLoader::stopLoadingAfterXFrameOptionsOrContentSecurityPolicyDenied() must extends its lifetime
+        until completion as dispatching a DOM load event at the associated frame can cause _javascript_ execution
+        that can do anything, including destroying the loader that dispatched the event.
+
+        Following r231479 DocumentLoader::stopLoadingAfterXFrameOptionsOrContentSecurityPolicyDenied() is now
+        invoked by both DocumentLoader::responseReceived() and WebResourceLoader::stopLoadingAfterXFrameOptionsOrContentSecurityPolicyDenied().
+        The latter only can happen when using WebKit2 and the experimental feature Restricted HTTP Response Access
+        is enabled (RuntimeEnabledFeatures::sharedFeatures().restrictedHTTPResponseAccess()). Unlike DocumentLoader::responseReceived()
+        WebResourceLoader::stopLoadingAfterXFrameOptionsOrContentSecurityPolicyDenied() does not take out a ref
+        on the DocumentLoader before invoking DocumentLoader::stopLoadingAfterXFrameOptionsOrContentSecurityPolicyDenied().
+        Therefore, DocumentLoader::stopLoadingAfterXFrameOptionsOrContentSecurityPolicyDenied() can cause its
+        own destruction as a result of dispatching a DOM load event at the frame. We should take out a ref on
+        the DocumentLoader when executing DocumentLoader::stopLoadingAfterXFrameOptionsOrContentSecurityPolicyDenied().
+
+        * loader/DocumentLoader.cpp:
+        (WebCore::DocumentLoader::stopLoadingAfterXFrameOptionsOrContentSecurityPolicyDenied):
+
 2018-05-09  Tim Horton  <[email protected]>
 
         Fix the build by ignoring some deprecation warnings
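Review bot: the entry's first sentence has a grammar slip, "must extends its lifetime" should read "must extend its lifetime", and "The latter only can happen" reads more naturally as "The latter can only happen". The description otherwise matches the one-line change in DocumentLoader.cpp.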

Modified: trunk/Source/WebCore/loader/DocumentLoader.cpp (231578 => 231579)


--- trunk/Source/WebCore/loader/DocumentLoader.cpp	2018-05-09 18:31:24 UTC (rev 231578)
+++ trunk/Source/WebCore/loader/DocumentLoader.cpp	2018-05-09 18:42:05 UTC (rev 231579)
@@ -727,6 +727,7 @@
 
 void DocumentLoader::stopLoadingAfterXFrameOptionsOrContentSecurityPolicyDenied(unsigned long identifier, const ResourceResponse& response)
 {
+    Ref<DocumentLoader> protectedThis { *this };
     InspectorInstrumentation::continueAfterXFrameOptionsDenied(*m_frame, identifier, *this, response);
     m_frame->document()->enforceSandboxFlags(SandboxOrigin);
     if (HTMLFrameOwnerElement* ownerElement = m_frame->ownerElement())
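Review bot: `protectedThis` keeps the DocumentLoader alive, but the Frame reached through the raw `m_frame` pointer is dereferenced on every following line (`*m_frame`, `m_frame->document()`, `m_frame->ownerElement()`); since the ChangeLog says the load event dispatched later in this function can run arbitrary script, any `m_frame` or `document()` access after that dispatch (outside this hunk) still needs a null or detachment check, because keeping `this` alive does not keep the frame attached. A one-line comment above the new `Ref` stating that the load event below can destroy the loader would also help the next reader understand why the guard exists.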