Title: [237825] trunk
Revision: 237825
Author: [email protected]
Date: 2018-11-05 11:58:05 -0800 (Mon, 05 Nov 2018)

Log Message

Crash under DOMWindow::postMessageTimerFired()
https://bugs.webkit.org/show_bug.cgi?id=191217
<rdar://problem/40888466>

Reviewed by Geoffrey Garen.

Source/WebCore:

Protect the frame in DOMWindow::postMessageTimerFired() before calling dispatchEvent() as dispatching the
event may cause JS to run and this JS may cause the frame to be destroyed, in which case we will crash
when trying to use the frame on the next line.

Test: fast/dom/Window/remove-frame-in-message-event-handler.html

* page/DOMWindow.cpp:
(WebCore::DOMWindow::postMessageTimerFired):

LayoutTests:

Add layout test coverage.

* fast/dom/Window/remove-frame-in-message-event-handler-expected.txt: Added.
* fast/dom/Window/remove-frame-in-message-event-handler.html: Added.
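The lifetime hazard the log message describes, reduced to a self-contained C++ sketch. This is an added example, not WebKit code: `Frame`, `FrameRef` and `Window` are toy stand-ins for `WTF::RefCounted`, `WTF::Ref<>` and the object that owns the frame, and the handler lambda plays the role of the JS message event handler that removes the iframe.

```cpp
#include <functional>
#include <utility>

// Toy intrusive ref counting (assumption: stands in for WTF::RefCounted, not the real type).
struct Frame {
    bool* destroyed;
    int refCount = 1;
    explicit Frame(bool* flag) : destroyed(flag) {}
    void ref() { ++refCount; }
    void deref() { if (--refCount == 0) { *destroyed = true; delete this; } }
};

struct FrameRef {                   // RAII strong reference, like Ref<Frame>
    Frame* ptr;
    explicit FrameRef(Frame& f) : ptr(&f) { ptr->ref(); }
    ~FrameRef() { ptr->deref(); }
    FrameRef(const FrameRef&) = delete;
    FrameRef& operator=(const FrameRef&) = delete;
};

struct Window {                     // holds the only reference, like the frame's owner
    Frame* frame = nullptr;
    std::function<void()> handler;  // stands in for the JS message event handler
    void detachFrame() { if (Frame* f = std::exchange(frame, nullptr)) f->deref(); }
};

// Pre-fix shape: a raw pointer held across the dispatch. Returns whether the frame survived.
bool dispatchUnprotected(Window& w, bool& destroyed) {
    Frame* frame = w.frame;         // auto* frame = this->frame();
    w.handler();                    // JS runs and may detach and destroy the frame
    (void)frame;                    // any use of *frame here would be a use-after-free
    return !destroyed;
}

// Fixed shape: a local strong reference pins the frame for the whole function.
bool dispatchProtected(Window& w, bool& destroyed) {
    FrameRef frame(*w.frame);       // Ref<Frame> frame = *this->frame();
    w.handler();
    return !destroyed;              // still alive here, so using frame.ptr is safe
}                                   // reference released only after the last use

// Scenario from the layout test: the handler removes the frame mid-dispatch.
bool frameSurvivesDispatch(bool protect) {
    bool destroyed = false;
    Window w;
    w.frame = new Frame(&destroyed);
    w.handler = [&w] { w.detachFrame(); };
    bool survived = protect ? dispatchProtected(w, destroyed) : dispatchUnprotected(w, destroyed);
    return survived && destroyed;   // outlived the dispatch, and was freed afterwards (no leak)
}
```

Only the protected form keeps the object alive until the dispatching function has finished with it; the unprotected form sees the frame destroyed while the handler is still on the stack.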

Diff

Modified: trunk/LayoutTests/ChangeLog (237824 => 237825)


--- trunk/LayoutTests/ChangeLog	2018-11-05 19:38:57 UTC (rev 237824)
+++ trunk/LayoutTests/ChangeLog	2018-11-05 19:58:05 UTC (rev 237825)
@@ -1,3 +1,16 @@
+2018-11-05  Chris Dumez  <[email protected]>
+
+        Crash under DOMWindow::postMessageTimerFired()
+        https://bugs.webkit.org/show_bug.cgi?id=191217
+        <rdar://problem/40888466>
+
+        Reviewed by Geoffrey Garen.
+
+        Add layout test coverage.
+
+        * fast/dom/Window/remove-frame-in-message-event-handler-expected.txt: Added.
+        * fast/dom/Window/remove-frame-in-message-event-handler.html: Added.
+
 2018-11-05  Wenson Hsieh  <[email protected]>
 
         [iOS] Changing view scale sometimes does not zoom the page to the new initial scale when the page is zoomed in when ignoring meta viewport

Added: trunk/LayoutTests/fast/dom/Window/remove-frame-in-message-event-handler-expected.txt (0 => 237825)


--- trunk/LayoutTests/fast/dom/Window/remove-frame-in-message-event-handler-expected.txt	                        (rev 0)
+++ trunk/LayoutTests/fast/dom/Window/remove-frame-in-message-event-handler-expected.txt	2018-11-05 19:58:05 UTC (rev 237825)
@@ -0,0 +1,9 @@
+Make sure that we do not crash when a frame gets detached in a message event handler.
+
+On success, you will see a series of "PASS" messages, followed by "TEST COMPLETE".
+
+
+PASS successfullyParsed is true
+
+TEST COMPLETE
+

Added: trunk/LayoutTests/fast/dom/Window/remove-frame-in-message-event-handler.html (0 => 237825)


--- trunk/LayoutTests/fast/dom/Window/remove-frame-in-message-event-handler.html	                        (rev 0)
+++ trunk/LayoutTests/fast/dom/Window/remove-frame-in-message-event-handler.html	2018-11-05 19:58:05 UTC (rev 237825)
@@ -0,0 +1,21 @@
+<!DOCTYPE html>
+<html>
+<body>
+<script src=""
+<iframe id="subframe"></iframe>
+<script>
+description("Make sure that we do not crash when a frame gets detached in a message event handler.");
+jsTestIsAsync = true;
+
+_onload_ = function() {
+    frames[0]._onmessage_ = function(msg) {
+        subframe.remove();
+        gc();
+        setTimeout(finishJSTest, 0);
+    }
+
+    frames[0].postMessage("foo", "*");
+}
+</script>
+</body>
+</html>
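Review bot: the harness include on the `<script src=""` line is broken: the `src` is empty and the tag is never closed, yet `description()`, `jsTestIsAsync` and `finishJSTest` all come from the js-test harness, so as written the test cannot run; the line should reference the js-test script and close with `</script>`. The handler properties are also spelled `_onload_` and `_onmessage_`, which are not the DOM `onload` / `onmessage` attributes, so neither handler would be invoked and `finishJSTest` would never be reached; they should read `onload = function() {` and `frames[0].onmessage = function(msg) {`. A short comment explaining why `gc()` is called after `subframe.remove()` (to free the detached frame before the timer fires again) would help future readers.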

Modified: trunk/Source/WebCore/ChangeLog (237824 => 237825)


--- trunk/Source/WebCore/ChangeLog	2018-11-05 19:38:57 UTC (rev 237824)
+++ trunk/Source/WebCore/ChangeLog	2018-11-05 19:58:05 UTC (rev 237825)
@@ -1,3 +1,20 @@
+2018-11-05  Chris Dumez  <[email protected]>
+
+        Crash under DOMWindow::postMessageTimerFired()
+        https://bugs.webkit.org/show_bug.cgi?id=191217
+        <rdar://problem/40888466>
+
+        Reviewed by Geoffrey Garen.
+
+        Protect the frame in DOMWindow::postMessageTimerFired() before calling dispatchEvent() as dispatching the
+        event may cause JS to run and this JS may cause the frame to be destroyed, in which case we will crash
+        when trying to use the frame on the next line.
+
+        Test: fast/dom/Window/remove-frame-in-message-event-handler.html
+
+        * page/DOMWindow.cpp:
+        (WebCore::DOMWindow::postMessageTimerFired):
+
 2018-11-05  Thibault Saunier  <[email protected]>
 
         [GStreamer] Fix EncodedImage timestamps to match what libWebRTC expects

Modified: trunk/Source/WebCore/page/DOMWindow.cpp (237824 => 237825)


--- trunk/Source/WebCore/page/DOMWindow.cpp	2018-11-05 19:38:57 UTC (rev 237824)
+++ trunk/Source/WebCore/page/DOMWindow.cpp	2018-11-05 19:58:05 UTC (rev 237825)
@@ -904,7 +904,7 @@
     if (!document() || !isCurrentlyDisplayedInFrame())
         return;
 
-    auto* frame = this->frame();
+    Ref<Frame> frame = *this->frame();
     if (auto* intendedTargetOrigin = timer.targetOrigin()) {
         // Check target origin now since the target document may have changed since the timer was scheduled.
         if (!intendedTargetOrigin->isSameSchemeHostPort(document()->securityOrigin())) {
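Review bot: `Ref<Frame> frame = *this->frame();` dereferences `this->frame()` unconditionally; this is only safe because the `isCurrentlyDisplayedInFrame()` early return above guarantees a non-null frame, and a one-line comment stating that invariant would make the dereference obviously correct to the next reader. Note also that the `Ref` keeps the `Frame` object alive across `dispatchEvent()`, but does not keep it attached to its page, so code after the dispatch must tolerate a frame that is alive but detached.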
@@ -916,16 +916,16 @@
                     pageConsole->addMessage(MessageSource::Security, MessageLevel::Error, message);
             }
 
-            InspectorInstrumentation::didFailPostMessage(*frame, timer);
+            InspectorInstrumentation::didFailPostMessage(frame, timer);
             return;
         }
     }
 
-    InspectorInstrumentation::willDispatchPostMessage(*frame, timer);
+    InspectorInstrumentation::willDispatchPostMessage(frame, timer);
 
     dispatchEvent(timer.event(*document()));
 
-    InspectorInstrumentation::didDispatchPostMessage(*frame, timer);
+    InspectorInstrumentation::didDispatchPostMessage(frame, timer);
 }
 
 DOMSelection* DOMWindow::getSelection()
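Review bot: `InspectorInstrumentation::didDispatchPostMessage(frame, timer);` now runs on a frame that the event handler may have detached (the log message and the new layout test describe exactly this); please confirm that the instrumentation path handles a frame whose page is gone, or guard the call on the frame still being attached. Passing the `Ref<Frame>` where a `Frame&` is expected relies on `Ref`'s implicit conversion, which is fine, but keeping `*frame` at the three call sites would make it explicit that the instrumentation takes a reference rather than a `Ref`.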
_______________________________________________
webkit-changes mailing list
[email protected]
https://lists.webkit.org/mailman/listinfo/webkit-changes
