Modified: releases/WebKitGTK/webkit-2.22/Source/WebKit/ChangeLog (238983 => 238984)
--- releases/WebKitGTK/webkit-2.22/Source/WebKit/ChangeLog 2018-12-08 00:25:29 UTC (rev 238983)
+++ releases/WebKitGTK/webkit-2.22/Source/WebKit/ChangeLog 2018-12-08 00:25:31 UTC (rev 238984)
@@ -1,3 +1,31 @@
+2018-09-19 Chris Dumez <[email protected]>
+
+ Crash under WebPageProxy::decidePolicyForNavigationAction()
+ https://bugs.webkit.org/show_bug.cgi?id=189763
+ <rdar://problem/44597111>
+
+ Reviewed by Alex Christensen.
+
+ Update WebNavigationState::navigation() / WebNavigationState::takeNavigation()
+ to return a pointer instead of a reference as we have evidence that they can
+ return null. I kept the debug assertions to try and catch the cases where we
+ return null but at least we stop crashing in release builds.
+
+ * UIProcess/WebNavigationState.cpp:
+ (WebKit::WebNavigationState::navigation):
+ (WebKit::WebNavigationState::takeNavigation):
+ * UIProcess/WebNavigationState.h:
+ * UIProcess/WebPageProxy.cpp:
+ (WebKit::WebPageProxy::didStartProvisionalLoadForFrame):
+ (WebKit::WebPageProxy::didReceiveServerRedirectForProvisionalLoadForFrame):
+ (WebKit::WebPageProxy::didCommitLoadForFrame):
+ (WebKit::WebPageProxy::didFinishDocumentLoadForFrame):
+ (WebKit::WebPageProxy::didFinishLoadForFrame):
+ (WebKit::WebPageProxy::didFailLoadForFrame):
+ (WebKit::WebPageProxy::didSameDocumentNavigationForFrame):
+ (WebKit::WebPageProxy::decidePolicyForNavigationAction):
+ (WebKit::WebPageProxy::decidePolicyForResponse):
+
2018-11-16 Jiewen Tan <[email protected]>
Disallow loading webarchives as iframes
Modified: releases/WebKitGTK/webkit-2.22/Source/WebKit/UIProcess/WebNavigationState.cpp (238983 => 238984)
--- releases/WebKitGTK/webkit-2.22/Source/WebKit/UIProcess/WebNavigationState.cpp 2018-12-08 00:25:29 UTC (rev 238983)
+++ releases/WebKitGTK/webkit-2.22/Source/WebKit/UIProcess/WebNavigationState.cpp 2018-12-08 00:25:31 UTC (rev 238984)
@@ -77,20 +77,20 @@
return navigation;
}
-API::Navigation& WebNavigationState::navigation(uint64_t navigationID)
+API::Navigation* WebNavigationState::navigation(uint64_t navigationID)
{
ASSERT(navigationID);
ASSERT(m_navigations.contains(navigationID));
- return *m_navigations.get(navigationID);
+ return m_navigations.get(navigationID);
}
-Ref<API::Navigation> WebNavigationState::takeNavigation(uint64_t navigationID)
+RefPtr<API::Navigation> WebNavigationState::takeNavigation(uint64_t navigationID)
{
ASSERT(navigationID);
ASSERT(m_navigations.contains(navigationID));
- return m_navigations.take(navigationID).releaseNonNull();
+ return m_navigations.take(navigationID);
}
void WebNavigationState::didDestroyNavigation(uint64_t navigationID)
Modified: releases/WebKitGTK/webkit-2.22/Source/WebKit/UIProcess/WebNavigationState.h (238983 => 238984)
--- releases/WebKitGTK/webkit-2.22/Source/WebKit/UIProcess/WebNavigationState.h 2018-12-08 00:25:29 UTC (rev 238983)
+++ releases/WebKitGTK/webkit-2.22/Source/WebKit/UIProcess/WebNavigationState.h 2018-12-08 00:25:31 UTC (rev 238984)
@@ -53,8 +53,8 @@
Ref<API::Navigation> createReloadNavigation();
Ref<API::Navigation> createLoadDataNavigation();
- API::Navigation& navigation(uint64_t navigationID);
- Ref<API::Navigation> takeNavigation(uint64_t navigationID);
+ API::Navigation* navigation(uint64_t navigationID);
+ RefPtr<API::Navigation> takeNavigation(uint64_t navigationID);
void didDestroyNavigation(uint64_t navigationID);
void clearAllNavigations();
Modified: releases/WebKitGTK/webkit-2.22/Source/WebKit/UIProcess/WebPageProxy.cpp (238983 => 238984)
--- releases/WebKitGTK/webkit-2.22/Source/WebKit/UIProcess/WebPageProxy.cpp 2018-12-08 00:25:29 UTC (rev 238983)
+++ releases/WebKitGTK/webkit-2.22/Source/WebKit/UIProcess/WebPageProxy.cpp 2018-12-08 00:25:31 UTC (rev 238984)
@@ -3431,7 +3431,7 @@
// FIXME: We should message check that navigationID is not zero here, but it's currently zero for some navigations through the page cache.
RefPtr<API::Navigation> navigation;
if (frame->isMainFrame() && navigationID)
- navigation = &navigationState().navigation(navigationID);
+ navigation = navigationState().navigation(navigationID);
// If this seemingly new load is actually continuing a server redirect for a previous navigation in a new process,
// then we ignore this notification.
@@ -3479,7 +3479,7 @@
// FIXME: We should message check that navigationID is not zero here, but it's currently zero for some navigations through the page cache.
RefPtr<API::Navigation> navigation;
if (navigationID) {
- navigation = &navigationState().navigation(navigationID);
+ navigation = navigationState().navigation(navigationID);
navigation->appendRedirectionURL(request.url());
}
@@ -3612,7 +3612,7 @@
// FIXME: We should message check that navigationID is not zero here, but it's currently zero for some navigations through the page cache.
RefPtr<API::Navigation> navigation;
if (frame->isMainFrame() && navigationID)
- navigation = &navigationState().navigation(navigationID);
+ navigation = navigationState().navigation(navigationID);
m_process->didCommitProvisionalLoad();
@@ -3699,7 +3699,7 @@
// FIXME: We should message check that navigationID is not zero here, but it's currently zero for some navigations through the page cache.
RefPtr<API::Navigation> navigation;
if (frame->isMainFrame() && navigationID)
- navigation = &navigationState().navigation(navigationID);
+ navigation = navigationState().navigation(navigationID);
if (m_navigationClient) {
if (frame->isMainFrame())
@@ -3720,7 +3720,7 @@
// FIXME: We should message check that navigationID is not zero here, but it's currently zero for some navigations through the page cache.
RefPtr<API::Navigation> navigation;
if (frame->isMainFrame() && navigationID)
- navigation = &navigationState().navigation(navigationID);
+ navigation = navigationState().navigation(navigationID);
auto transaction = m_pageLoadState.transaction();
@@ -3764,7 +3764,7 @@
// FIXME: We should message check that navigationID is not zero here, but it's currently zero for some navigations through the page cache.
RefPtr<API::Navigation> navigation;
if (frame->isMainFrame() && navigationID)
- navigation = &navigationState().navigation(navigationID);
+ navigation = navigationState().navigation(navigationID);
clearLoadDependentCallbacks();
@@ -3806,7 +3806,7 @@
// FIXME: We should message check that navigationID is not zero here, but it's currently zero for some navigations through the page cache.
RefPtr<API::Navigation> navigation;
if (frame->isMainFrame() && navigationID)
- navigation = &navigationState().navigation(navigationID);
+ navigation = navigationState().navigation(navigationID);
auto transaction = m_pageLoadState.transaction();
@@ -4001,7 +4001,7 @@
RefPtr<API::Navigation> navigation;
if (navigationID)
- navigation = makeRef(m_navigationState->navigation(navigationID));
+ navigation = m_navigationState->navigation(navigationID);
if (auto targetBackForwardItemIdentifier = navigationActionData.targetBackForwardItemIdentifier) {
if (auto* item = m_backForwardList->itemForID(*navigationActionData.targetBackForwardItemIdentifier)) {
@@ -4031,7 +4031,7 @@
#if ENABLE(CONTENT_FILTERING)
if (frame->didHandleContentFilterUnblockNavigation(request))
- return receivedPolicyDecision(PolicyAction::Ignore, &m_navigationState->navigation(newNavigationID), std::nullopt, WTFMove(sender));
+ return receivedPolicyDecision(PolicyAction::Ignore, m_navigationState->navigation(newNavigationID), std::nullopt, WTFMove(sender));
#else
UNUSED_PARAM(newNavigationID);
#endif
@@ -4141,7 +4141,7 @@
MESSAGE_CHECK_URL(request.url());
MESSAGE_CHECK_URL(response.url());
- RefPtr<API::Navigation> navigation = navigationID ? &m_navigationState->navigation(navigationID) : nullptr;
+ RefPtr<API::Navigation> navigation = navigationID ? m_navigationState->navigation(navigationID) : nullptr;
auto listener = makeRef(frame->setUpPolicyListenerProxy([this, protectedThis = makeRef(*this), frameID, listenerID, navigation = WTFMove(navigation)] (WebCore::PolicyAction policyAction, API::WebsitePolicies*, ShouldProcessSwapIfPossible swap, Vector<SafeBrowsingResult>&& safeBrowsingResults) mutable {
// FIXME: Assert the API::WebsitePolicies* is nullptr here once clients of WKFramePolicyListenerUseWithPolicies go away.
RELEASE_ASSERT(swap == ShouldProcessSwapIfPossible::No);
