Title: [241848] trunk/Source/WebCore
- Revision
- 241848
- Author
- [email protected]
- Date
- 2019-02-20 16:06:27 -0800 (Wed, 20 Feb 2019)
Log Message
Crash in DOMWindowExtension::suspendForPageCache
https://bugs.webkit.org/show_bug.cgi?id=194871
Reviewed by Chris Dumez.
This is a speculative fix for a crash in DOMWindowExtension::suspendForPageCache.
We think it's possible for DOMWindowExtension::suspendForPageCache notifying the clients via
dispatchWillDisconnectDOMWindowExtensionFromGlobalObject to remove other DOMWindowExtensions.
Check that each DOMWindowProperty is still in m_properties before invoking suspendForPageCache
to avoid the crash.
* page/DOMWindow.cpp:
(WebCore::DOMWindow::willDestroyCachedFrame):
(WebCore::DOMWindow::willDestroyDocumentInFrame):
(WebCore::DOMWindow::willDetachDocumentFromFrame):
(WebCore::DOMWindow::suspendForPageCache):
(WebCore::DOMWindow::resumeFromPageCache):
* page/DOMWindowExtension.cpp:
(WebCore::DOMWindowExtension::suspendForPageCache):
Modified Paths
Diff
Modified: trunk/Source/WebCore/ChangeLog (241847 => 241848)
--- trunk/Source/WebCore/ChangeLog 2019-02-21 00:03:17 UTC (rev 241847)
+++ trunk/Source/WebCore/ChangeLog 2019-02-21 00:06:27 UTC (rev 241848)
@@ -1,3 +1,26 @@
+2019-02-20 Ryosuke Niwa <[email protected]>
+
+ Crash in DOMWindowExtension::suspendForPageCache
+ https://bugs.webkit.org/show_bug.cgi?id=194871
+
+ Reviewed by Chris Dumez.
+
+ This is a speculative fix for a crash in DOMWindowExtension::suspendForPageCache.
+
+ We think it's possible for DOMWindowExtension::suspendForPageCache notifying the clients via
+ dispatchWillDisconnectDOMWindowExtensionFromGlobalObject to remove other DOMWindowExtension's.
+ Check that each DOMWindowProperty is still in m_properties before invoking suspendForPageCache
+ to avoid the crash.
+
+ * page/DOMWindow.cpp:
+ (WebCore::DOMWindow::willDestroyCachedFrame):
+ (WebCore::DOMWindow::willDestroyDocumentInFrame):
+ (WebCore::DOMWindow::willDetachDocumentFromFrame):
+ (WebCore::DOMWindow::suspendForPageCache):
+ (WebCore::DOMWindow::resumeFromPageCache):
+ * page/DOMWindowExtension.cpp:
+ (WebCore::DOMWindowExtension::suspendForPageCache):
+
2019-02-20 Alex Christensen <[email protected]>
Always call CompletionHandlers after r240909
Modified: trunk/Source/WebCore/page/DOMWindow.cpp (241847 => 241848)
--- trunk/Source/WebCore/page/DOMWindow.cpp 2019-02-21 00:03:17 UTC (rev 241847)
+++ trunk/Source/WebCore/page/DOMWindow.cpp 2019-02-21 00:06:27 UTC (rev 241848)
@@ -456,8 +456,10 @@
{
// It is necessary to copy m_properties to a separate vector because the DOMWindowProperties may
// unregister themselves from the DOMWindow as a result of the call to willDestroyGlobalObjectInCachedFrame.
- for (auto& property : copyToVector(m_properties))
- property->willDestroyGlobalObjectInCachedFrame();
+ for (auto* property : copyToVector(m_properties)) {
+ if (m_properties.contains(property))
+ property->willDestroyGlobalObjectInCachedFrame();
+ }
}
void DOMWindow::willDestroyDocumentInFrame()
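Review bot: The comment above the loop still explains only why m_properties is copied, not why the new `if (m_properties.contains(property))` check is needed, so a later reader may treat the check as redundant and drop it. Extending the comment to say that a property's callback may also unregister and destroy other properties, so each copied pointer is re-checked against the live set immediately before its call, would put the rationale from the commit message into the code; the same applies to the loops in the willDestroyDocumentInFrame, willDetachDocumentFromFrame, suspendForPageCache and resumeFromPageCache hunks. Note that the check is by pointer identity only: if a property destroyed during the loop had its address reused by a property registered in the same loop, `contains` would accept the pointer and the hook would run on the new object, which is presumably harmless here but worth a sentence in that comment. willDestroyCachedFrame's signature is above the hunk.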
@@ -464,8 +466,10 @@
{
// It is necessary to copy m_properties to a separate vector because the DOMWindowProperties may
// unregister themselves from the DOMWindow as a result of the call to willDestroyGlobalObjectInFrame.
- for (auto& property : copyToVector(m_properties))
- property->willDestroyGlobalObjectInFrame();
+ for (auto* property : copyToVector(m_properties)) {
+ if (m_properties.contains(property))
+ property->willDestroyGlobalObjectInFrame();
+ }
}
void DOMWindow::willDetachDocumentFromFrame()
@@ -475,8 +479,10 @@
// It is necessary to copy m_properties to a separate vector because the DOMWindowProperties may
// unregister themselves from the DOMWindow as a result of the call to willDetachGlobalObjectFromFrame.
- for (auto& property : copyToVector(m_properties))
- property->willDetachGlobalObjectFromFrame();
+ for (auto& property : copyToVector(m_properties)) {
+ if (m_properties.contains(property))
+ property->willDetachGlobalObjectFromFrame();
+ }
if (m_performance)
m_performance->clearResourceTimings();
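Review bot: The loop header `for (auto& property : copyToVector(m_properties)) {` keeps the `auto&` form while the four sibling loops changed in this commit switched to `auto*`. The range is a freshly built Vector of pointers in every case, so `auto*` states the element type and keeps the five loops uniform: `for (auto* property : copyToVector(m_properties)) {`. willDetachDocumentFromFrame's signature and the start of its body are above the hunk.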
@@ -520,8 +526,10 @@
void DOMWindow::suspendForPageCache()
{
- for (auto& property : copyToVector(m_properties))
- property->suspendForPageCache();
+ for (auto* property : copyToVector(m_properties)) {
+ if (m_properties.contains(property))
+ property->suspendForPageCache();
+ }
m_suspendedForDocumentSuspension = true;
}
@@ -528,8 +536,10 @@
void DOMWindow::resumeFromPageCache()
{
- for (auto& property : copyToVector(m_properties))
- property->resumeFromPageCache();
+ for (auto* property : copyToVector(m_properties)) {
+ if (m_properties.contains(property))
+ property->resumeFromPageCache();
+ }
m_suspendedForDocumentSuspension = false;
}
Modified: trunk/Source/WebCore/page/DOMWindowExtension.cpp (241847 => 241848)
--- trunk/Source/WebCore/page/DOMWindowExtension.cpp 2019-02-21 00:03:17 UTC (rev 241847)
+++ trunk/Source/WebCore/page/DOMWindowExtension.cpp 2019-02-21 00:06:27 UTC (rev 241848)
@@ -48,11 +48,11 @@
// Calling out to the client might result in this DOMWindowExtension being destroyed
// while there is still work to do.
Ref<DOMWindowExtension> protectedThis(*this);
-
- Frame* frame = this->frame();
+
+ auto frame = makeRef(*this->frame());
frame->loader().client().dispatchWillDisconnectDOMWindowExtensionFromGlobalObject(this);
- m_disconnectedFrame = frame;
+ m_disconnectedFrame = WTFMove(frame);
DOMWindowProperty::suspendForPageCache();
}
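Review bot: `auto frame = makeRef(*this->frame());` dereferences the frame pointer unconditionally, so a null frame now faults at the makeRef instead of at the loader() call it replaced; behaviour is unchanged, but the precondition has become implicit and is no longer visible as a raw-pointer use. If frame() is guaranteed non-null when suspendForPageCache runs, adding `ASSERT(this->frame());` before that line documents the contract and checks it in debug builds; if it can be null once the property is disconnected, an early return guard is needed instead, which cannot be decided from this hunk. Taking the Ref before the client callback is sound, since the callback may detach the window from its frame and `m_disconnectedFrame = WTFMove(frame);` then still records the frame that was disconnected. The function's signature and the start of its body are above the hunk.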