Title: [259327] branches/safari-609-branch/Source/WebCore
Revision: 259327
Author: [email protected]
Date: 2020-03-31 17:31:15 -0700 (Tue, 31 Mar 2020)

Log Message

Cherry-pick r259305. rdar://problem/61131083

    Invalid memory access @ WebCore::FrameLoader::dispatchDidCommitLoad
    https://bugs.webkit.org/show_bug.cgi?id=209786

    Patch by Pinki Gyanchandani <[email protected]> on 2020-03-31
    Reviewed by Ryosuke Niwa.

    No new tests. A reduced test would be added later. Currently the issue is verified with the original test case in the associated radar-58416328.

    WebKit1-only issue, where m_client.dispatchDidCommitLoad in FrameLoader::dispatchDidCommitLoad could cause the frame
    to be destroyed, with m_frame still being accessed outside. Changes made to protect the DocumentLoader and Frame.

    * loader/DocumentLoader.cpp:
    (WebCore::DocumentLoader::finishedLoading):
    (WebCore::DocumentLoader::handleSubstituteDataLoadNow):
    * loader/FrameLoader.cpp:
    (WebCore::FrameLoader::receivedFirstData):

    git-svn-id: https://svn.webkit.org/repository/webkit/trunk@259305 268f45cc-cd09-0410-ab3c-d52691b4dbfc

Modified Paths

Diff

Modified: branches/safari-609-branch/Source/WebCore/ChangeLog (259326 => 259327)


--- branches/safari-609-branch/Source/WebCore/ChangeLog	2020-04-01 00:31:11 UTC (rev 259326)
+++ branches/safari-609-branch/Source/WebCore/ChangeLog	2020-04-01 00:31:15 UTC (rev 259327)
@@ -1,5 +1,46 @@
 2020-03-31  Russell Epstein  <[email protected]>
 
+        Cherry-pick r259305. rdar://problem/61131083
+
+    Invalid memory access @ WebCore::FrameLoader::dispatchDidCommitLoad
+    https://bugs.webkit.org/show_bug.cgi?id=209786
+    
+    Patch by Pinki Gyanchandani <[email protected]> on 2020-03-31
+    Reviewed by Ryosuke Niwa.
+    
+    No new tests. Reduced test would be added later. Currently issue is verified with the original testcase in associated radar-58416328.
+    
+    Webkit1 only issue, where m_client.dispatchDidCommitLoad in FrameLoader::dispatchDidCommitLoad could cause the frame
+    to be destroyed, and m_frame still being accessed outside. Changes made to protect the DocumentLoader and Frame.
+    
+    * loader/DocumentLoader.cpp:
+    (WebCore::DocumentLoader::finishedLoading):
+    (WebCore::DocumentLoader::handleSubstituteDataLoadNow):
+    * loader/FrameLoader.cpp:
+    (WebCore::FrameLoader::receivedFirstData):
+    
+    git-svn-id: https://svn.webkit.org/repository/webkit/trunk@259305 268f45cc-cd09-0410-ab3c-d52691b4dbfc
+
+    2020-03-31  Pinki Gyanchandani  <[email protected]>
+
+            Invalid memory access @ WebCore::FrameLoader::dispatchDidCommitLoad
+            https://bugs.webkit.org/show_bug.cgi?id=209786
+
+            Reviewed by Ryosuke Niwa.
+
+            No new tests. Reduced test would be added later. Currently issue is verified with the original testcase in associated radar-58416328.
+
+            Webkit1 only issue, where m_client.dispatchDidCommitLoad in FrameLoader::dispatchDidCommitLoad could cause the frame
+            to be destroyed, and m_frame still being accessed outside. Changes made to protect the DocumentLoader and Frame.
+
+            * loader/DocumentLoader.cpp:
+            (WebCore::DocumentLoader::finishedLoading):
+            (WebCore::DocumentLoader::handleSubstituteDataLoadNow):
+            * loader/FrameLoader.cpp:
+            (WebCore::FrameLoader::receivedFirstData):
+
+2020-03-31  Russell Epstein  <[email protected]>
+
         Cherry-pick r259244. rdar://problem/61131078
 
     Assertion failure in HTMLFormElement::formElementIndex
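Review bot: the entry states "No new tests. Reduced test would be added later" but gives no bug or follow-up reference beyond radar-58416328 for that reduced test; for a lifetime bug of this kind (frame destroyed during dispatchDidCommitLoad) a regression test exercising the WebKit1 commit path should land with the fix, or the ChangeLog should point at where the test is tracked. The nested cherry-pick layout (the original 2020-03-31 Pinki Gyanchandani entry indented under the Russell Epstein entry) follows the branch's existing convention, as the r259244 entry below it shows, so no change is needed there.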

Modified: branches/safari-609-branch/Source/WebCore/loader/DocumentLoader.cpp (259326 => 259327)


--- branches/safari-609-branch/Source/WebCore/loader/DocumentLoader.cpp	2020-04-01 00:31:11 UTC (rev 259326)
+++ branches/safari-609-branch/Source/WebCore/loader/DocumentLoader.cpp	2020-04-01 00:31:15 UTC (rev 259327)
@@ -438,6 +438,9 @@
         // DocumentWriter::begin() gets called and creates the Document.
         if (!m_gotFirstByte)
             commitData(0, 0);
+        
+        if (!frameLoader())
+            return;
         frameLoader()->client().finishedLoading(this);
     }
 
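Review bot: the new `if (!frameLoader()) return;` is correctly placed after `commitData(0, 0)`, since that call creates the Document and can run script that detaches the frame, which is what makes `frameLoader()` null by the time `finishedLoading` is called; a one-line comment saying so would help the next reader, because a bare early return here silently skips the `client().finishedLoading(this)` notification. Style: the added blank line (`+        `) carries trailing whitespace, which the WebKit style checker flags; it should be an empty `+` line.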
@@ -474,6 +477,8 @@
 
 void DocumentLoader::handleSubstituteDataLoadNow()
 {
+    Ref<DocumentLoader> protectedThis = makeRef(*this);
+    
     ResourceResponse response = m_substituteData.response();
     if (response.url().isEmpty())
         response = ResourceResponse(m_request.url(), m_substituteData.mimeType(), m_substituteData.content()->size(), m_substituteData.textEncoding());
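Review bot: `Ref<DocumentLoader> protectedThis = makeRef(*this);` keeps the DocumentLoader alive for the rest of `handleSubstituteDataLoadNow`, matching the "protect the DocumentLoader" intent in the ChangeLog, but the FrameLoader hunk in this same commit spells the equivalent protector as `auto protectedFrame = makeRef(m_frame);`, so for consistency this should read `auto protectedThis = makeRef(*this);`. Note that the Ref only prevents deletion, not detachment from the frame, so any later use of `frameLoader()` in this function still needs the same null check that was added in `finishedLoading`. The added blank line (`+    `) also has trailing whitespace.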

Modified: branches/safari-609-branch/Source/WebCore/loader/FrameLoader.cpp (259326 => 259327)


--- branches/safari-609-branch/Source/WebCore/loader/FrameLoader.cpp	2020-04-01 00:31:11 UTC (rev 259326)
+++ branches/safari-609-branch/Source/WebCore/loader/FrameLoader.cpp	2020-04-01 00:31:15 UTC (rev 259327)
@@ -705,6 +705,8 @@
 
 void FrameLoader::receivedFirstData()
 {
+    auto protectedFrame = makeRef(m_frame);
+    
     dispatchDidCommitLoad(WTF::nullopt, WTF::nullopt);
     dispatchDidClearWindowObjectsInAllWorlds();
     dispatchGlobalObjectAvailableInAllWorlds();
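Review bot: `auto protectedFrame = makeRef(m_frame);` guarantees the Frame object outlives `dispatchDidCommitLoad` and the two dispatch calls that follow, which closes the invalid access the ChangeLog describes when the WebKit1 client destroys the frame from inside `m_client.dispatchDidCommitLoad`; it does not prevent the client from detaching the frame from its page, so if any of the three dispatch methods reaches through the frame to its page or document after the callback returns, those paths still need their own checks. The added blank line (`+    `) has trailing whitespace and should be an empty `+` line.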
_______________________________________________
webkit-changes mailing list
[email protected]
https://lists.webkit.org/mailman/listinfo/webkit-changes
