Title: [150598] branches/safari-537.43-branch/Source/WebKit2
Revision
150598
Author
[email protected]
Date
2013-05-23 11:48:27 -0700 (Thu, 23 May 2013)

Log Message

Merged r150543.  <rdar://problem/13904054>

Modified Paths

Diff

Modified: branches/safari-537.43-branch/Source/WebKit2/ChangeLog (150597 => 150598)


--- branches/safari-537.43-branch/Source/WebKit2/ChangeLog	2013-05-23 18:44:57 UTC (rev 150597)
+++ branches/safari-537.43-branch/Source/WebKit2/ChangeLog	2013-05-23 18:48:27 UTC (rev 150598)
@@ -1,5 +1,28 @@
 2013-05-23  Lucas Forschler  <[email protected]>
 
+        Merge r150543
+
+    2013-05-22  Anders Carlsson  <[email protected]>
+
+            Fix crash when closing a page that's trying to access session storage
+            https://bugs.webkit.org/show_bug.cgi?id=116634
+            <rdar://problem/13904054>
+
+            Reviewed by Geoffrey Garen.
+
+            It is possible for the StorageManager to get messages from a web page that has already been closed by the UI process.
+            If that happens, just ignore the messages.
+
+            * UIProcess/Storage/StorageManager.cpp:
+            (WebKit::StorageManager::createSessionStorageMap):
+            (WebKit::StorageManager::getValues):
+            (WebKit::StorageManager::setItem):
+            (WebKit::StorageManager::removeItem):
+            (WebKit::StorageManager::clear):
+            (WebKit::StorageManager::destroySessionStorageNamespaceInternal):
+
+2013-05-23  Lucas Forschler  <[email protected]>
+
         Merge r150537
 
     2013-05-22  Alexey Proskuryakov  <[email protected]>

Modified: branches/safari-537.43-branch/Source/WebKit2/UIProcess/Storage/StorageManager.cpp (150597 => 150598)


--- branches/safari-537.43-branch/Source/WebKit2/UIProcess/Storage/StorageManager.cpp	2013-05-23 18:44:57 UTC (rev 150597)
+++ branches/safari-537.43-branch/Source/WebKit2/UIProcess/Storage/StorageManager.cpp	2013-05-23 18:48:27 UTC (rev 150598)
@@ -473,9 +473,13 @@
 
     ASSERT((HashMap<uint64_t, RefPtr<SessionStorageNamespace>>::isValidKey(storageNamespaceID)));
     SessionStorageNamespace* sessionStorageNamespace = m_sessionStorageNamespaces.get(storageNamespaceID);
+    if (!sessionStorageNamespace) {
+        // We're getting an incoming message from the web process that's for session storage for a web page
+        // that has already been closed, just ignore it.
+        return;
+    }
 
-    // FIXME: These should be message checks.
-    ASSERT(sessionStorageNamespace);
+    // FIXME: This should be a message check.
     ASSERT(connection == sessionStorageNamespace->allowedConnection());
 
     RefPtr<StorageArea> storageArea = sessionStorageNamespace->getOrCreateStorageArea(securityOriginData.securityOrigin());
@@ -503,10 +507,11 @@
 void StorageManager::getValues(CoreIPC::Connection* connection, uint64_t storageMapID, uint64_t storageMapSeed, HashMap<String, String>& values)
 {
     StorageArea* storageArea = findStorageArea(connection, storageMapID);
+    if (!storageArea) {
+        // This is a session storage area for a page that has already been closed. Ignore it.
+        return;
+    }
 
-    // FIXME: This should be a message check.
-    ASSERT(storageArea);
-
     values = storageArea->items();
     connection->send(Messages::StorageAreaMap::DidGetValues(storageMapSeed), storageMapID);
 }
@@ -514,10 +519,11 @@
 void StorageManager::setItem(CoreIPC::Connection* connection, uint64_t storageMapID, uint64_t sourceStorageAreaID, uint64_t storageMapSeed, const String& key, const String& value, const String& urlString)
 {
     StorageArea* storageArea = findStorageArea(connection, storageMapID);
+    if (!storageArea) {
+        // This is a session storage area for a page that has already been closed. Ignore it.
+        return;
+    }
 
-    // FIXME: This should be a message check.
-    ASSERT(storageArea);
-
     bool quotaError;
     storageArea->setItem(connection, sourceStorageAreaID, key, value, urlString, quotaError);
     connection->send(Messages::StorageAreaMap::DidSetItem(storageMapSeed, key, quotaError), storageMapID);
@@ -526,10 +532,11 @@
 void StorageManager::removeItem(CoreIPC::Connection* connection, uint64_t storageMapID, uint64_t sourceStorageAreaID, uint64_t storageMapSeed, const String& key, const String& urlString)
 {
     StorageArea* storageArea = findStorageArea(connection, storageMapID);
+    if (!storageArea) {
+        // This is a session storage area for a page that has already been closed. Ignore it.
+        return;
+    }
 
-    // FIXME: This should be a message check.
-    ASSERT(storageArea);
-
     storageArea->removeItem(connection, sourceStorageAreaID, key, urlString);
     connection->send(Messages::StorageAreaMap::DidRemoveItem(storageMapSeed, key), storageMapID);
 }
@@ -537,10 +544,11 @@
 void StorageManager::clear(CoreIPC::Connection* connection, uint64_t storageMapID, uint64_t sourceStorageAreaID, uint64_t storageMapSeed, const String& urlString)
 {
     StorageArea* storageArea = findStorageArea(connection, storageMapID);
+    if (!storageArea) {
+        // This is a session storage area for a page that has already been closed. Ignore it.
+        return;
+    }
 
-    // FIXME: This should be a message check.
-    ASSERT(storageArea);
-
     storageArea->clear(connection, sourceStorageAreaID, urlString);
     connection->send(Messages::StorageAreaMap::DidClear(storageMapSeed), storageMapID);
 }
@@ -555,7 +563,6 @@
 void StorageManager::destroySessionStorageNamespaceInternal(uint64_t storageNamespaceID)
 {
     ASSERT(m_sessionStorageNamespaces.contains(storageNamespaceID));
-
     m_sessionStorageNamespaces.remove(storageNamespaceID);
 }
 
_______________________________________________
webkit-changes mailing list
[email protected]
https://lists.webkit.org/mailman/listinfo/webkit-changes

Reply via email to