Title: [192947] trunk
Revision
192947
Author
[email protected]
Date
2015-12-02 11:04:07 -0800 (Wed, 02 Dec 2015)

Log Message

Null dereference loading Blink layout test fast/loader/unload-mutation-crash.html
https://bugs.webkit.org/show_bug.cgi?id=149305
<rdar://problem/22747892>

Reviewed by Brent Fulgham.

Source/WebCore:

Add an extra guard to replaceDocument() against rude JS in unload event handlers.

Test: fast/loader/unload-mutation-crash.html

* loader/DocumentWriter.cpp:
(WebCore::DocumentWriter::replaceDocument):
(WebCore::DocumentWriter::begin):

LayoutTests:

This test case is from Blink r180918:
https://codereview.chromium.org/495743003

* fast/loader/unload-mutation-crash-expected.txt: Added.
* fast/loader/unload-mutation-crash.html: Added.

Diff

Modified: trunk/LayoutTests/ChangeLog (192946 => 192947)


--- trunk/LayoutTests/ChangeLog	2015-12-02 18:49:09 UTC (rev 192946)
+++ trunk/LayoutTests/ChangeLog	2015-12-02 19:04:07 UTC (rev 192947)
@@ -1,3 +1,17 @@
+2015-12-02  Jiewen Tan  <[email protected]>
+
+        Null dereference loading Blink layout test fast/loader/unload-mutation-crash.html
+        https://bugs.webkit.org/show_bug.cgi?id=149305
+        <rdar://problem/22747892>
+
+        Reviewed by Brent Fulgham.
+
+        This test case is from Blink r180918:
+        https://codereview.chromium.org/495743003
+
+        * fast/loader/unload-mutation-crash-expected.txt: Added.
+        * fast/loader/unload-mutation-crash.html: Added.
+
 2015-12-02  Joseph Pecoraro  <[email protected]>
 
         Web Inspector: Handle YieldExpressions in the ScriptSyntaxTree

Added: trunk/LayoutTests/fast/loader/unload-mutation-crash-expected.txt (0 => 192947)


--- trunk/LayoutTests/fast/loader/unload-mutation-crash-expected.txt	                        (rev 0)
+++ trunk/LayoutTests/fast/loader/unload-mutation-crash-expected.txt	2015-12-02 19:04:07 UTC (rev 192947)
@@ -0,0 +1 @@
+PASS. WebKit didn't crash.

Added: trunk/LayoutTests/fast/loader/unload-mutation-crash.html (0 => 192947)


--- trunk/LayoutTests/fast/loader/unload-mutation-crash.html	                        (rev 0)
+++ trunk/LayoutTests/fast/loader/unload-mutation-crash.html	2015-12-02 19:04:07 UTC (rev 192947)
@@ -0,0 +1,27 @@
+<!DOCTYPE html>
+<html>
+<head>
+<script>
+if (window.testRunner)
+    window.testRunner.dumpAsText();
+
+function start() {
+    window.firstFrame = document.createElement('iframe');
+    document.body.appendChild(window.firstFrame);
+    window.secondFrame = document.createElement('iframe');
+    window.secondFrame.src = '';
+    window.firstFrame.contentDocument.documentElement.appendChild(window.secondFrame);
+}
+
+function maybeStart() {
+    window.secondFrame.contentWindow._onunload_ = function() {
+        document.documentElement.removeChild(window.bodyEl);
+    };
+
+    window.firstFrame.src = '';
+    document.write("PASS. WebKit didn't crash.");
+}
+</script>
+</head>
+<body id=bodyEl _onload_=start()></body>
+</html>
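Review bot: as shown, `maybeStart()` is defined but nothing in the hunk ever calls it, and the handler attributes appear as `_onload_=start()` (in `<body id=bodyEl _onload_=start()>`) and `window.secondFrame.contentWindow._onunload_ = function() { ... }`, which are not the `onload`/`onunload` names a browser dispatches to; if those underscores are archive mangling of the attribute names, the test is fine, but as committed neither `start()` nor the unload handler would run, and the `document.write("PASS. WebKit didn't crash.")` that produces the expected output would never execute. It is also worth confirming what is meant to invoke `maybeStart` (for example the second frame's load event), since the hunk shows no hook for it.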

Modified: trunk/Source/WebCore/ChangeLog (192946 => 192947)


--- trunk/Source/WebCore/ChangeLog	2015-12-02 18:49:09 UTC (rev 192946)
+++ trunk/Source/WebCore/ChangeLog	2015-12-02 19:04:07 UTC (rev 192947)
@@ -1,3 +1,19 @@
+2015-12-02  Jiewen Tan  <[email protected]>
+
+        Null dereference loading Blink layout test fast/loader/unload-mutation-crash.html
+        https://bugs.webkit.org/show_bug.cgi?id=149305
+        <rdar://problem/22747892>
+
+        Reviewed by Brent Fulgham.
+
+        Add an extra guard to replaceDocument() against rude JS in unload event handlers.
+
+        Test: fast/loader/unload-mutation-crash.html
+
+        * loader/DocumentWriter.cpp:
+        (WebCore::DocumentWriter::replaceDocument):
+        (WebCore::DocumentWriter::begin):
+
 2015-12-02  Per Arne Vollan  <[email protected]>
 
         [WinCairo] Compile error.

Modified: trunk/Source/WebCore/loader/DocumentWriter.cpp (192946 => 192947)


--- trunk/Source/WebCore/loader/DocumentWriter.cpp	2015-12-02 18:49:09 UTC (rev 192946)
+++ trunk/Source/WebCore/loader/DocumentWriter.cpp	2015-12-02 19:04:07 UTC (rev 192947)
@@ -73,6 +73,11 @@
     m_frame->loader().stopAllLoaders();
     begin(m_frame->document()->url(), true, ownerDocument);
 
+    // begin() might fire an unload event, which will result in a situation where no new document has been attached,
+    // and the old document has been detached. Therefore, bail out if no document is attached.
+    if (!m_frame->document())
+        return;
+
     if (!source.isNull()) {
         if (!m_hasReceivedSomeData) {
             m_hasReceivedSomeData = true;
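Review bot: the guard at `if (!m_frame->document()) return;` tests a different condition from the one added inside `begin()` (`!document->view()`), so a document that survives the unload handler but loses its view passes this check and `replaceDocument()` continues into the `if (!source.isNull())` write path; either confirm that the remainder of this function tolerates a document whose view was torn down, or make both guards test the same condition. The comment explains clearly why the check sits directly after `begin()`.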
@@ -141,6 +146,11 @@
     m_frame->loader().clear(document.ptr(), !shouldReuseDefaultView, !shouldReuseDefaultView);
     clear();
 
+    // m_frame->loader().clear() might fire unload event which could remove the view of the document.
+    // Bail out if document has no view.
+    if (!document->view())
+        return;
+
     if (!shouldReuseDefaultView)
         m_frame->script().updatePlatformScriptObjects();
 
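Review bot: the early return at `if (!document->view()) return;` skips `updatePlatformScriptObjects()` and everything after it in `begin()`, leaving the writer partially initialised after `clear()`, and callers other than `replaceDocument()` (which only re-checks `m_frame->document()`) get no signal that `begin()` bailed out; consider returning a bool or documenting that every caller must re-validate frame state after `begin()`. Minor: the comment `might fire unload event which could remove the view of the document. / Bail out if document has no view.` would read better as `might fire an unload event ... Bail out if the document has no view.`, matching the phrasing of the guard in `replaceDocument()`.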
_______________________________________________
webkit-changes mailing list
[email protected]
https://lists.webkit.org/mailman/listinfo/webkit-changes
