Modified: trunk/Source/WebKit/ChangeLog (225291 => 225292)
--- trunk/Source/WebKit/ChangeLog 2017-11-29 21:39:56 UTC (rev 225291)
+++ trunk/Source/WebKit/ChangeLog 2017-11-29 21:41:59 UTC (rev 225292)
@@ -1,5 +1,24 @@
2017-11-29 Alex Christensen <achristen...@webkit.org>
+ Make WebFrameLoaderClient more robust against null pointer dereferencing
+ https://bugs.webkit.org/show_bug.cgi?id=180157
+ <rdar://problem/34895616>
+
+ Reviewed by Tim Horton.
+
+ There has always been rare null pointer crashes in this code, but they have become more common
+ now that we are waiting for completion handlers for redirects, which makes it more likely that
+ we are hitting this code after we have detached from the core frame.
+
+ * WebProcess/WebCoreSupport/WebFrameLoaderClient.cpp:
+ (WebKit::WebFrameLoaderClient::dispatchDecidePolicyForResponse):
+ (WebKit::WebFrameLoaderClient::dispatchDecidePolicyForNewWindowAction):
+ (WebKit::WebFrameLoaderClient::dispatchDecidePolicyForNavigationAction):
+ * WebProcess/WebPage/WebFrame.cpp:
+ (WebKit::WebFrame::page const):
+
+2017-11-29 Alex Christensen <achristen...@webkit.org>
+
Fix Mac CMake build.
* PlatformMac.cmake:
Modified: trunk/Source/WebKit/WebProcess/WebCoreSupport/WebFrameLoaderClient.cpp (225291 => 225292)
--- trunk/Source/WebKit/WebProcess/WebCoreSupport/WebFrameLoaderClient.cpp 2017-11-29 21:39:56 UTC (rev 225291)
+++ trunk/Source/WebKit/WebProcess/WebCoreSupport/WebFrameLoaderClient.cpp 2017-11-29 21:41:59 UTC (rev 225292)
@@ -692,7 +692,7 @@
void WebFrameLoaderClient::dispatchDecidePolicyForResponse(const ResourceResponse& response, const ResourceRequest& request, FramePolicyFunction&& function)
{
- WebPage* webPage = m_frame->page();
+ WebPage* webPage = m_frame ? m_frame->page() : nullptr;
if (!webPage) {
function(PolicyAction::Ignore);
return;
@@ -721,6 +721,8 @@
Ref<WebFrame> protect(*m_frame);
WebCore::Frame* coreFrame = m_frame->coreFrame();
+ if (!coreFrame)
+ return function(PolicyAction::Ignore);
auto navigationID = static_cast<WebDocumentLoader&>(*coreFrame->loader().provisionalDocumentLoader()).navigationID();
if (!webPage->sendSync(Messages::WebPageProxy::DecidePolicyForResponseSync(m_frame->frameID(), SecurityOriginData::fromFrame(coreFrame), navigationID, response, request, canShowMIMEType, listenerID, UserData(WebProcess::singleton().transformObjectsToHandles(userData.get()).get())), Messages::WebPageProxy::DecidePolicyForResponseSync::Reply(receivedPolicyAction, policyAction, downloadID), Seconds::infinity(), IPC::SendSyncOption::InformPlatformProcessWillSuspend)) {
m_frame->didReceivePolicyDecision(listenerID, PolicyAction::Ignore, 0, { }, { });
@@ -734,7 +736,7 @@
void WebFrameLoaderClient::dispatchDecidePolicyForNewWindowAction(const NavigationAction& navigationAction, const ResourceRequest& request, FormState* formState, const String& frameName, FramePolicyFunction&& function)
{
- WebPage* webPage = m_frame->page();
+ WebPage* webPage = m_frame ? m_frame->page() : nullptr;
if (!webPage) {
function(PolicyAction::Ignore);
return;
@@ -821,7 +823,7 @@
void WebFrameLoaderClient::dispatchDecidePolicyForNavigationAction(const NavigationAction& navigationAction, const ResourceRequest& request, bool didReceiveRedirectResponse, FormState* formState, FramePolicyFunction&& function)
{
- WebPage* webPage = m_frame->page();
+ WebPage* webPage = m_frame ? m_frame->page() : nullptr;
if (!webPage) {
function(PolicyAction::Ignore);
return;
@@ -835,10 +837,10 @@
RefPtr<API::Object> userData;
- RefPtr<InjectedBundleNavigationAction> action = "" navigationAction, formState);
+ Ref<InjectedBundleNavigationAction> action = "" navigationAction, formState);
// Notify the bundle client.
- WKBundlePagePolicyAction policy = webPage->injectedBundlePolicyClient().decidePolicyForNavigationAction(webPage, m_frame, action.get(), request, userData);
+ WKBundlePagePolicyAction policy = webPage->injectedBundlePolicyClient().decidePolicyForNavigationAction(webPage, m_frame, action.ptr(), request, userData);
if (policy == WKBundlePagePolicyActionUse) {
function(PolicyAction::Use);
return;
@@ -874,6 +876,8 @@
navigationActionData.isRedirect = didReceiveRedirectResponse;
WebCore::Frame* coreFrame = m_frame->coreFrame();
+ if (!coreFrame)
+ return function(PolicyAction::Ignore);
WebDocumentLoader* documentLoader = static_cast<WebDocumentLoader*>(coreFrame->loader().policyDocumentLoader());
if (!documentLoader) {
// FIXME: When we receive a redirect after the navigation policy has been decided for the initial request,
Modified: trunk/Source/WebKit/WebProcess/WebPage/WebFrame.cpp (225291 => 225292)
--- trunk/Source/WebKit/WebProcess/WebPage/WebFrame.cpp 2017-11-29 21:39:56 UTC (rev 225291)
+++ trunk/Source/WebKit/WebProcess/WebPage/WebFrame.cpp 2017-11-29 21:41:59 UTC (rev 225292)
@@ -171,14 +171,14 @@
}
WebPage* WebFrame::page() const
-{
+{
if (!m_coreFrame)
- return 0;
+ return nullptr;
if (Page* page = m_coreFrame->page())
return WebPage::fromCorePage(page);
- return 0;
+ return nullptr;
}
WebFrame* WebFrame::fromCoreFrame(Frame& frame)