Title: [287914] trunk/Source
Revision
287914
Author
commit-qu...@webkit.org
Date
2022-01-12 00:51:26 -0800 (Wed, 12 Jan 2022)

Log Message

Protect DocumentLoader when a reference to its members is used.
https://bugs.webkit.org/show_bug.cgi?id=233464

Patch by Frédéric Wang <fw...@igalia.com> on 2022-01-12
Reviewed by Brady Eidson.

Source/WebCore:

No new tests, due to our infra (bug 127676).

* loader/FrameLoader.cpp:
(WebCore::FrameLoader::checkLoadCompleteForThisFrame): Ensure that DocumentLoader loader
remains alive while DocumentLoader::m_mainDocumentError is used.

Source/WebKit:

* UIProcess/WebPageProxy.cpp:
(WebKit::WebPageProxy::didFinishLoadForFrame): If the navigationID is obsolete, skip update
of the page load state to avoid failure of debug ASSERT.
* WebProcess/WebCoreSupport/WebFrameLoaderClient.cpp:
(WebKit::WebFrameLoaderClient::dispatchDidFinishLoad): Ensure that DocumentLoader loader
remains alive while DocumentLoader::m_request is used.

Diff

Modified: trunk/Source/WebCore/ChangeLog (287913 => 287914)


--- trunk/Source/WebCore/ChangeLog	2022-01-12 07:55:30 UTC (rev 287913)
+++ trunk/Source/WebCore/ChangeLog	2022-01-12 08:51:26 UTC (rev 287914)
@@ -1,3 +1,16 @@
+2022-01-12  Frédéric Wang  <fw...@igalia.com>
+
+        Protect DocumentLoader when a reference to its members is used.
+        https://bugs.webkit.org/show_bug.cgi?id=233464
+
+        Reviewed by Brady Eidson.
+
+        No new tests, due to our infra (bug 127676).
+
+        * loader/FrameLoader.cpp:
+        (WebCore::FrameLoader::checkLoadCompleteForThisFrame): Ensure that DocumentLoader loader
+        remains alive while DocumentLoader::m_mainDocumentError is used.
+
 2022-01-11  Fujii Hironori  <hironori.fu...@sony.com>
 
         Remove Direct2D code (part 2)

Modified: trunk/Source/WebCore/loader/FrameLoader.cpp (287913 => 287914)


--- trunk/Source/WebCore/loader/FrameLoader.cpp	2022-01-12 07:55:30 UTC (rev 287913)
+++ trunk/Source/WebCore/loader/FrameLoader.cpp	2022-01-12 08:51:26 UTC (rev 287914)
@@ -2585,7 +2585,8 @@
         if (RefPtr domWindow = m_frame.document() ? m_frame.document()->domWindow() : nullptr)
             domWindow->performance().scheduleNavigationObservationTaskIfNeeded();
 
-        const ResourceError& error = m_documentLoader->mainDocumentError();
+        Ref protector = *m_documentLoader;
+        const ResourceError& error = protector->mainDocumentError();
 
         AXObjectCache::AXLoadingEvent loadingEvent;
         if (!error.isNull()) {
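Review bot: The new `Ref protector = *m_documentLoader;` carries no comment saying what it guards, so a later cleanup could fold it back into a direct `m_documentLoader->mainDocumentError()` call and silently reintroduce the bug. `error` is a reference into a member of the loader, and the protector is the only thing that keeps that member alive if `m_documentLoader` is replaced before `error` is last read; a one-line comment such as `// Keep the DocumentLoader alive: |error| refers into it and it may be detached before |error| is last used.` would record that. checkLoadCompleteForThisFrame continues past the end of the hunk, so the last use of `error` is not visible here.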

Modified: trunk/Source/WebKit/ChangeLog (287913 => 287914)


--- trunk/Source/WebKit/ChangeLog	2022-01-12 07:55:30 UTC (rev 287913)
+++ trunk/Source/WebKit/ChangeLog	2022-01-12 08:51:26 UTC (rev 287914)
@@ -1,3 +1,17 @@
+2022-01-12  Frédéric Wang  <fw...@igalia.com>
+
+        Protect DocumentLoader when a reference to its members is used.
+        https://bugs.webkit.org/show_bug.cgi?id=233464
+
+        Reviewed by Brady Eidson.
+
+        * UIProcess/WebPageProxy.cpp:
+        (WebKit::WebPageProxy::didFinishLoadForFrame): If the navigationID is obsolete, skip update
+        of the page load state to avoid failure of debug ASSERT.
+        * WebProcess/WebCoreSupport/WebFrameLoaderClient.cpp:
+        (WebKit::WebFrameLoaderClient::dispatchDidFinishLoad): Ensure that DocumentLoader loader
+        remains alive while DocumentLoader::m_request is used.
+
 2022-01-11  Fujii Hironori  <hironori.fu...@sony.com>
 
         Remove Direct2D code (part 2)

Modified: trunk/Source/WebKit/UIProcess/WebPageProxy.cpp (287913 => 287914)


--- trunk/Source/WebKit/UIProcess/WebPageProxy.cpp	2022-01-12 07:55:30 UTC (rev 287913)
+++ trunk/Source/WebKit/UIProcess/WebPageProxy.cpp	2022-01-12 08:51:26 UTC (rev 287914)
@@ -5021,23 +5021,26 @@
 
     // FIXME: We should message check that navigationID is not zero here, but it's currently zero for some navigations through the back/forward cache.
     RefPtr<API::Navigation> navigation;
-    if (frame->isMainFrame() && navigationID)
+    if (frame->isMainFrame() && navigationID && navigationState().hasNavigation(navigationID))
         navigation = navigationState().navigation(navigationID);
 
-    auto transaction = m_pageLoadState.transaction();
-
     bool isMainFrame = frame->isMainFrame();
-    if (isMainFrame)
-        m_pageLoadState.didFinishLoad(transaction);
+    if (!isMainFrame || !navigationID || navigation) {
+        auto transaction = m_pageLoadState.transaction();
 
-    if (m_controlledByAutomation) {
-        if (auto* automationSession = process().processPool().automationSession())
-            automationSession->navigationOccurredForFrame(*frame);
+        if (isMainFrame)
+            m_pageLoadState.didFinishLoad(transaction);
+
+        if (m_controlledByAutomation) {
+            if (auto* automationSession = process().processPool().automationSession())
+                automationSession->navigationOccurredForFrame(*frame);
+        }
+
+        frame->didFinishLoad();
+
+        m_pageLoadState.commitChanges();
     }
 
-    frame->didFinishLoad();
-
-    m_pageLoadState.commitChanges();
     if (m_loaderClient)
         m_loaderClient->didFinishLoadForFrame(*this, *frame, navigation.get(), m_process->transformHandlesToObjects(userData.object()).get());
     else {
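Review bot: The new `if (!isMainFrame || !navigationID || navigation)` block also skips `frame->didFinishLoad()` and the automation-session notification when the main frame's navigationID is obsolete, while the ChangeLog only describes skipping the page-load-state update; if that broader skip is intended it deserves a comment, otherwise only the `m_pageLoadState` calls should be inside the block. The three-way condition would also read more clearly as a named guard, `bool navigationIsObsolete = isMainFrame && navigationID && !navigation;` followed by `if (!navigationIsObsolete) {`, since "obsolete navigation" is the case the commit message names. The `hasNavigation(navigationID)` check on the first changed line is the right shape for a value that arrives over IPC from the web process (this is the receiver of the `DidFinishLoadForFrame` message sent from WebFrameLoaderClient), as it replaces what the ChangeLog describes as an assert on lookup with a lookup that tolerates an unknown ID; the FIXME above about message-checking a zero navigationID still stands.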

Modified: trunk/Source/WebKit/WebProcess/WebCoreSupport/WebFrameLoaderClient.cpp (287913 => 287914)


--- trunk/Source/WebKit/WebProcess/WebCoreSupport/WebFrameLoaderClient.cpp	2022-01-12 07:55:30 UTC (rev 287913)
+++ trunk/Source/WebKit/WebProcess/WebCoreSupport/WebFrameLoaderClient.cpp	2022-01-12 08:51:26 UTC (rev 287914)
@@ -671,14 +671,14 @@
 
     RefPtr<API::Object> userData;
 
-    auto& documentLoader = static_cast<WebDocumentLoader&>(*m_frame->coreFrame()->loader().documentLoader());
-    auto navigationID = documentLoader.navigationID();
+    Ref documentLoader = static_cast<WebDocumentLoader&>(*m_frame->coreFrame()->loader().documentLoader());
+    auto navigationID = documentLoader->navigationID();
 
     // Notify the bundle client.
     webPage->injectedBundleLoaderClient().didFinishLoadForFrame(*webPage, m_frame, userData);
 
     // Notify the UIProcess.
-    webPage->send(Messages::WebPageProxy::DidFinishLoadForFrame(m_frame->frameID(), m_frame->info(), documentLoader.request(), navigationID, UserData(WebProcess::singleton().transformObjectsToHandles(userData.get()).get())));
+    webPage->send(Messages::WebPageProxy::DidFinishLoadForFrame(m_frame->frameID(), m_frame->info(), documentLoader->request(), navigationID, UserData(WebProcess::singleton().transformObjectsToHandles(userData.get()).get())));
 
     // If we have a load listener, notify it.
     if (WebFrame::LoadListener* loadListener = m_frame->loadListener())
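Review bot: The switch from `auto& documentLoader` to `Ref documentLoader` has no comment explaining why a strong reference is needed, and the pattern (read `navigationID` before the bundle-client callback, read `request()` after it) is exactly what makes the original dangling reference easy to reintroduce. A comment on the `Ref` line such as `// Hold a Ref: the bundle client callback below may run arbitrary code that replaces the frame's DocumentLoader, and request() is read after it.` would record the reason. The `*m_frame->coreFrame()->loader().documentLoader()` dereference on the same line is unchanged from before and still assumes a non-null DocumentLoader; that is pre-existing, but worth noting since the line is being rewritten anyway. dispatchDidFinishLoad continues past the end of the hunk.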