Title: [200986] trunk
Revision: 200986
Author: bfulg...@apple.com
Date: 2016-05-16 18:09:27 -0700 (Mon, 16 May 2016)

Log Message

heap use-after-free at WebCore::TimerBase::heapPopMin()
https://bugs.webkit.org/show_bug.cgi?id=157742
<rdar://problem/26236778>

Source/WebCore:

Reviewed by David Kilzer.

Tested by fast/frames/resources/crash-during-iframe-load-stop.html.

* loader/FrameLoader.cpp:
(WebCore::FrameLoader::stopForUserCancel): Protect m_frame from destruction while it is still
being used by the current stack frame.
(WebCore::FrameLoader::frameDetached): Ditto.
(WebCore::FrameLoader::continueFragmentScrollAfterNavigationPolicy): Ditto.

LayoutTests:

Reviewed by Simon Fraser.

* fast/frames/crash-during-iframe-load-stop-expected.txt: Added.
* fast/frames/crash-during-iframe-load-stop.html: Added.
* fast/frames/resources/crash-during-iframe-load-stop-inner.html: Added.
* fast/frames/resources/crash-during-iframe-load-stop.html: Added.

Modified Paths

trunk/LayoutTests/ChangeLog
trunk/Source/WebCore/ChangeLog
trunk/Source/WebCore/loader/FrameLoader.cpp

Added Paths

trunk/LayoutTests/fast/frames/crash-during-iframe-load-stop-expected.txt
trunk/LayoutTests/fast/frames/crash-during-iframe-load-stop.html
trunk/LayoutTests/fast/frames/resources/crash-during-iframe-load-stop-inner.html
trunk/LayoutTests/fast/frames/resources/crash-during-iframe-load-stop.html

Diff

Modified: trunk/LayoutTests/ChangeLog (200985 => 200986)


--- trunk/LayoutTests/ChangeLog	2016-05-17 01:05:41 UTC (rev 200985)
+++ trunk/LayoutTests/ChangeLog	2016-05-17 01:09:27 UTC (rev 200986)
@@ -1,3 +1,16 @@
+2016-05-16  Brent Fulgham  <bfulg...@apple.com>
+
+        heap use-after-free at WebCore::TimerBase::heapPopMin()
+        https://bugs.webkit.org/show_bug.cgi?id=157742
+        <rdar://problem/26236778>
+
+        Reviewed by Simon Fraser.
+
+        * fast/frames/crash-during-iframe-load-stop-expected.txt: Added.
+        * fast/frames/crash-during-iframe-load-stop.html: Added.
+        * fast/frames/resources/crash-during-iframe-load-stop-inner.html: Added.
+        * fast/frames/resources/crash-during-iframe-load-stop.html: Added.
+
 2016-05-16  Saam barati  <sbar...@apple.com>
 
         Hook up ShadowChicken to the debugger to show tail deleted frames

Added: trunk/LayoutTests/fast/frames/crash-during-iframe-load-stop-expected.txt (0 => 200986)


--- trunk/LayoutTests/fast/frames/crash-during-iframe-load-stop-expected.txt	                        (rev 0)
+++ trunk/LayoutTests/fast/frames/crash-during-iframe-load-stop-expected.txt	2016-05-17 01:09:27 UTC (rev 200986)
@@ -0,0 +1,3 @@
+This tests that WebKit does not crash when frame loads are interrupted. This test passes if it does not crash.
+
+ 

Added: trunk/LayoutTests/fast/frames/crash-during-iframe-load-stop.html (0 => 200986)


--- trunk/LayoutTests/fast/frames/crash-during-iframe-load-stop.html	                        (rev 0)
+++ trunk/LayoutTests/fast/frames/crash-during-iframe-load-stop.html	2016-05-17 01:09:27 UTC (rev 200986)
@@ -0,0 +1,38 @@
+<html>
+<head>
+<script>
+    if (window.testRunner) {
+        testRunner.waitUntilDone();
+        testRunner.dumpAsText();
+    }
+
+    var count = 0;
+</script>
+</head>
+<body _onload_='deleteFrame()'>
+    <script>
+    function deleteFrame()
+    {
+        var frameToRemove = document.getElementById('subframe');
+        document.body.removeChild(frameToRemove);
+    }
+
+    function reloadSubframe()
+    {
+        var iframe = document.createElement('iframe');
+        iframe.id = 'subframe';
+        iframe.src = '';
+        document.body.appendChild(iframe);
+        setTimeout(function() { deleteFrame(); }, 0);
+    }
+
+    function subFrameFinishedLoading()
+    {
+        if (window.testRunner)
+            testRunner.notifyDone();
+    }
+    </script>
+    <p>This tests that WebKit does not crash when frame loads are interrupted. This test passes if it does not crash.</p>
+    <iframe id="subframe" src=''></iframe>
+</body>
+</html>
\ No newline at end of file
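Review bot: as listed, the body's load handler reads `_onload_='deleteFrame()'` and both subframe sources are empty (`iframe.src = ''` in reloadSubframe() and `<iframe id="subframe" src=''>` in the markup), so nothing in this file ever loads resources/crash-during-iframe-load-stop.html, `count` is never incremented and the stop()-during-load sequence is never driven; if `_onload_` and the empty `src` values are an archive rewrite of the committed file, no change is needed, otherwise the test only passes because testRunner.waitUntilDone() times out rather than because the crash path was exercised. Separately, `deleteFrame()` calls `document.body.removeChild(frameToRemove)` without checking that `getElementById('subframe')` returned an element; since it is also invoked from a setTimeout after the frame may already have been removed, an `if (frameToRemove)` guard would keep the harness from throwing.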

Added: trunk/LayoutTests/fast/frames/resources/crash-during-iframe-load-stop-inner.html (0 => 200986)


--- trunk/LayoutTests/fast/frames/resources/crash-during-iframe-load-stop-inner.html	                        (rev 0)
+++ trunk/LayoutTests/fast/frames/resources/crash-during-iframe-load-stop-inner.html	2016-05-17 01:09:27 UTC (rev 200986)
@@ -0,0 +1,6 @@
+<html>
+  <script>
+      window.parent.stop();
+      window.parent.subFrameFinishedLoading();
+  </script>
+</html>
\ No newline at end of file

Added: trunk/LayoutTests/fast/frames/resources/crash-during-iframe-load-stop.html (0 => 200986)


--- trunk/LayoutTests/fast/frames/resources/crash-during-iframe-load-stop.html	                        (rev 0)
+++ trunk/LayoutTests/fast/frames/resources/crash-during-iframe-load-stop.html	2016-05-17 01:09:27 UTC (rev 200986)
@@ -0,0 +1,16 @@
+<html>
+<head>
+    <script>
+    function subFrameFinishedLoading()
+    {
+        window.parent.count = window.parent.count + 1;
+        if (window.parent.count < 10)
+            window.parent.reloadSubframe();
+        else
+            window.parent.subFrameFinishedLoading();
+    }
+    </script>
+</head>
+  <iframe src=""
+  <iframe src="" <html></html>"></iframe>
+</html>
\ No newline at end of file
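Review bot: the markup at the end of this file is malformed as listed: `<iframe src=""` is an unclosed start tag, the following `<iframe src="" <html></html>">` has a quoted `src` that swallows what follows it, there is no `</head>` or `<body>` before the iframes, and neither `src` names crash-during-iframe-load-stop-inner.html, so the inner document that calls `window.parent.stop()` and `window.parent.subFrameFinishedLoading()` is never loaded from here and the `count < 10` reload loop cannot start. If the archive stripped the original `src` values this is not a defect in the commit; otherwise close the tags and point one of the iframes at the inner file so the subFrameFinishedLoading() chain actually runs.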

Modified: trunk/Source/WebCore/ChangeLog (200985 => 200986)


--- trunk/Source/WebCore/ChangeLog	2016-05-17 01:05:41 UTC (rev 200985)
+++ trunk/Source/WebCore/ChangeLog	2016-05-17 01:09:27 UTC (rev 200986)
@@ -1,3 +1,19 @@
+2016-05-16  Brent Fulgham  <bfulg...@apple.com>
+
+        heap use-after-free at WebCore::TimerBase::heapPopMin()
+        https://bugs.webkit.org/show_bug.cgi?id=157742
+        <rdar://problem/26236778>
+
+        Reviewed by David Kilzer.
+
+        Tested by fast/frames/resources/crash-during-iframe-load-stop.html.
+
+        * loader/FrameLoader.cpp:
+        (WebCore::FrameLoader::stopForUserCancel): Protect m_frame from destruction while it is still
+        being used by the current stack frame.
+        (WebCore::FrameLoader::frameDetached): Ditto.
+        (WebCore::FrameLoader::continueFragmentScrollAfterNavigationPolicy): Ditto.
+
 2016-05-16  Dean Jackson  <d...@apple.com>
 
         WebCoreJSBuiltinInternals won't compile if some build flags are off
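Review bot: the "Tested by" line names fast/frames/resources/crash-during-iframe-load-stop.html, which is the helper document loaded into the subframe; the test that run-webkit-tests executes is fast/frames/crash-during-iframe-load-stop.html (resources/ directories are not scanned for tests), so reference that one. The entry also names the crash site (TimerBase::heapPopMin()) but not the path by which stopAllLoaders() drops the last reference to the frame; a sentence on that sequence (per the test, a subframe script calling parent.stop() while the parent's load is still in progress, followed by the subframe being removed) would help anyone deciding whether other callers of stopAllLoaders() need the same protection.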

Modified: trunk/Source/WebCore/loader/FrameLoader.cpp (200985 => 200986)


--- trunk/Source/WebCore/loader/FrameLoader.cpp	2016-05-17 01:05:41 UTC (rev 200985)
+++ trunk/Source/WebCore/loader/FrameLoader.cpp	2016-05-17 01:09:27 UTC (rev 200986)
@@ -1632,6 +1632,9 @@
 
 void FrameLoader::stopForUserCancel(bool deferCheckLoadComplete)
 {
+    // Calling stopAllLoaders can cause the frame to be deallocated, including the frame loader.
+    Ref<Frame> protectedFrame(m_frame);
+
     stopAllLoaders();
 
 #if PLATFORM(IOS)
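Review bot: the new comment says stopAllLoaders() can deallocate the frame "including the frame loader" but not why pinning m_frame is sufficient to keep `this` valid; state explicitly that the FrameLoader is owned by its Frame, so `Ref<Frame> protectedFrame(m_frame)` extends the lifetime of both for the rest of stopForUserCancel(), including the `#if PLATFORM(IOS)` block that follows. Since the fix pins at the callee rather than at the caller that re-entered and released the last reference, it would also help to name that caller in the ChangeLog so the same pattern can be checked elsewhere.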
@@ -2491,6 +2494,9 @@
 
 void FrameLoader::frameDetached()
 {
+    // Calling stopAllLoaders can cause the frame to be deallocated, including the frame loader.
+    Ref<Frame> protectedFrame(m_frame);
+
     stopAllLoaders();
     m_frame.document()->stopActiveDOMObjects();
     detachFromParent();
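Review bot: holding `protectedFrame` across detachFromParent() changes when the Frame dies: a frame that previously could be destroyed inside frameDetached() is now destroyed only after this function returns, on the caller's stack. The comment only mentions stopAllLoaders(), so extend it to say the protection is deliberately kept through detachFromParent(). The unchecked `m_frame.document()->stopActiveDOMObjects()` on the next line is unchanged by this patch and is fine only if a Document is guaranteed whenever frameDetached() runs; if that is not guaranteed it needs a null check.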
@@ -2790,6 +2796,10 @@
     if (!shouldContinue)
         return;
 
+    // Calling stopLoading() on the provisional document loader can cause the underlying
+    // frame to be deallocated.
+    Ref<Frame> protectedFrame(m_frame);
+
     // If we have a provisional request for a different document, a fragment scroll should cancel it.
     if (m_provisionalDocumentLoader && !equalIgnoringFragmentIdentifier(m_provisionalDocumentLoader->request().url(), request.url())) {
         m_provisionalDocumentLoader->stopLoading();
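Review bot: the Ref protects the Frame but not the DocumentLoader: `m_provisionalDocumentLoader->stopLoading()` may end up clearing m_provisionalDocumentLoader, and the hunk cuts off right after that call, so any later use of m_provisionalDocumentLoader in this function must re-check it for null rather than rely on the earlier `if (m_provisionalDocumentLoader && ...)` test. Placing `protectedFrame` after `if (!shouldContinue) return;` is fine, since that early-return path does not touch the frame.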
_______________________________________________
webkit-changes mailing list
webkit-changes@lists.webkit.org
https://lists.webkit.org/mailman/listinfo/webkit-changes