Release assertion in canExecuteScript when executing scripts during page cache restore
author rniwa@webkit.org <rniwa@webkit.org@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
Mon, 22 Jan 2018 03:39:36 +0000 (03:39 +0000)
committer rniwa@webkit.org <rniwa@webkit.org@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
Mon, 22 Jan 2018 03:39:36 +0000 (03:39 +0000)
commit 4ecba6821d895468f8a93dfaa73af726a92b91f6
tree 8b9ec7e3785eb4a105087d20894d3d8d84874623
parent 13e87a149466b952ce1e94874e07eca68b16b99e
Release assertion in canExecuteScript when executing scripts during page cache restore
https://bugs.webkit.org/show_bug.cgi?id=181902

Reviewed by Antti Koivisto.

Source/WebCore:

The crash was caused by an erroneous instantiation of ScriptDisallowedScope::InMainThread in CachedPage::restore.
It can execute arbitrary scripts since CachedFrame::open can update style, layout, and evaluate media queries.

This is fine because there is no way to put this page back into a page cache until the load is committed via
FrameLoader::commitProvisionalLoad, which is invoked later and only after CachedPage::restore has exited.

Also added a release assert to make sure this condition holds.

Tests: fast/history/page-cache-execute-script-during-restore.html
       fast/history/page-cache-navigate-during-restore.html

* history/CachedPage.cpp:
(WebCore::CachedPageRestorationScope::CachedPageRestorationScope): Added.
(WebCore::CachedPageRestorationScope::~CachedPageRestorationScope): Added.
(WebCore::CachedPage::restore): Don't instantiate ScriptDisallowedScope::InMainThread. Set isRestoringCachedPage
on the cached page to release-assert that there won't be any attempt to put this very page back into the cache.
* history/PageCache.cpp:
(WebCore::canCachePage): Added a release assert to make sure the page which is in the process of being restored
from the page cache is not put into the page cache.
* page/Page.h:
(WebCore::Page::setIsRestoringCachedPage): Added.
(WebCore::Page::isRestoringCachedPage const): Added.

LayoutTests:

Added regression tests for the release assertion and for navigating while a document is being restored from the page cache.
WebKit should not hit any assertions in either situation.

* fast/history/page-cache-execute-script-during-restore-expected.txt: Added.
* fast/history/page-cache-execute-script-during-restore.html: Added.
* fast/history/page-cache-navigate-during-restore-expected.txt: Added.
* fast/history/page-cache-navigate-during-restore.html: Added.
* fast/history/resources/navigate-back-with-finish-test-stage.html: Added.

git-svn-id: https://svn.webkit.org/repository/webkit/trunk@227280 268f45cc-cd09-0410-ab3c-d52691b4dbfc
LayoutTests/ChangeLog
LayoutTests/fast/history/page-cache-execute-script-during-restore-expected.txt [new file with mode: 0644]
LayoutTests/fast/history/page-cache-execute-script-during-restore.html [new file with mode: 0644]
LayoutTests/fast/history/page-cache-navigate-during-restore-expected.txt [new file with mode: 0644]
LayoutTests/fast/history/page-cache-navigate-during-restore.html [new file with mode: 0644]
LayoutTests/fast/history/resources/navigate-back-with-finish-test-stage.html [new file with mode: 0644]
Source/WebCore/ChangeLog
Source/WebCore/history/CachedPage.cpp
Source/WebCore/history/PageCache.cpp
Source/WebCore/page/Page.h