Nullptr crash in Page::sessionID() via WebKit::WebFrameLoaderClient::detachedFromPare...
author: cdumez@apple.com <cdumez@apple.com@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
Wed, 11 Sep 2019 00:54:05 +0000 (00:54 +0000)
committer: cdumez@apple.com <cdumez@apple.com@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
Wed, 11 Sep 2019 00:54:05 +0000 (00:54 +0000)
commit: 8f22cf08e0a5732f8c87b6ee268193631fca02f3
tree: 0ec11fe19382e99de92e024c66243ebc9aaa6488
parent: 9b212fd4732000439c8554f194a89390c605d193
Nullptr crash in Page::sessionID() via WebKit::WebFrameLoaderClient::detachedFromParent2()
https://bugs.webkit.org/show_bug.cgi?id=201625

Reviewed by Ryosuke Niwa.

This is based on a patch from Ryosuke Niwa.

Source/WebCore:

Drop setHasFrameSpecificStorageAccess() in WebCore and call it from the WebKit layer instead.

* dom/DocumentStorageAccess.cpp:
(WebCore::DocumentStorageAccess::requestStorageAccess):
(WebCore::DocumentStorageAccess::setHasFrameSpecificStorageAccess): Deleted.
* dom/DocumentStorageAccess.h:
* loader/EmptyFrameLoaderClient.h:
* loader/FrameLoaderClient.h:

Source/WebKit:

The crash was caused by WebFrameLoaderClient::sessionID() calling WebPage::sessionID() without
checking the nullity of WebPage::m_page which can be null. Added a null check.

Because passing a wrong session to RemoveStorageAccessForFrame could result in a leak, this patch
also replaces m_hasFrameSpecificStorageAccess boolean with an optional struct which stores
session ID, frame ID, and page ID even after WebCore::Frame or WebCore::Page had been cleared
or before WebFrameLoaderClient::m_frame is set.

* WebProcess/WebCoreSupport/WebFrameLoaderClient.cpp:
(WebKit::WebFrameLoaderClient::sessionID const):
(WebKit::WebFrameLoaderClient::setHasFrameSpecificStorageAccess):
(WebKit::WebFrameLoaderClient::detachedFromParent2):
(WebKit::WebFrameLoaderClient::dispatchWillChangeDocument):
* WebProcess/WebCoreSupport/WebFrameLoaderClient.h:
* WebProcess/WebPage/WebFrame.h:
(WebKit::WebFrame::frameLoaderClient const):
* WebProcess/WebPage/WebPage.cpp:
(WebKit::WebPage::requestStorageAccess):

git-svn-id: https://svn.webkit.org/repository/webkit/trunk@249748 268f45cc-cd09-0410-ab3c-d52691b4dbfc
Source/WebCore/ChangeLog
Source/WebCore/dom/DocumentStorageAccess.cpp
Source/WebCore/dom/DocumentStorageAccess.h
Source/WebCore/loader/EmptyFrameLoaderClient.h
Source/WebCore/loader/FrameLoaderClient.h
Source/WebKit/ChangeLog
Source/WebKit/WebProcess/WebCoreSupport/WebFrameLoaderClient.cpp
Source/WebKit/WebProcess/WebCoreSupport/WebFrameLoaderClient.h
Source/WebKit/WebProcess/WebPage/WebFrame.h
Source/WebKit/WebProcess/WebPage/WebPage.cpp
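The pattern the Source/WebKit section of the commit message describes, as an added illustration that is not code from this commit or from WebKit: a client that re-reads identifiers through a possibly-cleared Page at detach time (guarded by the null check the fix adds) beside one that caches session, frame and page IDs in an optional struct when access is granted. All types, names and values below are constructed stand-ins for the ones the commit message mentions.

```cpp
#include <cstddef>
#include <cstdint>
#include <optional>
#include <vector>
// Constructed stand-ins for the objects the commit message names (not WebKit's
// classes). Frame::page is set to nullptr when the Page is cleared.
struct Page { uint64_t sessionID; uint64_t pageID; };
struct Frame { uint64_t frameID; Page* page; };
struct StorageAccessIdentifiers { uint64_t sessionID, frameID, pageID; };
// Stand-in for sending RemoveStorageAccessForFrame to the network process.
static std::vector<StorageAccessIdentifiers> g_removalsSent;
// Before: a bool records the grant, so detach must re-read the identifiers via
// m_frame->page. Unchecked, that was the nullptr crash; with the null check it
// degrades to "send nothing", the leak the commit message warns about.
struct BoolClient {
    Frame* m_frame = nullptr;
    bool m_hasFrameSpecificStorageAccess = false;
    std::optional<uint64_t> sessionID() const {  // null check added by the fix
        if (!m_frame || !m_frame->page) return std::nullopt;
        return m_frame->page->sessionID;
    }
    void detachedFromParent2() {
        auto session = sessionID();
        if (!m_hasFrameSpecificStorageAccess || !session) return;  // cannot name the session
        g_removalsSent.push_back({*session, m_frame->frameID, m_frame->page->pageID});
        m_hasFrameSpecificStorageAccess = false;
    }
};
// After: cache all three identifiers at grant time; detach needs no live Page,
// and reset() keeps a second detach from sending the removal twice.
struct OptionalClient {
    std::optional<StorageAccessIdentifiers> m_identifiers;
    void setHasFrameSpecificStorageAccess(uint64_t s, uint64_t f, uint64_t p) { m_identifiers = StorageAccessIdentifiers{s, f, p}; }
    void detachedFromParent2() {
        if (!m_identifiers) return;
        g_removalsSent.push_back(*m_identifiers);
        m_identifiers.reset();
    }
};
// Grant access, clear the Page (as in the crash), detach twice; return how many
// removal messages went out. 0 means the frame's storage access leaked.
inline std::size_t boolClientRemovals() {
    g_removalsSent.clear(); Page page{7, 42}; Frame frame{3, &page};
    BoolClient client{&frame, true}; frame.page = nullptr;  // Page cleared before detach
    client.detachedFromParent2(); client.detachedFromParent2(); return g_removalsSent.size();
}
inline std::size_t optionalClientRemovals() {
    g_removalsSent.clear(); Page page{7, 42}; Frame frame{3, &page}; OptionalClient client;
    client.setHasFrameSpecificStorageAccess(page.sessionID, frame.frameID, page.pageID);
    frame.page = nullptr; client.detachedFromParent2(); client.detachedFromParent2();
    return g_removalsSent.size();
}
```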