Add release assertion to make sure callbackIdentifier is not 0 in DocumentLoader...
authorcdumez@apple.com <cdumez@apple.com@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
Fri, 23 Jun 2017 23:24:11 +0000 (23:24 +0000)
committercdumez@apple.com <cdumez@apple.com@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
Fri, 23 Jun 2017 23:24:11 +0000 (23:24 +0000)
https://bugs.webkit.org/show_bug.cgi?id=173792

Reviewed by Ryosuke Niwa.

Add release assertion to make sure callbackIdentifier is not 0 in DocumentLoader::finishedLoadingIcon(),
since a 0 identifier reaching WebPageProxy would corrupt its HashTable.

Source/WebCore:

* loader/DocumentLoader.cpp:
(WebCore::DocumentLoader::finishedLoadingIcon):

Source/WebKit2:

* WebProcess/WebCoreSupport/WebFrameLoaderClient.cpp:
(WebKit::WebFrameLoaderClient::finishedLoadingIcon):
* WebProcess/WebCoreSupport/WebFrameLoaderClient.h:

git-svn-id: https://svn.webkit.org/repository/webkit/trunk@218775 268f45cc-cd09-0410-ab3c-d52691b4dbfc

Source/WebCore/ChangeLog
Source/WebCore/loader/DocumentLoader.cpp
Source/WebKit2/ChangeLog
Source/WebKit2/WebProcess/WebCoreSupport/WebFrameLoaderClient.cpp
Source/WebKit2/WebProcess/WebCoreSupport/WebFrameLoaderClient.h

index 96bea2e..94dd218 100644 (file)
@@ -1,3 +1,16 @@
+2017-06-23  Chris Dumez  <cdumez@apple.com>
+
+        Add release assertion to make sure callbackIdentifier is not 0 in DocumentLoader::finishedLoadingIcon()
+        https://bugs.webkit.org/show_bug.cgi?id=173792
+
+        Reviewed by Ryosuke Niwa.
+
+        Add release assertion to make sure callbackIdentifier is not 0 in DocumentLoader::finishedLoadingIcon()
+        as this could cause HashTable corruption on WebPageProxy side.
+
+        * loader/DocumentLoader.cpp:
+        (WebCore::DocumentLoader::finishedLoadingIcon):
+
 2017-06-23  Youenn Fablet  <youenn@apple.com>
 
         webrtc::WebRtcSession is not handling correctly its state when setLocalDescription fails and is called again
index e825b14..7557eb0 100644 (file)
@@ -1695,10 +1695,10 @@ void DocumentLoader::finishedLoadingIcon(IconLoader& loader, SharedBuffer* buffe
     // If the DocumentLoader has detached from its frame, all icon loads should have already been cancelled.
     ASSERT(m_frame);
 
-    auto loadIdentifier = m_iconLoaders.take(&loader);
-    ASSERT(loadIdentifier);
+    auto callbackIdentifier = m_iconLoaders.take(&loader);
+    RELEASE_ASSERT(callbackIdentifier);
 
-    m_frame->loader().client().finishedLoadingIcon(loadIdentifier, buffer);
+    m_frame->loader().client().finishedLoadingIcon(callbackIdentifier, buffer);
 }
 
 void DocumentLoader::dispatchOnloadEvents()
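Review bot: The new RELEASE_ASSERT(callbackIdentifier) carries no comment explaining why a zero identifier must be fatal in release builds rather than a debug-only check, so a reader of this function cannot tell that 0 is the one value the WebPageProxy side cannot accept as a HashMap key. Suggest adding above it `// 0 is never a valid callback identifier; letting it reach WebPageProxy over IPC would corrupt its HashMap (bug 173792).` If m_iconLoaders is a WTF HashMap, take() also yields 0 for a loader that was never registered or was already taken, so the assertion doubles as a guard against duplicate or unexpected completions, which is worth stating in the same comment. Note also that this assertion runs in the web process only; a compromised web process can still send 0 in the FinishedLoadingIcon message, so the UI-process receiver (not in this diff) should validate the identifier before using it as a key rather than rely on this check. The enclosing function's signature and opening brace lie above the hunk, and the ASSERT(m_frame) on the context line remains debug-only while m_frame is dereferenced unconditionally below it.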
index cc57973..2aa9adf 100644 (file)
@@ -1,5 +1,19 @@
 2017-06-23  Chris Dumez  <cdumez@apple.com>
 
+        Add release assertion to make sure callbackIdentifier is not 0 in DocumentLoader::finishedLoadingIcon()
+        https://bugs.webkit.org/show_bug.cgi?id=173792
+
+        Reviewed by Ryosuke Niwa.
+
+        Add release assertion to make sure callbackIdentifier is not 0 in DocumentLoader::finishedLoadingIcon()
+        as this could cause HashTable corruption on WebPageProxy side.
+
+        * WebProcess/WebCoreSupport/WebFrameLoaderClient.cpp:
+        (WebKit::WebFrameLoaderClient::finishedLoadingIcon):
+        * WebProcess/WebCoreSupport/WebFrameLoaderClient.h:
+
+2017-06-23  Chris Dumez  <cdumez@apple.com>
+
         Stop passing Vector by value in WebProcessProxy::deleteWebsiteDataForTopPrivatelyControlledDomainsInAllPersistentDataStores()
         https://bugs.webkit.org/show_bug.cgi?id=173782
 
index db94c3f..1087a8a 100644 (file)
@@ -1813,13 +1813,13 @@ void WebFrameLoaderClient::getLoadDecisionForIcon(const LinkIcon& icon, uint64_t
         webPage->send(Messages::WebPageProxy::GetLoadDecisionForIcon(icon, callbackID));
 }
 
-void WebFrameLoaderClient::finishedLoadingIcon(uint64_t loadIdentifier, SharedBuffer* data)
+void WebFrameLoaderClient::finishedLoadingIcon(uint64_t callbackIdentifier, SharedBuffer* data)
 {
     if (WebPage* webPage { m_frame->page() }) {
         if (data)
-            webPage->send(Messages::WebPageProxy::FinishedLoadingIcon(loadIdentifier, { reinterpret_cast<const uint8_t*>(data->data()), data->size() }));
+            webPage->send(Messages::WebPageProxy::FinishedLoadingIcon(callbackIdentifier, { reinterpret_cast<const uint8_t*>(data->data()), data->size() }));
         else
-            webPage->send(Messages::WebPageProxy::FinishedLoadingIcon(loadIdentifier, { nullptr, 0 }));
+            webPage->send(Messages::WebPageProxy::FinishedLoadingIcon(callbackIdentifier, { nullptr, 0 }));
     }
 }
 
index 016318c..a2ebf2e 100644 (file)
@@ -261,7 +261,7 @@ private:
 
     bool useIconLoadingClient() final;
     void getLoadDecisionForIcon(const WebCore::LinkIcon&, uint64_t callbackID) final;
-    void finishedLoadingIcon(uint64_t loadIdentifier, WebCore::SharedBuffer*) final;
+    void finishedLoadingIcon(uint64_t callbackIdentifier, WebCore::SharedBuffer*) final;
 
     WebFrame* m_frame;
     RefPtr<PluginView> m_pluginView;