Crash in WKBundleFrameGetParentFrame when called inside didRemoveFrameFromHierarchy
author rniwa@webkit.org <rniwa@webkit.org@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
Thu, 14 Feb 2019 06:47:32 +0000 (06:47 +0000)
committer rniwa@webkit.org <rniwa@webkit.org@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
Thu, 14 Feb 2019 06:47:32 +0000 (06:47 +0000)
https://bugs.webkit.org/show_bug.cgi?id=194641

Reviewed by Geoffrey Garen.

Source/WebKit:

Fixed the bug by adding a null check to WebFrame::parentFrame.

* WebProcess/WebPage/WebFrame.cpp:
(WebKit::WebFrame::parentFrame const):

Tools:

Added a call to WKBundleFrameGetParentFrame to an existing test for didRemoveFrameFromHierarchy
so that the test would fail without this fix.

* TestWebKitAPI/Tests/WebKit/DidRemoveFrameFromHiearchyInPageCache_Bundle.cpp:
(TestWebKitAPI::didRemoveFrameFromHierarchyCallback):

git-svn-id: https://svn.webkit.org/repository/webkit/trunk@241500 268f45cc-cd09-0410-ab3c-d52691b4dbfc

Source/WebKit/ChangeLog
Source/WebKit/WebProcess/WebPage/WebFrame.cpp
Tools/ChangeLog
Tools/TestWebKitAPI/Tests/WebKit/DidRemoveFrameFromHiearchyInPageCache_Bundle.cpp

index c14f6a2..ae189dc 100644 (file)
@@ -1,3 +1,15 @@
+2019-02-13  Ryosuke Niwa  <rniwa@webkit.org>
+
+        Crash in WKBundleFrameGetParentFrame when called inside didRemoveFrameFromHierarchy
+        https://bugs.webkit.org/show_bug.cgi?id=194641
+
+        Reviewed by Geoffrey Garen.
+
+        Fixed the bug by adding a null check to WebFrame::parentFrame.
+
+        * WebProcess/WebPage/WebFrame.cpp:
+        (WebKit::WebFrame::parentFrame const):
+
 2019-02-13  Timothy Hatcher  <timothy@apple.com>
 
         Allow some deprecations in WKDrawingView.
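Review bot: the ChangeLog entry records what was added (a null check in WebFrame::parentFrame) but not the condition that makes it necessary; one sentence stating when `ownerElement()->document().frame()` is null, i.e. the case the new check handles when `WKBundleFrameGetParentFrame` is called from `didRemoveFrameFromHierarchy`, would preserve the root cause for anyone reading the log later instead of leaving it to be re-derived from the bug.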
index 6903510..b96059f 100644 (file)
@@ -463,9 +463,13 @@ String WebFrame::innerText() const
 WebFrame* WebFrame::parentFrame() const
 {
     if (!m_coreFrame || !m_coreFrame->ownerElement())
-        return 0;
+        return nullptr;
+
+    auto* frame = m_coreFrame->ownerElement()->document().frame();
+    if (!frame)
+        return nullptr;
 
-    return WebFrame::fromCoreFrame(*m_coreFrame->ownerElement()->document().frame());
+    return WebFrame::fromCoreFrame(*frame);
 }
 
 Ref<API::Array> WebFrame::childFrames()
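Review bot: `m_coreFrame->ownerElement()` is still evaluated twice in this hunk, once in the guard and once when fetching `document().frame()`; hoisting it into a local (e.g. `auto* ownerElement = m_coreFrame->ownerElement();`) would let the three null checks read as one sequence and avoid re-walking the pointer. The new `if (!frame) return nullptr;` is the actual fix: `WebFrame::fromCoreFrame` takes a reference, so the old single-line return dereferenced a null `Frame*` whenever the owner element's document no longer had a frame, which per the bug title is what happens inside `didRemoveFrameFromHierarchy`. A short comment naming that situation would stop the check from reading as defensive noise. Replacing `return 0` with `return nullptr` is a welcome cleanup.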
index 9ea8acc..e7c8dd8 100644 (file)
@@ -1,3 +1,16 @@
+2019-02-13  Ryosuke Niwa  <rniwa@webkit.org>
+
+        Crash in WKBundleFrameGetParentFrame when called inside didRemoveFrameFromHierarchy
+        https://bugs.webkit.org/show_bug.cgi?id=194641
+
+        Reviewed by Geoffrey Garen.
+
+        Added a call to WKBundleFrameGetParentFrame to an existing test for didRemoveFrameFromHierarchy
+        so that the test would fail without this fix.
+
+        * TestWebKitAPI/Tests/WebKit/DidRemoveFrameFromHiearchyInPageCache_Bundle.cpp:
+        (TestWebKitAPI::didRemoveFrameFromHierarchyCallback):
+
 2019-02-13  Aakash Jain  <aakash_jain@apple.com>
 
         [ews-app] Change log level for a log statement
index 712b3fb..ac7e03a 100644 (file)
@@ -30,6 +30,7 @@
 #include "InjectedBundleTest.h"
 
 #include "PlatformUtilities.h"
+#include <WebKit/WKBundleFrame.h>
 #include <WebKit/WKBundlePage.h>
 
 namespace TestWebKitAPI {
@@ -45,10 +46,12 @@ static InjectedBundleTest::Register<DidRemoveFrameFromHiearchyInPageCacheTest> r
 
 static unsigned didRemoveFrameFromHierarchyCount;
 
-void didRemoveFrameFromHierarchyCallback(WKBundlePageRef page, WKBundleFrameRef, WKTypeRef*, const void*)
+void didRemoveFrameFromHierarchyCallback(WKBundlePageRef page, WKBundleFrameRef frame, WKTypeRef*, const void*)
 {
     didRemoveFrameFromHierarchyCount++;
 
+    RELEASE_ASSERT(!WKBundleFrameGetParentFrame(frame));
+
     WKRetainPtr<WKStringRef> message(AdoptWK, WKStringCreateWithUTF8CString("DidRemoveFrameFromHierarchy"));
     WKBundlePagePostMessage(page, message.get(), message.get());
 }
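Review bot: `RELEASE_ASSERT(!WKBundleFrameGetParentFrame(frame))` asserts two things at once, that the call no longer crashes and that the parent is null for the frame being removed, and only the first is described in the ChangeLog entry. If this callback ever fires for a frame whose owner document still has a frame, the assertion aborts the web process with a failure that looks unrelated to the original crash; a comment above it stating why a null parent is the expected result in this page-cache scenario would make the intent clear. Since the surrounding code already reports progress to the UI process via `WKBundlePagePostMessage`, an alternative is to fold the parent-frame result into that message and check it on the receiving side, which gives a readable test failure instead of a crash.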