Potential null dereference in WebFrameLoaderClient::dispatchDidFailProvisionalLoad()
<https://bugs.webkit.org/show_bug.cgi?id=133193>

author    jhoneycutt@apple.com <jhoneycutt@apple.com@268f45cc-cd09-0410-ab3c-d52691b4dbfc>  Sun, 25 May 2014 03:30:56 +0000 (03:30 +0000)
committer jhoneycutt@apple.com <jhoneycutt@apple.com@268f45cc-cd09-0410-ab3c-d52691b4dbfc>  Sun, 25 May 2014 03:30:56 +0000 (03:30 +0000)

WebFrameLoaderClient::dispatchDidFailProvisionalLoad() calls the
InjectedBundleLoaderClient's didFailProvisionalLoadWithErrorForFrame()
before sending a message to the UI process that a provisional load has
failed. It's possible for the provisional document loader to become
null while calling into the InjectedBundleLoaderClient (as is the case
with the WebKitTestRunner's injected bundle), leading to a null
dereference when trying to send the DidFailProvisionalLoadForFrame
message.

Reviewed by Darin Adler.

* WebProcess/WebCoreSupport/WebFrameLoaderClient.cpp:
(WebKit::WebFrameLoaderClient::dispatchDidFailProvisionalLoad):
Get the navigation ID before calling into the injected bundle.

git-svn-id: https://svn.webkit.org/repository/webkit/trunk@169315 268f45cc-cd09-0410-ab3c-d52691b4dbfc
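The re-entrancy hazard described in the commit message, as an added C++ model that is not WebKit code: Frame, DocumentLoader, bundleClient and the navigation ID 42 are simplified, constructed stand-ins for the WebKit classes named above, and the pre-fix variant reports the missing loader instead of crashing so the difference between the two orderings is observable.

```cpp
// Added example, not WebKit code: a minimal model of the re-entrancy bug this
// commit fixes; Frame, DocumentLoader and bundleClient are simplified stand-ins.
#include <cstdint>
#include <functional>
#include <memory>

struct DocumentLoader {
    uint64_t navigationID;
};

struct Frame {
    std::unique_ptr<DocumentLoader> provisionalLoader;
    // Embedder code we do not control; it may tear down the provisional
    // loader while the dispatch function is still on the stack.
    std::function<void(Frame&)> bundleClient;
};

// canSendMessage is false where the real code would have dereferenced null.
struct Result {
    bool canSendMessage;
    uint64_t navigationID;
};
// Before the fix: the loader is read only after the bundle callback returns.
Result dispatchFailUnsafe(Frame& frame) {
    frame.bundleClient(frame);
    DocumentLoader* loader = frame.provisionalLoader.get();
    if (!loader)
        return {false, 0};
    return {true, loader->navigationID};
}

// After the fix: snapshot the navigation ID before handing control away.
Result dispatchFailSafe(Frame& frame) {
    uint64_t navigationID = frame.provisionalLoader->navigationID;
    frame.bundleClient(frame);
    return {true, navigationID};
}

// Builds a frame whose bundle client either clears the loader (as the
// WebKitTestRunner bundle does) or leaves it alone, then runs one variant.
Result simulate(bool bundleClearsLoader, bool useFix) {
    Frame frame;
    frame.provisionalLoader.reset(new DocumentLoader{42}); // constructed ID
    frame.bundleClient = [bundleClearsLoader](Frame& f) {
        if (bundleClearsLoader)
            f.provisionalLoader.reset();
    };
    return useFix ? dispatchFailSafe(frame) : dispatchFailUnsafe(frame);
}
```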

Source/WebKit2/ChangeLog
Source/WebKit2/WebProcess/WebCoreSupport/WebFrameLoaderClient.cpp

index 0781e29..a6c8197 100644 (file)
@@ -1,3 +1,24 @@
+2014-05-24  Jon Honeycutt  <jhoneycutt@apple.com>
+
+        Potential null dereference in
+        WebFrameLoaderClient::dispatchDidFailProvisionalLoad()
+        <https://bugs.webkit.org/show_bug.cgi?id=133193>
+
+        WebFrameLoaderClient::dispatchDidFailProvisionalLoad() calls the
+        InjectedBundleLoaderClient's didFailProvisionalLoadWithErrorForFrame()
+        before sending a message to the UI process that a provisional load has
+        failed. It's possible for the provisional document loader to become
+        null while calling into the InjectedBundleLoaderClient (as is the case
+        with the WebKitTestRunner's injected bundle), leading to a null
+        dereference when trying to send the DidFailProvisionalLoadForFrame
+        message.
+
+        Reviewed by Darin Adler.
+
+        * WebProcess/WebCoreSupport/WebFrameLoaderClient.cpp:
+        (WebKit::WebFrameLoaderClient::dispatchDidFailProvisionalLoad):
+        Get the navigation ID before calling into the injected bundle.
+
 2014-05-23  Simon Fraser  <simon.fraser@apple.com>
 
         Rename ScrollingTreeScrollingNode's m_scrollPosition to make it clear that it's the value committed from the state tree
index 56e3af2..3274c20 100644 (file)
@@ -459,15 +459,16 @@ void WebFrameLoaderClient::dispatchDidFailProvisionalLoad(const ResourceError& e
 
     RefPtr<API::Object> userData;
 
+    uint64_t navigationID = static_cast<WebDocumentLoader*>(m_frame->coreFrame()->loader().provisionalDocumentLoader())->navigationID();
+
     // Notify the bundle client.
     webPage->injectedBundleLoaderClient().didFailProvisionalLoadWithErrorForFrame(webPage, m_frame, error, userData);
 
     webPage->sandboxExtensionTracker().didFailProvisionalLoad(m_frame);
 
     // Notify the UIProcess.
-    WebDocumentLoader& provisionalLoader = static_cast<WebDocumentLoader&>(*m_frame->coreFrame()->loader().provisionalDocumentLoader());
-    webPage->send(Messages::WebPageProxy::DidFailProvisionalLoadForFrame(m_frame->frameID(), provisionalLoader.navigationID(), error, InjectedBundleUserMessageEncoder(userData.get())));
-    
+    webPage->send(Messages::WebPageProxy::DidFailProvisionalLoadForFrame(m_frame->frameID(), navigationID, error, InjectedBundleUserMessageEncoder(userData.get())));
+
     // If we have a load listener, notify it.
     if (WebFrame::LoadListener* loadListener = m_frame->loadListener())
         loadListener->didFailLoad(m_frame, error.isCancellation());
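Review bot: the added `uint64_t navigationID = static_cast<WebDocumentLoader*>(m_frame->coreFrame()->loader().provisionalDocumentLoader())->navigationID();` line still dereferences `provisionalDocumentLoader()` unconditionally, so moving it ahead of `didFailProvisionalLoadWithErrorForFrame` only covers a loader that is cleared during the bundle callback, not a frame that reaches this function with no provisional loader at all. If a non-null provisional loader is a guaranteed precondition here, an `ASSERT` on it before the cast would make that explicit; otherwise a null check is needed before reading the ID. Removing the whitespace-only `-    ` line is a welcome cleanup.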