Null dereference loading Blink layout test http/tests/misc/detach-during-notifyDone...
author jiewen_tan@apple.com <jiewen_tan@apple.com@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
Tue, 1 Dec 2015 00:33:47 +0000 (00:33 +0000)
committer jiewen_tan@apple.com <jiewen_tan@apple.com@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
Tue, 1 Dec 2015 00:33:47 +0000 (00:33 +0000)
commit 2bdd9034b04f86388850ac54085f54a975375390
tree ee37ce4ad998c2e4f21b3a057a85d9c7e60cff32
parent fd2be8017e06aabc15c8895ca5bab934c20ff377
Null dereference loading Blink layout test http/tests/misc/detach-during-notifyDone.html
https://bugs.webkit.org/show_bug.cgi?id=149309
<rdar://problem/22748363>

Reviewed by Brent Fulgham.

Source/WebCore:

A weird order of event execution introduced by the test case will kill the webpage in a
subframe of the page while executing its |frame.loader().checkLoadCompleteForThisFrame()|.
Therefore, any frame that comes after the failing subframe will have no page. Check that before
calling those frames' |frame.loader().checkLoadCompleteForThisFrame()|, otherwise the
assertion in |frame.loader().checkLoadCompleteForThisFrame()| will fail.

Test: http/tests/misc/detach-during-notifyDone.html

* loader/FrameLoader.cpp:
(WebCore::FrameLoader::checkLoadComplete):

Source/WebKit/mac:

* WebView/WebDataSource.mm:
(WebDataSourcePrivate::~WebDataSourcePrivate):
Refine the assertion to treat <rdar://problem/9673866>.

Source/WebKit2:

Callbacks from bundle clients could kill the DocumentLoader. Therefore, make a copy
of the navigationID before invoking the callback.

* WebProcess/WebCoreSupport/WebFrameLoaderClient.cpp:
(WebKit::WebFrameLoaderClient::dispatchDidChangeLocationWithinPage):
(WebKit::WebFrameLoaderClient::dispatchDidPushStateWithinPage):
(WebKit::WebFrameLoaderClient::dispatchDidReplaceStateWithinPage):
(WebKit::WebFrameLoaderClient::dispatchDidPopStateWithinPage):
(WebKit::WebFrameLoaderClient::dispatchDidFailLoad):
(WebKit::WebFrameLoaderClient::dispatchDidFinishDocumentLoad):
(WebKit::WebFrameLoaderClient::dispatchDidFinishLoad):

LayoutTests:

The test case is from Blink r175601:
https://codereview.chromium.org/317513002
The test case will generate a set of weirdly ordered events that affects the documentLoader:
1. The subframe finishes loading, and since the frame’s testRunner is not set to wait until
done, WebKitTestRunner stops the load (by calling WKBundlePageStopLoading()).
2. This causes the in-progress XHR to be aborted, which causes its readyState to become DONE
(this bug doesn’t always reproduce because sometimes the XHR has already finished before the
frame finishes loading).
3. The onreadystatechange callback is executed, which sets innerHTML on the parent frame.
4. Setting innerHTML disconnects the subframe, nulling out its DocumentLoader.
5. We return to WebFrameLoaderClient::dispatchDidFinishLoad() from step #1, but now the
FrameLoader’s DocumentLoader is null. And WebKit crashes here.

Note that steps 2-4 happen synchronously inside WebFrameLoaderClient::dispatchDidFinishLoad().

* http/tests/misc/detach-during-notifyDone-expected.txt: Added.
* http/tests/misc/detach-during-notifyDone.html: Added.
* http/tests/misc/resources/detached-frame.html: Added.

git-svn-id: https://svn.webkit.org/repository/webkit/trunk@192844 268f45cc-cd09-0410-ab3c-d52691b4dbfc
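The two fixes the commit message describes (copy the navigationID before a bundle-client callback that may detach the frame; skip pageless frames in checkLoadComplete) are both instances of the same re-entrancy hazard: a callback runs script that synchronously destroys state the caller reads afterwards. The following is an added example, not WebKit's code; `Page`, `Frame`, `DocumentLoader`, the callback type and the `Scenario` fixture are hypothetical stand-ins with just enough state to reproduce steps 2 to 5 of the test description, and the unsafe path reports the missing loader instead of dereferencing it.

```cpp
#include <cstdint>
#include <functional>
#include <memory>
#include <vector>

// Hypothetical stand-ins for WebCore's Page, Frame and DocumentLoader; not WebKit's
// classes, only enough state to reproduce the re-entrancy described above.
struct Page;

struct DocumentLoader {
    uint64_t navigationID;
};

struct Frame {
    Page* page = nullptr;
    std::unique_ptr<DocumentLoader> loader;

    // Step 4 of the test description: removing the subframe from the DOM nulls
    // its DocumentLoader and leaves it without a Page.
    void detach() { loader.reset(); page = nullptr; }
};

struct Page {
    std::vector<Frame*> frames;
};

// Bundle-client callback; like the real injected-bundle client it may run script.
using FrameCallback = std::function<void(Frame&)>;

// Pre-fix shape: read the loader *after* the callback. Returns false where the
// real code would dereference a null DocumentLoader (step 5).
bool dispatchDidFinishLoadUnsafe(Frame& frame, const FrameCallback& client, uint64_t& navigationIDOut) {
    client(frame);
    if (!frame.loader)
        return false;
    navigationIDOut = frame.loader->navigationID;
    return true;
}

// Fix pattern from the commit message: copy navigationID before invoking the callback.
uint64_t dispatchDidFinishLoadSafe(Frame& frame, const FrameCallback& client) {
    uint64_t navigationID = frame.loader ? frame.loader->navigationID : 0;
    client(frame);
    return navigationID; // still valid even if the client detached the frame
}

// Analogue of checkLoadCompleteForThisFrame: the real one asserts the frame still
// has a page. Here a pageless frame is reported as false instead of asserting.
bool checkLoadCompleteForThisFrame(Frame& frame, const FrameCallback& client) {
    if (!frame.page)
        return false;
    client(frame);
    return true;
}

// Analogue of FrameLoader::checkLoadComplete: a frame detached by an earlier
// iteration has no page, so skip it rather than trip the assertion.
// Returns the number of frames actually checked.
int checkLoadComplete(Page& page, const FrameCallback& client) {
    std::vector<Frame*> frames = page.frames; // snapshot: callbacks may detach frames
    int checked = 0;
    for (Frame* frame : frames) {
        if (!frame->page)
            continue; // the fix: never call into a frame that has lost its page
        if (checkLoadCompleteForThisFrame(*frame, client))
            ++checked;
    }
    return checked;
}

// Constructed fixture: one page, a parent frame (navigationID 1) and a subframe (42).
struct Scenario {
    Page page;
    Frame parent, child;
    Scenario() {
        parent.page = &page;
        parent.loader = std::make_unique<DocumentLoader>(DocumentLoader{1});
        child.page = &page;
        child.loader = std::make_unique<DocumentLoader>(DocumentLoader{42});
        page.frames = {&parent, &child};
    }
};

// Steps 2-4: the client callback for the subframe synchronously detaches it.
bool unsafeDispatchLosesLoader() {
    Scenario s;
    uint64_t id = 0;
    bool ok = dispatchDidFinishLoadUnsafe(s.child, [](Frame& f) { f.detach(); }, id);
    return !ok; // true: the loader was already gone when the unsafe code read it
}

uint64_t safeDispatchNavigationID() {
    Scenario s;
    return dispatchDidFinishLoadSafe(s.child, [](Frame& f) { f.detach(); }); // 42
}

// The parent frame's check detaches the child; the child must then be skipped.
int framesCheckedWhenParentDetachesChild() {
    Scenario s;
    Frame* child = &s.child;
    return checkLoadComplete(s.page, [child](Frame& f) { if (&f != child) child->detach(); }); // 1
}

int main() {
    bool ok = unsafeDispatchLosesLoader() && safeDispatchNavigationID() == 42
        && framesCheckedWhenParentDetachesChild() == 1;
    return ok ? 0 : 1;
}
```

The snapshot of `page.frames` inside `checkLoadComplete` is the same defensive habit as copying `navigationID`: anything a callback can mutate is read once, before the callback, and never re-read through a pointer that the callback may have invalidated.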
LayoutTests/ChangeLog
LayoutTests/http/tests/misc/detach-during-notifyDone-expected.txt [new file with mode: 0644]
LayoutTests/http/tests/misc/detach-during-notifyDone.html [new file with mode: 0644]
LayoutTests/http/tests/misc/resources/detached-frame.html [new file with mode: 0644]
Source/WebCore/ChangeLog
Source/WebCore/loader/FrameLoader.cpp
Source/WebKit/mac/ChangeLog
Source/WebKit/mac/WebView/WebDataSource.mm
Source/WebKit2/ChangeLog
Source/WebKit2/WebProcess/WebCoreSupport/WebFrameLoaderClient.cpp