heap use-after-free at WebCore::TimerBase::heapPopMin()

https://bugs.webkit.org/show_bug.cgi?id=157742
<rdar://problem/26236778>

Source/WebCore:

Reviewed by David Kilzer.

Tested by fast/frames/resources/crash-during-iframe-load-stop.html.

* loader/FrameLoader.cpp:
(WebCore::FrameLoader::stopForUserCancel): Protect m_frame from destruction while it is still
being used by the current stack frame.
(WebCore::FrameLoader::frameDetached): Ditto.
(WebCore::FrameLoader::continueFragmentScrollAfterNavigationPolicy): Ditto.

LayoutTests:

Reviewed by Simon Fraser.

* fast/frames/crash-during-iframe-load-stop-expected.txt: Added.
* fast/frames/crash-during-iframe-load-stop.html: Added.
* fast/frames/resources/crash-during-iframe-load-stop-inner.html: Added.
* fast/frames/resources/crash-during-iframe-load-stop.html: Added.


git-svn-id: http://svn.webkit.org/repository/webkit/trunk@200986 268f45cc-cd09-0410-ab3c-d52691b4dbfc

LayoutTests/ChangeLog

@@ -1,3 +1,16 @@
+2016-05-16  Brent Fulgham  <bfulgham@apple.com>
+
+        heap use-after-free at WebCore::TimerBase::heapPopMin()
+        https://bugs.webkit.org/show_bug.cgi?id=157742
+        <rdar://problem/26236778>
+
+        Reviewed by Simon Fraser.
+
+        * fast/frames/crash-during-iframe-load-stop-expected.txt: Added.
+        * fast/frames/crash-during-iframe-load-stop.html: Added.
+        * fast/frames/resources/crash-during-iframe-load-stop-inner.html: Added.
+        * fast/frames/resources/crash-during-iframe-load-stop.html: Added.
+
 2016-05-16  Saam barati  <sbarati@apple.com>
 
         Hook up ShadowChicken to the debugger to show tail deleted frames

LayoutTests/fast/frames/crash-during-iframe-load-stop-expected.txt

@@ -0,0 +1,3 @@
+This tests that WebKit does not crash when frame loads are interrupted. This test passes if it does not crash.
+
+

LayoutTests/fast/frames/crash-during-iframe-load-stop.html

@@ -0,0 +1,38 @@
+<html>
+<head>
+<script>
+    if (window.testRunner) {
+        testRunner.waitUntilDone();
+        testRunner.dumpAsText();
+    }
+
+    var count = 0;
+</script>
+</head>
+<body onload='deleteFrame()'>
+    <script>
+    function deleteFrame()
+    {
+        var frameToRemove = document.getElementById('subframe');
+        document.body.removeChild(frameToRemove);
+    }
+
+    function reloadSubframe()
+    {
+        var iframe = document.createElement('iframe');
+        iframe.id = 'subframe';
+        iframe.src = 'resources/crash-during-iframe-load-stop.html';
+        document.body.appendChild(iframe);
+        setTimeout(function() { deleteFrame(); }, 0);
+    }
+
+    function subFrameFinishedLoading()
+    {
+        if (window.testRunner)
+            testRunner.notifyDone();
+    }
+    </script>
+    <p>This tests that WebKit does not crash when frame loads are interrupted. This test passes if it does not crash.</p>
+    <iframe id="subframe" src='resources/crash-during-iframe-load-stop.html'></iframe>
+</body>
+</html>

LayoutTests/fast/frames/resources/crash-during-iframe-load-stop-inner.html

@@ -0,0 +1,6 @@
+<html>
+  <script>
+      window.parent.stop();
+      window.parent.subFrameFinishedLoading();
+  </script>
+</html>

LayoutTests/fast/frames/resources/crash-during-iframe-load-stop.html

@@ -0,0 +1,16 @@
+<html>
+<head>
+    <script>
+    function subFrameFinishedLoading()
+    {
+        window.parent.count = window.parent.count + 1;
+        if (window.parent.count < 10)
+            window.parent.reloadSubframe();
+        else
+            window.parent.subFrameFinishedLoading();
+    }
+    </script>
+</head>
+  <iframe src="crash-during-iframe-load-stop-inner.html"></iframe>
+  <iframe src="data:text/html, <html></html>"></iframe>
+</html>

Source/WebCore/ChangeLog

@@ -1,3 +1,19 @@
+2016-05-16  Brent Fulgham  <bfulgham@apple.com>
+
+        heap use-after-free at WebCore::TimerBase::heapPopMin()
+        https://bugs.webkit.org/show_bug.cgi?id=157742
+        <rdar://problem/26236778>
+
+        Reviewed by David Kilzer.
+
+        Tested by fast/frames/resources/crash-during-iframe-load-stop.html.
+
+        * loader/FrameLoader.cpp:
+        (WebCore::FrameLoader::stopForUserCancel): Protect m_frame from destruction while it is still
+        being used by the current stack frame.
+        (WebCore::FrameLoader::frameDetached): Ditto.
+        (WebCore::FrameLoader::continueFragmentScrollAfterNavigationPolicy): Ditto.
+
 2016-05-16  Dean Jackson  <dino@apple.com>
 
         WebCoreJSBuiltinInternals won't compile if some build flags are off

Source/WebCore/loader/FrameLoader.cpp

@@ -1632,6 +1632,9 @@ void FrameLoader::stopAllLoaders(ClearProvisionalItemPolicy clearProvisionalItem
 
 void FrameLoader::stopForUserCancel(bool deferCheckLoadComplete)
 {
+    // Calling stopAllLoaders can cause the frame to be deallocated, including the frame loader.
+    Ref<Frame> protectedFrame(m_frame);
+
     stopAllLoaders();
 
 #if PLATFORM(IOS)
@@ -2491,6 +2494,9 @@ void FrameLoader::dispatchOnloadEvents()
 
 void FrameLoader::frameDetached()
 {
+    // Calling stopAllLoaders can cause the frame to be deallocated, including the frame loader.
+    Ref<Frame> protectedFrame(m_frame);
+
     stopAllLoaders();
     m_frame.document()->stopActiveDOMObjects();
     detachFromParent();
@@ -2790,6 +2796,10 @@ void FrameLoader::continueFragmentScrollAfterNavigationPolicy(const ResourceRequ
     if (!shouldContinue)
         return;
 
+    // Calling stopLoading() on the provisional document loader can cause the underlying
+    // frame to be deallocated.
+    Ref<Frame> protectedFrame(m_frame);
+
     // If we have a provisional request for a different document, a fragment scroll should cancel it.
     if (m_provisionalDocumentLoader && !equalIgnoringFragmentIdentifier(m_provisionalDocumentLoader->request().url(), request.url())) {
         m_provisionalDocumentLoader->stopLoading();