[chromium] Use after free in plugins/geturlnotify-during-document-teardown.html

https://bugs.webkit.org/show_bug.cgi?id=107556

Reviewed by Tony Chang.

WebViewHost initiates a navigation to about:blank in its destructor.
However, since WebTestProxy inherits from WebViewHost, at this point
the WebViewClient and WebFrameClient interfaces are already partially
destructed resulting in the use after free.

This does not affect the chromium implementation since it doesn't
invoke WebKit API methods in its destructor.

* DumpRenderTree/chromium/TestShell.cpp:
(TestShell::~TestShell):
(TestShell::closeWindow):
* DumpRenderTree/chromium/WebViewHost.cpp:
(WebViewHost::WebViewHost):
(WebViewHost::~WebViewHost):
(WebViewHost::shutdown):
* DumpRenderTree/chromium/WebViewHost.h:
(WebViewHost):


Canonical link: https://commits.webkit.org/125897@main
git-svn-id: https://svn.webkit.org/repository/webkit/trunk@140561 268f45cc-cd09-0410-ab3c-d52691b4dbfc
jeisinger committed Jan 23, 2013
1 parent 08dcc3a commit 1af2ea323cf2301e7923d1cf5c616024baccbee6
Showing 4 changed files with 44 additions and 2 deletions.
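The following is an added example, not code from WebKit, Chromium or this commit. It models the teardown-order problem the commit message describes: a base class (WebViewHost) drives a navigation from its destructor, but by the time a base destructor body runs, the members of the derived class (WebTestProxy, which owns the client state the navigation calls back into) have already been destroyed. The names Host, BuggyHost, SafeHost, Proxy, ClientDelegate and EventLog are hypothetical stand-ins; a weak_ptr is used so that the dangling reference is detected and logged rather than dereferenced, which in the real bug is the use after free.

```cpp
// Added example; not WebKit/Chromium code. Models the destructor-driven
// teardown bug and the explicit shutdown() contract. All names are
// hypothetical stand-ins for WebViewHost / WebTestProxy / WebViewClient.
#include <cassert>
#include <memory>
#include <string>
#include <vector>

using EventLog = std::vector<std::string>;

// Stand-in for the client-interface state owned by the derived class. It logs
// its own destruction so the ordering is observable without touching freed memory.
struct ClientDelegate {
    explicit ClientDelegate(EventLog* log) : m_log(log) {}
    ~ClientDelegate() { m_log->push_back("delegate destroyed"); }
    void didStartLoad() { m_log->push_back("delegate: didStartLoad"); }
    EventLog* m_log;
};

// Base in the role of WebViewHost: holds only a non-owning reference to the
// delegate (like m_proxy); the derived class owns it. A weak_ptr lets us
// detect a dangling reference instead of dereferencing it.
class Host {
public:
    explicit Host(EventLog* log) : m_log(log) {}
    virtual ~Host() {}
    void setDelegate(const std::shared_ptr<ClientDelegate>& d) { m_delegate = d; }

protected:
    // The about:blank navigation performed at teardown. Production code would
    // dereference the delegate unconditionally; here a lost delegate is logged
    // as the use-after-free it would have been.
    void navigateToBlank(const char* phase) {
        m_log->push_back(std::string("navigate about:blank in ") + phase);
        if (auto d = m_delegate.lock())
            d->didStartLoad();
        else
            m_log->push_back("USE-AFTER-FREE: delegate already destroyed");
    }
    EventLog* m_log;
    std::weak_ptr<ClientDelegate> m_delegate;
};

// Before the fix: the base destructor drives the navigation.
class BuggyHost : public Host {
public:
    using Host::Host;
    ~BuggyHost() override { navigateToBlank("~BuggyHost"); }
};

// After the fix: teardown is an explicit call made while the most-derived
// object is still fully alive; the destructor only checks the contract.
class SafeHost : public Host {
public:
    using Host::Host;
    ~SafeHost() override { assert(m_shutdownWasInvoked); }
    void shutdown() {
        assert(!m_shutdownWasInvoked);
        navigateToBlank("shutdown()");
        m_shutdownWasInvoked = true;
    }
private:
    bool m_shutdownWasInvoked = false;
};

// Stand-in for WebTestProxy: derives from the host and owns the delegate.
// C++ destroys these members before the base destructor body runs.
template <typename Base>
class Proxy : public Base {
public:
    explicit Proxy(EventLog* log)
        : Base(log), m_client(std::make_shared<ClientDelegate>(log)) {
        this->setDelegate(m_client);
    }
private:
    std::shared_ptr<ClientDelegate> m_client;
};

EventLog teardownWithoutShutdown() {
    EventLog log;
    auto* proxy = new Proxy<BuggyHost>(&log);
    delete proxy;  // ~Proxy, then m_client dies, then ~BuggyHost navigates: too late
    return log;
}

EventLog teardownWithShutdown() {
    EventLog log;
    auto* proxy = new Proxy<SafeHost>(&log);
    proxy->shutdown();  // navigation runs while the delegate is still owned
    delete proxy;
    return log;
}

bool logShowsUseAfterFree(const EventLog& log) {
    for (const auto& e : log)
        if (e.rfind("USE-AFTER-FREE", 0) == 0) return true;
    return false;
}

int main() {
    assert(logShowsUseAfterFree(teardownWithoutShutdown()));
    assert(!logShowsUseAfterFree(teardownWithShutdown()));
    return 0;
}
```

Running it shows the two orderings side by side: without shutdown() the log reads "delegate destroyed" before "navigate about:blank in ~BuggyHost", which is exactly the window the real bug lives in; with shutdown() the navigation and its didStartLoad callback both complete before the delegate is released. The assert in ~SafeHost mirrors the patch's ASSERT(m_shutdownWasInvoked) and, like it, only helps in builds where assertions are enabled.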
@@ -1,3 +1,28 @@
2013-01-23 Jochen Eisinger <jochen@chromium.org>

[chromium] Use after free in plugins/geturlnotify-during-document-teardown.html
https://bugs.webkit.org/show_bug.cgi?id=107556

Reviewed by Tony Chang.

WebViewHost initiates a navigation to about:blank in its destructor.
However, since WebTestProxy inherits from WebViewHost, at this point
the WebViewClient and WebFrameClient interfaces are already partially
destructed resulting in the use after free.

This does not affect the chromium implementation since it doesn't
invoke WebKit API methods in its destructor.

* DumpRenderTree/chromium/TestShell.cpp:
(TestShell::~TestShell):
(TestShell::closeWindow):
* DumpRenderTree/chromium/WebViewHost.cpp:
(WebViewHost::WebViewHost):
(WebViewHost::~WebViewHost):
(WebViewHost::shutdown):
* DumpRenderTree/chromium/WebViewHost.h:
(WebViewHost):

2013-01-23 Andrei Bucur <abucur@adobe.com>

[CSS Regions] Create Regions watchlist
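Review bot: the ChangeLog entry lists `(WebViewHost::shutdown)` as a new function but never states the contract it introduces, namely that every owner of a WebViewHost must now call shutdown() exactly once before deleting it (the destructor asserts it was called). Since this changes the obligations of all callers, add one sentence to the description saying so, and why the destructor cannot simply do it itself.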
@@ -202,6 +202,8 @@ TestShell::~TestShell()
m_testRunner->setDelegate(0);
m_testRunner->setWebView(0);
m_drtDevToolsAgent->setWebView(0);
if (m_webViewHost)
m_webViewHost->shutdown();
}

void TestShell::createDRTDevToolsClient(DRTDevToolsAgent* agent)
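Review bot: `m_webViewHost->shutdown()` now runs after `m_testRunner->setDelegate(0)` and `m_testRunner->setWebView(0)`, so the about:blank navigation and webWidget()->close() that shutdown() performs happen with the test runner already detached from the view. If that is intended (no test-runner callbacks should fire during the final navigation), a short comment on the `if (m_webViewHost)` line would save the next reader from wondering whether the call belongs before the detach; if it is not, move the call above those two lines.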
@@ -795,6 +797,7 @@ void TestShell::closeWindow(WebViewHost* window)
if (window->webWidget() == m_focusedWidget)
focusedWidget = 0;

window->shutdown();
delete window;
// We set the focused widget after deleting the web view host because it
// can change the focus.
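Review bot: the comment `// We set the focused widget after deleting the web view host because it can change the focus.` is now slightly off, since the work that can change focus (the about:blank navigation and widget close) happens in `window->shutdown()`, not in `delete window`; reword it to mention shutdown(). Also keep the `if (window->webWidget() == m_focusedWidget)` comparison above the shutdown() call as it is here, because shutdown() sets `m_webWidget = 0` and the comparison would no longer match afterwards.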
@@ -1128,12 +1128,22 @@ WebViewHost::WebViewHost(TestShell* shell)
: m_shell(shell)
, m_proxy(0)
, m_webWidget(0)
, m_shutdownWasInvoked(false)
{
reset();
}

WebViewHost::~WebViewHost()
{
ASSERT(m_shutdownWasInvoked);
if (m_inModalLoop)
webkit_support::QuitMessageLoop();
}

void WebViewHost::shutdown()
{
ASSERT(!m_shutdownWasInvoked);

// DevTools frontend page is supposed to be navigated only once and
// loading another URL in that Page is an error.
if (m_shell->devToolsWebView() != this) {
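Review bot: `ASSERT(m_shutdownWasInvoked);` in ~WebViewHost only fires in debug builds; in a release build a WebViewHost deleted without shutdown() now silently skips the about:blank navigation and webWidget()->close(), whereas before this patch the destructor did that work. Consider a check that is also active in release builds (for example crashing when `!m_shutdownWasInvoked`), and document in the header that shutdown() is mandatory. Falling back to calling shutdown() from the destructor is not an option, because that would reintroduce the partially destructed WebTestProxy problem this patch fixes.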
@@ -1148,8 +1158,8 @@ WebViewHost::~WebViewHost()

m_layerTreeView.clear();
webWidget()->close();
if (m_inModalLoop)
webkit_support::QuitMessageLoop();
m_webWidget = 0;
m_shutdownWasInvoked = true;
}

void WebViewHost::setWebWidget(WebKit::WebWidget* widget)
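Review bot: `if (m_inModalLoop) webkit_support::QuitMessageLoop();` now appears both at the end of shutdown() (this hunk) and in ~WebViewHost (the previous hunk), and nothing visible resets m_inModalLoop after shutdown(), so a host whose shutdown() ran inside a modal loop would quit the message loop a second time at destruction. The hunk header `-1148,8 +1158,8` shows equal line counts while `m_shutdownWasInvoked = true;` is added, so a removed line is not rendered here; please confirm whether that removed line was the original QuitMessageLoop, and if the destructor copy is meant to cover the window between shutdown() and delete, say so in a comment.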
@@ -79,6 +79,7 @@ class WebViewHost : public WebKit::WebViewClient, public WebKit::WebFrameClient,
public:
WebViewHost(TestShell*);
virtual ~WebViewHost();
void shutdown();
void setWebWidget(WebKit::WebWidget*);
WebKit::WebView* webView() const;
WebKit::WebWidget* webWidget() const;
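Review bot: `void shutdown();` is declared with no comment, yet WebViewHost.cpp makes it mandatory (ASSERT in the destructor) and single-use (ASSERT at entry). Add a comment above the declaration stating that owners must call shutdown() exactly once before deleting the host, and that the destructor cannot do it because a WebTestProxy subclass has already been torn down by then.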
@@ -372,6 +373,9 @@ class WebViewHost : public WebKit::WebViewClient, public WebKit::WebFrameClient,

bool m_hasWindow;
bool m_inModalLoop;

bool m_shutdownWasInvoked;

WebKit::WebRect m_windowRect;

// true if we want to enable smart insert/delete.
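Review bot: style: `bool m_shutdownWasInvoked;` is isolated by blank lines from the `bool m_hasWindow;` / `bool m_inModalLoop;` pair directly above it; since it has the same type and lifetime, declare it immediately after m_inModalLoop without the extra blank lines, and give it a one-line comment noting it is set by shutdown() and checked by the destructor.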
