Merge r241500 - Crash in WKBundleFrameGetParentFrame when called insi…

…de didRemoveFrameFromHierarchy https://bugs.webkit.org/show_bug.cgi?id=194641 Reviewed by Geoffrey Garen. Source/WebKit: Fixed the bug by adding a null check to WebFrame::parentFrame. * WebProcess/WebPage/WebFrame.cpp: (WebKit::WebFrame::parentFrame const): Tools: Added a call to WKBundleFrameGetParentFrame to an existing test for didRemoveFrameFromHierarchy so that the test would fail without this fix. * TestWebKitAPI/Tests/WebKit/DidRemoveFrameFromHiearchyInPageCache_Bundle.cpp: (TestWebKitAPI::didRemoveFrameFromHierarchyCallback):
WebKit · Feb 14, 2019 · 9d286ed · 9d286ed
1 parent 9b90089
commit 9d286ed
Show file tree

Hide file tree

Showing 4 changed files with 35 additions and 3 deletions.
diff --git a/Source/WebKit/ChangeLog b/Source/WebKit/ChangeLog
@@ -1,3 +1,15 @@
+2019-02-13  Ryosuke Niwa  <rniwa@webkit.org>
+
+        Crash in WKBundleFrameGetParentFrame when called inside didRemoveFrameFromHierarchy
+        https://bugs.webkit.org/show_bug.cgi?id=194641
+
+        Reviewed by Geoffrey Garen.
+
+        Fixed the bug by adding a null check to WebFrame::parentFrame.
+
+        * WebProcess/WebPage/WebFrame.cpp:
+        (WebKit::WebFrame::parentFrame const):
+
 2019-02-12  Jiewen Tan  <jiewen_tan@apple.com>
 
         Further restricting webarchive loads

diff --git a/Source/WebKit/WebProcess/WebPage/WebFrame.cpp b/Source/WebKit/WebProcess/WebPage/WebFrame.cpp
@@ -463,9 +463,13 @@ String WebFrame::innerText() const
 WebFrame* WebFrame::parentFrame() const
 {
     if (!m_coreFrame || !m_coreFrame->ownerElement())
-        return 0;
+        return nullptr;
+
+    auto* frame = m_coreFrame->ownerElement()->document().frame();
+    if (!frame)
+        return nullptr;
 
-    return WebFrame::fromCoreFrame(*m_coreFrame->ownerElement()->document().frame());
+    return WebFrame::fromCoreFrame(*frame);
 }
 
 Ref<API::Array> WebFrame::childFrames()

diff --git a/Tools/ChangeLog b/Tools/ChangeLog
@@ -1,3 +1,16 @@
+2019-02-13  Ryosuke Niwa  <rniwa@webkit.org>
+
+        Crash in WKBundleFrameGetParentFrame when called inside didRemoveFrameFromHierarchy
+        https://bugs.webkit.org/show_bug.cgi?id=194641
+
+        Reviewed by Geoffrey Garen.
+
+        Added a call to WKBundleFrameGetParentFrame to an existing test for didRemoveFrameFromHierarchy
+        so that the test would fail without this fix.
+
+        * TestWebKitAPI/Tests/WebKit/DidRemoveFrameFromHiearchyInPageCache_Bundle.cpp:
+        (TestWebKitAPI::didRemoveFrameFromHierarchyCallback):
+
 2019-02-12  Jiewen Tan  <jiewen_tan@apple.com>
 
         Further restricting webarchive loads

diff --git a/Tools/TestWebKitAPI/Tests/WebKit/DidRemoveFrameFromHiearchyInPageCache_Bundle.cpp b/Tools/TestWebKitAPI/Tests/WebKit/DidRemoveFrameFromHiearchyInPageCache_Bundle.cpp
@@ -30,6 +30,7 @@
 #include "InjectedBundleTest.h"
 
 #include "PlatformUtilities.h"
+#include <WebKit/WKBundleFrame.h>
 #include <WebKit/WKBundlePage.h>
 
 namespace TestWebKitAPI {
@@ -45,10 +46,12 @@ static InjectedBundleTest::Register<DidRemoveFrameFromHiearchyInPageCacheTest> r
 
 static unsigned didRemoveFrameFromHierarchyCount;
 
-void didRemoveFrameFromHierarchyCallback(WKBundlePageRef page, WKBundleFrameRef, WKTypeRef*, const void*)
+void didRemoveFrameFromHierarchyCallback(WKBundlePageRef page, WKBundleFrameRef frame, WKTypeRef*, const void*)
 {
     didRemoveFrameFromHierarchyCount++;
 
+    RELEASE_ASSERT(!WKBundleFrameGetParentFrame(frame));
+
     WKRetainPtr<WKStringRef> message(AdoptWK, WKStringCreateWithUTF8CString("DidRemoveFrameFromHierarchy"));
     WKBundlePagePostMessage(page, message.get(), message.get());
 }