heap use-after-free at WebCore::TimerBase::heapPopMin()

https://bugs.webkit.org/show_bug.cgi?id=157742
<rdar://problem/26236778>

Source/WebCore:

Reviewed by David Kilzer.

Tested by fast/frames/resources/crash-during-iframe-load-stop.html.

* loader/FrameLoader.cpp:
(WebCore::FrameLoader::stopForUserCancel): Protect m_frame from destruction while it is still
being used by the current stack frame.
(WebCore::FrameLoader::frameDetached): Ditto.
(WebCore::FrameLoader::continueFragmentScrollAfterNavigationPolicy): Ditto.

LayoutTests:

Reviewed by Simon Fraser.

* fast/frames/crash-during-iframe-load-stop-expected.txt: Added.
* fast/frames/crash-during-iframe-load-stop.html: Added.
* fast/frames/resources/crash-during-iframe-load-stop-inner.html: Added.
* fast/frames/resources/crash-during-iframe-load-stop.html: Added.


git-svn-id: http://svn.webkit.org/repository/webkit/trunk@200986 268f45cc-cd09-0410-ab3c-d52691b4dbfc

LayoutTests/ChangeLog

@@ -1,3 +1,16 @@
2016-05-16  Brent Fulgham  <bfulgham@apple.com>

        heap use-after-free at WebCore::TimerBase::heapPopMin()
        https://bugs.webkit.org/show_bug.cgi?id=157742
        <rdar://problem/26236778>

        Reviewed by Simon Fraser.

        * fast/frames/crash-during-iframe-load-stop-expected.txt: Added.
        * fast/frames/crash-during-iframe-load-stop.html: Added.
        * fast/frames/resources/crash-during-iframe-load-stop-inner.html: Added.
        * fast/frames/resources/crash-during-iframe-load-stop.html: Added.

2016-05-16  Saam barati  <sbarati@apple.com>

        Hook up ShadowChicken to the debugger to show tail deleted frames

LayoutTests/fast/frames/crash-during-iframe-load-stop-expected.txt

@@ -0,0 +1,3 @@
This tests that WebKit does not crash when frame loads are interrupted. This test passes if it does not crash.

LayoutTests/fast/frames/crash-during-iframe-load-stop.html

@@ -0,0 +1,38 @@
<html>
<head>
<script>
    if (window.testRunner) {
        testRunner.waitUntilDone();
        testRunner.dumpAsText();
    }

    var count = 0;
</script>
</head>
<body onload='deleteFrame()'>
    <script>
    function deleteFrame()
    {
        var frameToRemove = document.getElementById('subframe');
        document.body.removeChild(frameToRemove);
    }

    function reloadSubframe()
    {
        var iframe = document.createElement('iframe');
        iframe.id = 'subframe';
        iframe.src = 'resources/crash-during-iframe-load-stop.html';
        document.body.appendChild(iframe);
        setTimeout(function() { deleteFrame(); }, 0);
    }

    function subFrameFinishedLoading()
    {
        if (window.testRunner)
            testRunner.notifyDone();
    }
    </script>
    <p>This tests that WebKit does not crash when frame loads are interrupted. This test passes if it does not crash.</p>
    <iframe id="subframe" src='resources/crash-during-iframe-load-stop.html'></iframe>
</body>
</html>

LayoutTests/fast/frames/resources/crash-during-iframe-load-stop-inner.html

@@ -0,0 +1,6 @@
<html>
  <script>
      window.parent.stop();
      window.parent.subFrameFinishedLoading();
  </script>
</html>

LayoutTests/fast/frames/resources/crash-during-iframe-load-stop.html

@@ -0,0 +1,16 @@
<html>
<head>
    <script>
    function subFrameFinishedLoading()
    {
        window.parent.count = window.parent.count + 1;
        if (window.parent.count < 10)
            window.parent.reloadSubframe();
        else
            window.parent.subFrameFinishedLoading();
    }
    </script>
</head>
  <iframe src="crash-during-iframe-load-stop-inner.html"></iframe>
  <iframe src="data:text/html, <html></html>"></iframe>
</html>

Source/WebCore/ChangeLog

@@ -1,3 +1,19 @@
2016-05-16  Brent Fulgham  <bfulgham@apple.com>

        heap use-after-free at WebCore::TimerBase::heapPopMin()
        https://bugs.webkit.org/show_bug.cgi?id=157742
        <rdar://problem/26236778>

        Reviewed by David Kilzer.

        Tested by fast/frames/resources/crash-during-iframe-load-stop.html.

        * loader/FrameLoader.cpp:
        (WebCore::FrameLoader::stopForUserCancel): Protect m_frame from destruction while it is still
        being used by the current stack frame.
        (WebCore::FrameLoader::frameDetached): Ditto.
        (WebCore::FrameLoader::continueFragmentScrollAfterNavigationPolicy): Ditto.

2016-05-16  Dean Jackson  <dino@apple.com>

        WebCoreJSBuiltinInternals won't compile if some build flags are off

Source/WebCore/loader/FrameLoader.cpp

@@ -1632,6 +1632,9 @@ void FrameLoader::stopAllLoaders(ClearProvisionalItemPolicy clearProvisionalItem

void FrameLoader::stopForUserCancel(bool deferCheckLoadComplete)
{
    // Calling stopAllLoaders can cause the frame to be deallocated, including the frame loader.
    Ref<Frame> protectedFrame(m_frame);

    stopAllLoaders();

#if PLATFORM(IOS)
@@ -2491,6 +2494,9 @@ void FrameLoader::dispatchOnloadEvents()

void FrameLoader::frameDetached()
{
    // Calling stopAllLoaders can cause the frame to be deallocated, including the frame loader.
    Ref<Frame> protectedFrame(m_frame);

    stopAllLoaders();
    m_frame.document()->stopActiveDOMObjects();
    detachFromParent();
@@ -2790,6 +2796,10 @@ void FrameLoader::continueFragmentScrollAfterNavigationPolicy(const ResourceRequ
    if (!shouldContinue)
        return;

    // Calling stopLoading() on the provisional document loader can cause the underlying
    // frame to be deallocated.
    Ref<Frame> protectedFrame(m_frame);

    // If we have a provisional request for a different document, a fragment scroll should cancel it.
    if (m_provisionalDocumentLoader && !equalIgnoringFragmentIdentifier(m_provisionalDocumentLoader->request().url(), request.url())) {
        m_provisionalDocumentLoader->stopLoading();