Title: [140561] trunk/Tools
- Revision
- 140561
- Author
- [email protected]
- Date
- 2013-01-23 11:45:52 -0800 (Wed, 23 Jan 2013)
Log Message
[chromium] Use after free in plugins/geturlnotify-during-document-teardown.html
https://bugs.webkit.org/show_bug.cgi?id=107556
Reviewed by Tony Chang.
WebViewHost initiates a navigation to about:blank in its destructor.
However, since WebTestProxy inherits from WebViewHost, at this point
the WebViewClient and WebFrameClient interfaces are already partially
destructed, resulting in the use after free.
This does not affect the chromium implementation since it doesn't
invoke WebKit API methods in its destructor.
* DumpRenderTree/chromium/TestShell.cpp:
(TestShell::~TestShell):
(TestShell::closeWindow):
* DumpRenderTree/chromium/WebViewHost.cpp:
(WebViewHost::WebViewHost):
(WebViewHost::~WebViewHost):
(WebViewHost::shutdown):
* DumpRenderTree/chromium/WebViewHost.h:
(WebViewHost):
Modified: trunk/Tools/ChangeLog (140560 => 140561)
--- trunk/Tools/ChangeLog 2013-01-23 19:27:38 UTC (rev 140560)
+++ trunk/Tools/ChangeLog 2013-01-23 19:45:52 UTC (rev 140561)
@@ -1,3 +1,28 @@
+2013-01-23 Jochen Eisinger <[email protected]>
+
+ [chromium] Use after free in plugins/geturlnotify-during-document-teardown.html
+ https://bugs.webkit.org/show_bug.cgi?id=107556
+
+ Reviewed by Tony Chang.
+
+ WebViewHost initiates a navigation to about:blank in its destructor.
+ However, since WebTestProxy inherits from WebViewHost, at this point
+ the WebViewClient and WebFrameClient interfaces are already partially
+ destructed resulting in the use after free.
+
+ This does not affect the chromium implementation since it doesn't
+ invoke WebKit API methods in its destructor.
+
+ * DumpRenderTree/chromium/TestShell.cpp:
+ (TestShell::~TestShell):
+ (TestShell::closeWindow):
+ * DumpRenderTree/chromium/WebViewHost.cpp:
+ (WebViewHost::WebViewHost):
+ (WebViewHost::~WebViewHost):
+ (WebViewHost::shutdown):
+ * DumpRenderTree/chromium/WebViewHost.h:
+ (WebViewHost):
+
2013-01-23 Andrei Bucur <[email protected]>
[CSS Regions] Create Regions watchlist
Modified: trunk/Tools/DumpRenderTree/chromium/TestShell.cpp (140560 => 140561)
--- trunk/Tools/DumpRenderTree/chromium/TestShell.cpp 2013-01-23 19:27:38 UTC (rev 140560)
+++ trunk/Tools/DumpRenderTree/chromium/TestShell.cpp 2013-01-23 19:45:52 UTC (rev 140561)
@@ -202,6 +202,8 @@
m_testRunner->setDelegate(0);
m_testRunner->setWebView(0);
m_drtDevToolsAgent->setWebView(0);
+ if (m_webViewHost)
+ m_webViewHost->shutdown();
}
void TestShell::createDRTDevToolsClient(DRTDevToolsAgent* agent)
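Review bot: The new `m_webViewHost->shutdown()` call runs inside `~TestShell`, and `shutdown()` dereferences `m_shell` (it reads `m_shell->devToolsWebView()` in the WebViewHost.cpp hunk), so its placement relative to the rest of the destructor body matters; the hunk shows it after the delegate resets, but the remainder of `~TestShell`, including where `m_webViewHost` itself is released, is outside this hunk, so that ordering cannot be confirmed here. A short comment would make the constraint explicit for the next person who reorders this destructor: `// Tear down the WebKit side now, while this TestShell is still intact; ~WebViewHost must not call into WebKit.` The same two-step protocol (shutdown, then delete) is repeated in closeWindow in the next hunk; any other site that deletes a WebViewHost without calling shutdown() first will trip the destructor's ASSERT in debug builds only.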
@@ -795,6 +797,7 @@
if (window->webWidget() == m_focusedWidget)
focusedWidget = 0;
+ window->shutdown();
delete window;
// We set the focused widget after deleting the web view host because it
// can change the focus.
Modified: trunk/Tools/DumpRenderTree/chromium/WebViewHost.cpp (140560 => 140561)
--- trunk/Tools/DumpRenderTree/chromium/WebViewHost.cpp 2013-01-23 19:27:38 UTC (rev 140560)
+++ trunk/Tools/DumpRenderTree/chromium/WebViewHost.cpp 2013-01-23 19:45:52 UTC (rev 140561)
@@ -1128,12 +1128,22 @@
: m_shell(shell)
, m_proxy(0)
, m_webWidget(0)
+ , m_shutdownWasInvoked(false)
{
reset();
}
WebViewHost::~WebViewHost()
{
+ ASSERT(m_shutdownWasInvoked);
+ if (m_inModalLoop)
+ webkit_support::QuitMessageLoop();
+}
+
+void WebViewHost::shutdown()
+{
+ ASSERT(!m_shutdownWasInvoked);
+
// DevTools frontend page is supposed to be navigated only once and
// loading another URL in that Page is an error.
if (m_shell->devToolsWebView() != this) {
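Review bot: `ASSERT(m_shutdownWasInvoked)` in `~WebViewHost` compiles out in release builds, so a host that is deleted without a prior `shutdown()` now silently skips the about:blank navigation and `webWidget()->close()` instead of crashing; that is a leak rather than the previous use after free, which is the safer failure mode, but the reason the destructor must stay WebKit-free is not recorded anywhere in the code. I would add above the ASSERT: `// Must not call into WebKit here: by the time ~WebViewHost runs, the WebTestProxy subclass` / `// (and its WebViewClient/WebFrameClient implementations) is already destroyed. All teardown lives in shutdown().` The `QuitMessageLoop()` call moved from the end of the old destructor body still runs unconditionally, which looks intended since it is not a WebKit API. The body of shutdown() continues into the next hunk.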
@@ -1148,8 +1158,8 @@
m_layerTreeView.clear();
webWidget()->close();
- if (m_inModalLoop)
- webkit_support::QuitMessageLoop();
+ m_webWidget = 0;
+ m_shutdownWasInvoked = true;
}
void WebViewHost::setWebWidget(WebKit::WebWidget* widget)
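Review bot: After `m_webWidget = 0` a second call to `shutdown()` reaches `webWidget()->close()` through a null pointer in release builds, because the only guard is `ASSERT(!m_shutdownWasInvoked)` at the top of the function in the preceding hunk, which is compiled out there. If shutdown() is meant to be strictly once-only the ASSERT is fine as a debug check, but a release-safe early return next to it, `if (m_shutdownWasInvoked) return;`, would turn a double call into a no-op instead of a crash. The start of shutdown() is in the previous hunk; this hunk holds only its tail.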
Modified: trunk/Tools/DumpRenderTree/chromium/WebViewHost.h (140560 => 140561)
--- trunk/Tools/DumpRenderTree/chromium/WebViewHost.h 2013-01-23 19:27:38 UTC (rev 140560)
+++ trunk/Tools/DumpRenderTree/chromium/WebViewHost.h 2013-01-23 19:45:52 UTC (rev 140561)
@@ -79,6 +79,7 @@
public:
WebViewHost(TestShell*);
virtual ~WebViewHost();
+ void shutdown();
void setWebWidget(WebKit::WebWidget*);
WebKit::WebView* webView() const;
WebKit::WebWidget* webWidget() const;
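Review bot: The new `void shutdown();` declaration carries no comment, yet it introduces a contract every owner of a WebViewHost must follow: call it exactly once before deleting the host, after which `webWidget()` returns null. A one-line comment above the declaration would capture that: `// Must be called exactly once before the host is deleted; closes the WebWidget and leaves webWidget() null. The destructor cannot do this itself because the WebTestProxy subclass is already destroyed by then.` Without it, the debug-only ASSERT in the destructor is the only place the requirement is visible.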
@@ -372,6 +373,9 @@
bool m_hasWindow;
bool m_inModalLoop;
+
+ bool m_shutdownWasInvoked;
+
WebKit::WebRect m_windowRect;
// true if we want to enable smart insert/delete.