Bug 202596 - Make sure ActiveDOMObject properly deals with detached documents
Summary: Make sure ActiveDOMObject properly deals with detached documents
Status: RESOLVED FIXED
Alias: None
Product: WebKit
Classification: Unclassified
Component: WebCore Misc.
Version: WebKit Nightly Build
Hardware: Unspecified Unspecified
Importance: P2 Normal
Assignee: Chris Dumez
URL:
Keywords: InRadar
Depends on:
Blocks: 202293
Reported: 2019-10-04 12:59 PDT by Chris Dumez
Modified: 2019-10-08 11:39 PDT

See Also:


Attachments
Patch (5.36 KB, patch)
2019-10-04 13:21 PDT, Chris Dumez
no flags

Description Chris Dumez 2019-10-04 12:59:03 PDT
Make sure ActiveDOMObject properly deals with detached documents.
Comment 1 Chris Dumez 2019-10-04 13:21:03 PDT
Created attachment 380242 [details]
Patch
Comment 2 Radar WebKit Bug Importer 2019-10-07 08:14:17 PDT
<rdar://problem/56036491>
Comment 3 Chris Dumez 2019-10-08 10:36:06 PDT
Comment on attachment 380242 [details]
Patch

ping review?
Comment 4 Geoffrey Garen 2019-10-08 10:53:47 PDT
Comment on attachment 380242 [details]
Patch

View in context: https://bugs.webkit.org/attachment.cgi?id=380242&action=review

r=me

> Source/WebCore/dom/ActiveDOMObject.cpp:50
> +inline ActiveDOMObject::ActiveDOMObject(ScriptExecutionContext* context, CheckedScriptExecutionContextType)
> +    : ContextDestructionObserver(context)
> +{
> +    ASSERT(!is<Document>(context) || &downcast<Document>(context)->contextDocument() == downcast<Document>(context));
> +    if (!context)
>          return;
>  
> -    ASSERT(m_scriptExecutionContext->isContextThread());
> -    m_scriptExecutionContext->didCreateActiveDOMObject(*this);
> +    ASSERT(context->isContextThread());
> +    context->didCreateActiveDOMObject(*this);
> +}
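Review bot: the new ASSERT in this hunk evaluates `is<Document>(context)` before the `if (!context) return;` that follows it, so a null context reaches the type check before the early return; moving the ASSERT below the null check, or writing it as `ASSERT(!context || !is<Document>(context) || ...)`, keeps the same invariant for non-null contexts without depending on how the pointer overload of `is<>` treats null. The `CheckedScriptExecutionContextType` tag would also benefit from a comment at its declaration stating that callers must have validated the context before delegating here, since this constructor performs no such check itself.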

Isn't this constructor still unsafe in the way you described? (
Comment 5 Chris Dumez 2019-10-08 11:03:39 PDT
Comment on attachment 380242 [details]
Patch

View in context: https://bugs.webkit.org/attachment.cgi?id=380242&action=review

>> Source/WebCore/dom/ActiveDOMObject.cpp:50
>> +}
> 
> Isn't this constructor still unsafe in the way you described? (

Thus the CheckedScriptExecutionContextType parameter. This is a private constructor which other protected constructors call *after* they've checked the script execution context. This is purely to avoid code duplication between constructors.
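The pattern described in this comment, as an added illustration rather than the patch's own code: protected constructors resolve the context (for a Document, its context document) and then delegate to a private constructor that takes a tag type. The stand-in classes `ScriptExecutionContext`, `Document` (whose `owner` field models a detached document's context document) and `Timer` are assumptions constructed for this example.

```cpp
#include <cassert>
#include <set>
class ActiveObject;
// Assumed stand-ins for WebKit's ScriptExecutionContext and Document; not WebKit code.
struct ScriptExecutionContext {
    std::set<ActiveObject*> activeObjects;
    virtual ~ScriptExecutionContext() = default;
    virtual bool isDocument() const { return false; }
    void didCreateActiveDOMObject(ActiveObject& object) { activeObjects.insert(&object); }
};
struct Document : ScriptExecutionContext {
    Document* owner = nullptr; // set on a detached document: the document whose script created it
    bool isDocument() const override { return true; }
    Document& contextDocument() { return owner ? *owner : *this; }
};
class ActiveObject {
public:
    ScriptExecutionContext* context() const { return m_context; }
protected:
    // Protected constructors resolve a Document to its context document *before* delegating.
    explicit ActiveObject(Document& document)
        : ActiveObject(&document.contextDocument(), CheckedTag { }) { }
    explicit ActiveObject(ScriptExecutionContext* context)
        : ActiveObject(context && context->isDocument() ? &static_cast<Document*>(context)->contextDocument() : context, CheckedTag { }) { }
private:
    struct CheckedTag { }; // tag type: the caller has already checked the context
    ActiveObject(ScriptExecutionContext* context, CheckedTag)
        : m_context(context)
    {
        if (!context)
            return;
        // The patch's invariant: a Document used as context must be its own context document.
        assert(!context->isDocument() || &static_cast<Document*>(context)->contextDocument() == context);
        context->didCreateActiveDOMObject(*this);
    }
    ScriptExecutionContext* m_context;
};
struct Timer : ActiveObject {
    explicit Timer(Document& document) : ActiveObject(document) { }
    explicit Timer(ScriptExecutionContext* context) : ActiveObject(context) { }
};
// Constructed scenario: objects created for a detached document register with its context document
// whichever entry point the caller used, and a null context registers nothing.
bool registersWithContextDocument() {
    Document mainDoc, detached;
    detached.owner = &mainDoc;
    Timer fromDocument(detached), fromPointer(&detached), withoutContext(nullptr);
    return fromDocument.context() == &mainDoc && fromPointer.context() == &mainDoc
        && withoutContext.context() == nullptr && mainDoc.activeObjects.size() == 2 && detached.activeObjects.empty();
}
```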
Comment 6 WebKit Commit Bot 2019-10-08 11:39:11 PDT
Comment on attachment 380242 [details]
Patch

Clearing flags on attachment: 380242

Committed r250843: <https://trac.webkit.org/changeset/250843>
Comment 7 WebKit Commit Bot 2019-10-08 11:39:12 PDT
All reviewed patches have been landed. Closing bug.