202596 2019-10-04 12:59:03 -0700 Make sure ActiveDOMObject properly deals with detached documents 2019-10-08 11:39:12 -0700 1 1 1 Unclassified WebKit WebCore Misc. WebKit Nightly Build Unspecified Unspecified RESOLVED FIXED InRadar P2 Normal --- 202293 1 cdumez cdumez achristensen commit-queue dbates esprehn+autocc ews-watchlist ggaren jer.noble kangil.han webkit-bug-importer youennf oldest_to_newest 1576968 0 cdumez 2019-10-04 12:59:03 -0700 Make sure ActiveDOMObject properly deals with detached documents. 1576987 1 380242 cdumez 2019-10-04 13:21:03 -0700 Created attachment 380242 Patch 1577353 2 webkit-bug-importer 2019-10-07 08:14:17 -0700 <rdar://problem/56036491> 1577822 3 380242 cdumez 2019-10-08 10:36:06 -0700 Comment on attachment 380242 Patch ping review? 1577834 4 380242 ggaren 2019-10-08 10:53:47 -0700 Comment on attachment 380242 Patch View in context: https://bugs.webkit.org/attachment.cgi?id=380242&action=review r=me > Source/WebCore/dom/ActiveDOMObject.cpp:50 > +inline ActiveDOMObject::ActiveDOMObject(ScriptExecutionContext* context, CheckedScriptExecutionContextType) > + : ContextDestructionObserver(context) > +{ > + ASSERT(!is<Document>(context) || &downcast<Document>(context)->contextDocument() == downcast<Document>(context)); > + if (!context) > return; > > - ASSERT(m_scriptExecutionContext->isContextThread()); > - m_scriptExecutionContext->didCreateActiveDOMObject(*this); > + ASSERT(context->isContextThread()); > + context->didCreateActiveDOMObject(*this); > +} Isn't this constructor still unsafe in the way you described? ( 1577836 5 380242 cdumez 2019-10-08 11:03:39 -0700 Comment on attachment 380242 Patch View in context: https://bugs.webkit.org/attachment.cgi?id=380242&action=review >> Source/WebCore/dom/ActiveDOMObject.cpp:50 >> +} > > Isn't this constructor still unsafe in the way you described? ( Thus the CheckedScriptExecutionContextType parameter. This is a private constructor which other protected constructors call *after* they've checked the script execution context. This is purely to avoid code duplication between constructors. 1577852 6 380242 commit-queue 2019-10-08 11:39:11 -0700 Comment on attachment 380242 Patch Clearing flags on attachment: 380242 Committed r250843: <https://trac.webkit.org/changeset/250843> 1577853 7 commit-queue 2019-10-08 11:39:12 -0700 All reviewed patches have been landed. Closing bug. 380242 2019-10-04 13:21:03 -0700 2019-10-08 11:39:11 -0700 Patch bug-202596-20191004132102.patch text/plain 5493 cdumez U3VidmVyc2lvbiBSZXZpc2lvbjogMjUwNzMxCmRpZmYgLS1naXQgYS9Tb3VyY2UvV2ViQ29yZS9D aGFuZ2VMb2cgYi9Tb3VyY2UvV2ViQ29yZS9DaGFuZ2VMb2cKaW5kZXggNGJmMjg5ODhiOTIxMTFi MzJkZDhmMmNlMDI4MDIwOGEwZDI0MTdmMS4uZWI3MDhjYzYyOGJjMDRmYTVmYzUwMTBiODI3MWY5 MzJkMWU0Nzc2OCAxMDA2NDQKLS0tIGEvU291cmNlL1dlYkNvcmUvQ2hhbmdlTG9nCisrKyBiL1Nv dXJjZS9XZWJDb3JlL0NoYW5nZUxvZwpAQCAtMSwzICsxLDI0IEBACisyMDE5LTEwLTA0ICBDaHJp cyBEdW1leiAgPGNkdW1lekBhcHBsZS5jb20+CisKKyAgICAgICAgTWFrZSBzdXJlIEFjdGl2ZURP TU9iamVjdCBwcm9wZXJseSBkZWFscyB3aXRoIGRldGFjaGVkIGRvY3VtZW50cworICAgICAgICBo dHRwczovL2J1Z3Mud2Via2l0Lm9yZy9zaG93X2J1Zy5jZ2k/aWQ9MjAyNTk2CisKKyAgICAgICAg UmV2aWV3ZWQgYnkgTk9CT0RZIChPT1BTISkuCisKKyAgICAgICAgRm9yIGRldGFjaGVkIGRvY3Vt ZW50LCB0aGUgc2NyaXB0IGV4ZWN1dGlvbiBjb250ZXh0IGlzIHRoZWlyIGNvbnRleHQgZG9jdW1l bnQuCisgICAgICAgIFRoZSBBY3RpdmVET01PYmplY3QgY29uc3RydWN0b3IgdGFraW5nIGEgRG9j dW1lbnQmIHdvdWxkIG1ha2Ugc3VyZSB0byBnZXQgdGhlCisgICAgICAgIGRvY3VtZW50J3MgY29u dGV4dERvY3VtZW50LiBIb3dldmVyLCBpZiB0aGUgQWN0aXZlRE9NT2JqZWN0IGNvbnN0cnVjdG9y IHRha2luZworICAgICAgICBhIFNjcmlwdEV4ZWN1dGlvbkNvbnRleHQqIGlzIGNhbGxlZCwgaXQg d291bGQgYXNzdW1lIHRoaXMgaXMgdGhlIHJpZ2h0IHNjcmlwdAorICAgICAgICBleGVjdXRpb24g Y29udGV4dCwgd2hpY2ggaXMgdW5zYWZlLiBJbiB0aGlzIHBhdGNoLCBhbGwgQWN0aXZlRE9NT2Jq ZWN0CisgICAgICAgIGNvbnN0cnVjdG9ycyBub3cgY2hlY2sgZm9yIGRldGFjaGVkIGRvY3VtZW50 cyBhbmQgbWFrZSBzdXJlIHRvIHVzZSB0aGVpcgorICAgICAgICBjb250ZXh0IGRvY3VtZW50IHdo ZW4gbmVjZXNzYXJ5LgorCisgICAgICAgICogZG9tL0FjdGl2ZURPTU9iamVjdC5jcHA6CisgICAg ICAgIChXZWJDb3JlOjpzdWl0YWJsZVNjcmlwdEV4ZWN1dGlvbkNvbnRleHQpOgorICAgICAgICAo V2ViQ29yZTo6QWN0aXZlRE9NT2JqZWN0OjpBY3RpdmVET01PYmplY3QpOgorICAgICAgICAqIGRv bS9BY3RpdmVET01PYmplY3QuaDoKKyAgICAgICAgKiBkb20vRG9jdW1lbnQuaDoKKwogMjAxOS0x MC0wNCAgQ2hyaXMgRHVtZXogIDxjZHVtZXpAYXBwbGUuY29tPgogCiAgICAgICAgIERPTUNhY2hl IHNob3VsZCBub3QgcHJldmVudCBwYWdlcyBmcm9tIGVudGVyaW5nIHRoZSBiYWNrL2ZvcndhcmQg Y2FjaGUKZGlmZiAtLWdpdCBhL1NvdXJjZS9XZWJDb3JlL2RvbS9BY3RpdmVET01PYmplY3QuY3Bw IGIvU291cmNlL1dlYkNvcmUvZG9tL0FjdGl2ZURPTU9iamVjdC5jcHAKaW5kZXggYjc2ODg2ZjVk M2MzNTFmNDk5MmIxM2I3MjUyZmQzYjhmODZlMmMyNy4uMjQ5Y2RiZmI0NjUzMjU4Njk2OTdhMmVm ZDk1MDJjZWZmNmMyNDVkMiAxMDA2NDQKLS0tIGEvU291cmNlL1dlYkNvcmUvZG9tL0FjdGl2ZURP TU9iamVjdC5jcHAKKysrIGIvU291cmNlL1dlYkNvcmUvZG9tL0FjdGl2ZURPTU9iamVjdC5jcHAK QEAgLTMyLDE5ICszMiwzNiBAQAogCiBuYW1lc3BhY2UgV2ViQ29yZSB7CiAKLUFjdGl2ZURPTU9i amVjdDo6QWN0aXZlRE9NT2JqZWN0KFNjcmlwdEV4ZWN1dGlvbkNvbnRleHQqIHNjcmlwdEV4ZWN1 dGlvbkNvbnRleHQpCi0gICAgOiBDb250ZXh0RGVzdHJ1Y3Rpb25PYnNlcnZlcihzY3JpcHRFeGVj dXRpb25Db250ZXh0KQotICAgICwgbV9wZW5kaW5nQWN0aXZpdHlDb3VudCgwKQotI2lmICFBU1NF UlRfRElTQUJMRUQKLSAgICAsIG1fc3VzcGVuZElmTmVlZGVkV2FzQ2FsbGVkKGZhbHNlKQotI2Vu ZGlmCitzdGF0aWMgaW5saW5lIFNjcmlwdEV4ZWN1dGlvbkNvbnRleHQqIHN1aXRhYmxlU2NyaXB0 RXhlY3V0aW9uQ29udGV4dChTY3JpcHRFeGVjdXRpb25Db250ZXh0KiBzY3JpcHRFeGVjdXRpb25D b250ZXh0KQogewotICAgIEFTU0VSVCghaXM8RG9jdW1lbnQ+KG1fc2NyaXB0RXhlY3V0aW9uQ29u dGV4dCkgfHwgJmRvd25jYXN0PERvY3VtZW50PihtX3NjcmlwdEV4ZWN1dGlvbkNvbnRleHQpLT5j b250ZXh0RG9jdW1lbnQoKSA9PSBkb3duY2FzdDxEb2N1bWVudD4obV9zY3JpcHRFeGVjdXRpb25D b250ZXh0KSk7Ci0gICAgaWYgKCFtX3NjcmlwdEV4ZWN1dGlvbkNvbnRleHQpCisgICAgLy8gRm9y IGRldGFjaGVkIGRvY3VtZW50cywgbWFrZSBzdXJlIHdlIG9ic2VydmUgdGhlaXIgY29udGV4dCBk b2N1bWVudCBpbnN0ZWFkLgorICAgIHJldHVybiBpczxEb2N1bWVudD4oc2NyaXB0RXhlY3V0aW9u Q29udGV4dCkgPyAmZG93bmNhc3Q8RG9jdW1lbnQ+KCpzY3JpcHRFeGVjdXRpb25Db250ZXh0KS5j b250ZXh0RG9jdW1lbnQoKSA6IHNjcmlwdEV4ZWN1dGlvbkNvbnRleHQ7Cit9CisKK2lubGluZSBB Y3RpdmVET01PYmplY3Q6OkFjdGl2ZURPTU9iamVjdChTY3JpcHRFeGVjdXRpb25Db250ZXh0KiBj b250ZXh0LCBDaGVja2VkU2NyaXB0RXhlY3V0aW9uQ29udGV4dFR5cGUpCisgICAgOiBDb250ZXh0 RGVzdHJ1Y3Rpb25PYnNlcnZlcihjb250ZXh0KQoreworICAgIEFTU0VSVCghaXM8RG9jdW1lbnQ+ KGNvbnRleHQpIHx8ICZkb3duY2FzdDxEb2N1bWVudD4oY29udGV4dCktPmNvbnRleHREb2N1bWVu dCgpID09IGRvd25jYXN0PERvY3VtZW50Pihjb250ZXh0KSk7CisgICAgaWYgKCFjb250ZXh0KQog ICAgICAgICByZXR1cm47CiAKLSAgICBBU1NFUlQobV9zY3JpcHRFeGVjdXRpb25Db250ZXh0LT5p c0NvbnRleHRUaHJlYWQoKSk7Ci0gICAgbV9zY3JpcHRFeGVjdXRpb25Db250ZXh0LT5kaWRDcmVh dGVBY3RpdmVET01PYmplY3QoKnRoaXMpOworICAgIEFTU0VSVChjb250ZXh0LT5pc0NvbnRleHRU aHJlYWQoKSk7CisgICAgY29udGV4dC0+ZGlkQ3JlYXRlQWN0aXZlRE9NT2JqZWN0KCp0aGlzKTsK K30KKworQWN0aXZlRE9NT2JqZWN0OjpBY3RpdmVET01PYmplY3QoU2NyaXB0RXhlY3V0aW9uQ29u dGV4dCogc2NyaXB0RXhlY3V0aW9uQ29udGV4dCkKKyAgICA6IEFjdGl2ZURPTU9iamVjdChzdWl0 YWJsZVNjcmlwdEV4ZWN1dGlvbkNvbnRleHQoc2NyaXB0RXhlY3V0aW9uQ29udGV4dCksIENoZWNr ZWRTY3JpcHRFeGVjdXRpb25Db250ZXh0KQoreworfQorCitBY3RpdmVET01PYmplY3Q6OkFjdGl2 ZURPTU9iamVjdChEb2N1bWVudCogZG9jdW1lbnQpCisgICAgOiBBY3RpdmVET01PYmplY3QoZG9j dW1lbnQgPyAmZG9jdW1lbnQtPmNvbnRleHREb2N1bWVudCgpIDogbnVsbHB0ciwgQ2hlY2tlZFNj cmlwdEV4ZWN1dGlvbkNvbnRleHQpCit7Cit9CisKK0FjdGl2ZURPTU9iamVjdDo6QWN0aXZlRE9N T2JqZWN0KERvY3VtZW50JiBkb2N1bWVudCkKKyAgICA6IEFjdGl2ZURPTU9iamVjdCgmZG9jdW1l bnQuY29udGV4dERvY3VtZW50KCksIENoZWNrZWRTY3JpcHRFeGVjdXRpb25Db250ZXh0KQorewog fQogCiBBY3RpdmVET01PYmplY3Q6On5BY3RpdmVET01PYmplY3QoKQpAQCAtOTEsMTEgKzEwOCw2 IEBAIGJvb2wgQWN0aXZlRE9NT2JqZWN0OjpoYXNQZW5kaW5nQWN0aXZpdHkoKSBjb25zdAogICAg IHJldHVybiBtX3BlbmRpbmdBY3Rpdml0eUNvdW50OwogfQogCi1ib29sIEFjdGl2ZURPTU9iamVj dDo6Y2FuU3VzcGVuZEZvckRvY3VtZW50U3VzcGVuc2lvbigpIGNvbnN0Ci17Ci0gICAgcmV0dXJu IGZhbHNlOwotfQotCiB2b2lkIEFjdGl2ZURPTU9iamVjdDo6c3VzcGVuZChSZWFzb25Gb3JTdXNw ZW5zaW9uKQogewogfQpkaWZmIC0tZ2l0IGEvU291cmNlL1dlYkNvcmUvZG9tL0FjdGl2ZURPTU9i amVjdC5oIGIvU291cmNlL1dlYkNvcmUvZG9tL0FjdGl2ZURPTU9iamVjdC5oCmluZGV4IDNjZjU2 N2JlNTk1ZTFhYjgyNjNjNTljMzA2M2VhYTFmMWM0NmNiOTkuLjg1Nzk5OGFmZjZmMjM3MDBhNmE2 MmY1YTFmYTAyNzYzODk5ZDNlZWEgMTAwNjQ0Ci0tLSBhL1NvdXJjZS9XZWJDb3JlL2RvbS9BY3Rp dmVET01PYmplY3QuaAorKysgYi9Tb3VyY2UvV2ViQ29yZS9kb20vQWN0aXZlRE9NT2JqZWN0LmgK QEAgLTExNiwxNCArMTE2LDE3IEBAIHB1YmxpYzoKIAogcHJvdGVjdGVkOgogICAgIGV4cGxpY2l0 IEFjdGl2ZURPTU9iamVjdChTY3JpcHRFeGVjdXRpb25Db250ZXh0Kik7Ci0gICAgZXhwbGljaXQg QWN0aXZlRE9NT2JqZWN0KERvY3VtZW50KikgPSBkZWxldGU7Ci0gICAgZXhwbGljaXQgQWN0aXZl RE9NT2JqZWN0KERvY3VtZW50Jik7IC8vIEltcGxlbWVudGVkIGluIERvY3VtZW50LmgKKyAgICBl eHBsaWNpdCBBY3RpdmVET01PYmplY3QoRG9jdW1lbnQqKTsKKyAgICBleHBsaWNpdCBBY3RpdmVE T01PYmplY3QoRG9jdW1lbnQmKTsKICAgICB2aXJ0dWFsIH5BY3RpdmVET01PYmplY3QoKTsKIAog cHJpdmF0ZToKLSAgICB1bnNpZ25lZCBtX3BlbmRpbmdBY3Rpdml0eUNvdW50OworICAgIGVudW0g Q2hlY2tlZFNjcmlwdEV4ZWN1dGlvbkNvbnRleHRUeXBlIHsgQ2hlY2tlZFNjcmlwdEV4ZWN1dGlv bkNvbnRleHQgfTsKKyAgICBBY3RpdmVET01PYmplY3QoU2NyaXB0RXhlY3V0aW9uQ29udGV4dCos IENoZWNrZWRTY3JpcHRFeGVjdXRpb25Db250ZXh0VHlwZSk7CisKKyAgICB1bnNpZ25lZCBtX3Bl bmRpbmdBY3Rpdml0eUNvdW50IHsgMCB9OwogI2lmICFBU1NFUlRfRElTQUJMRUQKLSAgICBib29s IG1fc3VzcGVuZElmTmVlZGVkV2FzQ2FsbGVkOworICAgIGJvb2wgbV9zdXNwZW5kSWZOZWVkZWRX YXNDYWxsZWQgeyBmYWxzZSB9OwogICAgIFJlZjxUaHJlYWQ+IG1fY3JlYXRpb25UaHJlYWQgeyBU aHJlYWQ6OmN1cnJlbnQoKSB9OwogI2VuZGlmCiB9OwpkaWZmIC0tZ2l0IGEvU291cmNlL1dlYkNv cmUvZG9tL0RvY3VtZW50LmggYi9Tb3VyY2UvV2ViQ29yZS9kb20vRG9jdW1lbnQuaAppbmRleCAx MGUzNGQyNTUzMjllMzNkZDA1Mzk1NjcwYmRhOWUwY2UzZWQyOTg2Li44OGRjNzdhYmEwMmEwZTQz OTczZTA4NmEzMzExOWY2OWZlNDg4NmZlIDEwMDY0NAotLS0gYS9Tb3VyY2UvV2ViQ29yZS9kb20v RG9jdW1lbnQuaAorKysgYi9Tb3VyY2UvV2ViQ29yZS9kb20vRG9jdW1lbnQuaApAQCAtMjA5Niwx MSArMjA5Niw2IEBAIGlubGluZSBTY3JpcHRFeGVjdXRpb25Db250ZXh0KiBOb2RlOjpzY3JpcHRF eGVjdXRpb25Db250ZXh0KCkgY29uc3QKICAgICByZXR1cm4gJmRvY3VtZW50KCkuY29udGV4dERv Y3VtZW50KCk7CiB9CiAKLWlubGluZSBBY3RpdmVET01PYmplY3Q6OkFjdGl2ZURPTU9iamVjdChE b2N1bWVudCYgZG9jdW1lbnQpCi0gICAgOiBBY3RpdmVET01PYmplY3Qoc3RhdGljX2Nhc3Q8U2Ny aXB0RXhlY3V0aW9uQ29udGV4dCo+KCZkb2N1bWVudC5jb250ZXh0RG9jdW1lbnQoKSkpCi17Ci19 Ci0KIH0gLy8gbmFtZXNwYWNlIFdlYkNvcmUKIAogU1BFQ0lBTElaRV9UWVBFX1RSQUlUU19CRUdJ TihXZWJDb3JlOjpEb2N1bWVudCkK