Protect the provisional loader from detaching during prepareForCommit

third_party/WebKit/Source/core/loader/FrameLoader.cpp

 /*
  * Copyright (C) 2006, 2007, 2008, 2009, 2010, 2011 Apple Inc. All rights reserved.
  * Copyright (C) 2008 Nokia Corporation and/or its subsidiary(-ies)
  * Copyright (C) 2008, 2009 Torch Mobile Inc. All rights reserved. (http://www.torchmobile.com/)
  * Copyright (C) 2008 Alp Toker <alp@atoker.com>
  * Copyright (C) Research In Motion Limited 2009. All rights reserved.
  * Copyright (C) 2011 Kris Jordan <krisjordan@gmail.com>
  * Copyright (C) 2011 Google Inc. All rights reserved.
  *
  * Redistribution and use in source and binary forms, with or without
@@ skipping 150 matching lines @@
 FrameLoader::FrameLoader(LocalFrame* frame)
     : m_frame(frame)
     , m_progressTracker(ProgressTracker::create(frame))
     , m_loadType(FrameLoadTypeStandard)
     , m_inStopAllLoaders(false)
     , m_checkTimer(this, &FrameLoader::checkTimerFired)
     , m_didAccessInitialDocument(false)
     , m_didAccessInitialDocumentTimer(this, &FrameLoader::didAccessInitialDocumentTimerFired)
     , m_forcedSandboxFlags(SandboxNone)
     , m_dispatchingDidClearWindowObjectInMainWorld(false)
+    , m_protectProvisionalLoader(false)
 {
 }
 
 FrameLoader::~FrameLoader()
 {
     // Verify that this FrameLoader has been detached.
     ASSERT(!m_progressTracker);
 }
 
 DEFINE_TRACE(FrameLoader)
@@ skipping 65 matching lines @@
     m_currentItem->setVisualViewportScrollPoint(m_frame->host()->visualViewport().visibleRect().location());
 
     if (m_frame->isMainFrame())
         m_currentItem->setPageScaleFactor(m_frame->page()->pageScaleFactor());
 
     client()->didUpdateCurrentHistoryItem();
 }
 
 void FrameLoader::dispatchUnloadEvent()
 {
+    // If the frame is unloading, the provisional loader should no longer be
+    // protected. It will be detached soon.
+    m_protectProvisionalLoader = false;
     saveScrollState();
 
     if (m_frame->document() && !SVGImage::isInSVGImage(m_frame->document()))
         m_frame->document()->dispatchUnloadEvents();
 
     if (Page* page = m_frame->page())
         page->undoStack().didUnloadFrame(*m_frame);
 }
 
 void FrameLoader::didExplicitOpen()
@@ skipping 719 matching lines @@
     RefPtrWillBeRawPtr<LocalFrame> protect(m_frame.get());
 
     m_inStopAllLoaders = true;
 
     for (RefPtrWillBeRawPtr<Frame> child = m_frame->tree().firstChild(); child; child = child->tree().nextSibling()) {
         if (child->isLocalFrame())
             toLocalFrame(child.get())->loader().stopAllLoaders();
     }
 
     m_frame->document()->suppressLoadEvent();
-    if (m_provisionalDocumentLoader)
+    // Don't stop loading the provisional loader if it is being protected (i.e.
+    // it is about to be committed) See prepareForCommit() for more details.
+    if (m_provisionalDocumentLoader && !m_protectProvisionalLoader)
         m_provisionalDocumentLoader->stopLoading();
     if (m_documentLoader)
         m_documentLoader->stopLoading();
     m_frame->document()->cancelParsing();
 
-    detachDocumentLoader(m_provisionalDocumentLoader);
+    if (!m_protectProvisionalLoader)

[dcheng, 2016/02/22 18:12:07]

Would it be slightly more robust to put this check into DocumentLoader?

Actually, I wonder if it makes sense to move this tracking into DocumentLoader
completely: then we don't need to make sure all the entry points to
stopLoading() and detachDocumentLoader() remember to check this bool: the
DocumentLoader itself can just make it a no-op and return immediately. WDYT?

[Charlie Harrison, 2016/02/24 17:09:15]

I'm not sure. My first attempt is giving me crashes deep in
blink::FrameLoaderClientImpl::dispatchDidClearWindowObjectInMainWorld (service
worker related). I suspect there are edge cases where we want to detach the
provisional document loader. We just don't want to do it in |stopAllLoaders|.

[dcheng, 2016/02/24 21:22:59]

Hmm, mind posting a stack on here? I'm kind of curious what it looks like.

+        detachDocumentLoader(m_provisionalDocumentLoader);
 
     m_checkTimer.stop();
     m_frame->navigationScheduler().cancel();
 
     m_inStopAllLoaders = false;
 }
 
 void FrameLoader::didAccessInitialDocument()
 {
     // We only need to notify the client once, and only for the main frame.
@@ skipping 43 matching lines @@
         client()->dispatchWillClose();
         dispatchUnloadEvent();
     }
     m_frame->detachChildren();
     // The previous calls to dispatchUnloadEvent() and detachChildren() can
     // execute arbitrary script via things like unload events. If the executed
     // script intiates a new load or causes the current frame to be detached,
     // we need to abandon the current load.
     if (pdl != m_provisionalDocumentLoader)
         return false;
+    // detachFromFrame() will abort XHRs that haven't completed, which can
+    // trigger event listeners for 'abort'. These event listeners might call
+    // stop(), which will in turn detach the provisional document loader.

[dcheng, 2016/02/22 18:12:07]

Nit: window.stop()

[Charlie Harrison, 2016/02/24 17:09:15]

Done.

+    // At this point, the provisional document loader should not detach, because
+    // then the FrameLoader would not have any attached DocumentLoaders.
     if (m_documentLoader) {
         FrameNavigationDisabler navigationDisabler(*m_frame);
+        TemporaryChange<bool> inDetachDocumentLoader(m_protectProvisionalLoader, true);
         detachDocumentLoader(m_documentLoader);
     }
-    // detachFromFrame() will abort XHRs that haven't completed, which can
-    // trigger event listeners for 'abort'. These event listeners might detach
-    // the frame.
+    // 'abort' listeners can also detach the frame.
     // TODO(dcheng): Investigate if this can be moved above the check that

[dcheng, 2016/02/22 18:12:07]

Nit: clean up this TODO as well, it doesn't really apply if the provisional
document loader can't go away.

[Charlie Harrison, 2016/02/24 17:09:15]

Done.

     // m_provisionalDocumentLoader hasn't changed.
     if (!m_frame->client())
         return false;
+    ASSERT(m_provisionalDocumentLoader == pdl);
     // No more events will be dispatched so detach the Document.
     // TODO(yoav): Should we also be nullifying domWindow's document (or domWindow) since the doc is now detached?
     if (m_frame->document())
         m_frame->document()->detach();
     m_documentLoader = m_provisionalDocumentLoader.release();
 
     return true;
 }
 
 void FrameLoader::commitProvisionalLoad()
@@ skipping 475 matching lines @@
     // FIXME: We need a way to propagate insecure requests policy flags to
     // out-of-process frames. For now, we'll always use default behavior.
     if (!parentFrame->isLocalFrame())
         return nullptr;
 
     ASSERT(toLocalFrame(parentFrame)->document());
     return toLocalFrame(parentFrame)->document()->insecureNavigationsToUpgrade();
 }
 
 } // namespace blink