Let AssociatedURLLoader listen to destruction of the Document used for loading

third_party/WebKit/Source/web/AssociatedURLLoader.cpp

 /*
  * Copyright (C) 2010, 2011, 2012 Google Inc. All rights reserved.
  *
  * Redistribution and use in source and binary forms, with or without
  * modification, are permitted provided that the following conditions are
  * met:
  *
  *     * Redistributions of source code must retain the above copyright
  * notice, this list of conditions and the following disclaimer.
  *     * Redistributions in binary form must reproduce the above
@@ skipping 12 matching lines @@
  * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT
  * LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
  * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
  * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
  * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
  * OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
  */
 
 #include "web/AssociatedURLLoader.h"
 
+#include "core/dom/ContextLifecycleObserver.h"
 #include "core/fetch/CrossOriginAccessControl.h"
 #include "core/fetch/FetchUtils.h"
 #include "core/loader/DocumentThreadableLoader.h"
 #include "core/loader/DocumentThreadableLoaderClient.h"
 #include "platform/Timer.h"
 #include "platform/exported/WrappedResourceRequest.h"
 #include "platform/exported/WrappedResourceResponse.h"
 #include "platform/network/HTTPParsers.h"
 #include "platform/network/ResourceError.h"
 #include "public/platform/WebHTTPHeaderVisitor.h"
@@ skipping 197 matching lines @@
         return;
 
     m_client->didReceiveCachedMetadata(m_loader, data, dataLength);
 }
 
 void AssociatedURLLoader::ClientAdapter::didFinishLoading(unsigned long identifier, double finishTime)
 {
     if (!m_client)
         return;
 
+    m_loader->disposeObserver();
+
     m_client->didFinishLoading(m_loader, finishTime, WebURLLoaderClient::kUnknownEncodedDataLength);
 }
 
 void AssociatedURLLoader::ClientAdapter::didFail(const ResourceError& error)
 {
     if (!m_client)
         return;
 
+    m_loader->disposeObserver();
+
     m_didFail = true;
     m_error = WebURLError(error);
     if (m_enableErrorNotifications)
         notifyError(&m_errorTimer);
 }
 
 void AssociatedURLLoader::ClientAdapter::didFailRedirectCheck()
 {
     didFail(ResourceError());
 }
 
-void AssociatedURLLoader::ClientAdapter::setDelayedError(const ResourceError& error)
-{
-    didFail(error);
-}
-
 void AssociatedURLLoader::ClientAdapter::enableErrorNotifications()
 {
     m_enableErrorNotifications = true;
     // If an error has already been received, start a timer to report it to the client
     // after AssociatedURLLoader::loadAsynchronously has returned to the caller.
     if (m_didFail)
         m_errorTimer.startOneShot(0, BLINK_FROM_HERE);
 }
 
 void AssociatedURLLoader::ClientAdapter::notifyError(Timer<ClientAdapter>* timer)
 {
     ASSERT_UNUSED(timer, timer == &m_errorTimer);
 
+    if (!m_client)
+        return;
+
     m_client->didFail(m_loader, m_error);
 }
 
+class AssociatedURLLoader::Observer final : public GarbageCollectedFinalized<Observer>, public ContextLifecycleObserver {
+    USING_GARBAGE_COLLECTED_MIXIN(Observer);
+public:
+    Observer(AssociatedURLLoader* parent, Document* document)
+        : ContextLifecycleObserver(document)
+        , m_parent(parent)
+    {
+    }
+
+    void dispose()
+    {
+        m_parent = nullptr;
+        clearContext();
+    }
+
+    void contextDestroyed() override
+    {
+        if (m_parent)
+            m_parent->documentDestroyed();
+    }
+
+    DEFINE_INLINE_VIRTUAL_TRACE()
+    {
+        ContextLifecycleObserver::trace(visitor);
+    }
+
+    AssociatedURLLoader* m_parent;
+};
+
 AssociatedURLLoader::AssociatedURLLoader(RawPtr<WebLocalFrameImpl> frameImpl, const WebURLLoaderOptions& options)
-    : m_frameImpl(frameImpl)
-    , m_options(options)
-    , m_client(0)
+    : m_options(options)
+    , m_observer(new Observer(this, frameImpl->frame()->document()))
 {
-    DCHECK(m_frameImpl);
 }
 
 AssociatedURLLoader::~AssociatedURLLoader()
 {
     cancel();
 }
 
 #define STATIC_ASSERT_ENUM(a, b)                              \
     static_assert(static_cast<int>(a) == static_cast<int>(b), \
         "mismatching enum: " #a)
 
 STATIC_ASSERT_ENUM(WebURLLoaderOptions::CrossOriginRequestPolicyDeny, DenyCrossOriginRequests);
 STATIC_ASSERT_ENUM(WebURLLoaderOptions::CrossOriginRequestPolicyUseAccessControl, UseAccessControl);
 STATIC_ASSERT_ENUM(WebURLLoaderOptions::CrossOriginRequestPolicyAllow, AllowCrossOriginRequests);
 
 STATIC_ASSERT_ENUM(WebURLLoaderOptions::ConsiderPreflight, ConsiderPreflight);
 STATIC_ASSERT_ENUM(WebURLLoaderOptions::ForcePreflight, ForcePreflight);
 STATIC_ASSERT_ENUM(WebURLLoaderOptions::PreventPreflight, PreventPreflight);
 
 void AssociatedURLLoader::loadSynchronously(const WebURLRequest& request, WebURLResponse& response, WebURLError& error, WebData& data)
 {
     DCHECK(0); // Synchronous loading is not supported.
 }
 
 void AssociatedURLLoader::loadAsynchronously(const WebURLRequest& request, WebURLLoaderClient* client)
 {
     DCHECK(!m_loader);
-    DCHECK(!m_client);
+    DCHECK(!m_clientAdapter);
 
-    m_client = client;
-    DCHECK(m_client);
+    DCHECK(client);
 
     bool allowLoad = true;
     WebURLRequest newRequest(request);
     if (m_options.untrustedHTTP) {
         WebString method = newRequest.httpMethod();
-        allowLoad = isValidHTTPToken(method) && FetchUtils::isUsefulMethod(method);
+        allowLoad = m_observer && isValidHTTPToken(method) && FetchUtils::isUsefulMethod(method);
         if (allowLoad) {
             newRequest.setHTTPMethod(FetchUtils::normalizeMethod(method));
             HTTPRequestHeaderValidator validator;
             newRequest.visitHTTPHeaderFields(&validator);
             allowLoad = validator.isSafe();
         }
     }
 
-    m_clientAdapter = ClientAdapter::create(this, m_client, m_options);
+    m_clientAdapter = ClientAdapter::create(this, client, m_options);
 
     if (allowLoad) {
         ThreadableLoaderOptions options;
         options.preflightPolicy = static_cast<PreflightPolicy>(m_options.preflightPolicy);
         options.crossOriginRequestPolicy = static_cast<CrossOriginRequestPolicy>(m_options.crossOriginRequestPolicy);
 
         ResourceLoaderOptions resourceLoaderOptions;
         resourceLoaderOptions.allowCredentials = m_options.allowCredentials ? AllowStoredCredentials : DoNotAllowStoredCredentials;
         resourceLoaderOptions.dataBufferingPolicy = DoNotBufferData;
 
         const ResourceRequest& webcoreRequest = newRequest.toResourceRequest();
         if (webcoreRequest.requestContext() == WebURLRequest::RequestContextUnspecified) {
             // FIXME: We load URLs without setting a TargetType (and therefore a request context) in several
             // places in content/ (P2PPortAllocatorSession::AllocateLegacyRelaySession, for example). Remove
             // this once those places are patched up.
             newRequest.setRequestContext(WebURLRequest::RequestContextInternal);
         }
 
-        Document* webcoreDocument = m_frameImpl->frame()->document();
-        DCHECK(webcoreDocument);
-        m_loader = DocumentThreadableLoader::create(*webcoreDocument, m_clientAdapter.get(), options, resourceLoaderOptions);
+        Document* document = toDocument(m_observer->lifecycleContext());
+        DCHECK(document);
+        m_loader = DocumentThreadableLoader::create(*document, m_clientAdapter.get(), options, resourceLoaderOptions);
         m_loader->start(webcoreRequest);
     }
 
     if (!m_loader) {
         // FIXME: return meaningful error codes.
-        m_clientAdapter->setDelayedError(ResourceError());
+        m_clientAdapter->didFail(ResourceError());
     }
     m_clientAdapter->enableErrorNotifications();
 }
 
 void AssociatedURLLoader::cancel()
 {
-    if (m_clientAdapter)
-        m_clientAdapter->clearClient();
-    if (m_loader)
+    disposeObserver();
+
+    if (!m_clientAdapter)
+        return;
+
+    // Prevent invocation of the WebURLLoaderClient methods.
+    m_clientAdapter->clearClient();
+
+    if (m_loader) {
         m_loader->cancel();
+        m_loader.clear();
+    }
+    m_clientAdapter.clear();
 }
 
 void AssociatedURLLoader::setDefersLoading(bool defersLoading)
 {
     if (m_loader)
         m_loader->setDefersLoading(defersLoading);
 }
 
 void AssociatedURLLoader::setLoadingTaskRunner(blink::WebTaskRunner*)
 {
     // TODO(alexclarke): Maybe support this one day if it proves worthwhile.
 }
 
+void AssociatedURLLoader::documentDestroyed()
+{
+    cancel();
+
+    m_client->didFail(this, ResourceError());
+    // |this| may be dead here.
+}
+
+void AssociatedURLLoader::disposeObserver()
+{
+    if (!m_observer)
+        return;
+
+    // The method of detecting Document destruction implemented here doesn't

[haraken, 2016/04/08 07:34:13]

Add TODO.

[tyoshino (SeeGerritForStatus), 2016/04/08 07:56:58]

Done.

+    // work for all kinds of Documents. In case we reached here after the
+    // Oilpan is destroyed, we just crash the renderer process to prevent UaF.

[haraken, 2016/04/08 07:34:13]

Sorry, how does this cause UaF?

[tyoshino (SeeGerritForStatus), 2016/04/08 07:56:58]

m_observer is on-heap. If the Oilpan is already shutdown, we shouldn't touch
m_observer.

We could consider the way that we just ignore the rest of the algorithm. But the
fact that we were not notified of destruction of the context means that we
haven't cleaned up the ThreadableLoader. ThreadableLoader involves some other
non-Blink instances e.g. WebURLLoader. It may be still facing the on-heap
objects, so we should kill the process for safety.

Improved the comment.

+    RELEASE_ASSERT(ThreadState::current());
+
+    m_observer->dispose();
+    m_observer = nullptr;
+}
+
 } // namespace blink