Skip to content

Correct nullptr dereference in DocumentLoader::responseReceived #47079

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
merged 1 commit into from
Jun 24, 2025
Merged

Correct nullptr dereference in DocumentLoader::responseReceived #47079

merged 1 commit into from
Jun 24, 2025

Conversation

brentfulgham
Copy link
Contributor

@brentfulgham brentfulgham commented Jun 23, 2025
edited by webkit-early-warning-system
Loading

97054b3

Correct nullptr dereference in DocumentLoader::responseReceived
https://bugs.webkit.org/show_bug.cgi?id=294863
<rdar://problem/153030488>

Reviewed by Charlie Wolfe.

Telemetry from recent betas indicate nullptr crashes in
`DocumentLoader::responseReceived`. This patch corrects this error.

* Source/WebCore/loader/DocumentLoader.cpp:
(WebCore::DocumentLoader::responseReceived): Correct nullptr frame
checks. Also a Drive-by-fix to add missing call to the completion handler.
(WebCore::DocumentLoader::responseReceived): Correct nullptr checks.

Canonical link: https://commits.webkit.org/296582@main

8aa6908

Misc iOS, visionOS, tvOS & watchOS macOS Linux Windows
✅ 🧪 style ✅ 🛠 ios ✅ 🛠 mac ✅ 🛠 wpe ✅ 🛠 win
✅ 🧪 bindings ✅ 🛠 ios-sim ✅ 🛠 mac-AS-debug ✅ 🧪 wpe-wk2 ⏳ 🧪 win-tests
✅ 🧪 webkitperl ✅ 🧪 ios-wk2 ✅ 🧪 api-mac ✅ 🧪 api-wpe
✅ 🧪 ios-wk2-wpt ✅ 🧪 mac-wk1 ✅ 🛠 wpe-cairo
✅ 🧪 api-ios ✅ 🧪 mac-wk2 ✅ 🛠 gtk
✅ 🛠 vision ✅ 🧪 mac-AS-debug-wk2 ✅ 🧪 gtk-wk2
✅ 🛠 vision-sim ✅ 🧪 mac-wk2-stress ✅ 🧪 api-gtk
✅ 🛠 🧪 merge ✅ 🧪 vision-wk2 ✅ 🧪 mac-intel-wk2 loading 🛠 playstation
✅ 🛠 tv ✅ 🛠 mac-safer-cpp
✅ 🛠 tv-sim
✅ 🛠 watch
✅ 🛠 watch-sim

@brentfulgham brentfulgham requested a review from cdumez as a code owner June 23, 2025 21:44
@brentfulgham brentfulgham self-assigned this Jun 23, 2025
@brentfulgham brentfulgham added the New Bugs Unclassified bugs are placed in this component until the correct component can be determined. label Jun 23, 2025
@webkit-early-warning-system
Copy link
Collaborator

webkit-early-warning-system commented Jun 23, 2025
edited
Loading

EWS run on previous version of this PR (hash 5217f45)

Misc iOS, visionOS, tvOS & watchOS macOS Linux Windows
✅ 🧪 style ✅ 🛠 ios ✅ 🛠 mac ✅ 🛠 wpe ✅ 🛠 win
✅ 🧪 bindings ✅ 🛠 ios-sim ✅ 🛠 mac-AS-debug ✅ 🧪 wpe-wk2 ⏳ 🧪 win-tests
✅ 🧪 webkitperl ✅ 🧪 ios-wk2 ✅ 🧪 api-mac ✅ 🧪 api-wpe
✅ 🧪 ios-wk2-wpt ✅ 🧪 mac-wk1 ✅ 🛠 wpe-cairo
✅ 🧪 api-ios ✅ 🧪 mac-wk2 ✅ 🛠 gtk
✅ 🛠 vision ❌ 🧪 mac-AS-debug-wk2 ✅ 🧪 gtk-wk2
✅ 🛠 vision-sim ✅ 🧪 mac-wk2-stress ✅ 🧪 api-gtk
✅ 🧪 vision-wk2 ✅ 🧪 mac-intel-wk2 ✅ 🛠 playstation
✅ 🛠 tv ✅ 🛠 mac-safer-cpp
✅ 🛠 tv-sim
✅ 🛠 watch
✅ 🛠 watch-sim

@brentfulgham brentfulgham added the safe-merge-queue Applied to automatically send a pull-request to merge-queue after passing EWS checks label Jun 23, 2025
achristensen07
achristensen07 requested changes Jun 24, 2025
View reviewed changes
Source/WebCore/loader/DocumentLoader.cpp
@@ -1000,14 +1001,17 @@ void DocumentLoader::responseReceived(ResourceResponse&& response, CompletionHan
if (m_substituteData.isValid() || !platformStrategies()->loaderStrategy()->havePerformedSecurityChecks(response)) {
auto url = response.url();
RefPtr frame = m_frame.get();
ContentSecurityPolicy contentSecurityPolicy(URL { url }, this, frame->document());
ReportingClient* reportingClient = nullptr;
Copy link
Contributor

@achristensen07 achristensen07 Jun 24, 2025
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This seems like a step in the wrong direction. Why not just use a RefPtr<Document>?

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

We don’t want to take ownership of the Document, so perhaps a WeakPtr. After looking at this yesterday, I think this argument to CSP was hacked in a bit poorly, and would need a larger patch to get this right.

I took the approach of matching the logic in the other overload of this method, and intend to follow up with a patch that addresses the ugly bare pointer used for this argument in current code.

@webkit-ews-buildbot webkit-ews-buildbot added the merging-blocked Applied to prevent a change from being merged label Jun 24, 2025
@webkit-ews-buildbot
Copy link
Collaborator

Failed mac-AS-debug-wk2 checks. Please resolve failures and re-apply safe-merge-queue label.

Rejecting #47079 from merge queue.

@webkit-ews-buildbot webkit-ews-buildbot removed the safe-merge-queue Applied to automatically send a pull-request to merge-queue after passing EWS checks label Jun 24, 2025
@webkit-ews-buildbot
Copy link
Collaborator

Safe-Merge-Queue: Build #61260.

cdumez
cdumez reviewed Jun 24, 2025
View reviewed changes
Source/WebCore/loader/DocumentLoader.cpp Outdated
@@ -1035,12 +1039,15 @@ void DocumentLoader::responseReceived(ResourceResponse&& response, CompletionHan
m_response = WTFMove(response);

if (m_identifierForLoadWithoutResourceLoader) {
RefPtr protectedFrameLoader { frameLoader() };
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

We do not call local variable protectedXXX anymore. This is pre-safer CPP style. This should be:

RefPtr frameLoader = this->frameLoader();

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

OK, will fix.

Source/WebCore/loader/DocumentLoader.cpp Outdated
@@ -1053,18 +1060,24 @@ void DocumentLoader::responseReceived(ResourceResponse&& response, CompletionHan
return;
}

RefPtr protectedFrame { m_frame.get() };
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Why do we need this? Why can't we reuse the frame local variable in this function?

Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

It's not in scope?

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Oh, it's possible. It's hard to read diffs sometimes :)

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Since we're moving it, we should name it frame, not protectedFrame.

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Will do!

@brentfulgham brentfulgham removed the merging-blocked Applied to prevent a change from being merged label Jun 24, 2025
@brentfulgham brentfulgham force-pushed the eng/Correct-nullptr-dereference-in-DocumentLoader-responseReceived branch from 5217f45 to 8aa6908 Compare June 24, 2025 17:56
@webkit-early-warning-system
Copy link
Collaborator

webkit-early-warning-system commented Jun 24, 2025
edited
Loading

EWS run on current version of this PR (hash 8aa6908)

Misc iOS, visionOS, tvOS & watchOS macOS Linux Windows
✅ 🧪 style ✅ 🛠 ios ✅ 🛠 mac ✅ 🛠 wpe ✅ 🛠 win
✅ 🧪 bindings ✅ 🛠 ios-sim ✅ 🛠 mac-AS-debug ✅ 🧪 wpe-wk2 ⏳ 🧪 win-tests
✅ 🧪 webkitperl ✅ 🧪 ios-wk2 ✅ 🧪 api-mac ✅ 🧪 api-wpe
✅ 🧪 ios-wk2-wpt ✅ 🧪 mac-wk1 ✅ 🛠 wpe-cairo
✅ 🧪 api-ios ✅ 🧪 mac-wk2 ✅ 🛠 gtk
✅ 🛠 vision ✅ 🧪 mac-AS-debug-wk2 ✅ 🧪 gtk-wk2
✅ 🛠 vision-sim ✅ 🧪 mac-wk2-stress ✅ 🧪 api-gtk
✅ 🛠 🧪 merge ✅ 🧪 vision-wk2 ✅ 🧪 mac-intel-wk2 loading 🛠 playstation
✅ 🛠 tv ✅ 🛠 mac-safer-cpp
✅ 🛠 tv-sim
✅ 🛠 watch
✅ 🛠 watch-sim

@brentfulgham brentfulgham added the safe-merge-queue Applied to automatically send a pull-request to merge-queue after passing EWS checks label Jun 24, 2025
@webkit-ews-buildbot webkit-ews-buildbot added merge-queue Applied to send a pull request to merge-queue and removed safe-merge-queue Applied to automatically send a pull-request to merge-queue after passing EWS checks labels Jun 24, 2025
@webkit-ews-buildbot
Copy link
Collaborator

Safe-Merge-Queue: Build #61307.

@brentfulgham
Correct nullptr dereference in DocumentLoader::responseReceived
97054b3 
https://bugs.webkit.org/show_bug.cgi?id=294863
<rdar://problem/153030488>

Reviewed by Charlie Wolfe.

Telemetry from recent betas indicate nullptr crashes in
`DocumentLoader::responseReceived`. This patch corrects this error.

* Source/WebCore/loader/DocumentLoader.cpp:
(WebCore::DocumentLoader::responseReceived): Correct nullptr frame
checks. Also a Drive-by-fix to add missing call to the completion handler.
(WebCore::DocumentLoader::responseReceived): Correct nullptr checks.

Canonical link: https://commits.webkit.org/296582@main
@webkit-commit-queue webkit-commit-queue force-pushed the eng/Correct-nullptr-dereference-in-DocumentLoader-responseReceived branch from 8aa6908 to 97054b3 Compare June 24, 2025 21:04
@webkit-commit-queue
Copy link
Collaborator

Committed 296582@main (97054b3): https://commits.webkit.org/296582@main

Reviewed commits have been landed. Closing PR #47079 and removing active labels.

@webkit-commit-queue webkit-commit-queue merged commit 97054b3 into WebKit:main Jun 24, 2025
@webkit-commit-queue webkit-commit-queue removed the merge-queue Applied to send a pull request to merge-queue label Jun 24, 2025
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@cdumez cdumez cdumez left review comments

@charliewolfe charliewolfe charliewolfe approved these changes

@achristensen07 achristensen07 achristensen07 requested changes

Assignees

@brentfulgham brentfulgham

Labels
New Bugs Unclassified bugs are placed in this component until the correct component can be determined.
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
7 participants
@brentfulgham @webkit-early-warning-system @webkit-ews-buildbot @webkit-commit-queue @cdumez @achristensen07 @charliewolfe