[Content Filtering] Crash in DocumentLoader::notifyFinished() when allowing a media document to load
https://bugs.webkit.org/show_bug.cgi?id=151433
rdar://problem/23506594
Reviewed by Alexey Proskuryakov.
Source/WebCore:
When the main resource of a media document commits, WebKit cancels its load since the plug-in or media engine
will do its own loading. If content filtering is enabled, and the filter waits allow the load until the entire
resource is downloaded, then ContentFilter will attempt to call DocumentLoader::notifyFinished() immediately
after delivering the buffered resource data to DocumentLoader. However, delivering the data will have nulled out
DocumentLoader's m_mainResource when the load was cancelled, leading to a crash in notifyFinished().
To resolve this, add a new Stopped state to ContentFilter. Set this state if DocumentLoader clears its main
resource or detaches from its frame. If ContentFilter is in the Stopped state after calling
DocumentLoader::dataReceived(), do not proceed to call DocumentLoader::notifyFinished().
Test: contentfiltering/allow-media-document.html
* loader/ContentFilter.cpp:
(WebCore::ContentFilter::stopFilteringMainResource): Set m_state to Stopped. If m_mainResource is non-null,
removed ContentFilter as a client and set m_mainResource to null.
(WebCore::ContentFilter::notifyFinished): Stopped calling DocumentLoader::notifyFinished() if m_state is Stopped
after calling DocumentLoader::dataReceived().
* loader/ContentFilter.h:
* loader/DocumentLoader.cpp:
(WebCore::DocumentLoader::detachFromFrame): Called ContentFilter::stopFilteringMainResource() instead of setting
m_contentFilter to null.
(WebCore::DocumentLoader::clearMainResource): Ditto.
LayoutTests:
* contentfiltering/allow-media-document-expected.txt: Added.
* contentfiltering/allow-media-document.html: Added.
* contentfiltering/resources/test.mp4: Added.
git-svn-id: http://svn.webkit.org/repository/webkit/trunk@192772 268f45cc-cd09-0410-ab3c-d52691b4dbfc
8 files changed
