Crash under WebExtensionContextProxy::enumerateFramesAndNamespaceObje…

…cts. https://webkit.org/b/276337 rdar://129820399 Reviewed by Chris Dumez and Brian Weinstein. Use forEach() when iterating m_extensionContentFrames, since it might be mutated during the iteration as frames are added or removed. * Source/WebKit/WebProcess/Extensions/WebExtensionContextProxy.cpp: (WebKit::WebExtensionContextProxy::enumerateFramesAndNamespaceObjects): * Source/WebKit/WebProcess/Extensions/WebExtensionContextProxy.h: Canonical link: https://commits.webkit.org/280753@main
dhecht · Jul 8, 2024 · 0f7c9d3 · 0f7c9d3
1 parent aef586e
commit 0f7c9d3
Show file tree

Hide file tree

Showing 2 changed files with 6 additions and 7 deletions.
diff --git a/Source/WebKit/WebProcess/Extensions/WebExtensionContextProxy.cpp b/Source/WebKit/WebProcess/Extensions/WebExtensionContextProxy.cpp
@@ -182,12 +182,12 @@ void WebExtensionContextProxy::setStorageAccessLevel(bool allowedInContentScript
 
 void WebExtensionContextProxy::enumerateFramesAndNamespaceObjects(const Function<void(WebFrame&, WebExtensionAPINamespace&)>& function, DOMWrapperWorld& world)
 {
-    for (Ref frame : m_extensionContentFrames) {
-        RefPtr page = frame->page() ? frame->page()->corePage() : nullptr;
+    m_extensionContentFrames.forEach([&](auto& frame) {
+        RefPtr page = frame.page() ? frame.page()->corePage() : nullptr;
         if (!page)
-            continue;
+            return;
 
-        auto context = page->isServiceWorkerPage() ? frame->jsContextForServiceWorkerWorld(world) : frame->jsContextForWorld(world);
+        auto context = page->isServiceWorkerPage() ? frame.jsContextForServiceWorkerWorld(world) : frame.jsContextForWorld(world);
         auto globalObject = JSContextGetGlobalObject(context);
 
         RefPtr<WebExtensionAPINamespace> namespaceObjectImpl;
@@ -202,10 +202,10 @@ void WebExtensionContextProxy::enumerateFramesAndNamespaceObjects(const Function
         }
 
         if (!namespaceObjectImpl)
-            continue;
+            return;
 
         function(frame, *namespaceObjectImpl);
-    }
+    });
 }
 
 } // namespace WebKit

diff --git a/Source/WebKit/WebProcess/Extensions/WebExtensionContextProxy.h b/Source/WebKit/WebProcess/Extensions/WebExtensionContextProxy.h
@@ -64,7 +64,6 @@ class WebExtensionContextProxy final : public RefCounted<WebExtensionContextProx
     ~WebExtensionContextProxy();
 
     using WeakFrameSet = WeakHashSet<WebFrame>;
-    using WeakPageSet = WeakHashSet<WebPage>;
     using TabWindowIdentifierPair = std::pair<std::optional<WebExtensionTabIdentifier>, std::optional<WebExtensionWindowIdentifier>>;
     using WeakPageTabWindowMap = WeakHashMap<WebPage, TabWindowIdentifierPair>;
     using PermissionsMap = WebExtensionContext::PermissionsMap;