Title: [293819] trunk
Revision: 293819
Author: commit-qu...@webkit.org
Date: 2022-05-04 21:45:27 -0700 (Wed, 04 May 2022)

Log Message

Crash in WindowProxy::setDOMWindow
https://bugs.webkit.org/show_bug.cgi?id=232763

Patch by Alex Christensen <achristen...@webkit.org> on 2022-05-04
Reviewed by Chris Dumez.

Source/WebCore:

Add a few null checks here and there.

Test: fast/dom/set-dom-window-without-page.html

* bindings/js/WindowProxy.cpp:
(WebCore::WindowProxy::setDOMWindow):
* loader/FrameLoader.cpp:
(WebCore::FrameLoader::findFrameForNavigation):

LayoutTests:

* fast/dom/set-dom-window-without-page-expected.txt: Added.
* fast/dom/set-dom-window-without-page.html: Added.

Diff

Modified: trunk/LayoutTests/ChangeLog (293818 => 293819)


--- trunk/LayoutTests/ChangeLog	2022-05-05 04:23:39 UTC (rev 293818)
+++ trunk/LayoutTests/ChangeLog	2022-05-05 04:45:27 UTC (rev 293819)
@@ -1,3 +1,13 @@
+2022-05-04  Alex Christensen  <achristen...@webkit.org>
+
+        Crash in WindowProxy::setDOMWindow
+        https://bugs.webkit.org/show_bug.cgi?id=232763
+
+        Reviewed by Chris Dumez.
+
+        * fast/dom/set-dom-window-without-page-expected.txt: Added.
+        * fast/dom/set-dom-window-without-page.html: Added.
+
 2022-05-04  Simon Fraser  <simon.fra...@apple.com>
 
         Improve logging of display list items in IPC messages

Added: trunk/LayoutTests/fast/dom/set-dom-window-without-page-expected.txt (0 => 293819)


--- trunk/LayoutTests/fast/dom/set-dom-window-without-page-expected.txt	                        (rev 0)
+++ trunk/LayoutTests/fast/dom/set-dom-window-without-page-expected.txt	2022-05-05 04:45:27 UTC (rev 293819)
@@ -0,0 +1,2 @@
+CONSOLE MESSAGE: this test passes if it does not crash
+

Added: trunk/LayoutTests/fast/dom/set-dom-window-without-page.html (0 => 293819)


--- trunk/LayoutTests/fast/dom/set-dom-window-without-page.html	                        (rev 0)
+++ trunk/LayoutTests/fast/dom/set-dom-window-without-page.html	2022-05-05 04:45:27 UTC (rev 293819)
@@ -0,0 +1,13 @@
+<script>
+if (window.testRunner) { testRunner.dumpAsText(); console.log("this test passes if it does not crash") }
+function start() {
+  window.firstFrame = document.createElement('iframe');
+  document.body.appendChild(window.firstFrame);
+  window.secondFrame = document.createElement('iframe');
+  window.firstFrame.contentDocument.documentElement.appendChild(window.secondFrame);
+  window.secondFrame.contentWindow._onunload_ = function() {
+    document.documentElement.removeChild(window.bodyEl);
+  };
+  window.firstFrame.src = '';
+}
+</script><body id="bodyEl"_onload_="start()">
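Review bot: As displayed, the event handler attributes in this test read `_onunload_` and `_onload_`, and `<body id="bodyEl"_onload_="start()">` has no space between the `id` value and the next attribute; if the checked-in file really looks like this, `start()` is never invoked and the test passes without exercising the crash at all. Please confirm the committed file uses `window.secondFrame.contentWindow.onunload = function() { ... }` and `<body id="bodyEl" onload="start()">`, or fix it before landing. A one-line comment describing the sequence would also help a later reader: the nested frame's unload handler removes the body (and with it `firstFrame`) while `firstFrame` is being navigated via `src = ''`, which is presumably how `setDOMWindow` ends up running for a frame whose Page is already gone.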

Modified: trunk/Source/WebCore/ChangeLog (293818 => 293819)


--- trunk/Source/WebCore/ChangeLog	2022-05-05 04:23:39 UTC (rev 293818)
+++ trunk/Source/WebCore/ChangeLog	2022-05-05 04:45:27 UTC (rev 293819)
@@ -1,3 +1,19 @@
+2022-05-04  Alex Christensen  <achristen...@webkit.org>
+
+        Crash in WindowProxy::setDOMWindow
+        https://bugs.webkit.org/show_bug.cgi?id=232763
+
+        Reviewed by Chris Dumez.
+
+        Add a few null checks here and there.
+
+        Test: fast/dom/set-dom-window-without-page.html
+
+        * bindings/js/WindowProxy.cpp:
+        (WebCore::WindowProxy::setDOMWindow):
+        * loader/FrameLoader.cpp:
+        (WebCore::FrameLoader::findFrameForNavigation):
+
 2022-05-04  Simon Fraser  <simon.fra...@apple.com>
 
         Improve logging of display list items in IPC messages
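Review bot: "Add a few null checks here and there." is too vague for a ChangeLog entry that someone bisecting a related crash will read later; the per-function lines should say what is guarded and why. For example, `(WebCore::WindowProxy::setDOMWindow): Don't dereference a null Page when setting the console client.` and `(WebCore::FrameLoader::findFrameForNavigation): Return nullptr when neither the passed-in active document nor m_frame.document() exists.`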

Modified: trunk/Source/WebCore/bindings/js/WindowProxy.cpp (293818 => 293819)


--- trunk/Source/WebCore/bindings/js/WindowProxy.cpp	2022-05-05 04:23:39 UTC (rev 293818)
+++ trunk/Source/WebCore/bindings/js/WindowProxy.cpp	2022-05-05 04:45:27 UTC (rev 293819)
@@ -186,9 +186,10 @@
             cacheableBindingRootObject->updateGlobalObject(windowProxy->window());
 
         windowProxy->attachDebugger(page ? page->debugger() : nullptr);
-        if (page)
+        if (page) {
             windowProxy->window()->setProfileGroup(page->group().identifier());
-        windowProxy->window()->setConsoleClient(page->console());
+            windowProxy->window()->setConsoleClient(page->console());
+        }
     }
 }
 
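Review bot: Moving `setConsoleClient(page->console())` under `if (page)` stops the null dereference, but in the null-Page case the window's console client is now left as-is rather than cleared, whereas the line just above explicitly does `attachDebugger(page ? page->debugger() : nullptr)`. Since `setDOMWindow` can evidently be reached for a frame whose Page is gone (that is what the new layout test exercises), please confirm a console client pointing at the old Page cannot survive here; if it can, an `else` branch passing `nullptr` (or a ternary mirroring the debugger line) would make the two calls consistent, and either way a short ChangeLog sentence explaining the choice would help.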

Modified: trunk/Source/WebCore/loader/FrameLoader.cpp (293818 => 293819)


--- trunk/Source/WebCore/loader/FrameLoader.cpp	2022-05-05 04:23:39 UTC (rev 293818)
+++ trunk/Source/WebCore/loader/FrameLoader.cpp	2022-05-05 04:45:27 UTC (rev 293819)
@@ -3744,6 +3744,9 @@
     if (!activeDocument)
         activeDocument = m_frame.document();
 
+    if (!activeDocument)
+        return nullptr;
+
     auto* frame = m_frame.tree().find(name, activeDocument->frame() ? *activeDocument->frame() : m_frame);
 
     if (!activeDocument->canNavigate(frame))
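Review bot: The new early return is necessary, since `activeDocument->frame()` and `activeDocument->canNavigate(frame)` both dereference `activeDocument` unconditionally below, and the fallback `m_frame.document()` can evidently be null for a frame that has been detached. A brief comment above the check stating when that happens (a frame removed from its document mid-navigation, as in the added layout test) would keep a future cleanup from dropping it as redundant; it is also worth double-checking that every caller of `findFrameForNavigation` already tolerates a nullptr result, since this adds a new path that returns one.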
_______________________________________________
webkit-changes mailing list
webkit-changes@lists.webkit.org
https://lists.webkit.org/mailman/listinfo/webkit-changes
