Title: [293819] trunk
- Revision
- 293819
- Author
- commit-qu...@webkit.org
- Date
- 2022-05-04 21:45:27 -0700 (Wed, 04 May 2022)
Log Message
Crash in WindowProxy::setDOMWindow
https://bugs.webkit.org/show_bug.cgi?id=232763
Patch by Alex Christensen <achristen...@webkit.org> on 2022-05-04
Reviewed by Chris Dumez.
Source/WebCore:
Add a few null checks here and there.
Test: fast/dom/set-dom-window-without-page.html
* bindings/js/WindowProxy.cpp:
(WebCore::WindowProxy::setDOMWindow):
* loader/FrameLoader.cpp:
(WebCore::FrameLoader::findFrameForNavigation):
LayoutTests:
* fast/dom/set-dom-window-without-page-expected.txt: Added.
* fast/dom/set-dom-window-without-page.html: Added.
Diff
Modified: trunk/LayoutTests/ChangeLog (293818 => 293819)
--- trunk/LayoutTests/ChangeLog 2022-05-05 04:23:39 UTC (rev 293818)
+++ trunk/LayoutTests/ChangeLog 2022-05-05 04:45:27 UTC (rev 293819)
@@ -1,3 +1,13 @@
+2022-05-04 Alex Christensen <achristen...@webkit.org>
+
+ Crash in WindowProxy::setDOMWindow
+ https://bugs.webkit.org/show_bug.cgi?id=232763
+
+ Reviewed by Chris Dumez.
+
+ * fast/dom/set-dom-window-without-page-expected.txt: Added.
+ * fast/dom/set-dom-window-without-page.html: Added.
+
2022-05-04 Simon Fraser <simon.fra...@apple.com>
Improve logging of display list items in IPC messages
Added: trunk/LayoutTests/fast/dom/set-dom-window-without-page-expected.txt (0 => 293819)
--- trunk/LayoutTests/fast/dom/set-dom-window-without-page-expected.txt (rev 0)
+++ trunk/LayoutTests/fast/dom/set-dom-window-without-page-expected.txt 2022-05-05 04:45:27 UTC (rev 293819)
@@ -0,0 +1,2 @@
+CONSOLE MESSAGE: this test passes if it does not crash
+
Added: trunk/LayoutTests/fast/dom/set-dom-window-without-page.html (0 => 293819)
--- trunk/LayoutTests/fast/dom/set-dom-window-without-page.html (rev 0)
+++ trunk/LayoutTests/fast/dom/set-dom-window-without-page.html 2022-05-05 04:45:27 UTC (rev 293819)
@@ -0,0 +1,13 @@
+<script>
+if (window.testRunner) { testRunner.dumpAsText(); console.log("this test passes if it does not crash") }
+function start() {
+ window.firstFrame = document.createElement('iframe');
+ document.body.appendChild(window.firstFrame);
+ window.secondFrame = document.createElement('iframe');
+ window.firstFrame.contentDocument.documentElement.appendChild(window.secondFrame);
+ window.secondFrame.contentWindow._onunload_ = function() {
+ document.documentElement.removeChild(window.bodyEl);
+ };
+ window.firstFrame.src = '';
+}
+</script><body id="bodyEl"_onload_="start()">
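Review bot: the unload handler reaches the body through `window.bodyEl`, a named-property lookup that only works because of `id="bodyEl"` on the body tag; `document.body` (or `document.getElementById('bodyEl')`) would state the intent directly and not depend on named access. A short comment explaining why the test is shaped this way would help maintainers, since the interesting part is that removing the body while the nested frame is unloading detaches the outer frame, so the page is already gone when WindowProxy::setDOMWindow runs (the crash this change fixes). Also, the last line as shown here reads `<body id="bodyEl"_onload_="start()">` with no space between the attributes and underscores around the handler name, and the frame handler is spelled `_onunload_`; please confirm the committed file actually reads `onload="start()"` and `onunload`, otherwise neither handler fires and the test passes vacuously.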
Modified: trunk/Source/WebCore/ChangeLog (293818 => 293819)
--- trunk/Source/WebCore/ChangeLog 2022-05-05 04:23:39 UTC (rev 293818)
+++ trunk/Source/WebCore/ChangeLog 2022-05-05 04:45:27 UTC (rev 293819)
@@ -1,3 +1,19 @@
+2022-05-04 Alex Christensen <achristen...@webkit.org>
+
+ Crash in WindowProxy::setDOMWindow
+ https://bugs.webkit.org/show_bug.cgi?id=232763
+
+ Reviewed by Chris Dumez.
+
+ Add a few null checks here and there.
+
+ Test: fast/dom/set-dom-window-without-page.html
+
+ * bindings/js/WindowProxy.cpp:
+ (WebCore::WindowProxy::setDOMWindow):
+ * loader/FrameLoader.cpp:
+ (WebCore::FrameLoader::findFrameForNavigation):
+
2022-05-04 Simon Fraser <simon.fra...@apple.com>
Improve logging of display list items in IPC messages
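Review bot: "Add a few null checks here and there" does not tell a reader what became null or why; the ChangeLog should say that `page` can be null in WindowProxy::setDOMWindow and `m_frame.document()` can be null in FrameLoader::findFrameForNavigation when the frame has been detached during unload, since that is what the layout test exercises and what a future maintainer will search for.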
Modified: trunk/Source/WebCore/bindings/js/WindowProxy.cpp (293818 => 293819)
--- trunk/Source/WebCore/bindings/js/WindowProxy.cpp 2022-05-05 04:23:39 UTC (rev 293818)
+++ trunk/Source/WebCore/bindings/js/WindowProxy.cpp 2022-05-05 04:45:27 UTC (rev 293819)
@@ -186,9 +186,10 @@
cacheableBindingRootObject->updateGlobalObject(windowProxy->window());
windowProxy->attachDebugger(page ? page->debugger() : nullptr);
- if (page)
+ if (page) {
windowProxy->window()->setProfileGroup(page->group().identifier());
- windowProxy->window()->setConsoleClient(page->console());
+ windowProxy->window()->setConsoleClient(page->console());
+ }
}
}
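Review bot: the crash was the unconditional `page->console()` on the old line below the unbraced `if (page)`, which only guarded `setProfileGroup`; moving `setConsoleClient` inside the braces fixes the null dereference, and the brace style is now consistent with WebKit's rule for multi-line bodies. One question: `attachDebugger` on the line above explicitly passes `nullptr` when there is no page, whereas the console client is now simply left untouched in that case. If a WindowProxy can be reused across page detach, consider whether the console client should likewise be reset for symmetry, so the window never keeps a pointer to a console owned by a page that no longer exists.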
Modified: trunk/Source/WebCore/loader/FrameLoader.cpp (293818 => 293819)
--- trunk/Source/WebCore/loader/FrameLoader.cpp 2022-05-05 04:23:39 UTC (rev 293818)
+++ trunk/Source/WebCore/loader/FrameLoader.cpp 2022-05-05 04:45:27 UTC (rev 293819)
@@ -3744,6 +3744,9 @@
if (!activeDocument)
activeDocument = m_frame.document();
+ if (!activeDocument)
+ return nullptr;
+
auto* frame = m_frame.tree().find(name, activeDocument->frame() ? *activeDocument->frame() : m_frame);
if (!activeDocument->canNavigate(frame))
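Review bot: the early return is the right fix, since both `activeDocument` and the `m_frame.document()` fallback can be null and the next line dereferences `activeDocument` unconditionally; a one-line comment at the early return saying that a detached frame has no document would make the condition self-explanatory. Since `m_frame.tree().find(...)` can already return null, callers must already handle a null frame from this function, so returning `nullptr` here introduces no new contract, but it would be worth confirming that the caller path hit by the new test does not treat a null result as a navigation target.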