Title: [294840] branches/safari-613-branch
Revision
294840
Author
alanc...@apple.com
Date
2022-05-25 16:49:41 -0700 (Wed, 25 May 2022)

Log Message

Cherry-pick r293819. rdar://problem/93602086

    Crash in WindowProxy::setDOMWindow
    https://bugs.webkit.org/show_bug.cgi?id=232763

    Patch by Alex Christensen <achristen...@webkit.org> on 2022-05-04
    Reviewed by Chris Dumez.

    Source/WebCore:

    Add a few null checks here and there.

    Test: fast/dom/set-dom-window-without-page.html

    * bindings/js/WindowProxy.cpp:
    (WebCore::WindowProxy::setDOMWindow):
    * loader/FrameLoader.cpp:
    (WebCore::FrameLoader::findFrameForNavigation):

    LayoutTests:

    * fast/dom/set-dom-window-without-page-expected.txt: Added.
    * fast/dom/set-dom-window-without-page.html: Added.

    Canonical link: https://commits.webkit.org/250292@main
    git-svn-id: https://svn.webkit.org/repository/webkit/trunk@293819 268f45cc-cd09-0410-ab3c-d52691b4dbfc

Modified Paths

Added Paths

Diff

Modified: branches/safari-613-branch/LayoutTests/ChangeLog (294839 => 294840)


--- branches/safari-613-branch/LayoutTests/ChangeLog	2022-05-25 23:49:37 UTC (rev 294839)
+++ branches/safari-613-branch/LayoutTests/ChangeLog	2022-05-25 23:49:41 UTC (rev 294840)
@@ -1,3 +1,42 @@
+2022-05-19  Alan Coon  <alanc...@apple.com>
+
+        Cherry-pick r293819. rdar://problem/93602086
+
+    Crash in WindowProxy::setDOMWindow
+    https://bugs.webkit.org/show_bug.cgi?id=232763
+    
+    Patch by Alex Christensen <achristen...@webkit.org> on 2022-05-04
+    Reviewed by Chris Dumez.
+    
+    Source/WebCore:
+    
+    Add a few null checks here and there.
+    
+    Test: fast/dom/set-dom-window-without-page.html
+    
+    * bindings/js/WindowProxy.cpp:
+    (WebCore::WindowProxy::setDOMWindow):
+    * loader/FrameLoader.cpp:
+    (WebCore::FrameLoader::findFrameForNavigation):
+    
+    LayoutTests:
+    
+    * fast/dom/set-dom-window-without-page-expected.txt: Added.
+    * fast/dom/set-dom-window-without-page.html: Added.
+    
+    Canonical link: https://commits.webkit.org/250292@main
+    git-svn-id: https://svn.webkit.org/repository/webkit/trunk@293819 268f45cc-cd09-0410-ab3c-d52691b4dbfc
+
+    2022-05-04  Alex Christensen  <achristen...@webkit.org>
+
+            Crash in WindowProxy::setDOMWindow
+            https://bugs.webkit.org/show_bug.cgi?id=232763
+
+            Reviewed by Chris Dumez.
+
+            * fast/dom/set-dom-window-without-page-expected.txt: Added.
+            * fast/dom/set-dom-window-without-page.html: Added.
+
 2022-05-16  Alan Coon  <alanc...@apple.com>
 
         Cherry-pick r294012. rdar://problem/92425915
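Review bot: the indentation of the cherry-picked entry is inconsistent. The first body line ("Cherry-pick r293819. rdar://problem/93602086") and the neighbouring r294012 entry use the eight-space ChangeLog body convention, but everything from "Crash in WindowProxy::setDOMWindow" down to the git-svn-id line is indented four spaces, and the nested original entry is indented twelve. Re-indent the body to eight spaces so the file stays consistent with the entries below it. Also note the entry is dated 2022-05-19 while the revision landed 2022-05-25; harmless if that is when the cherry-pick was prepared, but worth confirming.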

Added: branches/safari-613-branch/LayoutTests/fast/dom/set-dom-window-without-page-expected.txt (0 => 294840)


--- branches/safari-613-branch/LayoutTests/fast/dom/set-dom-window-without-page-expected.txt	                        (rev 0)
+++ branches/safari-613-branch/LayoutTests/fast/dom/set-dom-window-without-page-expected.txt	2022-05-25 23:49:41 UTC (rev 294840)
@@ -0,0 +1,2 @@
+CONSOLE MESSAGE: this test passes if it does not crash
+

Added: branches/safari-613-branch/LayoutTests/fast/dom/set-dom-window-without-page.html (0 => 294840)


--- branches/safari-613-branch/LayoutTests/fast/dom/set-dom-window-without-page.html	                        (rev 0)
+++ branches/safari-613-branch/LayoutTests/fast/dom/set-dom-window-without-page.html	2022-05-25 23:49:41 UTC (rev 294840)
@@ -0,0 +1,13 @@
+<script>
+if (window.testRunner) { testRunner.dumpAsText(); console.log("this test passes if it does not crash") }
+function start() {
+  window.firstFrame = document.createElement('iframe');
+  document.body.appendChild(window.firstFrame);
+  window.secondFrame = document.createElement('iframe');
+  window.firstFrame.contentDocument.documentElement.appendChild(window.secondFrame);
+  window.secondFrame.contentWindow._onunload_ = function() {
+    document.documentElement.removeChild(window.bodyEl);
+  };
+  window.firstFrame.src = '';
+}
+</script><body id="bodyEl"_onload_="start()">
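Review bot: the event-handler names in this test appear mangled as archived: `window.secondFrame.contentWindow._onunload_ = ...` and `<body id="bodyEl"_onload_="start()">` (no space between the attributes, and underscores around the handler name). This looks like list-archive rewriting of `onunload` and `onload`; verify the checked-in file uses the real names, because with the attribute as shown `start()` never runs and the test passes vacuously, since the expected output is only the console message printed before `start()` is defined. The scenario itself (removing the body from the top document from inside the nested frame's unload handler while the outer iframe navigates to `src = ''`) is the right shape to exercise the page-less `setDOMWindow` path, so a one-line comment in the test saying so would help whoever next touches it.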

Modified: branches/safari-613-branch/Source/WebCore/ChangeLog (294839 => 294840)


--- branches/safari-613-branch/Source/WebCore/ChangeLog	2022-05-25 23:49:37 UTC (rev 294839)
+++ branches/safari-613-branch/Source/WebCore/ChangeLog	2022-05-25 23:49:41 UTC (rev 294840)
@@ -1,5 +1,50 @@
 2022-05-19  Alan Coon  <alanc...@apple.com>
 
+        Cherry-pick r293819. rdar://problem/93602086
+
+    Crash in WindowProxy::setDOMWindow
+    https://bugs.webkit.org/show_bug.cgi?id=232763
+    
+    Patch by Alex Christensen <achristen...@webkit.org> on 2022-05-04
+    Reviewed by Chris Dumez.
+    
+    Source/WebCore:
+    
+    Add a few null checks here and there.
+    
+    Test: fast/dom/set-dom-window-without-page.html
+    
+    * bindings/js/WindowProxy.cpp:
+    (WebCore::WindowProxy::setDOMWindow):
+    * loader/FrameLoader.cpp:
+    (WebCore::FrameLoader::findFrameForNavigation):
+    
+    LayoutTests:
+    
+    * fast/dom/set-dom-window-without-page-expected.txt: Added.
+    * fast/dom/set-dom-window-without-page.html: Added.
+    
+    Canonical link: https://commits.webkit.org/250292@main
+    git-svn-id: https://svn.webkit.org/repository/webkit/trunk@293819 268f45cc-cd09-0410-ab3c-d52691b4dbfc
+
+    2022-05-04  Alex Christensen  <achristen...@webkit.org>
+
+            Crash in WindowProxy::setDOMWindow
+            https://bugs.webkit.org/show_bug.cgi?id=232763
+
+            Reviewed by Chris Dumez.
+
+            Add a few null checks here and there.
+
+            Test: fast/dom/set-dom-window-without-page.html
+
+            * bindings/js/WindowProxy.cpp:
+            (WebCore::WindowProxy::setDOMWindow):
+            * loader/FrameLoader.cpp:
+            (WebCore::FrameLoader::findFrameForNavigation):
+
+2022-05-19  Alan Coon  <alanc...@apple.com>
+
         Cherry-pick r293728. rdar://problem/92362769
 
     Fix buggy assert in CoreAudioSharedUnit::configureSpeakerProc
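Review bot: the new entry is spliced in between the existing "2022-05-19  Alan Coon" header and its r293728 body, with a fresh copy of that header re-added just before "Cherry-pick r293728"; the result is well-formed, but the diff reads as if the r293728 entry were being modified. As in the LayoutTests ChangeLog, the cherry-pick body from "Crash in WindowProxy::setDOMWindow" through the git-svn-id line is indented four spaces rather than the eight the surrounding entries use; re-indent for consistency.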

Modified: branches/safari-613-branch/Source/WebCore/bindings/js/WindowProxy.cpp (294839 => 294840)


--- branches/safari-613-branch/Source/WebCore/bindings/js/WindowProxy.cpp	2022-05-25 23:49:37 UTC (rev 294839)
+++ branches/safari-613-branch/Source/WebCore/bindings/js/WindowProxy.cpp	2022-05-25 23:49:41 UTC (rev 294840)
@@ -186,9 +186,10 @@
             cacheableBindingRootObject->updateGlobalObject(windowProxy->window());
 
         windowProxy->attachDebugger(page ? page->debugger() : nullptr);
-        if (page)
+        if (page) {
             windowProxy->window()->setProfileGroup(page->group().identifier());
-        windowProxy->window()->setConsoleClient(page->console());
+            windowProxy->window()->setConsoleClient(page->console());
+        }
     }
 }
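Review bot: the crash fixed here is the unconditional `page->console()` on the removed line, which ran even though `page` was already known to be nullable two lines above (`attachDebugger(page ? page->debugger() : nullptr)`); moving `setConsoleClient` under the existing `if (page)` is the correct fix. For symmetry with `attachDebugger`, consider whether the page-less case should explicitly clear the client (`windowProxy->window()->setConsoleClient(nullptr)`) rather than leaving it untouched, so a window created without a page cannot hold a console client it should not have.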
 

Modified: branches/safari-613-branch/Source/WebCore/loader/FrameLoader.cpp (294839 => 294840)


--- branches/safari-613-branch/Source/WebCore/loader/FrameLoader.cpp	2022-05-25 23:49:37 UTC (rev 294839)
+++ branches/safari-613-branch/Source/WebCore/loader/FrameLoader.cpp	2022-05-25 23:49:41 UTC (rev 294840)
@@ -3748,6 +3748,9 @@
     if (!activeDocument)
         activeDocument = m_frame.document();
 
+    if (!activeDocument)
+        return nullptr;
+
     auto* frame = m_frame.tree().find(name, activeDocument->frame() ? *activeDocument->frame() : m_frame);
 
     if (!activeDocument->canNavigate(frame))
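Review bot: the early return is the right shape, since without it `activeDocument->frame()` and `activeDocument->canNavigate(frame)` on the following lines dereference null when the frame's document has already been detached (the situation the added test creates by removing the body during a nested frame's unload). Two small asks: a one-line comment stating why `m_frame.document()` can be null here, because the ChangeLog only says "Add a few null checks here and there", and a check that every caller of `findFrameForNavigation` already treats a nullptr result as "no frame to navigate", which they presumably do for the `canNavigate` failure path directly below.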
_______________________________________________
webkit-changes mailing list
webkit-changes@lists.webkit.org
https://lists.webkit.org/mailman/listinfo/webkit-changes
