Title: [214800] releases/WebKitGTK/webkit-2.16
Revision
214800
Author
carlo...@webkit.org
Date
2017-04-03 09:22:16 -0700 (Mon, 03 Apr 2017)

Log Message

Merge r214375 - A null compound index value crashes the Databases process.
<rdar://problem/30499831> and https://bugs.webkit.org/show_bug.cgi?id=170000

Reviewed by Alex Christensen.

Source/WebCore:

Test: storage/indexeddb/modern/single-entry-index-invalid-key-crash.html

* bindings/js/IDBBindingUtilities.cpp:
(WebCore::createKeyPathArray): Fix the bug by rejecting arrays with any invalid keys in them.

Add some logging:
* Modules/indexeddb/IDBKeyPath.cpp:
(WebCore::loggingString):
* Modules/indexeddb/IDBKeyPath.h:
* Modules/indexeddb/IDBObjectStore.cpp:
(WebCore::IDBObjectStore::createIndex):
* Modules/indexeddb/shared/IDBIndexInfo.cpp:
(WebCore::IDBIndexInfo::loggingString):

LayoutTests:

* storage/indexeddb/modern/resources/single-entry-index-invalid-key-crash.js: Added.
* storage/indexeddb/modern/single-entry-index-invalid-key-crash-expected.txt: Added.
* storage/indexeddb/modern/single-entry-index-invalid-key-crash-private-expected.txt: Added.
* storage/indexeddb/modern/single-entry-index-invalid-key-crash-private.html: Added.
* storage/indexeddb/modern/single-entry-index-invalid-key-crash.html: Added.

Diff

Modified: releases/WebKitGTK/webkit-2.16/LayoutTests/ChangeLog (214799 => 214800)


--- releases/WebKitGTK/webkit-2.16/LayoutTests/ChangeLog	2017-04-03 16:11:27 UTC (rev 214799)
+++ releases/WebKitGTK/webkit-2.16/LayoutTests/ChangeLog	2017-04-03 16:22:16 UTC (rev 214800)
@@ -1,3 +1,16 @@
+2017-03-24  Brady Eidson  <beid...@apple.com>
+
+        A null compound index value crashes the Databases process.
+        <rdar://problem/30499831> and https://bugs.webkit.org/show_bug.cgi?id=170000
+
+        Reviewed by Alex Christensen.
+
+        * storage/indexeddb/modern/resources/single-entry-index-invalid-key-crash.js: Added.
+        * storage/indexeddb/modern/single-entry-index-invalid-key-crash-expected.txt: Added.
+        * storage/indexeddb/modern/single-entry-index-invalid-key-crash-private-expected.txt: Added.
+        * storage/indexeddb/modern/single-entry-index-invalid-key-crash-private.html: Added.
+        * storage/indexeddb/modern/single-entry-index-invalid-key-crash.html: Added.
+
 2017-03-24  Daniel Bates  <daba...@apple.com>
 
         Prevent new navigations during document unload

Added: releases/WebKitGTK/webkit-2.16/LayoutTests/storage/indexeddb/modern/resources/single-entry-index-invalid-key-crash.js (0 => 214800)


--- releases/WebKitGTK/webkit-2.16/LayoutTests/storage/indexeddb/modern/resources/single-entry-index-invalid-key-crash.js	                        (rev 0)
+++ releases/WebKitGTK/webkit-2.16/LayoutTests/storage/indexeddb/modern/resources/single-entry-index-invalid-key-crash.js	2017-04-03 16:22:16 UTC (rev 214800)
@@ -0,0 +1,29 @@
+description("Tests that adding to an object store, with a single-entry Index, where the index key is an array that is not entirely valid... does not crash.");
+
+indexedDBTest(prepareDatabase);
+
+function log(message)
+{
+    debug(message);
+}
+
+function prepareDatabase(event)
+{
+    db = event.target.result;
+    os = db.createObjectStore("friends", { keyPath: "id", autoIncrement: true });
+	idx = os.createIndex("[age+shoeSize]", ["age", "shoeSize"]);
+	os.add({ name: "Mark", age: 29, shoeSize: null });
+
+	idx.openCursor()._onsuccess_ = function(event) {
+	    if (event.target.result)
+	        log("Index unexpectedly has an entry");
+        else
+	        log("Index has no entries");
+    };
+	
+    event.target.transaction._oncomplete_ = function() {
+        finishJSTest();
+    };
+}
+
+ 
\ No newline at end of file
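Review bot: the cursor result in `idx.openCursor()` is only logged, so the unexpected branch (`log("Index unexpectedly has an entry")`) would change the expected output without producing a FAIL marker in the results; use `testPassed`/`testFailed` there (or a `shouldBeNull("event.target.result")` style check) so a regression is flagged as a failure rather than as a text diff that someone has to notice. Smaller points in the same file: `db`, `os` and `idx` are assigned without `var`/`let` and become globals; the `createIndex`/`add`/`openCursor` lines use tab indentation while the rest of the file uses spaces; and the file ends with a whitespace-only line and no trailing newline.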

Added: releases/WebKitGTK/webkit-2.16/LayoutTests/storage/indexeddb/modern/single-entry-index-invalid-key-crash-expected.txt (0 => 214800)


--- releases/WebKitGTK/webkit-2.16/LayoutTests/storage/indexeddb/modern/single-entry-index-invalid-key-crash-expected.txt	                        (rev 0)
+++ releases/WebKitGTK/webkit-2.16/LayoutTests/storage/indexeddb/modern/single-entry-index-invalid-key-crash-expected.txt	2017-04-03 16:22:16 UTC (rev 214800)
@@ -0,0 +1,14 @@
+Tests that adding to an object store, with a single-entry Index, where the index key is an array that is not entirely valid... does not crash.
+
+On success, you will see a series of "PASS" messages, followed by "TEST COMPLETE".
+
+
+indexedDB = self.indexedDB || self.webkitIndexedDB || self.mozIndexedDB || self.msIndexedDB || self.OIndexedDB;
+
+indexedDB.deleteDatabase(dbname)
+indexedDB.open(dbname)
+Index has no entries
+PASS successfullyParsed is true
+
+TEST COMPLETE
+

Added: releases/WebKitGTK/webkit-2.16/LayoutTests/storage/indexeddb/modern/single-entry-index-invalid-key-crash-private-expected.txt (0 => 214800)


--- releases/WebKitGTK/webkit-2.16/LayoutTests/storage/indexeddb/modern/single-entry-index-invalid-key-crash-private-expected.txt	                        (rev 0)
+++ releases/WebKitGTK/webkit-2.16/LayoutTests/storage/indexeddb/modern/single-entry-index-invalid-key-crash-private-expected.txt	2017-04-03 16:22:16 UTC (rev 214800)
@@ -0,0 +1,14 @@
+Tests that adding to an object store, with a single-entry Index, where the index key is an array that is not entirely valid... does not crash.
+
+On success, you will see a series of "PASS" messages, followed by "TEST COMPLETE".
+
+
+indexedDB = self.indexedDB || self.webkitIndexedDB || self.mozIndexedDB || self.msIndexedDB || self.OIndexedDB;
+
+indexedDB.deleteDatabase(dbname)
+indexedDB.open(dbname)
+Index has no entries
+PASS successfullyParsed is true
+
+TEST COMPLETE
+

Added: releases/WebKitGTK/webkit-2.16/LayoutTests/storage/indexeddb/modern/single-entry-index-invalid-key-crash-private.html (0 => 214800)


--- releases/WebKitGTK/webkit-2.16/LayoutTests/storage/indexeddb/modern/single-entry-index-invalid-key-crash-private.html	                        (rev 0)
+++ releases/WebKitGTK/webkit-2.16/LayoutTests/storage/indexeddb/modern/single-entry-index-invalid-key-crash-private.html	2017-04-03 16:22:16 UTC (rev 214800)
@@ -0,0 +1,10 @@
+<html>
+<head>
+<script src=""
+<script src=""
+</head>
+<body>
+
+<script src=""
+</body>
+</html>
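Review bot: as shown, the three `<script src=""` tags have empty src attributes and no closing `>` or `</script>`, so this page would load neither the test harness nor resources/single-entry-index-invalid-key-crash.js. If this is an artifact of the mailing-list rendering it can be ignored; otherwise the tags need their resource paths and closing tags before landing.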

Added: releases/WebKitGTK/webkit-2.16/LayoutTests/storage/indexeddb/modern/single-entry-index-invalid-key-crash.html (0 => 214800)


--- releases/WebKitGTK/webkit-2.16/LayoutTests/storage/indexeddb/modern/single-entry-index-invalid-key-crash.html	                        (rev 0)
+++ releases/WebKitGTK/webkit-2.16/LayoutTests/storage/indexeddb/modern/single-entry-index-invalid-key-crash.html	2017-04-03 16:22:16 UTC (rev 214800)
@@ -0,0 +1,10 @@
+<html>
+<head>
+<script src=""
+<script src=""
+</head>
+<body>
+
+<script src=""
+</body>
+</html>
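Review bot: this file is identical to the -private.html variant above, and the two expected files are identical as well, so whatever distinguishes the private-browsing run must live entirely in the script paths that are not visible here. Confirm the private variant actually pulls in the private-browsing harness; with identical markup the two tests would otherwise exercise the same configuration twice.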

Modified: releases/WebKitGTK/webkit-2.16/Source/WebCore/ChangeLog (214799 => 214800)


--- releases/WebKitGTK/webkit-2.16/Source/WebCore/ChangeLog	2017-04-03 16:11:27 UTC (rev 214799)
+++ releases/WebKitGTK/webkit-2.16/Source/WebCore/ChangeLog	2017-04-03 16:22:16 UTC (rev 214800)
@@ -1,3 +1,24 @@
+2017-03-24  Brady Eidson  <beid...@apple.com>
+
+        A null compound index value crashes the Databases process.
+        <rdar://problem/30499831> and https://bugs.webkit.org/show_bug.cgi?id=170000
+
+        Reviewed by Alex Christensen.
+
+        Test: storage/indexeddb/modern/single-entry-index-invalid-key-crash.html
+
+        * bindings/js/IDBBindingUtilities.cpp:
+        (WebCore::createKeyPathArray): Fix the bug by rejecting arrays with any invalid keys in them.
+        
+        Add some logging:
+        * Modules/indexeddb/IDBKeyPath.cpp:
+        (WebCore::loggingString):
+        * Modules/indexeddb/IDBKeyPath.h:
+        * Modules/indexeddb/IDBObjectStore.cpp:
+        (WebCore::IDBObjectStore::createIndex):
+        * Modules/indexeddb/shared/IDBIndexInfo.cpp:
+        (WebCore::IDBIndexInfo::loggingString):
+
 2017-03-24  Daniel Bates  <daba...@apple.com>
 
         Prevent new navigations during document unload

Modified: releases/WebKitGTK/webkit-2.16/Source/WebCore/Modules/indexeddb/IDBKeyPath.cpp (214799 => 214800)


--- releases/WebKitGTK/webkit-2.16/Source/WebCore/Modules/indexeddb/IDBKeyPath.cpp	2017-04-03 16:11:27 UTC (rev 214799)
+++ releases/WebKitGTK/webkit-2.16/Source/WebCore/Modules/indexeddb/IDBKeyPath.cpp	2017-04-03 16:22:16 UTC (rev 214800)
@@ -1,5 +1,6 @@
 /*
  * Copyright (C) 2010 Google Inc. All rights reserved.
+ * Copyright (C) 2016-2017 Apple Inc. All rights reserved.
  *
  * Redistribution and use in source and binary forms, with or without
  * modification, are permitted provided that the following conditions
@@ -30,6 +31,7 @@
 
 #include <wtf/ASCIICType.h>
 #include <wtf/dtoa.h>
+#include <wtf/text/StringBuilder.h>
 
 namespace WebCore {
 
@@ -221,6 +223,31 @@
     return WTF::visit(visitor, keyPath);
 }
 
+#ifndef NDEBUG
+String loggingString(const IDBKeyPath& path)
+{
+    auto visitor = WTF::makeVisitor([](const String& string) {
+        return makeString("< ", string, " >");
+    }, [](const Vector<String>& strings) {
+        if (strings.isEmpty())
+            return String("< >");
+
+        StringBuilder builder;
+        builder.append("< ");
+        for (size_t i = 0; i < strings.size() - 1; ++i) {
+            builder.append(strings[i]);
+            builder.append(", ");
+        }
+        builder.append(strings.last());
+        builder.append(" >");
+
+        return builder.toString();
+    });
+
+    return WTF::visit(visitor, path);
+}
+#endif
+
 } // namespace WebCore
 
 #endif // ENABLE(INDEXED_DATABASE)
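Review bot: the new `loggingString(const IDBKeyPath&)` is compiled only under `#ifndef NDEBUG`, but its callers in this patch are a `LOG(IndexedDB, ...)` statement in IDBObjectStore.cpp and `IDBIndexInfo::loggingString`; LOG() is controlled by `LOG_DISABLED`, not `NDEBUG`, so if those call sites are compiled under `!LOG_DISABLED` a configuration with NDEBUG defined and logging enabled will fail to link. Guard the definition here and the declaration in IDBKeyPath.h with `#if !LOG_DISABLED` to match the call sites. The visitor itself looks right: both lambdas return `String`, and the `isEmpty()` early return keeps `strings.size() - 1` from underflowing.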

Modified: releases/WebKitGTK/webkit-2.16/Source/WebCore/Modules/indexeddb/IDBKeyPath.h (214799 => 214800)


--- releases/WebKitGTK/webkit-2.16/Source/WebCore/Modules/indexeddb/IDBKeyPath.h	2017-04-03 16:11:27 UTC (rev 214799)
+++ releases/WebKitGTK/webkit-2.16/Source/WebCore/Modules/indexeddb/IDBKeyPath.h	2017-04-03 16:22:16 UTC (rev 214800)
@@ -1,5 +1,6 @@
 /*
  * Copyright (C) 2010 Google Inc. All rights reserved.
+ * Copyright (C) 2016-2017 Apple Inc. All rights reserved.
  *
  * Redistribution and use in source and binary forms, with or without
  * modification, are permitted provided that the following conditions
@@ -52,6 +53,10 @@
     return isolatedCopy(variant.value());
 }
 
+#ifndef NDEBUG
+String loggingString(const IDBKeyPath&);
+#endif
+
 } // namespace WebCore
 
 #endif

Modified: releases/WebKitGTK/webkit-2.16/Source/WebCore/Modules/indexeddb/IDBObjectStore.cpp (214799 => 214800)


--- releases/WebKitGTK/webkit-2.16/Source/WebCore/Modules/indexeddb/IDBObjectStore.cpp	2017-04-03 16:11:27 UTC (rev 214799)
+++ releases/WebKitGTK/webkit-2.16/Source/WebCore/Modules/indexeddb/IDBObjectStore.cpp	2017-04-03 16:22:16 UTC (rev 214800)
@@ -424,7 +424,7 @@
 
 ExceptionOr<Ref<IDBIndex>> IDBObjectStore::createIndex(ExecState&, const String& name, IDBKeyPath&& keyPath, const IndexParameters& parameters)
 {
-    LOG(IndexedDB, "IDBObjectStore::createIndex %s", name.utf8().data());
+    LOG(IndexedDB, "IDBObjectStore::createIndex %s (keyPath: %s, unique: %i, multiEntry: %i)", name.utf8().data(), loggingString(keyPath).utf8().data(), parameters.unique, parameters.multiEntry);
     ASSERT(currentThread() == m_transaction.database().originThreadID());
 
     if (!m_transaction.isVersionChange())

Modified: releases/WebKitGTK/webkit-2.16/Source/WebCore/Modules/indexeddb/shared/IDBIndexInfo.cpp (214799 => 214800)


--- releases/WebKitGTK/webkit-2.16/Source/WebCore/Modules/indexeddb/shared/IDBIndexInfo.cpp	2017-04-03 16:11:27 UTC (rev 214799)
+++ releases/WebKitGTK/webkit-2.16/Source/WebCore/Modules/indexeddb/shared/IDBIndexInfo.cpp	2017-04-03 16:22:16 UTC (rev 214800)
@@ -56,7 +56,7 @@
     for (int i = 0; i < indent; ++i)
         indentString.append(" ");
 
-    return makeString(indentString, "Index: ", m_name, String::format(" (%" PRIu64 ") \n", m_identifier));
+    return makeString(indentString, "Index: ", m_name, String::format(" (%" PRIu64 ") keyPath: %s\n", m_identifier, WebCore::loggingString(m_keyPath).utf8().data()));
 }
 
 String IDBIndexInfo::condensedLoggingString() const
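Review bot: the key path is routed through `String::format(" ... keyPath: %s\n", ..., WebCore::loggingString(m_keyPath).utf8().data())`, which pushes a UTF-8 byte string through a printf-style formatter and can mangle non-ASCII key path components; since the result feeds `makeString` anyway, pass the String directly, e.g. `makeString(indentString, "Index: ", m_name, String::format(" (%" PRIu64 ") ", m_identifier), "keyPath: ", WebCore::loggingString(m_keyPath), "\n")`, which also drops the CString temporary. The explicit `WebCore::` qualification is needed because the unqualified name would resolve to the member `IDBIndexInfo::loggingString`; a one-line comment saying so would help the next reader.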

Modified: releases/WebKitGTK/webkit-2.16/Source/WebCore/bindings/js/IDBBindingUtilities.cpp (214799 => 214800)


--- releases/WebKitGTK/webkit-2.16/Source/WebCore/bindings/js/IDBBindingUtilities.cpp	2017-04-03 16:11:27 UTC (rev 214799)
+++ releases/WebKitGTK/webkit-2.16/Source/WebCore/bindings/js/IDBBindingUtilities.cpp	2017-04-03 16:22:16 UTC (rev 214800)
@@ -393,7 +393,7 @@
         Vector<IDBKeyData> keys;
         for (auto& entry : vector) {
             auto key = internalCreateIDBKeyFromScriptValueAndKeyPath(exec, value, entry);
-            if (!key)
+            if (!key || !key->isValid())
                 return { };
             keys.append(key.get());
         }
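Review bot: the added `!key->isValid()` check lives in the WebContent-process binding layer (bindings/js), while the crash in the title is in the Databases process. That closes the path for well-behaved content, but the Databases process receives index key data over IPC from a process that must be assumed untrusted, so it should also refuse an `IDBKeyData` that is not valid (or an array containing one) where it builds index records, rather than relying on the sender having filtered it; the new layout test only exercises the binding-layer path. Minor: returning `{ }` here makes "key path resolved to an invalid key" indistinguishable from "key path did not resolve" for the caller, which gives the intended result (no index record is added) but deserves a short comment at the `return { };`.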
_______________________________________________
webkit-changes mailing list
webkit-changes@lists.webkit.org
https://lists.webkit.org/mailman/listinfo/webkit-changes