Title: [228561] trunk
- Revision
- 228561
- Author
- [email protected]
- Date
- 2018-02-16 09:46:13 -0800 (Fri, 16 Feb 2018)
Log Message
fast/frames/sandboxed-iframe-navigation-top-denied.html is crashing in Inspector::createScriptCallStackForConsole::Exec for GTK
https://bugs.webkit.org/show_bug.cgi?id=172952
Patch by Fujii Hironori <[email protected]> on 2018-02-16
Reviewed by Michael Catanzaro.
Source/JavaScriptCore:
Null dereference of VM::topCallFrame happens in
Inspector::createScriptCallStackForConsole if the ExecState has no
call frames.
* inspector/ScriptCallStackFactory.cpp:
(Inspector::createScriptCallStack): Do null check of topCallFrame.
(Inspector::createScriptCallStackForConsole): Ditto.
LayoutTests:
* platform/gtk/TestExpectations: Unmarked fast/frames/sandboxed-iframe-navigation-top-denied.html.
Diff
Modified: trunk/LayoutTests/ChangeLog (228560 => 228561)
--- trunk/LayoutTests/ChangeLog 2018-02-16 17:41:12 UTC (rev 228560)
+++ trunk/LayoutTests/ChangeLog 2018-02-16 17:46:13 UTC (rev 228561)
@@ -1,5 +1,14 @@
2018-02-16 Fujii Hironori <[email protected]>
+ fast/frames/sandboxed-iframe-navigation-top-denied.html is crashing in Inspector::createScriptCallStackForConsole::Exec for GTK
+ https://bugs.webkit.org/show_bug.cgi?id=172952
+
+ Reviewed by Michael Catanzaro.
+
+ * platform/gtk/TestExpectations: Unmarked fast/frames/sandboxed-iframe-navigation-top-denied.html.
+
+2018-02-16 Fujii Hironori <[email protected]>
+
IndexedDB: Several test crash in when destroying a IDBKeyData
https://bugs.webkit.org/show_bug.cgi?id=167576
Modified: trunk/LayoutTests/platform/gtk/TestExpectations (228560 => 228561)
--- trunk/LayoutTests/platform/gtk/TestExpectations 2018-02-16 17:41:12 UTC (rev 228560)
+++ trunk/LayoutTests/platform/gtk/TestExpectations 2018-02-16 17:46:13 UTC (rev 228561)
@@ -1302,7 +1302,6 @@
webkit.org/b/172951 editing/execCommand/crash-replacing-list-by-list.html [ Crash ]
webkit.org/b/172951 editing/inserting/insert-table-in-paragraph-crash.html [ Crash ]
-webkit.org/b/172952 fast/frames/sandboxed-iframe-navigation-top-denied.html [ Crash ]
webkit.org/b/172955 media/video-preload.html [ Crash Pass ]
Modified: trunk/Source/_javascript_Core/ChangeLog (228560 => 228561)
--- trunk/Source/_javascript_Core/ChangeLog 2018-02-16 17:41:12 UTC (rev 228560)
+++ trunk/Source/_javascript_Core/ChangeLog 2018-02-16 17:46:13 UTC (rev 228561)
@@ -1,3 +1,18 @@
+2018-02-16 Fujii Hironori <[email protected]>
+
+ fast/frames/sandboxed-iframe-navigation-top-denied.html is crashing in Inspector::createScriptCallStackForConsole::Exec for GTK
+ https://bugs.webkit.org/show_bug.cgi?id=172952
+
+ Reviewed by Michael Catanzaro.
+
+ Null dereference of VM::topCallFrame happens in
+ Inspector::createScriptCallStackForConsole if the ExecState has no
+ call frames.
+
+ * inspector/ScriptCallStackFactory.cpp:
+ (Inspector::createScriptCallStack): Do null check of topCallFrame.
+ (Inspector::createScriptCallStackForConsole): Ditto.
+
2018-02-15 Filip Pizlo <[email protected]>
Objects that contain dangerous things should be allocated far away from objects that can do OOB
Modified: trunk/Source/_javascript_Core/inspector/ScriptCallStackFactory.cpp (228560 => 228561)
--- trunk/Source/_javascript_Core/inspector/ScriptCallStackFactory.cpp 2018-02-16 17:41:12 UTC (rev 228560)
+++ trunk/Source/_javascript_Core/inspector/ScriptCallStackFactory.cpp 2018-02-16 17:46:13 UTC (rev 228561)
@@ -92,6 +92,8 @@
Vector<ScriptCallFrame> frames;
CallFrame* frame = exec->vm().topCallFrame;
+ if (!frame)
+ return ScriptCallStack::create();
CreateScriptCallStackFunctor functor(false, frames, maxStackSize);
frame->iterate(functor);
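Review bot: the early return at `if (!frame) return ScriptCallStack::create();` is a sound fallback for a null `topCallFrame`, but it deserves a one-line comment stating when that happens (per the ChangeLog, when the ExecState has no call frames) so the next reader does not mistake it for dead code. Returning an empty stack rather than asserting is the right choice here: a console message emitted with no JS on the stack should yield no frames, not a crash.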
@@ -107,6 +109,8 @@
Vector<ScriptCallFrame> frames;
CallFrame* frame = exec->vm().topCallFrame;
+ if (!frame)
+ return ScriptCallStack::create();
CreateScriptCallStackFunctor functor(true, frames, maxStackSize);
frame->iterate(functor);
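Review bot: this is the same two-line check as in createScriptCallStack above, the only difference between the two bodies being the `true`/`false` argument to CreateScriptCallStackFunctor; funnelling both through one shared helper would keep the null handling in a single place so a future user of `topCallFrame` in this file does not reintroduce the crash. Note also that `exec` itself is dereferenced unchecked at `exec->vm().topCallFrame`; if any caller of createScriptCallStackForConsole can pass a null ExecState, that path is still unprotected and is worth a follow-up.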