Title: [271239] trunk
Revision
271239
Author
[email protected]
Date
2021-01-07 09:23:23 -0800 (Thu, 07 Jan 2021)

Log Message

Null check global object in Blob::stream
https://bugs.webkit.org/show_bug.cgi?id=220393
<rdar://problem/71626701>

Patch by Alex Christensen <[email protected]> on 2021-01-07
Reviewed by Chris Dumez.

Source/WebCore:

Sometimes during a frame teardown we could dereference null.
Attached a test that hit it about 10% of the time for me in WebKitTestRunner before this change.

Test: fast/files/blob-stream-crash.html

* fileapi/Blob.cpp:
(WebCore::Blob::stream):

LayoutTests:

* fast/files/blob-stream-crash-expected.txt: Added.
* fast/files/blob-stream-crash.html: Added.

Diff

Modified: trunk/LayoutTests/ChangeLog (271238 => 271239)


--- trunk/LayoutTests/ChangeLog	2021-01-07 17:13:03 UTC (rev 271238)
+++ trunk/LayoutTests/ChangeLog	2021-01-07 17:23:23 UTC (rev 271239)
@@ -1,3 +1,14 @@
+2021-01-07  Alex Christensen  <[email protected]>
+
+        Null check global object in Blob::stream
+        https://bugs.webkit.org/show_bug.cgi?id=220393
+        <rdar://problem/71626701>
+
+        Reviewed by Chris Dumez.
+
+        * fast/files/blob-stream-crash-expected.txt: Added.
+        * fast/files/blob-stream-crash.html: Added.
+
 2021-01-07  Lauro Moura  <[email protected]>
 
         REGRESSION(r270425) [GTK] wheel scrolling stopped working

Added: trunk/LayoutTests/fast/files/blob-stream-crash-expected.txt (0 => 271239)


--- trunk/LayoutTests/fast/files/blob-stream-crash-expected.txt	                        (rev 0)
+++ trunk/LayoutTests/fast/files/blob-stream-crash-expected.txt	2021-01-07 17:23:23 UTC (rev 271239)
@@ -0,0 +1 @@
+This test passes if it never crashes.

Added: trunk/LayoutTests/fast/files/blob-stream-crash.html (0 => 271239)


--- trunk/LayoutTests/fast/files/blob-stream-crash.html	                        (rev 0)
+++ trunk/LayoutTests/fast/files/blob-stream-crash.html	2021-01-07 17:23:23 UTC (rev 271239)
@@ -0,0 +1,12 @@
+<script>
+  if (window.testRunner) { testRunner.dumpAsText(); }
+(async () => {
+  for (let i=0; i<1000; i++) {
+    try {
+      await new OfflineAudioContext({numberOfChannels: 1, length: 1, sampleRate: 3000}).decodeAudioData(new ArrayBuffer(1));
+    } catch {}
+    new Blob().stream();
+  }
+})()
+</script>
+This test passes if it never crashes.
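Review bot: the test never signals completion to the harness, so WebKitTestRunner can dump the page text and end the test as soon as the load finishes, before the 1000-iteration loop has run more than its first `await decodeAudioData(...)`. Pair `testRunner.dumpAsText()` with `testRunner.waitUntilDone()` before starting the loop and call `testRunner.notifyDone()` at the end of the async function (guarded by `if (window.testRunner)`), so the whole loop, and the `new Blob().stream()` call it exercises each pass, runs under the harness and a regression is actually caught. Minor: the `if (window.testRunner)` line is indented two spaces while the rest of the script is not.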

Modified: trunk/Source/WebCore/ChangeLog (271238 => 271239)


--- trunk/Source/WebCore/ChangeLog	2021-01-07 17:13:03 UTC (rev 271238)
+++ trunk/Source/WebCore/ChangeLog	2021-01-07 17:23:23 UTC (rev 271239)
@@ -1,3 +1,19 @@
+2021-01-07  Alex Christensen  <[email protected]>
+
+        Null check global object in Blob::stream
+        https://bugs.webkit.org/show_bug.cgi?id=220393
+        <rdar://problem/71626701>
+
+        Reviewed by Chris Dumez.
+
+        Sometimes during a frame teardown we could dereference null.
+        Attached a test that hit it about 10% of the time for me in WebKitTestRunner before this change.
+
+        Test: fast/files/blob-stream-crash.html
+
+        * fileapi/Blob.cpp:
+        (WebCore::Blob::stream):
+
 2021-01-07  Lauro Moura  <[email protected]>
 
         REGRESSION(r270425) [GTK] wheel scrolling stopped working

Modified: trunk/Source/WebCore/fileapi/Blob.cpp (271238 => 271239)


--- trunk/Source/WebCore/fileapi/Blob.cpp	2021-01-07 17:13:03 UTC (rev 271238)
+++ trunk/Source/WebCore/fileapi/Blob.cpp	2021-01-07 17:23:23 UTC (rev 271239)
@@ -277,7 +277,10 @@
         UniqueRef<FileReaderLoader> m_loader;
     };
 
-    return ReadableStream::create(*scriptExecutionContext.globalObject(), adoptRef(*new BlobStreamSource(scriptExecutionContext, *this)));
+    auto* globalObject = scriptExecutionContext.globalObject();
+    if (!globalObject)
+        return Exception { InvalidStateError };
+    return ReadableStream::create(*globalObject, adoptRef(*new BlobStreamSource(scriptExecutionContext, *this)));
 }
 
 #if ASSERT_ENABLED
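Review bot: `return Exception { InvalidStateError };` only compiles if `Blob::stream` already returns `ExceptionOr<Ref<ReadableStream>>`; the hunk's context does not show the signature, so confirm that is the existing return type and that the IDL binding turns the early return into a thrown InvalidStateError for `blob.stream()` rather than an unhandled result. Checking `globalObject` before constructing the `BlobStreamSource` is the right ordering: the removed line allocated the source and dereferenced `scriptExecutionContext.globalObject()` in the same expression, so the crashing path also did work it could never use. A short message on the `Exception` (WebKit's `Exception` takes an optional message string) would make this teardown case distinguishable from other InvalidStateError sites in the file.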
_______________________________________________
webkit-changes mailing list
[email protected]
https://lists.webkit.org/mailman/listinfo/webkit-changes
