[webkit-changes] [276530] trunk/Source/WebCore

[rniwa]

Title: [276530] trunk/Source/WebCore

Revision

276530

Author

rn...@webkit.org

Date

2021-04-23 16:45:57 -0700 (Fri, 23 Apr 2021)

Log Message

Crash in constructCustomElementSynchronously
https://bugs.webkit.org/show_bug.cgi?id=224992
<rdar://66988026>

Reviewed by Tadeu Zagallo.

Exit early when the global object is nullptr although this shouldn't happen.

No new tests since we have no reproductions.

* bindings/js/JSCustomElementInterface.cpp:
(WebCore::JSCustomElementInterface::tryToConstructCustomElement): Added a null check.

Modified Paths

• trunk/Source/WebCore/ChangeLog
• trunk/Source/WebCore/bindings/js/JSCustomElementInterface.cpp

Diff

Modified: trunk/Source/WebCore/ChangeLog (276529 => 276530)

--- trunk/Source/WebCore/ChangeLog	2021-04-23 23:38:34 UTC (rev 276529)
+++ trunk/Source/WebCore/ChangeLog	2021-04-23 23:45:57 UTC (rev 276530)
@@ -1,3 +1,18 @@
+2021-04-23  Ryosuke Niwa  <rn...@webkit.org>
+
+        Crash in constructCustomElementSynchronously
+        https://bugs.webkit.org/show_bug.cgi?id=224992
+        <rdar://66988026>
+
+        Reviewed by Tadeu Zagallo.
+
+        Exit early when the global object is nullptr although this shouldn't happen.
+
+        No new tests since we have no reproductions.
+
+        * bindings/js/JSCustomElementInterface.cpp:
+        (WebCore::JSCustomElementInterface::tryToConstructCustomElement): Added a null check.
+
 2021-04-23  Don Olmstead  <don.olmst...@sony.com>
 
         Add additional guards around USE_ANGLE

Modified: trunk/Source/WebCore/bindings/js/JSCustomElementInterface.cpp (276529 => 276530)

--- trunk/Source/WebCore/bindings/js/JSCustomElementInterface.cpp	2021-04-23 23:38:34 UTC (rev 276529)
+++ trunk/Source/WebCore/bindings/js/JSCustomElementInterface.cpp	2021-04-23 23:45:57 UTC (rev 276530)
@@ -99,13 +99,16 @@
         return nullptr;
 
     ASSERT(&document == scriptExecutionContext());
-    auto& lexicalGlobalObject = *document.globalObject();
-    auto element = constructCustomElementSynchronously(document, vm, lexicalGlobalObject, m_constructor.get(), localName);
+    auto* lexicalGlobalObject = document.globalObject();
+    ASSERT(lexicalGlobalObject);
+    if (!lexicalGlobalObject)
+        return nullptr;
+    auto element = constructCustomElementSynchronously(document, vm, *lexicalGlobalObject, m_constructor.get(), localName);
     EXCEPTION_ASSERT(!!scope.exception() == !element);
     if (!element) {
         auto* exception = scope.exception();
         scope.clearException();
-        reportException(&lexicalGlobalObject, exception);
+        reportException(lexicalGlobalObject, exception);
         return nullptr;
     }
 

_______________________________________________
webkit-changes mailing list
webkit-changes@lists.webkit.org
https://lists.webkit.org/mailman/listinfo/webkit-changes