Title: [125077] trunk/Source
- Revision
- 125077
- Author
- aba...@webkit.org
- Date
- 2012-08-08 13:03:37 -0700 (Wed, 08 Aug 2012)
Log Message
Crash when reloading a Chromium "platform" app
https://bugs.webkit.org/show_bug.cgi?id=93497
Reviewed by Eric Seidel.
Source/WebCore:
The framework for Chromium "platform" apps executes a big blob of
script during the didCreateScriptContext callback. This blob of scripts
interacts with a bunch of JavaScript objects and triggers a number of
security checks.
When reloading a frame, the didCreateScriptContext is called during
Frame::setDocument (as a consequence of calling
ScriptController::updateDocument). At that time, the SecurityOrigin
object hasn't yet been copied over to the DOMWindow, and we crash
trying to grab it.
The long-term fix for this bug is to fix
https://bugs.webkit.org/show_bug.cgi?id=75793, at which point there
will no longer be a SecurityOrigin object on DOMWindow. In the
meantime, however, we can fix this crash by null checking the
DOMWindow's SecurityOrigin object.
* bindings/generic/BindingSecurity.cpp:
(WebCore::canAccessDocument):
Source/WebKit/chromium:
Test that we don't crash when executing script during the
didCreateScriptContext callback.
* tests/WebFrameTest.cpp:
* tests/data/hello_world.html: Added.
Diff
Modified: trunk/Source/WebCore/ChangeLog (125076 => 125077)
--- trunk/Source/WebCore/ChangeLog 2012-08-08 19:55:37 UTC (rev 125076)
+++ trunk/Source/WebCore/ChangeLog 2012-08-08 20:03:37 UTC (rev 125077)
@@ -1,3 +1,30 @@
+2012-08-08 Adam Barth <aba...@webkit.org>
+
+ Crash when reloading a Chromium "platform" app
+ https://bugs.webkit.org/show_bug.cgi?id=93497
+
+ Reviewed by Eric Seidel.
+
+ The framework for Chromium "platform" apps executes a big blob of
+ script during the didCreateScriptContext callback. This blob of scripts
+ interacts with a bunch of _javascript_ objects and triggers a number of
+ security checks.
+
+ When reloading a frame, the didCreateScriptContext is called during
+ Frame::setDocument (as a consequence of calling
+ ScriptController::updateDocument). At that time, the SecurityOrigin
+ object hasn't yet been copied over to the DOMWindow, and we crash
+ trying to grab it.
+
+ The long-term fix for this bug is to fix
+ https://bugs.webkit.org/show_bug.cgi?id=75793, at which point there
+ will no longer be a SecurityOrigin object on DOMWindow. In the
+ meantime, however, we can fix this crash by null checking the
+ DOMWindow's SecurityOrigin object.
+
+ * bindings/generic/BindingSecurity.cpp:
+ (WebCore::canAccessDocument):
+
2012-08-08 Dean Jackson <d...@apple.com>
Unreviewed build fix for Mac port after http://trac.webkit.org/changeset/125051
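Review bot: The entry explains the crash but not the behavioural choice the fix makes: the new guard in WebCore::canAccessDocument returns false when the active DOMWindow has no SecurityOrigin yet, so script run by the embedder during didCreateScriptContext is denied cross-document access rather than granted it. Stating that fail-closed decision explicitly here (one sentence after "null checking the DOMWindow's SecurityOrigin object") would save a later reader from having to infer it from the code, especially since the FIXME points at bug 75793 as the real fix.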
Modified: trunk/Source/WebCore/bindings/generic/BindingSecurity.cpp (125076 => 125077)
--- trunk/Source/WebCore/bindings/generic/BindingSecurity.cpp 2012-08-08 19:55:37 UTC (rev 125076)
+++ trunk/Source/WebCore/bindings/generic/BindingSecurity.cpp 2012-08-08 20:03:37 UTC (rev 125077)
@@ -51,6 +51,16 @@
if (!active)
return false;
+ // If the embedder executes _javascript_ synchronously during the didCreateScriptContext callback,
+ // in some cases the active SecurityOrigin will not yet be copied to the DOMWindow. For example,
+ // Frame::setDocument can trigger didCreateScriptContext during ScriptController::updateDocument.
+ //
+ // FIXME: Remove this branch once we manage to delete DOMWindow::m_securityOrigin. Ideally, we'd
+ // get the SecurityOrigin from the Document rather than the DOMWindow. In that case, there
+ // shouldn't ever be a chance to execute script before the SecurityOrigin object is created.
+ if (!active->securityOrigin())
+ return false;
+
if (active->securityOrigin()->canAccess(targetDocument->securityOrigin()))
return true;
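Review bot: The new guard `if (!active->securityOrigin()) return false;` correctly fails closed, but `active->securityOrigin()` is evaluated again on the very next line; hoisting it into a local (`SecurityOrigin* activeOrigin = active->securityOrigin();`) ties the null check visibly to its use and avoids the repeated accessor call. The comment block is thorough on why the origin can be null, yet it does not say what the early return means for the caller; one added sentence noting that script executed during didCreateScriptContext is denied access in this window would stop a skimming reader from taking the early `return false` for an allow path.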
Modified: trunk/Source/WebKit/chromium/ChangeLog (125076 => 125077)
--- trunk/Source/WebKit/chromium/ChangeLog 2012-08-08 19:55:37 UTC (rev 125076)
+++ trunk/Source/WebKit/chromium/ChangeLog 2012-08-08 20:03:37 UTC (rev 125077)
@@ -1,3 +1,16 @@
+2012-08-08 Adam Barth <aba...@webkit.org>
+
+ Crash when reloading a Chromium "platform" app
+ https://bugs.webkit.org/show_bug.cgi?id=93497
+
+ Reviewed by Eric Seidel.
+
+ Test that we don't crash when executing script during the
+ didCreateScriptContext callback.
+
+ * tests/WebFrameTest.cpp:
+ * tests/data/hello_world.html: Added.
+
2012-08-07 Joshua Bell <jsb...@chromium.org>
Layout Test storage/indexeddb/intversion-omit-parameter.html is flaky
Modified: trunk/Source/WebKit/chromium/tests/WebFrameTest.cpp (125076 => 125077)
--- trunk/Source/WebKit/chromium/tests/WebFrameTest.cpp 2012-08-08 19:55:37 UTC (rev 125076)
+++ trunk/Source/WebKit/chromium/tests/WebFrameTest.cpp 2012-08-08 20:03:37 UTC (rev 125077)
@@ -804,6 +804,25 @@
EXPECT_TRUE(selectionHtml.isEmpty());
}
+class TestExecuteScriptDuringDidCreateScriptContext : public WebFrameClient {
+public:
+ virtual void didCreateScriptContext(WebFrame* frame, v8::Handle<v8::Context> context, int extensionGroup, int worldId) OVERRIDE
+ {
+ frame->executeScript(WebScriptSource("window.history = 'replaced';"));
+ }
+};
+
+TEST_F(WebFrameTest, ExecuteScriptDuringDidCreateScriptContext)
+{
+ registerMockedHttpURLLoad("hello_world.html");
+
+ TestExecuteScriptDuringDidCreateScriptContext webFrameClient;
+ WebView* webView = FrameTestHelpers::createWebViewAndLoad(m_baseURL + "hello_world.html", true, &webFrameClient);
+
+ webView->mainFrame()->reload();
+ webkit_support::ServeAsynchronousMockedRequests();
+}
+
class TestDidCreateFrameWebFrameClient : public WebFrameClient {
public:
TestDidCreateFrameWebFrameClient() : m_frameCount(0), m_parent(0)
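Review bot: The test contains no assertions, so it fails only on a crash; if didCreateScriptContext stopped being invoked during reload the test would pass vacuously and no longer guard the path this change fixes. Suggest having TestExecuteScriptDuringDidCreateScriptContext count its invocations (an `int m_callCount` incremented in the override) and adding `EXPECT_GT(webFrameClient.m_callCount, 0);` after `webkit_support::ServeAsynchronousMockedRequests();`, so it is visible that script actually ran inside the callback. Two smaller points: the `context`, `extensionGroup` and `worldId` parameters of the override are unused and could be left unnamed, and the WebView returned by createWebViewAndLoad is never closed before the test returns.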
Added: trunk/Source/WebKit/chromium/tests/data/hello_world.html (0 => 125077)
--- trunk/Source/WebKit/chromium/tests/data/hello_world.html (rev 0)
+++ trunk/Source/WebKit/chromium/tests/data/hello_world.html 2012-08-08 20:03:37 UTC (rev 125077)
@@ -0,0 +1,3 @@
+<script>
+document.write("Hello, world.");
+</script>
webkit-changes mailing list
webkit-changes@lists.webkit.org
http://lists.webkit.org/mailman/listinfo/webkit-changes