Revision: 182829
Author: cdu...@apple.com
Date: 2015-04-14 18:39:05 -0700 (Tue, 14 Apr 2015)
Log Message
Regression(r180020): Web Inspector crashes on pages that have a stylesheet with an invalid MIME type
https://bugs.webkit.org/show_bug.cgi?id=143745
<rdar://problem/20243916>
Reviewed by Joseph Pecoraro.
Source/JavaScriptCore:
Add assertion in ContentSearchUtilities::findMagicComment() to make
sure the content String is not null or we would crash in
JSC::Yarr::interpret() later.
* inspector/ContentSearchUtilities.cpp:
(Inspector::ContentSearchUtilities::findMagicComment):
Source/WebCore:
After r180020, we are stricter and no longer accept CSS resources that
are not served with a CSS MIME type. Showing Web inspector on a page
with such a bad resource would crash because
InspectorPageAgent::cachedResourceContent() would return true but
the result String would be null. This null String would then later
be passed to the Yarr interpreter and crash on a String::is8Bit()
call.
cachedResourceContent() calls CachedCSSStyleSheet::sheetText(). Before
r180020, it would return the text, even if the MIME type was incorrect.
However, this is no longer the case and we now need to make sure that
cachedResourceContent() returns false if sheetText() returns a null
String.
Test: http/tests/inspector/css/bad-mime-type.html
* inspector/InspectorPageAgent.cpp:
(WebCore::InspectorPageAgent::cachedResourceContent):
LayoutTests:
Add layout test that shows the Web inspector on a page that has
a stylesheet with an invalid MIME type, to make sure we don't
crash.
* http/tests/inspector/css/bad-mime-type-expected.txt: Added.
* http/tests/inspector/css/bad-mime-type.html: Added.
* http/tests/misc/css-accept-any-type.html:
* http/tests/misc/css-reject-any-type-in-strict-mode.html:
* http/tests/misc/resources/stylesheet-bad-mime-type.php: Renamed from LayoutTests/http/tests/misc/resources/stylesheet.php.
Diff
Modified: trunk/LayoutTests/ChangeLog (182828 => 182829)
--- trunk/LayoutTests/ChangeLog 2015-04-15 01:34:25 UTC (rev 182828)
+++ trunk/LayoutTests/ChangeLog 2015-04-15 01:39:05 UTC (rev 182829)
@@ -1,3 +1,21 @@
+2015-04-14 Chris Dumez <cdu...@apple.com>
+
+ Regression(r180020): Web Inspector crashes on pages that have a stylesheet with an invalid MIME type
+ https://bugs.webkit.org/show_bug.cgi?id=143745
+ <rdar://problem/20243916>
+
+ Reviewed by Joseph Pecoraro.
+
+ Add layout test that shows the Web inspector on a page that has
+ a stylesheet with an invalid MIME type, to make sure we don't
+ crash.
+
+ * http/tests/inspector/css/bad-mime-type-expected.txt: Added.
+ * http/tests/inspector/css/bad-mime-type.html: Added.
+ * http/tests/misc/css-accept-any-type.html:
+ * http/tests/misc/css-reject-any-type-in-strict-mode.html:
+ * http/tests/misc/resources/stylesheet-bad-mime-type.php: Renamed from LayoutTests/http/tests/misc/resources/stylesheet.php.
+
2015-04-14 Brady Eidson <beid...@apple.com>
Make sure media element loads hit content filter extensions.
Added: trunk/LayoutTests/http/tests/inspector/css/bad-mime-type-expected.txt (0 => 182829)
--- trunk/LayoutTests/http/tests/inspector/css/bad-mime-type-expected.txt (rev 0)
+++ trunk/LayoutTests/http/tests/inspector/css/bad-mime-type-expected.txt 2015-04-15 01:39:05 UTC (rev 182829)
@@ -0,0 +1,3 @@
+Tests that showing Web Inspector on a page that has a stylesheet with an invalid MIME type does not crash.
+
+This test passes if it does not crash.
Added: trunk/LayoutTests/http/tests/inspector/css/bad-mime-type.html (0 => 182829)
--- trunk/LayoutTests/http/tests/inspector/css/bad-mime-type.html (rev 0)
+++ trunk/LayoutTests/http/tests/inspector/css/bad-mime-type.html 2015-04-15 01:39:05 UTC (rev 182829)
@@ -0,0 +1,20 @@
+<!DOCTYPE html>
+<html>
+<head>
+<script type="text/_javascript_" src=""
+
+<!-- This stylesheet is served with an invalid MIME type -->
+<link rel="stylesheet" href=""
+
+<script>
+function test()
+{
+ InspectorTest.completeTest();
+}
+</script>
+</head>
+<body _onload_="runTest()">
+<p>Tests that showing Web Inspector on a page that has a stylesheet with an invalid MIME type does not crash.</p>
+<p>This test passes if it does not crash.</p>
+</body>
+</html>
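Review bot: the `src=""` on the first script tag and the `href=""` on the stylesheet link are empty as shown here, so as rendered this test neither loads the harness that defines `runTest()` nor references the bad-MIME-type stylesheet the comment on the line above describes; confirm the real paths in the repository before landing. Beyond "passes if it does not crash", `test()` could also drive the inspector to request the stylesheet's content so the new null-check in InspectorPageAgent::cachedResourceContent() is actually exercised, instead of relying on whatever the inspector happens to fetch on its own when it is shown.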
Modified: trunk/LayoutTests/http/tests/misc/css-accept-any-type.html (182828 => 182829)
--- trunk/LayoutTests/http/tests/misc/css-accept-any-type.html 2015-04-15 01:34:25 UTC (rev 182828)
+++ trunk/LayoutTests/http/tests/misc/css-accept-any-type.html 2015-04-15 01:39:05 UTC (rev 182829)
@@ -1,7 +1,7 @@
<html>
<head>
<title></title>
- <link rel="stylesheet" href=""
+ <link rel="stylesheet" href=""
<script>
function test()
{
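Review bot: the `-` and `+` lines of this hunk differ only in the href, which this rendering has stripped to `href=""` on both sides, so the switch from resources/stylesheet.php to resources/stylesheet-bad-mime-type.php cannot be verified from the hunk as shown; the same applies to the css-reject-any-type-in-strict-mode.html hunk that follows. Check both hrefs against the rename recorded in the ChangeLog.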
Modified: trunk/LayoutTests/http/tests/misc/css-reject-any-type-in-strict-mode.html (182828 => 182829)
--- trunk/LayoutTests/http/tests/misc/css-reject-any-type-in-strict-mode.html 2015-04-15 01:34:25 UTC (rev 182828)
+++ trunk/LayoutTests/http/tests/misc/css-reject-any-type-in-strict-mode.html 2015-04-15 01:39:05 UTC (rev 182829)
@@ -2,7 +2,7 @@
<html>
<head>
<title></title>
- <link rel="stylesheet" href=""
+ <link rel="stylesheet" href=""
<script>
function test()
{
Copied: trunk/LayoutTests/http/tests/misc/resources/stylesheet-bad-mime-type.php (from rev 182828, trunk/LayoutTests/http/tests/misc/resources/stylesheet.php) (0 => 182829)
--- trunk/LayoutTests/http/tests/misc/resources/stylesheet-bad-mime-type.php (rev 0)
+++ trunk/LayoutTests/http/tests/misc/resources/stylesheet-bad-mime-type.php 2015-04-15 01:39:05 UTC (rev 182829)
@@ -0,0 +1,10 @@
+<?php
+ if (preg_match("/\*\/\*/", $_SERVER["HTTP_ACCEPT"])) {
+?>
+ p#target { position: relative; }
+ /* This stylesheet is served as text/html */
+<?php
+ } else {
+ header("Not acceptable", true, 406);
+ }
+?>
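Review bot: `header("Not acceptable", true, 406);` on the else branch emits a header line with no colon, which is not a valid HTTP header; the 406 status is still forced by the third argument, but the reason phrase never reaches the client as intended. Since the file is being moved anyway, write it as `header("HTTP/1.1 406 Not Acceptable");` and guard the `preg_match()` with `isset($_SERVER["HTTP_ACCEPT"])` so a request without an Accept header does not raise a PHP notice instead of a 406. The `/\*\/\*/` check matches `*/*` anywhere in Accept, which is fine for the test's purpose; the CSS body is served under PHP's default text/html Content-Type, which is exactly the bad MIME type the three tests rely on, so the new file name documents the behaviour the old one hid.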
Deleted: trunk/LayoutTests/http/tests/misc/resources/stylesheet.php (182828 => 182829)
--- trunk/LayoutTests/http/tests/misc/resources/stylesheet.php 2015-04-15 01:34:25 UTC (rev 182828)
+++ trunk/LayoutTests/http/tests/misc/resources/stylesheet.php 2015-04-15 01:39:05 UTC (rev 182829)
@@ -1,10 +0,0 @@
-<?php
- if (preg_match("/\*\/\*/", $_SERVER["HTTP_ACCEPT"])) {
-?>
- p#target { position: relative; }
- /* This stylesheet is served as text/html */
-<?php
- } else {
- header("Not acceptable", true, 406);
- }
-?>
Modified: trunk/Source/_javascript_Core/ChangeLog (182828 => 182829)
--- trunk/Source/_javascript_Core/ChangeLog 2015-04-15 01:34:25 UTC (rev 182828)
+++ trunk/Source/_javascript_Core/ChangeLog 2015-04-15 01:39:05 UTC (rev 182829)
@@ -1,3 +1,18 @@
+2015-04-14 Chris Dumez <cdu...@apple.com>
+
+ Regression(r180020): Web Inspector crashes on pages that have a stylesheet with an invalid MIME type
+ https://bugs.webkit.org/show_bug.cgi?id=143745
+ <rdar://problem/20243916>
+
+ Reviewed by Joseph Pecoraro.
+
+ Add assertion in ContentSearchUtilities::findMagicComment() to make
+ sure the content String is not null or we would crash in
+ JSC::Yarr::interpret() later.
+
+ * inspector/ContentSearchUtilities.cpp:
+ (Inspector::ContentSearchUtilities::findMagicComment):
+
2015-04-14 Michael Saboff <msab...@apple.com>
DFG register fillSpeculate*() functions should validate incoming spill format is compatible with requested fill format
Modified: trunk/Source/_javascript_Core/inspector/ContentSearchUtilities.cpp (182828 => 182829)
--- trunk/Source/_javascript_Core/inspector/ContentSearchUtilities.cpp 2015-04-15 01:34:25 UTC (rev 182828)
+++ trunk/Source/_javascript_Core/inspector/ContentSearchUtilities.cpp 2015-04-15 01:39:05 UTC (rev 182829)
@@ -180,6 +180,7 @@
static String findMagicComment(const String& content, const String& patternString)
{
+ ASSERT(!content.isNull());
const char* error = nullptr;
JSC::Yarr::YarrPattern pattern(patternString, false, true, &error);
ASSERT(!error);
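Review bot: `ASSERT(!content.isNull());` only fires in debug builds; in release a null `content` still flows into the Yarr interpreter from this function, so the real protection is the caller-side change in InspectorPageAgent::cachedResourceContent(). Because findMagicComment() is a static helper that any future caller can reach with a null String, add a release-safe guard next to the assertion, e.g. `if (content.isNull()) return String();`, and state in a comment that callers must pass a non-null String. That keeps the crash fixed even if another content source starts returning null the way sheetText() now does.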
Modified: trunk/Source/WebCore/ChangeLog (182828 => 182829)
--- trunk/Source/WebCore/ChangeLog 2015-04-15 01:34:25 UTC (rev 182828)
+++ trunk/Source/WebCore/ChangeLog 2015-04-15 01:39:05 UTC (rev 182829)
@@ -1,3 +1,30 @@
+2015-04-14 Chris Dumez <cdu...@apple.com>
+
+ Regression(r180020): Web Inspector crashes on pages that have a stylesheet with an invalid MIME type
+ https://bugs.webkit.org/show_bug.cgi?id=143745
+ <rdar://problem/20243916>
+
+ Reviewed by Joseph Pecoraro.
+
+ After r180020, we are stricter and no longer accept CSS resources that
+ are not served with a CSS MIME type. Showing Web inspector on a page
+ with such bad resource would crash because
+ InspectorPageAgent::cachedResourceContent() would return true but
+ the result String would be null. This null String would then later
+ be passed to the Yarr interpreter and crash on a String::is8Bit()
+ call.
+
+ cachedResourceContent() calls CachedCSSStyleSheet::sheetText(). Before
+ r180020, it would return the text, even if the MIME type was incorrect.
+ However, this is no longer the case and we now need to make sure that
+ cachedResourceContent() returns false if sheetText() returns a null
+ String.
+
+ Test: http/tests/inspector/css/bad-mime-type.html
+
+ * inspector/InspectorPageAgent.cpp:
+ (WebCore::InspectorPageAgent::cachedResourceContent):
+
2015-04-14 Said Abou-Hallawa <sabouhall...@apple.com>
textPath layout performance improvement.
Modified: trunk/Source/WebCore/inspector/InspectorPageAgent.cpp (182828 => 182829)
--- trunk/Source/WebCore/inspector/InspectorPageAgent.cpp 2015-04-15 01:34:25 UTC (rev 182828)
+++ trunk/Source/WebCore/inspector/InspectorPageAgent.cpp 2015-04-15 01:39:05 UTC (rev 182829)
@@ -155,8 +155,9 @@
if (cachedResource) {
switch (cachedResource->type()) {
case CachedResource::CSSStyleSheet:
+ // This can return a null String if the MIME type is invalid.
*result = downcast<CachedCSSStyleSheet>(*cachedResource).sheetText();
- return true;
+ return !result->isNull();
case CachedResource::Script:
*result = downcast<CachedScript>(*cachedResource).script();
return true;
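Review bot: `return !result->isNull();` correctly distinguishes a null String (sheetText() refused the resource because of its MIME type) from an empty one (a legitimately empty stylesheet), so this should not be tightened to `isEmpty()`. The Script case directly below still returns true unconditionally; if CachedScript::script() can ever return a null String under similar strictness, it needs the same treatment, and if it cannot, a one-line comment saying so would save the next reader the question. The new comment could also name its source: "sheetText() returns a null String when the MIME type is invalid (r180020)".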