Title: [87114] trunk
- Revision
- 87114
- Author
- [email protected]
- Date
- 2011-05-23 18:17:11 -0700 (Mon, 23 May 2011)
Log Message
2011-05-23 Julien Chaffraix <[email protected]>
Reviewed by Darin Adler.
Test for: Crash from null pointer dereference below WebCore::StorageAreaImpl::setItem()
https://bugs.webkit.org/show_bug.cgi?id=57140
<rdar://problem/9191214>
* fast/storage/storage-detached-iframe-expected.txt: Added.
* fast/storage/storage-detached-iframe.html: Added.
* platform/chromium/test_expectations.txt: Marked the test as CRASH
on Chromium - Linux.
2011-05-23 Julien Chaffraix <[email protected]>
Reviewed by Darin Adler.
Crash from null pointer dereference below WebCore::StorageAreaImpl::setItem()
https://bugs.webkit.org/show_bug.cgi?id=57140
Test: fast/storage/storage-detached-iframe.html
Access of localStorage on a detached iframe was causing a crash because a detached
iframe has a null m_page, and WebCore::privateBrowsingEnabled() wasn't testing for such.
* storage/StorageAreaImpl.cpp:
(WebCore::privateBrowsingEnabled): check that child->page() is non-null before
accessing it.
Diff
Modified: trunk/LayoutTests/ChangeLog (87113 => 87114)
--- trunk/LayoutTests/ChangeLog 2011-05-24 01:02:37 UTC (rev 87113)
+++ trunk/LayoutTests/ChangeLog 2011-05-24 01:17:11 UTC (rev 87114)
@@ -1,3 +1,17 @@
+2011-05-23 Julien Chaffraix <[email protected]>
+
+ Reviewed by Darin Adler.
+
+ Test for: Crash from null pointer dereference below WebCore::StorageAreaImpl::setItem()
+ https://bugs.webkit.org/show_bug.cgi?id=57140
+ <rdar://problem/9191214>
+
+ * fast/storage/storage-detached-iframe-expected.txt: Added.
+ * fast/storage/storage-detached-iframe.html: Added.
+
+ * platform/chromium/test_expectations.txt: Marked the test as CRASH
+ on Chromium - Linux.
+
2011-05-23 Chris Fleizach <[email protected]>
Reviewed by David Kilzer.
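Review bot: the `platform/chromium/test_expectations.txt` bullet records that the new test is marked CRASH on Chromium Linux without saying why a crash is still expected on that port once this fix lands; the expectations line itself points at BUGWK61326 rather than bug 57140, so one sentence here naming that bug and stating whether the Chromium crash is a separate issue would save the next reader a trip to the tracker.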
Added: trunk/LayoutTests/fast/storage/storage-detached-iframe-expected.txt (0 => 87114)
--- trunk/LayoutTests/fast/storage/storage-detached-iframe-expected.txt (rev 0)
+++ trunk/LayoutTests/fast/storage/storage-detached-iframe-expected.txt 2011-05-24 01:17:11 UTC (rev 87114)
@@ -0,0 +1,7 @@
+Bug: https://bugs.webkit.org/show_bug.cgi?id=57140
+
+Description: Crash from null pointer dereference below WebCore::StorageAreaImpl::setItem()
+
+Expect: passed
+
+Result: passed
Added: trunk/LayoutTests/fast/storage/storage-detached-iframe.html (0 => 87114)
--- trunk/LayoutTests/fast/storage/storage-detached-iframe.html (rev 0)
+++ trunk/LayoutTests/fast/storage/storage-detached-iframe.html 2011-05-24 01:17:11 UTC (rev 87114)
@@ -0,0 +1,51 @@
+<html>
+ <head>
+ <script>
+ function openIframe()
+ {
+ if (document.createElement && (iframe = document.createElement('iframe'))) {
+ document.body.appendChild(iframe);
+ return iframe;
+ }
+ }
+
+ function runTestReplaceWholeText()
+ {
+ t1 = openIframe();
+ var a = t1.contentWindow.frames;
+ var b = t1.contentDocument.defaultView.localStorage;
+ t1.outerText = "";
+ t1.src = ""
+ first_attr = t1.attributes.item(undefined, undefined, undefined, undefined);
+ first_attr_value_replaced = first_attr.firstChild.replaceWholeText(undefined, undefined, undefined, undefined);
+ first_attr_value_replaced.DOCUMENT_FRAGMENT_NODE = a;
+ first_attr.firstChild.DOCUMENT_FRAGMENT_NODE.localStorage.fuzz3_visited="test";
+ }
+
+ function runTestOuterText() {
+ t1 = openIframe();
+ var a = t1.contentWindow.frames;
+ var b = t1.contentDocument.defaultView.localStorage;
+
+ t1.outerText = "";
+ a.localStorage.fuzz3_visited="test";
+ }
+
+ function runTests() {
+ runTestReplaceWholeText();
+ runTestOuterText();
+ document.getElementById("result").innerHTML = "passed";
+ }
+
+ if (window.layoutTestController)
+ layoutTestController.dumpAsText();
+
+ </script>
+ </head>
+ <body _onload_="runTests()">
+ <p>Bug: https://bugs.webkit.org/show_bug.cgi?id=57140
+ <p>Description: Crash from null pointer dereference below WebCore::StorageAreaImpl::setItem()
+ <p>Expect: passed
+ <p>Result: <span id="result">failed</span>
+ </body>
+</html>
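Review bot: `runTestReplaceWholeText` still carries its fuzzer scaffolding (the `attributes.item(undefined, ...)` and `replaceWholeText(undefined, ...)` calls and the assignment to `DOCUMENT_FRAGMENT_NODE`) while the trigger it exercises is the one `runTestOuterText` hits directly: keep a reference to the iframe's window (`var a = t1.contentWindow.frames`), detach the frame with `t1.outerText = ""`, then touch `a.localStorage`. Reducing the first case to that shape, or dropping it as a duplicate, would make the regression test readable. Smaller points: `iframe`, `t1`, `first_attr` and `first_attr_value_replaced` are implicit globals and should be declared with `var`; `var b` is unused in both functions; `t1.src = ""` is missing its semicolon; and the body tag's `_onload_` attribute should be checked against the committed file, because as written here `runTests()` never fires and the page reports the default `failed`.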
Modified: trunk/LayoutTests/platform/chromium/test_expectations.txt (87113 => 87114)
--- trunk/LayoutTests/platform/chromium/test_expectations.txt 2011-05-24 01:02:37 UTC (rev 87113)
+++ trunk/LayoutTests/platform/chromium/test_expectations.txt 2011-05-24 01:17:11 UTC (rev 87114)
@@ -4167,3 +4167,5 @@
// New test from WK r87026
BUGCR83555 WIN LINUX : fast/block/positioning/058.html = IMAGE+TEXT
+
+BUGWK61326 LINUX : fast/storage/storage-detached-iframe.html = PASS CRASH
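Review bot: `PASS CRASH` lets the test either pass or crash on Chromium Linux, so a reappearance of exactly the crash this patch fixes would not turn that bot red until the line is removed; the entry also cites BUGWK61326 while the test and both ChangeLogs cite 57140, so it should carry the bug that actually tracks the remaining Chromium crash and a comment on when the expectation can be dropped.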
Modified: trunk/Source/WebCore/ChangeLog (87113 => 87114)
--- trunk/Source/WebCore/ChangeLog 2011-05-24 01:02:37 UTC (rev 87113)
+++ trunk/Source/WebCore/ChangeLog 2011-05-24 01:17:11 UTC (rev 87114)
@@ -1,3 +1,19 @@
+2011-05-23 Julien Chaffraix <[email protected]>
+
+ Reviewed by Darin Adler.
+
+ Crash from null pointer dereference below WebCore::StorageAreaImpl::setItem()
+ https://bugs.webkit.org/show_bug.cgi?id=57140
+
+ Test: fast/storage/storage-detached-iframe.html
+
+ Access of localStorage on a detached iframe was causing a crash because a detached
+ iframe has a null m_page, and WebCore::privateBrowsingEnabled() wasn't testing for such.
+
+ * storage/StorageAreaImpl.cpp:
+ (WebCore::privateBrowsingEnabled): check that child->page() is non-null before
+ accessing it.
+
2011-05-23 Chris Fleizach <[email protected]>
Reviewed by David Kilzer.
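Review bot: the function-level comment says `child->page()` is checked, but the code in `WebCore::privateBrowsingEnabled` null-checks `frame->page()`; there is no `child` anywhere in the patch, so the entry should read `frame->page()` to match what was committed.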
Modified: trunk/Source/WebCore/storage/StorageAreaImpl.cpp (87113 => 87114)
--- trunk/Source/WebCore/storage/StorageAreaImpl.cpp 2011-05-24 01:02:37 UTC (rev 87113)
+++ trunk/Source/WebCore/storage/StorageAreaImpl.cpp 2011-05-24 01:17:11 UTC (rev 87114)
@@ -103,7 +103,7 @@
ASSERT(!frame);
return false;
#else
- return frame->page()->settings()->privateBrowsingEnabled();
+ return frame->page() && frame->page()->settings()->privateBrowsingEnabled();
#endif
}
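Review bot: the new condition treats a null `Page` as "private browsing disabled", so a `setItem()` that reaches this path through a detached frame falls through to the ordinary, persistent write; if callers use this predicate to suppress writes while private browsing is on, a frame that has lost its page is the case where leaking to disk is least wanted, and returning true here (or refusing the operation at the caller) would fail closed. Please confirm the intended direction, and either way fetch the pointer once (`Page* page = frame->page(); return page && page->settings()->privateBrowsingEnabled();`) rather than calling `frame->page()` twice. The `#else` branch also still dereferences `frame` with no check of its own, so if a caller can hand in a null frame the way it now hands in a pageless one, that case remains uncovered.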
_______________________________________________
webkit-changes mailing list
[email protected]
http://lists.webkit.org/mailman/listinfo.cgi/webkit-changes