Title: [285747] trunk
Revision: 285747
Author: cdu...@apple.com
Date: 2021-11-12 15:17:17 -0800 (Fri, 12 Nov 2021)

Log Message

Crash when accessing reason property of a newly created AbortSignal
https://bugs.webkit.org/show_bug.cgi?id=233066
<rdar://problem/85249306>

Reviewed by Geoffrey Garen.

Source/WebCore:

Make sure AbortSignal.reason gets initialized to jsUndefined() by default
and not a default-constructed JSValue.

Test: fast/dom/AbortSignal-reason-crash.html

* dom/AbortSignal.cpp:
(WebCore::AbortSignal::AbortSignal):
* dom/AbortSignal.h:

LayoutTests:

Add layout test coverage.

* fast/dom/AbortSignal-reason-crash-expected.txt: Added.
* fast/dom/AbortSignal-reason-crash.html: Added.

Diff

Modified: trunk/LayoutTests/ChangeLog (285746 => 285747)


--- trunk/LayoutTests/ChangeLog	2021-11-12 23:11:42 UTC (rev 285746)
+++ trunk/LayoutTests/ChangeLog	2021-11-12 23:17:17 UTC (rev 285747)
@@ -1,3 +1,16 @@
+2021-11-12  Chris Dumez  <cdu...@apple.com>
+
+        Crash when accessing reason property of a newly created AbortSignal
+        https://bugs.webkit.org/show_bug.cgi?id=233066
+        <rdar://problem/85249306>
+
+        Reviewed by Geoffrey Garen.
+
+        Add layout test coverage.
+
+        * fast/dom/AbortSignal-reason-crash-expected.txt: Added.
+        * fast/dom/AbortSignal-reason-crash.html: Added.
+
 2021-11-12  Ryan Haddad  <ryanhad...@apple.com>
 
         Unreviewed, reverting r285583.

Added: trunk/LayoutTests/fast/dom/AbortSignal-reason-crash-expected.txt (0 => 285747)


--- trunk/LayoutTests/fast/dom/AbortSignal-reason-crash-expected.txt	                        (rev 0)
+++ trunk/LayoutTests/fast/dom/AbortSignal-reason-crash-expected.txt	2021-11-12 23:17:17 UTC (rev 285747)
@@ -0,0 +1,10 @@
+Tests accessing the reason of a newly created AbortSignal.
+
+On success, you will see a series of "PASS" messages, followed by "TEST COMPLETE".
+
+
+PASS new AbortController().signal.reason is undefined.
+PASS successfullyParsed is true
+
+TEST COMPLETE
+

Added: trunk/LayoutTests/fast/dom/AbortSignal-reason-crash.html (0 => 285747)


--- trunk/LayoutTests/fast/dom/AbortSignal-reason-crash.html	                        (rev 0)
+++ trunk/LayoutTests/fast/dom/AbortSignal-reason-crash.html	2021-11-12 23:17:17 UTC (rev 285747)
@@ -0,0 +1,11 @@
+<!DOCTYPE html>
+<html>
+<body>
+<script src=""
+<script>
+description("Tests accessing the reason of a newly created AbortSignal.");
+
+shouldBeUndefined("new AbortController().signal.reason");
+</script>
+</body>
+</html>
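
Review bot: The first script element in the added file, shown here as `<script src=""`, has an empty src and no closing tag, so nothing in these lines loads the harness that defines description() and shouldBeUndefined(). Confirm the committed file references the test harness script and closes the element before the inline script. Separately, the single shouldBeUndefined() check only covers a signal obtained from `new AbortController()`; a second assertion on a signal created through the aborted path would exercise the new ASSERT in the constructor as well.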

Modified: trunk/Source/WebCore/ChangeLog (285746 => 285747)


--- trunk/Source/WebCore/ChangeLog	2021-11-12 23:11:42 UTC (rev 285746)
+++ trunk/Source/WebCore/ChangeLog	2021-11-12 23:17:17 UTC (rev 285747)
@@ -1,3 +1,20 @@
+2021-11-12  Chris Dumez  <cdu...@apple.com>
+
+        Crash when accessing reason property of a newly created AbortSignal
+        https://bugs.webkit.org/show_bug.cgi?id=233066
+        <rdar://problem/85249306>
+
+        Reviewed by Geoffrey Garen.
+
+        Make sure AbortSignal.reason get initialized to jsUndefined() by default
+        and not a default-constructed JSValue.
+
+        Test: fast/dom/AbortSignal-reason-crash.html
+
+        * dom/AbortSignal.cpp:
+        (WebCore::AbortSignal::AbortSignal):
+        * dom/AbortSignal.h:
+
 2021-11-12  Ryan Haddad  <ryanhad...@apple.com>
 
         Unreviewed, reverting r285583.

Modified: trunk/Source/WebCore/dom/AbortSignal.cpp (285746 => 285747)


--- trunk/Source/WebCore/dom/AbortSignal.cpp	2021-11-12 23:11:42 UTC (rev 285746)
+++ trunk/Source/WebCore/dom/AbortSignal.cpp	2021-11-12 23:17:17 UTC (rev 285747)
@@ -57,6 +57,7 @@
     , m_aborted(aborted == Aborted::Yes)
     , m_reason(reason)
 {
+    ASSERT(reason);
 }
 
 // https://dom.spec.whatwg.org/#abortsignal-signal-abort
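
Review bot: ASSERT(reason) in the constructor body is compiled out of release builds, so a caller that passes an empty JSValue explicitly still gets it stored by `m_reason(reason)` in shipping code, which is the state this change is meant to rule out. Consider normalizing in the initializer list, for example `m_reason(reason ? reason : JSC::jsUndefined())`, or using RELEASE_ASSERT if an empty value must never reach this point.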

Modified: trunk/Source/WebCore/dom/AbortSignal.h (285746 => 285747)


--- trunk/Source/WebCore/dom/AbortSignal.h	2021-11-12 23:11:42 UTC (rev 285746)
+++ trunk/Source/WebCore/dom/AbortSignal.h	2021-11-12 23:17:17 UTC (rev 285747)
@@ -64,7 +64,7 @@
 
 private:
     enum class Aborted : bool { No, Yes };
-    explicit AbortSignal(ScriptExecutionContext&, Aborted = Aborted::No, JSC::JSValue reason = { });
+    explicit AbortSignal(ScriptExecutionContext&, Aborted = Aborted::No, JSC::JSValue reason = JSC::jsUndefined());
 
     // EventTarget.
     EventTargetInterface eventTargetInterface() const final { return AbortSignalEventTargetInterfaceType; }
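
Review bot: The requirement that reason is never an empty JSValue is now carried only by the default argument on the constructor declaration, which protects callers that omit the argument and nobody else. A one-line comment on this declaration stating that reason must be a real value (jsUndefined() when there is none, never `{ }`) would keep a later caller from reintroducing the default-constructed value.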