Title: [167239] releases/WebKitGTK/webkit-2.4
Revision
167239
Author
carlo...@webkit.org
Date
2014-04-14 04:20:37 -0700 (Mon, 14 Apr 2014)

Log Message

Merge r166090 - Source/WebCore: Fix a crash when assigning an object to document.location
https://bugs.webkit.org/show_bug.cgi?id=130213

Reviewed by Geoffrey Garen.

Convert location to string before we make use of the document.
This prevents us from attempting to navigate a frame that
has already been removed.

Test: fast/dom/navigation-with-sideeffects-crash.html

* bindings/js/JSDocumentCustom.cpp:
(WebCore::JSDocument::location):
(WebCore::JSDocument::setLocation):

LayoutTests: Fix semantics of JS execution when assigning an object to document.location
https://bugs.webkit.org/show_bug.cgi?id=130213

Reviewed by Geoffrey Garen.

* fast/dom/navigation-with-sideeffects-expected.txt: Added.
* fast/dom/navigation-with-sideeffects.html: Added.

Diff

Modified: releases/WebKitGTK/webkit-2.4/LayoutTests/ChangeLog (167238 => 167239)


--- releases/WebKitGTK/webkit-2.4/LayoutTests/ChangeLog	2014-04-14 11:12:23 UTC (rev 167238)
+++ releases/WebKitGTK/webkit-2.4/LayoutTests/ChangeLog	2014-04-14 11:20:37 UTC (rev 167239)
@@ -1,3 +1,13 @@
+2014-03-21  Oliver Hunt  <oli...@apple.com>
+
+        Fix semantics of JS execution when assigning an object to document.location
+        https://bugs.webkit.org/show_bug.cgi?id=130213
+
+        Reviewed by Geoffrey Garen.
+
+        * fast/dom/navigation-with-sideeffects-expected.txt: Added.
+        * fast/dom/navigation-with-sideeffects.html: Added.
+
 2014-03-19  Antti Koivisto  <an...@apple.com>
 
         Crash with long selector list

Added: releases/WebKitGTK/webkit-2.4/LayoutTests/fast/dom/navigation-with-sideeffects-expected.txt (0 => 167239)


--- releases/WebKitGTK/webkit-2.4/LayoutTests/fast/dom/navigation-with-sideeffects-expected.txt	                        (rev 0)
+++ releases/WebKitGTK/webkit-2.4/LayoutTests/fast/dom/navigation-with-sideeffects-expected.txt	2014-04-14 11:20:37 UTC (rev 167239)
@@ -0,0 +1,2 @@
+ALERT: completed o1.toString()
+ALERT: completed o2.toString

Added: releases/WebKitGTK/webkit-2.4/LayoutTests/fast/dom/navigation-with-sideeffects.html (0 => 167239)


--- releases/WebKitGTK/webkit-2.4/LayoutTests/fast/dom/navigation-with-sideeffects.html	                        (rev 0)
+++ releases/WebKitGTK/webkit-2.4/LayoutTests/fast/dom/navigation-with-sideeffects.html	2014-04-14 11:20:37 UTC (rev 167239)
@@ -0,0 +1,49 @@
+<html>
+<script>
+if (window.testRunner) {
+    testRunner.dumpAsText();
+    testRunner.waitUntilDone();
+}
+var i = 0;
+function test() {
+    try {
+        o1 = {
+            toString : function () {
+                i++;
+                if (i<50)
+                    document.getElementById("testFrame").contentDocument.location = o1;
+                else
+                    alert("completed o1.toString()");
+                document.open();
+                return "data:text/plain,o1-" + i;
+            }
+        }
+        o2 = {
+            get toString() {
+                i++;
+                if (i<50)
+                    document.getElementById("testFrame").contentDocument.location = o2
+                else
+                    alert("completed o2.toString");
+                document.open();
+                return function(){ return "data:text/plain,o2-" + i; }
+            }
+        }
+
+        tmp = document.getElementById("testFrame");
+        i = 0;
+        tmp.contentDocument.location = o1;
+        document.write("<iframe src='' id='testFrame'/>");
+        tmp = document.getElementById("testFrame");
+        i = 0;
+        tmp.contentDocument.location = o2;
+    } finally {
+        if (window.testRunner)
+            testRunner.notifyDone();
+    }
+}
+</script>
+<body id="log" _onload_="test()">
+<iframe src="" id="testFrame"/>
+</body>
+</html>
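Review bot: The test file added here is `navigation-with-sideeffects.html`, but the WebCore ChangeLog entry in this same commit lists `Test: fast/dom/navigation-with-sideeffects-crash.html`; one of the two should be corrected so the test can be located from the log. The two completion messages are inconsistent (`alert("completed o1.toString()")` on the o1 path versus `alert("completed o2.toString")` on the o2 path) and the expected file encodes that asymmetry, so consider aligning them to `"completed o1.toString()"` / `"completed o2.toString()"` and regenerating the expectation. The body tag reads `_onload_="test()"`, which would never fire as written; this is presumably list-archive mangling of `onload` rather than the committed text, but it is worth verifying against the repository copy.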

Modified: releases/WebKitGTK/webkit-2.4/Source/WebCore/ChangeLog (167238 => 167239)


--- releases/WebKitGTK/webkit-2.4/Source/WebCore/ChangeLog	2014-04-14 11:12:23 UTC (rev 167238)
+++ releases/WebKitGTK/webkit-2.4/Source/WebCore/ChangeLog	2014-04-14 11:20:37 UTC (rev 167239)
@@ -1,3 +1,20 @@
+2014-03-21  Oliver Hunt  <oli...@apple.com>
+
+        Fix a crash when assigning an object to document.location
+        https://bugs.webkit.org/show_bug.cgi?id=130213
+
+        Reviewed by Geoffrey Garen.
+
+        Convert location to string before we make use the document.
+        This prevents us from attempting to navigate a frame that
+        has already been removed.
+
+        Test: fast/dom/navigation-with-sideeffects-crash.html
+
+        * bindings/js/JSDocumentCustom.cpp:
+        (WebCore::JSDocument::location):
+        (WebCore::JSDocument::setLocation):
+
 2014-03-19  Antti Koivisto  <an...@apple.com>
 
         Crash with long selector list

Modified: releases/WebKitGTK/webkit-2.4/Source/WebCore/bindings/js/JSDocumentCustom.cpp (167238 => 167239)


--- releases/WebKitGTK/webkit-2.4/Source/WebCore/bindings/js/JSDocumentCustom.cpp	2014-04-14 11:12:23 UTC (rev 167238)
+++ releases/WebKitGTK/webkit-2.4/Source/WebCore/bindings/js/JSDocumentCustom.cpp	2014-04-14 11:20:37 UTC (rev 167239)
@@ -51,30 +51,30 @@
 
 JSValue JSDocument::location(ExecState* exec) const
 {
-    Frame* frame = impl().frame();
+    RefPtr<Frame> frame = impl().frame();
     if (!frame)
         return jsNull();
 
-    Location* location = frame->document()->domWindow()->location();
-    if (JSObject* wrapper = getCachedWrapper(currentWorld(exec), location))
+    RefPtr<Location> location = frame->document()->domWindow()->location();
+    if (JSObject* wrapper = getCachedWrapper(currentWorld(exec), location.get()))
         return wrapper;
 
-    JSLocation* jsLocation = JSLocation::create(getDOMStructure<JSLocation>(exec->vm(), globalObject()), globalObject(), location);
-    cacheWrapper(currentWorld(exec), location, jsLocation);
+    JSLocation* jsLocation = JSLocation::create(getDOMStructure<JSLocation>(exec->vm(), globalObject()), globalObject(), location.get());
+    cacheWrapper(currentWorld(exec), location.get(), jsLocation);
     return jsLocation;
 }
 
 void JSDocument::setLocation(ExecState* exec, JSValue value)
 {
-    Frame* frame = impl().frame();
-    if (!frame)
-        return;
-
     String locationString = value.toString(exec)->value(exec);
     if (exec->hadException())
         return;
 
-    if (Location* location = frame->document()->domWindow()->location())
+    RefPtr<Frame> frame = impl().frame();
+    if (!frame)
+        return;
+
+    if (RefPtr<Location> location = frame->document()->domWindow()->location())
         location->setHref(locationString, activeDOMWindow(exec), firstDOMWindow(exec));
 }
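Review bot: The new statement order in setLocation is load-bearing but nothing in the hunk records why, so a later cleanup could hoist the `impl().frame()` null check back above the string conversion and reintroduce the detached-frame use this commit fixes; add `// Convert the value first: toString() can run script that detaches this document's frame, so the frame must be looked up afterwards.` above the `String locationString` line. On the new side `frame->document()->domWindow()` is still dereferenced without a null check after script has run; I cannot tell from the hunk whether a Frame returned by `impl().frame()` can exist without a document at that point, so please confirm that invariant rather than rely on it silently. The RefPtr conversions in location() do not bracket any script execution visible in the hunk, so they read as defensive rather than as part of the fix; a one-line comment saying so would keep the two functions from being assumed to share the same hazard.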
 