Merge r228561 - fast/frames/sandboxed-iframe-navigation-top-denied.ht…

…ml is crashing in Inspector::createScriptCallStackForConsole::Exec for GTK https://bugs.webkit.org/show_bug.cgi?id=172952 Patch by Fujii Hironori <Hironori.Fujii@sony.com> on 2018-02-16 Reviewed by Michael Catanzaro. Source/JavaScriptCore: Null dereference of VM::topCallFrame happens in Inspector::createScriptCallStackForConsole if the ExecState has no call frames. * inspector/ScriptCallStackFactory.cpp: (Inspector::createScriptCallStack): Do null check of topCallFrame. (Inspector::createScriptCallStackForConsole): Ditto. LayoutTests: * platform/gtk/TestExpectations: Unmarked fast/frames/sandboxed-iframe-navigation-top-denied.html.
WebKit · Feb 20, 2018 · 2da2ce5 · 2da2ce5
1 parent 7e4ffd4
commit 2da2ce5
Show file tree

Hide file tree

Showing 4 changed files with 28 additions and 1 deletion.
diff --git a/LayoutTests/ChangeLog b/LayoutTests/ChangeLog
@@ -1,3 +1,12 @@
+2018-02-16  Fujii Hironori  <Hironori.Fujii@sony.com>
+
+        fast/frames/sandboxed-iframe-navigation-top-denied.html is crashing in Inspector::createScriptCallStackForConsole::Exec for GTK
+        https://bugs.webkit.org/show_bug.cgi?id=172952
+
+        Reviewed by Michael Catanzaro.
+
+        * platform/gtk/TestExpectations: Unmarked fast/frames/sandboxed-iframe-navigation-top-denied.html.
+
 2018-02-16  Fujii Hironori  <Hironori.Fujii@sony.com>
 
         IndexedDB: Several test crash in when destroying a IDBKeyData

diff --git a/LayoutTests/platform/gtk/TestExpectations b/LayoutTests/platform/gtk/TestExpectations
@@ -1285,7 +1285,6 @@ webkit.org/b/172281 accessibility/insert-children-assert.html [ Crash ]
 
 webkit.org/b/172951 editing/execCommand/crash-replacing-list-by-list.html [ Crash ]
 webkit.org/b/172951 editing/inserting/insert-table-in-paragraph-crash.html [ Crash ]
-webkit.org/b/172952 fast/frames/sandboxed-iframe-navigation-top-denied.html [ Crash ]
 
 webkit.org/b/172955 media/video-preload.html [ Crash Pass ]
 

diff --git a/Source/JavaScriptCore/ChangeLog b/Source/JavaScriptCore/ChangeLog
@@ -1,3 +1,18 @@
+2018-02-16  Fujii Hironori  <Hironori.Fujii@sony.com>
+
+        fast/frames/sandboxed-iframe-navigation-top-denied.html is crashing in Inspector::createScriptCallStackForConsole::Exec for GTK
+        https://bugs.webkit.org/show_bug.cgi?id=172952
+
+        Reviewed by Michael Catanzaro.
+
+        Null dereference of VM::topCallFrame happens in
+        Inspector::createScriptCallStackForConsole if the ExecState has no
+        call frames.
+
+        * inspector/ScriptCallStackFactory.cpp:
+        (Inspector::createScriptCallStack): Do null check of topCallFrame.
+        (Inspector::createScriptCallStackForConsole): Ditto.
+
 2018-02-18  Dominik Inführ  <dominik.infuehr@gmail.com>
 
         Offlineasm/MIPS: immediates need to be within 16-bit signed values

diff --git a/Source/JavaScriptCore/inspector/ScriptCallStackFactory.cpp b/Source/JavaScriptCore/inspector/ScriptCallStackFactory.cpp
@@ -93,6 +93,8 @@ Ref<ScriptCallStack> createScriptCallStack(JSC::ExecState* exec, size_t maxStack
     Vector<ScriptCallFrame> frames;
 
     CallFrame* frame = exec->vm().topCallFrame;
+    if (!frame)
+        return ScriptCallStack::create();
     CreateScriptCallStackFunctor functor(false, frames, maxStackSize);
     frame->iterate(functor);
 
@@ -108,6 +110,8 @@ Ref<ScriptCallStack> createScriptCallStackForConsole(JSC::ExecState* exec, size_
     Vector<ScriptCallFrame> frames;
 
     CallFrame* frame = exec->vm().topCallFrame;
+    if (!frame)
+        return ScriptCallStack::create();
     CreateScriptCallStackFunctor functor(true, frames, maxStackSize);
     frame->iterate(functor);