Flaky crash with JavaScript URLs

https://bugs.webkit.org/show_bug.cgi?id=66360 Reviewed by Nate Chapin. Source/WebCore: This patch teaches DocumentWriter::begin to make a copy of the URL before beginning a new document to avoid a crash. Test: fast/loader/javascript-url-iframe-crash.html * loader/DocumentWriter.cpp: (WebCore::DocumentWriter::begin): LayoutTests: * fast/loader/javascript-url-iframe-crash-expected.txt: Added. * fast/loader/javascript-url-iframe-crash.html: Added. Canonical link: https://commits.webkit.org/83040@main git-svn-id: https://svn.webkit.org/repository/webkit/trunk@94112 268f45cc-cd09-0410-ab3c-d52691b4dbfc
WebKit · Aug 30, 2011 · 5da0bf3c6973914d8572633f3722338bf0f3a22f · 5da0bf3
1 parent a167577
commit 5da0bf3c6973914d8572633f3722338bf0f3a22f
diff --git a/LayoutTests/ChangeLog b/LayoutTests/ChangeLog
@@ -1,3 +1,13 @@
+2011-08-30  Adam Barth  <abarth@webkit.org>
+
+        Flaky crash with JavaScript URLs
+        https://bugs.webkit.org/show_bug.cgi?id=66360
+
+        Reviewed by Nate Chapin.
+
+        * fast/loader/javascript-url-iframe-crash-expected.txt: Added.
+        * fast/loader/javascript-url-iframe-crash.html: Added.
+
 2011-08-30  Tony Gentilcore  <tonyg@chromium.org>
 
         PreloadScanner shouldn't load images inside noscript via doc.write

diff --git a/LayoutTests/fast/loader/javascript-url-iframe-crash-expected.txt b/LayoutTests/fast/loader/javascript-url-iframe-crash-expected.txt
@@ -0,0 +1,7 @@
+
+
+
+
+
+This test passes if it doesn't crash.
+
diff --git a/LayoutTests/fast/loader/javascript-url-iframe-crash.html b/LayoutTests/fast/loader/javascript-url-iframe-crash.html
@@ -0,0 +1,9 @@
+<iframe src="javascript:''"></iframe>
+<a><summary><pre><pre><pre><pre><pre><iframe src="javascript:''"></iframe>
+
+<a>
+<script>
+if (window.layoutTestController)
+    layoutTestController.dumpAsText();
+</script>
+This test passes if it doesn't crash.
diff --git a/Source/WebCore/ChangeLog b/Source/WebCore/ChangeLog
@@ -1,3 +1,18 @@
+2011-08-30  Adam Barth  <abarth@webkit.org>
+
+        Flaky crash with JavaScript URLs
+        https://bugs.webkit.org/show_bug.cgi?id=66360
+
+        Reviewed by Nate Chapin.
+
+        This patch teaches DocumentWriter::begin to make a copy of the URL
+        before beginning a new document to avoid a crash.
+
+        Test: fast/loader/javascript-url-iframe-crash.html
+
+        * loader/DocumentWriter.cpp:
+        (WebCore::DocumentWriter::begin):
+
 2011-08-30  Tony Gentilcore  <tonyg@chromium.org>
 
         PreloadScanner shouldn't load images inside noscript via doc.write

diff --git a/Source/WebCore/loader/DocumentWriter.cpp b/Source/WebCore/loader/DocumentWriter.cpp
@@ -106,12 +106,17 @@ PassRefPtr<Document> DocumentWriter::createDocument(const KURL& url)
     return DOMImplementation::createDocument(m_mimeType, m_frame, url, m_frame->inViewSourceMode());
 }
 
-void DocumentWriter::begin(const KURL& url, bool dispatch, SecurityOrigin* origin)
+void DocumentWriter::begin(const KURL& urlReference, bool dispatch, SecurityOrigin* origin)
 {
     // We need to take a reference to the security origin because |clear|
     // might destroy the document that owns it.
     RefPtr<SecurityOrigin> forcedSecurityOrigin = origin;
 
+    // We grab a local copy of the URL because it's easy for callers to supply
+    // a URL that will be deallocated during the execution of this function.
+    // For example, see <https://bugs.webkit.org/show_bug.cgi?id=66360>.
+    KURL url = urlReference;
+
     // Create a new document before clearing the frame, because it may need to
     // inherit an aliased security context.
     RefPtr<Document> document = createDocument(url);