Flaky crash with JavaScript URLs
https://bugs.webkit.org/show_bug.cgi?id=66360

Reviewed by Nate Chapin.

Source/WebCore:

This patch teaches DocumentWriter::begin to make a copy of the URL
before beginning a new document to avoid a crash.

Test: fast/loader/javascript-url-iframe-crash.html

* loader/DocumentWriter.cpp:
(WebCore::DocumentWriter::begin):

LayoutTests:

* fast/loader/javascript-url-iframe-crash-expected.txt: Added.
* fast/loader/javascript-url-iframe-crash.html: Added.


Canonical link: https://commits.webkit.org/83040@main
git-svn-id: https://svn.webkit.org/repository/webkit/trunk@94112 268f45cc-cd09-0410-ab3c-d52691b4dbfc
Adam Barth committed Aug 30, 2011
1 parent a167577 commit 5da0bf3c6973914d8572633f3722338bf0f3a22f
@@ -1,3 +1,13 @@
2011-08-30 Adam Barth <abarth@webkit.org>

Flaky crash with JavaScript URLs
https://bugs.webkit.org/show_bug.cgi?id=66360

Reviewed by Nate Chapin.

* fast/loader/javascript-url-iframe-crash-expected.txt: Added.
* fast/loader/javascript-url-iframe-crash.html: Added.

2011-08-30 Tony Gentilcore <tonyg@chromium.org>

PreloadScanner shouldn't load images inside noscript via doc.write
@@ -0,0 +1,7 @@





This test passes if it doesn't crash.

@@ -0,0 +1,9 @@
<iframe src="javascript:''"></iframe>
<a><summary><pre><pre><pre><pre><pre><iframe src="javascript:''"></iframe>

<a>
<script>
if (window.layoutTestController)
layoutTestController.dumpAsText();
</script>
This test passes if it doesn't crash.
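Review bot: the test carries no comment explaining why this particular malformed nesting (an unclosed `<a>`, `<summary>`, five unclosed `<pre>` elements and then a second `<iframe src="javascript:''">`) is needed to reproduce the crash; since the bug is titled "Flaky crash", a later cleanup could easily simplify the markup and silently lose the coverage. Suggest a one-line HTML comment above line 1 stating that the structure is deliberate and should not be tidied, and pointing at bug 66360 for the explanation. Also worth confirming: the script only calls `layoutTestController.dumpAsText()`, with no `waitUntilDone()`/`notifyDone()`, so the test only catches the crash if it happens before parsing finishes; if the crash depends on the javascript: load completing later, the test would pass without exercising the bug.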
@@ -1,3 +1,18 @@
2011-08-30 Adam Barth <abarth@webkit.org>

Flaky crash with JavaScript URLs
https://bugs.webkit.org/show_bug.cgi?id=66360

Reviewed by Nate Chapin.

This patch teaches DocumentWriter::begin to make a copy of the URL
before beginning a new document to avoid a crash.

Test: fast/loader/javascript-url-iframe-crash.html

* loader/DocumentWriter.cpp:
(WebCore::DocumentWriter::begin):

2011-08-30 Tony Gentilcore <tonyg@chromium.org>

PreloadScanner shouldn't load images inside noscript via doc.write
@@ -106,12 +106,17 @@ PassRefPtr<Document> DocumentWriter::createDocument(const KURL& url)
return DOMImplementation::createDocument(m_mimeType, m_frame, url, m_frame->inViewSourceMode());
}

void DocumentWriter::begin(const KURL& url, bool dispatch, SecurityOrigin* origin)
void DocumentWriter::begin(const KURL& urlReference, bool dispatch, SecurityOrigin* origin)
{
// We need to take a reference to the security origin because |clear|
// might destroy the document that owns it.
RefPtr<SecurityOrigin> forcedSecurityOrigin = origin;

// We grab a local copy of the URL because it's easy for callers to supply
// a URL that will be deallocated during the execution of this function.
// For example, see <https://bugs.webkit.org/show_bug.cgi?id=66360>.
KURL url = urlReference;

// Create a new document before clearing the frame, because it may need to
// inherit an aliased security context.
RefPtr<Document> document = createDocument(url);
