Crash in WindowProxy::setDOMWindow
https://bugs.webkit.org/show_bug.cgi?id=232763

Patch by Alex Christensen <achristensen@webkit.org> on 2022-05-04
Reviewed by Chris Dumez.

Source/WebCore:

Add a few null checks here and there.

Test: fast/dom/set-dom-window-without-page.html

* bindings/js/WindowProxy.cpp:
(WebCore::WindowProxy::setDOMWindow):
* loader/FrameLoader.cpp:
(WebCore::FrameLoader::findFrameForNavigation):

LayoutTests:

* fast/dom/set-dom-window-without-page-expected.txt: Added.
* fast/dom/set-dom-window-without-page.html: Added.

Canonical link: https://commits.webkit.org/250292@main
git-svn-id: https://svn.webkit.org/repository/webkit/trunk@293819 268f45cc-cd09-0410-ab3c-d52691b4dbfc
Alex Christensen authored and webkit-commit-queue committed May 5, 2022
1 parent 2932923 commit a6fcf79f03242628d4a197bead1a7a065cebce51
Showing 6 changed files with 47 additions and 2 deletions.
@@ -1,3 +1,13 @@
2022-05-04 Alex Christensen <achristensen@webkit.org>

Crash in WindowProxy::setDOMWindow
https://bugs.webkit.org/show_bug.cgi?id=232763

Reviewed by Chris Dumez.

* fast/dom/set-dom-window-without-page-expected.txt: Added.
* fast/dom/set-dom-window-without-page.html: Added.

2022-05-04 Simon Fraser <simon.fraser@apple.com>

Improve logging of display list items in IPC messages
@@ -0,0 +1,2 @@
CONSOLE MESSAGE: this test passes if it does not crash

@@ -0,0 +1,13 @@
<script>
if (window.testRunner) { testRunner.dumpAsText(); console.log("this test passes if it does not crash") }
function start() {
window.firstFrame = document.createElement('iframe');
document.body.appendChild(window.firstFrame);
window.secondFrame = document.createElement('iframe');
window.firstFrame.contentDocument.documentElement.appendChild(window.secondFrame);
window.secondFrame.contentWindow.onunload = function() {
document.documentElement.removeChild(window.bodyEl);
};
window.firstFrame.src = 'javascript:"";';
}
</script><body id="bodyEl"onload="start()">
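Review bot: the `<body id="bodyEl"onload="start()">` line has no space between the `id` and `onload` attributes; the HTML parser tolerates it, but it reads as a typo and should be `<body id="bodyEl" onload="start()">`. The unload handler also reaches the body through `window.bodyEl`, which is named access on the window object via the element id and easy to misread; `document.body` or `document.getElementById('bodyEl')` states the intent directly. Since the file only says "this test passes if it does not crash", a one-line comment naming the sequence being exercised (navigating the outer iframe to `javascript:"";` while the nested frame's unload handler removes the document body, so a WindowProxy ends up without a Page) would tell the next person why these particular steps matter.
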
@@ -1,3 +1,19 @@
2022-05-04 Alex Christensen <achristensen@webkit.org>

Crash in WindowProxy::setDOMWindow
https://bugs.webkit.org/show_bug.cgi?id=232763

Reviewed by Chris Dumez.

Add a few null checks here and there.

Test: fast/dom/set-dom-window-without-page.html

* bindings/js/WindowProxy.cpp:
(WebCore::WindowProxy::setDOMWindow):
* loader/FrameLoader.cpp:
(WebCore::FrameLoader::findFrameForNavigation):

2022-05-04 Simon Fraser <simon.fraser@apple.com>

Improve logging of display list items in IPC messages
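Review bot: the description `Add a few null checks here and there.` does not say what was null or where it was dereferenced, and this ChangeLog is the only prose record of the fix. Suggest stating the two concrete cases the patch shows: `WindowProxy::setDOMWindow` called `page->console()` for a window whose Page is null, and `FrameLoader::findFrameForNavigation` went on to use `activeDocument` when `m_frame.document()` is null.
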
@@ -186,9 +186,10 @@ void WindowProxy::setDOMWindow(AbstractDOMWindow* newDOMWindow)
cacheableBindingRootObject->updateGlobalObject(windowProxy->window());

windowProxy->attachDebugger(page ? page->debugger() : nullptr);
if (page)
if (page) {
windowProxy->window()->setProfileGroup(page->group().identifier());
windowProxy->window()->setConsoleClient(page->console());
windowProxy->window()->setConsoleClient(page->console());
}
}
}

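Review bot: with `windowProxy->window()->setConsoleClient(page->console());` moved inside `if (page) {`, a window that has no Page is left with whatever console client it already had, while the line just above explicitly passes null through `attachDebugger(page ? page->debugger() : nullptr)`. If a WindowProxy can reach this code after losing its Page (which is what the bug title suggests), consider mirroring attachDebugger's handling and clearing the console client in that case, assuming the setter accepts a null client, so the window does not keep a client that belongs to a Page that is gone; if the client is always unset on a fresh window and this can only be reached for fresh windows, a short comment saying so would make the asymmetry with attachDebugger deliberate rather than accidental.
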
@@ -3744,6 +3744,9 @@ Frame* FrameLoader::findFrameForNavigation(const AtomString& name, Document* act
if (!activeDocument)
activeDocument = m_frame.document();

if (!activeDocument)
return nullptr;

auto* frame = m_frame.tree().find(name, activeDocument->frame() ? *activeDocument->frame() : m_frame);

if (!activeDocument->canNavigate(frame))

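Review bot: the early `return nullptr;` after the `activeDocument = m_frame.document();` fallback is the right place for it, since both `activeDocument->frame()` in the `m_frame.tree().find(...)` call and `activeDocument->canNavigate(frame)` below would otherwise dereference a null document. Two things to confirm before landing: that every caller of findFrameForNavigation already treats a null return as "no target frame" rather than "frame found but navigation refused", because this path now returns null without reaching `canNavigate` and without any diagnostic; and whether `fast/dom/set-dom-window-without-page.html` actually drives this function, since the ChangeLog lists it as the only test and the crash in the title is in WindowProxy::setDOMWindow. If this hunk is purely defensive, saying so in the ChangeLog would save the next reader a hunt.
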