21797 2008-10-22 08:56:55 -0700 REGRESSION: Crash in CFHTTPCookieStorageCopy beneath WebCore::cookies() when running fast/dom/document-attribute-js-null.html and http/tests/security/cookies/create-document.html 2008-12-29 13:43:06 -0800 1 1 1 Unclassified WebKit New Bugs 528+ (Nightly build) PC Windows XP RESOLVED FIXED InRadar, LayoutTestFailure P1 Normal --- 1 aroben sam oldest_to_newest 96174 0 aroben 2008-10-22 08:56:55 -0700 To reproduce: 1. Run fast/dom/document-attribute-js-null.html or http/tests/security/cookies/create-document.html You'll crash in the call to CFHTTPCookieStorageCopy beneath WebCore::cookies(). The problem is that url is null. Here's the backtrace: ...CFNetwork frames elided... > WebKit_debug.dll!WebCore::cookies(const WebCore::Document * __formal=0x023a88a0, const WebCore::KURL & url={ReadArbitraryDebuggeeMemory failed (impl->characters()) = 0x80004005}) Line 82 + 0x19 bytes C++ WebKit_debug.dll!WebCore::Document::cookie() Line 2886 + 0x16 bytes C++ WebKit_debug.dll!WebCore::jsDocumentCookie(JSC::ExecState * exec=0x03ba02a8, const JSC::Identifier & __formal={...}, const JSC::PropertySlot & slot={...}) Line 330 + 0x10 bytes C++ WebKit_debug.dll!JSC::PropertySlot::getValue(JSC::ExecState * exec=0x03ba02a8, const JSC::Identifier & propertyName={...}) Line 62 + 0x19 bytes C++ WebKit_debug.dll!JSC::JSValue::get(JSC::ExecState * exec=0x03ba02a8, const JSC::Identifier & propertyName={...}, JSC::PropertySlot & slot={...}) Line 465 + 0x14 bytes C++ WebKit_debug.dll!JSC::JSValue::get(JSC::ExecState * exec=0x03ba02a8, const JSC::Identifier & propertyName={...}) Line 451 + 0x18 bytes C++ WebKit_debug.dll!JSC::Machine::cti_op_get_by_val(void * * args=0x0012ead8) Line 5010 + 0x1b bytes C++ WebKit_debug.dll!JSC::Machine::cti_op_convert_this() + 0xff bytes C++ WebKit_debug.dll!JSC::Machine::execute(JSC::FunctionBodyNode * functionBodyNode=0x022d1270, JSC::ExecState * callFrame=0x0236b6dc, JSC::JSFunction * function=0x02993d00, JSC::JSObject * thisObj=0x02990000, const JSC::ArgList & args={...}, JSC::ScopeChainNode * scopeChain=0x023a9bc8, JSC::JSValuePtr * exception=0x021ec91c) Line 993 + 0x26 bytes C++ WebKit_debug.dll!JSC::JSFunction::call(JSC::ExecState * exec=0x0236b6dc, JSC::JSValuePtr thisValue={...}, const JSC::ArgList & args={...}) Line 82 + 0x54 bytes C++ WebKit_debug.dll!JSC::call(JSC::ExecState * exec=0x0236b6dc, JSC::JSValuePtr functionObject={...}, JSC::CallType callType=CallTypeJS, const JSC::CallData & callData={...}, JSC::JSValuePtr thisValue={...}, const JSC::ArgList & args={...}) Line 39 + 0x23 bytes C++ WebKit_debug.dll!WebCore::JSAbstractEventListener::handleEvent(WebCore::Event * event=0x023abf00, bool isWindowEvent=true) Line 98 + 0x32 bytes C++ WebKit_debug.dll!WebCore::Document::handleWindowEvent(WebCore::Event * evt=0x023abf00, bool useCapture=false) Line 2714 + 0x2e bytes C++ WebKit_debug.dll!WebCore::EventTargetNode::dispatchWindowEvent(WTF::PassRefPtr<WebCore::Event> e={...}) Line 412 C++ WebKit_debug.dll!WebCore::EventTargetNode::dispatchWindowEvent(const WebCore::AtomicString & eventType={...}, bool canBubbleArg=false, bool cancelableArg=false) Line 420 C++ WebKit_debug.dll!WebCore::Document::implicitClose() Line 1581 C++ WebKit_debug.dll!WebCore::FrameLoader::checkCallImplicitClose() Line 1354 C++ WebKit_debug.dll!WebCore::FrameLoader::checkCompleted() Line 1309 C++ WebKit_debug.dll!WebCore::FrameLoader::finishedParsing() Line 1257 C++ WebKit_debug.dll!WebCore::Document::finishedParsing() Line 3837 C++ WebKit_debug.dll!WebCore::HTMLParser::finished() Line 1556 C++ WebKit_debug.dll!WebCore::HTMLTokenizer::end() Line 1854 C++ WebKit_debug.dll!WebCore::HTMLTokenizer::finish() Line 1894 C++ WebKit_debug.dll!WebCore::Document::finishParsing() Line 1723 + 0x15 bytes C++ WebKit_debug.dll!WebCore::FrameLoader::endIfNotLoadingMainResource() Line 1085 C++ WebKit_debug.dll!WebCore::FrameLoader::end() Line 1063 C++ WebKit_debug.dll!WebCore::DocumentLoader::finishedLoading() Line 345 C++ WebKit_debug.dll!WebCore::FrameLoader::finishedLoading() Line 2976 C++ WebKit_debug.dll!WebCore::MainResourceLoader::didFinishLoading() Line 334 C++ WebKit_debug.dll!WebCore::ResourceLoader::didFinishLoading(WebCore::ResourceHandle * __formal=0x0222b880) Line 398 + 0xf bytes C++ WebKit_debug.dll!WebCore::didFinishLoading(_CFURLConnection * conn=0x0231a6e0, const void * clientInfo=0x0222b880) Line 119 + 0x1e bytes C++ ...CFNetwork frames elided... user32.dll!_InternalCallWinProc@20() + 0x28 bytes user32.dll!_UserCallWinProcCheckWow@32() + 0xb7 bytes user32.dll!_DispatchMessageWorker@8() + 0xdc bytes user32.dll!_DispatchMessageW@4() + 0xf bytes DumpRenderTree_debug.exe!runTest(const char * pathOrURL=0x0012f6e8) Line 751 + 0xc bytes C++ DumpRenderTree_debug.exe!main(int argc=2, char * * argv=0x01bf1208) Line 1088 + 0xc bytes C++ DumpRenderTree_debug.exe!__tmainCRTStartup() Line 597 + 0x19 bytes C DumpRenderTree_debug.exe!mainCRTStartup() Line 414 C kernel32.dll!_BaseProcessStart@4() + 0x23 bytes 96175 1 aroben 2008-10-22 08:57:09 -0700 Also affects http/tests/security/cookies/xmlhttprequest.html 96180 2 aroben 2008-10-22 09:05:52 -0700 <rdar://problem/6310682> 96194 3 mitz 2008-10-22 10:27:22 -0700 Documents create with createDocument have an empty cookieURL(), which is then passed to cookies(), causing the crash. Perhaps Document::cookie() and Document::setCookie() should return early if the cookieURL() is empty. 103717 4 adele 2008-12-29 12:21:33 -0800 I implemented Dan's suggestion. I'm now getting some other weird crashes in ThreadGlobalData. 103720 5 26294 adele 2008-12-29 12:49:49 -0800 Created attachment 26294 patch I now think the ThreadGlobalData problem is unrelated. This is a pretty safe change which should prevent the cookie crashes. 103724 6 adele 2008-12-29 13:43:06 -0800 Committed revision 39501 26294 2008-12-29 12:49:49 -0800 2008-12-29 13:36:30 -0800 patch patch.txt text/plain 1792 adele SW5kZXg6IFdlYkNvcmUvQ2hhbmdlTG9nCj09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09 PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT0KLS0tIFdlYkNvcmUvQ2hhbmdlTG9n CShyZXZpc2lvbiAzOTUwMCkKKysrIFdlYkNvcmUvQ2hhbmdlTG9nCSh3b3JraW5nIGNvcHkpCkBA IC0xLDMgKzEsMTcgQEAKKzIwMDgtMTItMjkgIEFkZWxlIFBldGVyc29uICA8YWRlbGVAYXBwbGUu Y29tPgorCisgICAgICAgIFJldmlld2VkIGJ5IE5PQk9EWSAoT09QUyEpLgorCisgICAgICAgIEZp eCBmb3IgaHR0cHM6Ly9idWdzLndlYmtpdC5vcmcvc2hvd19idWcuY2dpP2lkPTIxNzk3CisgICAg ICAgIDxyZGFyOi8vcHJvYmxlbS82MzEwNjgyPiBSRUdSRVNTSU9OOiBDcmFzaCBpbiBDRkhUVFBD b29raWVTdG9yYWdlQ29weSBiZW5lYXRoIFdlYkNvcmU6OmNvb2tpZXMoKSB3aGVuIAorICAgICAg ICBydW5uaW5nIGZhc3QvZG9tL2RvY3VtZW50LWF0dHJpYnV0ZS1qcy1udWxsLmh0bWwgYW5kIGh0 dHAvdGVzdHMvc2VjdXJpdHkvY29va2llcy9jcmVhdGUtZG9jdW1lbnQuaHRtbAorICAgICAgICAK KyAgICAgICAgUmV0dXJuIGVhcmx5IGlmIHRoZSBkb2N1bWVudCBpcyB0cnlpbmcgdG8gZ2V0IG9y IHNldCBhIGNvb2tpZSB3aXRoIGFuIGVtcHR5IGNvb2tpZSB1cmwuCisKKyAgICAgICAgKiBkb20v RG9jdW1lbnQuY3BwOgorICAgICAgICAoV2ViQ29yZTo6RG9jdW1lbnQ6OmNvb2tpZSk6CisgICAg ICAgIChXZWJDb3JlOjpEb2N1bWVudDo6c2V0Q29va2llKToKKwogMjAwOC0xMi0yOCAgQ2FtZXJv biBad2FyaWNoICA8Y3d6d2FyaWNoQHV3YXRlcmxvby5jYT4KIAogICAgICAgICBSZXZpZXdlZCBi eSBTYW0gV2VpbmlnLgpJbmRleDogV2ViQ29yZS9kb20vRG9jdW1lbnQuY3BwCj09PT09PT09PT09 PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT0K LS0tIFdlYkNvcmUvZG9tL0RvY3VtZW50LmNwcAkocmV2aXNpb24gMzk1MDApCisrKyBXZWJDb3Jl L2RvbS9Eb2N1bWVudC5jcHAJKHdvcmtpbmcgY29weSkKQEAgLTI5MDIsNyArMjkwMiwxMSBAQCBT dHJpbmcgRG9jdW1lbnQ6OmNvb2tpZSgpIGNvbnN0CiAgICAgaWYgKHBhZ2UoKSAmJiAhcGFnZSgp LT5jb29raWVFbmFibGVkKCkpCiAgICAgICAgIHJldHVybiBTdHJpbmcoKTsKIAotICAgIHJldHVy biBjb29raWVzKHRoaXMsIGNvb2tpZVVSTCgpKTsKKyAgICBLVVJMIGNvb2tpZVVSTCA9IHRoaXMt PmNvb2tpZVVSTCgpOworICAgIGlmIChjb29raWVVUkwuaXNFbXB0eSgpKQorICAgICAgICByZXR1 cm4gU3RyaW5nKCk7CisKKyAgICByZXR1cm4gY29va2llcyh0aGlzLCBjb29raWVVUkwpOwogfQog CiB2b2lkIERvY3VtZW50OjpzZXRDb29raWUoY29uc3QgU3RyaW5nJiB2YWx1ZSkKQEAgLTI5MTAs NyArMjkxNCwxMSBAQCB2b2lkIERvY3VtZW50OjpzZXRDb29raWUoY29uc3QgU3RyaW5nJiB2CiAg ICAgaWYgKHBhZ2UoKSAmJiAhcGFnZSgpLT5jb29raWVFbmFibGVkKCkpCiAgICAgICAgIHJldHVy bjsKIAotICAgIHNldENvb2tpZXModGhpcywgY29va2llVVJMKCksIHBvbGljeUJhc2VVUkwoKSwg dmFsdWUpOworICAgIEtVUkwgY29va2llVVJMID0gdGhpcy0+Y29va2llVVJMKCk7CisgICAgaWYg KGNvb2tpZVVSTC5pc0VtcHR5KCkpCisgICAgICAgIHJldHVybjsKKworICAgIHNldENvb2tpZXMo dGhpcywgY29va2llVVJMLCBwb2xpY3lCYXNlVVJMKCksIHZhbHVlKTsKIH0KIAogU3RyaW5nIERv Y3VtZW50OjpyZWZlcnJlcigpIGNvbnN0Cg==