Bug 119716

Summary: Fix null dereference in HTMLAnchorElement::sendPings when frame is not attached to a page
Product: WebKit Reporter: Ryosuke Niwa <rniwa>
Component: DOMAssignee: Ryosuke Niwa <rniwa>
Status: RESOLVED FIXED    
Severity: Normal CC: ap, commit-queue, darin, esprehn+autocc, jonlee, mjs, thorton, webkit-bug-importer
Priority: P2 Keywords: BlinkMergeCandidate, InRadar
Version: 528+ (Nightly build)   
Hardware: Unspecified   
OS: Unspecified   
Attachments:
Description Flags
Fixes the bug
none
Adds a test
none
Adds a test with real -expected.txt darin: review+

Attachments
Fixes the bug (1.50 KB, patch)
2013-08-12 20:10 PDT, Ryosuke Niwa 		no flags
DetailsFormatted DiffDiff
Adds a test (2.05 KB, patch)
2013-08-12 23:32 PDT, Ryosuke Niwa 		no flags
DetailsFormatted DiffDiff
Adds a test with real -expected.txt (2.41 KB, patch)
2013-08-12 23:34 PDT, Ryosuke Niwa 		darin: review+
DetailsFormatted DiffDiff
Show Obsolete (2) View All Add attachment proposed patch, testcase, etc.
Ryosuke Niwa
Comment 1 2013-08-12 20:10:49 PDT
Created attachment 208588 [details] Fixes the bug
Alexey Proskuryakov
Comment 2 2013-08-12 20:55:52 PDT
Comment on attachment 208588 [details] Fixes the bug View in context: https://bugs.webkit.org/attachment.cgi?id=208588&action=review The Blink change is quite suspicious, and I'd like to understand it better. Do you know why the bug is hidden? > Source/WebCore/ChangeLog:10 > + No new tests since the test in the Blink change doesn't reproduce crash on WebKit. Does it reproduce the crash in Blink? The test does a ton of weird things, and I'm not sure how those result in a frameless document. Perhaps they perform a synchronous navigation? I suggest to look into making a new test. What if one creates a new frameless document (with document.implementation.createHTMLDocument or with a parser), adds an anchor element with a ping attribute, and calls click() on it?
Darin Adler
Comment 3 2013-08-12 22:23:57 PDT
Comment on attachment 208588 [details] Fixes the bug I agree that we should make a new test, but I also think adding the null check is fine and I trust Ryosuke to make the test.
Ryosuke Niwa
Comment 4 2013-08-12 22:46:36 PDT
Comment on attachment 208588 [details] Fixes the bug Let me try creating a test following ap's suggestion.
WebKit Commit Bot
Comment 5 2013-08-12 22:47:25 PDT
Comment on attachment 208588 [details] Fixes the bug Clearing flags on attachment: 208588 Committed r153975: <http://trac.webkit.org/changeset/153975>
WebKit Commit Bot
Comment 6 2013-08-12 22:47:28 PDT
All reviewed patches have been landed. Closing bug.
Darin Adler
Comment 7 2013-08-12 22:52:06 PDT
Oops, the commit queue outraced you! Sorry!!!
Ryosuke Niwa
Comment 8 2013-08-12 22:54:46 PDT
Huh, it seems like cq landed it anyway :(
Ryosuke Niwa
Comment 9 2013-08-12 22:55:28 PDT
I DID come up with a test case so let me upload it here.
Ryosuke Niwa
Comment 10 2013-08-12 23:32:39 PDT
Created attachment 208598 [details] Adds a test
Ryosuke Niwa
Comment 11 2013-08-12 23:34:58 PDT
Created attachment 208599 [details] Adds a test with real -expected.txt
Ryosuke Niwa
Comment 12 2013-08-12 23:37:41 PDT
Committed r153982: <http://trac.webkit.org/changeset/153982>
Radar WebKit Bug Importer
Comment 13 2013-08-12 23:37:51 PDT
<rdar://problem/14721165>
Radar WebKit Bug Importer
Comment 14 2013-08-12 23:37:55 PDT
<rdar://problem/14721167>
Ryosuke Niwa
Comment 15 2013-08-13 00:09:57 PDT
Note that I've confirmed that the landed test case will cause a crash if we didn't have my patch. The reason I have to detach the frame in href is that HTMLAnchorElement::click has a check for the nullity of document()->frame() at the beginning. So I had to fool this code and detach the frame inside urlSelected.
Note You need to log in before you can comment on or make changes to this bug.