| Field | Value |
|---|---|
| Summary | Fix null dereference in HTMLAnchorElement::sendPings when frame is not attached to a page |
| Product | WebKit |
| Component | DOM |
| Reporter | Ryosuke Niwa <rniwa> |
| Assignee | Ryosuke Niwa <rniwa> |
| Status | RESOLVED FIXED |
| Severity | Normal |
| Priority | P2 |
| Keywords | BlinkMergeCandidate, InRadar |
| CC | ap, commit-queue, darin, esprehn+autocc, jonlee, mjs, thorton, webkit-bug-importer |
| Version | 528+ (Nightly build) |
| Hardware | Unspecified |
| OS | Unspecified |
| Attachments | 208588 (Fixes the bug), 208598 (Adds a test), 208599 (Adds a test with real -expected.txt) |
Description
Ryosuke Niwa
2013-08-12 20:09:16 PDT
Created attachment 208588 [details]
Fixes the bug
Comment on attachment 208588 [details]
Fixes the bug

View in context: https://bugs.webkit.org/attachment.cgi?id=208588&action=review

The Blink change is quite suspicious, and I'd like to understand it better. Do you know why the bug is hidden?

> Source/WebCore/ChangeLog:10
> + No new tests since the test in the Blink change doesn't reproduce crash on WebKit.

Does it reproduce the crash in Blink? The test does a ton of weird things, and I'm not sure how those result in a frameless document. Perhaps they perform a synchronous navigation?

I suggest looking into making a new test. What if one creates a new frameless document (with document.implementation.createHTMLDocument or with a parser), adds an anchor element with a ping attribute, and calls click() on it?

Comment on attachment 208588 [details]
Fixes the bug
I agree that we should make a new test, but I also think adding the null check is fine and I trust Ryosuke to make the test.
Comment on attachment 208588 [details]
Fixes the bug
Let me try creating a test following ap's suggestion.
Comment on attachment 208588 [details]
Fixes the bug

Clearing flags on attachment: 208588

Committed r153975: <http://trac.webkit.org/changeset/153975>

All reviewed patches have been landed. Closing bug.

Oops, the commit queue outraced you! Sorry!!!

Huh, it seems like cq landed it anyway :( I DID come up with a test case so let me upload it here.

Created attachment 208598 [details]
Adds a test
Created attachment 208599 [details]
Adds a test with real -expected.txt
Committed r153982: <http://trac.webkit.org/changeset/153982>

Note that I've confirmed that the landed test case would cause a crash if we didn't have my patch.

The reason I have to detach the frame in href is that HTMLAnchorElement::click has a check for the nullity of document()->frame() at the beginning. So I had to fool this code and detach the frame inside urlSelected.
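The shape of the reproduction described in the comment above, written out as an added example; this is not the test that landed in r153982 and not WebKit project code. It assumes that "detach the frame in href" means a javascript: href, which the frame loader executes synchronously inside urlSelected() before sendPings() runs, and it uses an arbitrary ping URL that never needs to be reachable. The testRunner calls are the layout-test harness hooks; the page works without them in a plain browser.

```html
<!DOCTYPE html>
<html>
<body>
<p>Clicking an anchor with a ping attribute whose href detaches its own frame
   should not crash (added example, not the landed test).</p>
<iframe id="target"></iframe>
<script>
if (window.testRunner) {
    testRunner.dumpAsText();
    testRunner.waitUntilDone();
}

var iframe = document.getElementById('target');
var frameDoc = iframe.contentDocument;

// Called from the anchor's href while the frame loader is still inside
// urlSelected(); after this the anchor's frame is no longer attached to a page.
function detachFrame() {
    iframe.parentNode.removeChild(iframe);
}

var anchor = frameDoc.createElement('a');
// Assumed ping target: the pre-r153975 crash happened before any request left.
anchor.setAttribute('ping', 'http://127.0.0.1:8000/ping');
// Assumed mechanism: a javascript: href runs synchronously during urlSelected().
anchor.setAttribute('href', 'javascript:parent.detachFrame()');
frameDoc.body.appendChild(anchor);

// click() bails out early if document()->frame() is already null, so the frame
// has to be attached here and only go away once the href executes. Without the
// null check in sendPings(), the page is gone by the time pings are sent.
anchor.click();

document.body.appendChild(document.createTextNode('PASS: did not crash'));
if (window.testRunner)
    testRunner.notifyDone();
</script>
</body>
</html>
```

Whether a ping request is actually emitted depends on the hyperlink-auditing setting of the engine under test; the point of the page is only that the click path survives the frame being detached mid-navigation, which is why the pass condition is simply reaching the end of the script. Creating a frameless document up front with document.implementation.createHTMLDocument, as first suggested, never reaches sendPings() because click() returns at its initial frame check.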