Bug 34722

Summary: [Chromium] Confirm index is valid in BackForwardListClientImpl::itemAtIndex() before returning non-null
Product: WebKit Reporter: Nate Chapin <japhet>
Component: WebCore Misc.Assignee: Nate Chapin <japhet>
Status: RESOLVED FIXED    
Severity: Normal CC: scarybeasts
Priority: P2    
Version: 528+ (Nightly build)   
Hardware: PC   
OS: OS X 10.5   
Attachments:
Description Flags
patch
none
layout test abarth: review+

Nate Chapin
Reported 2010-02-08 13:17:54 PST
Chromium bug: http://crbug.com/33929 If a history.forward() call occurs, for example, at the start of a page load, we will end up cancelling the original load because itemAtIndex() is returning non-null even though the forward list is empty.
Attachments
patch (1.17 KB, patch)
2010-02-08 13:52 PST, Nate Chapin 		no flags
DetailsFormatted DiffDiff
layout test (1.61 KB, patch)
2010-02-08 16:25 PST, Nate Chapin 		abarth: review+
DetailsFormatted DiffDiff
Show Obsolete (1) View All Add attachment proposed patch, testcase, etc.
Nate Chapin
Comment 1 2010-02-08 13:52:44 PST
Created attachment 48364 [details] patch
Darin Fisher (:fishd, Google)
Comment 2 2010-02-08 14:00:45 PST
Comment on attachment 48364 [details] patch Please add a link to this bug in the ChangeLog entry. > Index: WebKit/chromium/src/BackForwardListClientImpl.cpp > =================================================================== > --- WebKit/chromium/src/BackForwardListClientImpl.cpp (revision 54505) > +++ WebKit/chromium/src/BackForwardListClientImpl.cpp (working copy) > @@ -90,7 +90,7 @@ > > HistoryItem* BackForwardListClientImpl::itemAtIndex(int index) > { > - if (!m_webView->client()) > + if (!m_webView->client() || index > forwardListCount() || index < (backListCount() * -1)) It might read slightly better as: if (!m_webView->client() || index > forwardListCount() || -index > backListCount()) Either way, R=me Please file a bug about adding a layout test per our discussion. For those reading at home, Nate's initial attempts at creating a test didn't pan out, and this bug is a release blocker for Chrome, so we are splitting the task into two bugs. He'll work on completing the layout test next.
Nate Chapin
Comment 3 2010-02-08 14:47:50 PST
Comment on attachment 48364 [details] patch http://trac.webkit.org/changeset/54511 If it's alright, I'll leave this bug open for the layout test that I will be submitting ASAP.
Eric Seidel (no email)
Comment 4 2010-02-08 15:12:15 PST
Comment on attachment 48364 [details] patch Cleared Darin Fisher's review+ from obsolete attachment 48364 [details] so that this bug does not appear in http://webkit.org/pending-commit.
Nate Chapin
Comment 5 2010-02-08 16:25:10 PST
Created attachment 48375 [details] layout test Sorry for the delay in getting this test out.
Chris Evans
Comment 6 2010-02-08 17:07:52 PST
Do we know what revision broke this?
Adam Barth
Comment 7 2010-02-09 12:31:02 PST
Comment on attachment 48375 [details] layout test I support all passing tests.
Nate Chapin
Comment 8 2010-02-10 09:02:15 PST
http://trac.webkit.org/changeset/54600
Note You need to log in before you can comment on or make changes to this bug.