Bug 67805

Summary: [Chromium] Crash in WebCore::DatabaseObserver
Product: WebKit Reporter: Stephen Chenney <schenney>
Component: WebKit Misc.Assignee: Stephen Chenney <schenney>
Status: RESOLVED FIXED    
Severity: Normal CC: abarth, dglazkov, levin, michaeln, schenney, webkit.review.bot
Priority: P2    
Version: 528+ (Nightly build)   
Hardware: Other   
OS: All   
Attachments:
Description Flags
Patch
none
Patch
none
Patch none

Stephen Chenney
Reported 2011-09-08 14:28:24 PDT
http://code.google.com/p/chromium/issues/detail?id=88042 WebFrameImpl::fromFrame may return null, and DatabaseObserver::canEstablishDatabase does not check for this, leading to potential crashes.
Attachments
Patch (1.78 KB, patch)
2011-09-15 14:11 PDT, Stephen Chenney 		no flags
DetailsFormatted DiffDiff
Patch (1.65 KB, patch)
2011-09-16 09:19 PDT, Stephen Chenney 		no flags
DetailsFormatted DiffDiff
Patch (1.86 KB, patch)
2011-09-23 08:45 PDT, Stephen Chenney 		no flags
DetailsFormatted DiffDiff
Show Obsolete (2) View All Add attachment proposed patch, testcase, etc.
Stephen Chenney
Comment 1 2011-09-15 14:11:27 PDT
Created attachment 107549 [details] Patch
Michael Nordman
Comment 2 2011-09-15 17:34:09 PDT
this looks reasonable to me i think changing the return value at the end to false is reasonable, but i don't know if there are chromium/webkit api users that are depending on the true return value at this time... are their any consumers that don't provide a permissionClient that this change would break? also, i'm noticing that 'true' is the default return value for the allowDatabase method in WebPermissionsClient.h maybe it's safer and more consistent to not change that return value at the end in this crash fixing patch wdyt?
Stephen Chenney
Comment 3 2011-09-16 09:15:12 PDT
I investigated further, looking for cases in the chromium code base where the WebPermissionsClient is set on the WebViewImpl. The only location is in chrome_render_view_observer, and the AllowDatabase setting for that ultimately comes from the browser's cookie settings. So it is certainly plausible that there exist other users of the database code that do not set any permissions client. There is also database related code in WebWorkerClientImpl, and it defaults to true when there is no permissions client (and the permissions client always returns true, as far as I can tell). Given this, and the default of true in the permissions client, I will change the return value.
Stephen Chenney
Comment 4 2011-09-16 09:19:46 PDT
Created attachment 107663 [details] Patch
Michael Nordman
Comment 5 2011-09-16 13:43:32 PDT
fwiw lgtm (but i dont have review rights)
Michael Nordman
Comment 6 2011-09-19 13:44:34 PDT
adding some webkit reviewers
David Levin
Comment 7 2011-09-19 14:19:52 PDT
Comment on attachment 107663 [details] Patch View in context: https://bugs.webkit.org/attachment.cgi?id=107663&action=review Is it possible to test this? Is it possible for webFrame->viewImpl() to be 0? What about document->frame()? > Source/WebKit/chromium/ChangeLog:10 > + null frame and return false when the frame is null. Investiagted typo: Investiagted
Stephen Chenney
Comment 8 2011-09-21 08:51:46 PDT
I have no idea how to test that this resolves the crash, but I will look into it. At the same time I'll try to figure out why one thing may be null but not another.
Stephen Chenney
Comment 9 2011-09-22 11:19:59 PDT
Is it possible to test this? There was no repro case in the original crash report. It clearly depends on having a script execution context with a valid document (if you have the context you have the document) but an invalid frame. I'll try to repro with that in mind. Is it possible for webFrame->viewImpl() to be 0? webFrame->viewImpl() may be 0 if the frame is 0 or the page for the frame is 0. That means it should be checked too. What about document->frame()? document->frame() is probably the 0 object in this situation, but that does not need to be checked because WebFrameImpl::fromFrame(document->frame()) is happy to return 0 when it gets 0.
Stephen Chenney
Comment 10 2011-09-23 08:45:14 PDT
Created attachment 108481 [details] Patch
Stephen Chenney
Comment 11 2011-09-23 08:52:10 PDT
I have no commit status at this time. Please do the honors for me.
David Levin
Comment 12 2011-09-23 08:53:02 PDT
Comment on attachment 108481 [details] Patch Feel free to mark your patch as cq? if you'd like it marked cq+ :)
WebKit Review Bot
Comment 13 2011-09-23 09:07:53 PDT
Comment on attachment 108481 [details] Patch Attachment 108481 [details] did not pass chromium-ews (chromium-xvfb): Output: http://queues.webkit.org/results/9818156 New failing tests: svg/custom/svg-fonts-word-spacing.html
David Levin
Comment 14 2011-09-23 11:10:28 PDT
Comment on attachment 108481 [details] Patch If at first you don't succeed... that test failure in svg is totally unrelated to this change.
WebKit Review Bot
Comment 15 2011-09-23 15:33:23 PDT
Comment on attachment 108481 [details] Patch Clearing flags on attachment: 108481 Committed r95871: <http://trac.webkit.org/changeset/95871>
WebKit Review Bot
Comment 16 2011-09-23 15:33:29 PDT
All reviewed patches have been landed. Closing bug.
Note You need to log in before you can comment on or make changes to this bug.