Bug 101119 - Crash calling is8Bit() in visitedLinkHash()
Summary: Crash calling is8Bit() in visitedLinkHash()
Status: RESOLVED FIXED
Alias: None
Product: WebKit
Classification: Unclassified
Component: Platform
Version: 528+ (Nightly build)
Hardware: All
OS: All
Importance: P1 Normal
Assignee: Michael Saboff
URL:
Keywords: InRadar
Depends on:
Blocks:
 
Reported: 2012-11-02 16:08 PDT by Michael Saboff
Modified: 2022-02-28 04:05 PST
CC List: 0 users

See Also:


Attachments
Patch (1.37 KB, patch)
2012-11-02 16:12 PDT, Michael Saboff
fpizlo: review+

Description Michael Saboff 2012-11-02 16:08:56 PDT
Changeset r133334: <http://trac.webkit.org/changeset/133334> introduced a call to is8Bit() on a possibly null string. Appropriate checks need to be added for both KURL and attributeURL.

From <rdar://problem/12628447> Crash calling is8Bit() in visitedLinkHash():

I just crashed at the stack below.

Was at <http://www.nationalmemo.com/why-do-so-many-republicans-really-hate-obama/>, went into Reader mode, tried to scroll.

attributeURL is a null string.

    frame #13: 0x00000001011a6bf5 WebKit2`WebKit::WebConnectionToUIProcess::didReceiveMessage(CoreIPC::Connection*, CoreIPC::MessageID, CoreIPC::MessageDecoder&) + 149 at WebConnectionToUIProcess.cpp:71
    frame #14: 0x00000001011a6c3d WebKit2`non-virtual thunk to WebKit::WebConnectionToUIProcess::didReceiveMessage(CoreIPC::Connection*, CoreIPC::MessageID, CoreIPC::MessageDecoder&) + 61 at WebConnectionToUIProcess.cpp:72
    frame #15: 0x00000001010311f8 WebKit2`CoreIPC::Connection::dispatchMessage(CoreIPC::MessageID, CoreIPC::MessageDecoder&) + 72 at Connection.cpp:663
    frame #16: 0x000000010102eade WebKit2`CoreIPC::Connection::dispatchMessage(CoreIPC::Connection::Message<CoreIPC::MessageDecoder>&) + 318 at Connection.cpp:686
    frame #17: 0x00000001010311a9 WebKit2`CoreIPC::Connection::dispatchOneMessage() + 201 at Connection.cpp:712
    frame #18: 0x0000000101038040 WebKit2`WTF::FunctionWrapper<void (CoreIPC::Connection::*)()>::operator()(CoreIPC::Connection*) + 112 at Functional.h:174
    frame #19: 0x0000000101037fc5 WebKit2`WTF::BoundFunctionImpl<WTF::FunctionWrapper<void (CoreIPC::Connection::*)()>, void (CoreIPC::Connection*)>::operator()() + 53 at Functional.h:406
    frame #20: 0x00000001046417c9 WebCore`WTF::Function<void ()>::operator()() const + 137 at Functional.h:614
    frame #21: 0x000000010464140f WebCore`WebCore::RunLoop::performWork() + 207 at RunLoop.cpp:87
    frame #22: 0x000000010464291e WebCore`WebCore::RunLoop::performWork(void*) + 62 at RunLoopCF.cpp:66
    frame #23: 0x00007fff88383101 CoreFoundation`__CFRUNLOOP_IS_CALLING_OUT_TO_A_SOURCE0_PERFORM_FUNCTION__ + 17
    frame #24: 0x00007fff88382aed CoreFoundation`__CFRunLoopDoSources0 + 445
    frame #25: 0x00007fff883a5dc5 CoreFoundation`__CFRunLoopRun + 789
    frame #26: 0x00007fff883a56b2 CoreFoundation`CFRunLoopRunSpecific + 290
    frame #27: 0x00007fff8e6ba0a4 HIToolbox`RunCurrentEventLoopInMode + 209
    frame #28: 0x00007fff8e6b9e42 HIToolbox`ReceiveNextEventCommon + 356
    frame #29: 0x00007fff8e6b9cd3 HIToolbox`BlockUntilNextEventMatchingListInMode + 62
    frame #30: 0x00007fff83ef8613 AppKit`_DPSNextEvent + 685
    frame #31: 0x00007fff83ef7ed2 AppKit`-[NSApplication nextEventMatchingMask:untilDate:inMode:dequeue:] + 128
    frame #32: 0x00007fff83eef283 AppKit`-[NSApplication run] + 517
    frame #33: 0x000000010464359c WebCore`WebCore::RunLoop::run() + 92 at RunLoopMac.mm:36
    frame #34: 0x0000000101341449 WebKit2`WebKit::WebProcessMain(WebKit::CommandLine const&) + 4233 at WebProcessMainMac.mm:190
    frame #35: 0x0000000101239a7a WebKit2`WebKitMain + 202 at WebKitMain.cpp:58
    frame #36: 0x0000000101239989 WebKit2`WebKitMain + 153 at WebKitMain.cpp:88
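As an added illustration of the defect class described above (this is not WebKit's code and not the attached patch): a constructed stand-in for WTF::String whose is8Bit() reads a flag on the impl without checking for null, and a visitedLinkHash-shaped function in its unguarded form beside the form that checks both inputs with isEmpty() first. The String class, the FNV hash, the way the two URLs are combined, and the function signatures are all assumptions made for this example; in WebKit the null String is a null-pointer dereference, whereas this model throws so the failure can be observed in a test instead of as a crash.

```cpp
#include <cstdint>
#include <memory>
#include <stdexcept>
#include <string>
#include <utility>

// Constructed stand-in for WTF::String (not WebKit code). A String owns a
// possibly-null impl; a default-constructed String is the "null string" the
// report mentions (attributeURL was null when the crash happened).
struct StringImpl {
    std::string chars;
    bool is8Bit = true;
};

class String {
public:
    String() = default;                 // null string: no impl at all
    String(const char* s) {
        auto impl = std::make_shared<StringImpl>();
        impl->chars = s;
        m_impl = std::move(impl);
    }

    bool isNull() const { return !m_impl; }
    // isEmpty() is true for both the null string and the zero-length string,
    // which is why a single isEmpty() check covers the null case.
    bool isEmpty() const { return !m_impl || m_impl->chars.empty(); }

    // Models is8Bit() reading a flag on the impl with no null check. In this
    // stand-in the null-impl path throws (modelling choice for testability);
    // the real thing dereferences a null pointer.
    bool is8Bit() const {
        if (!m_impl)
            throw std::logic_error("is8Bit() called on a null String");
        return m_impl->is8Bit;
    }
    const std::string& chars() const { return m_impl->chars; }

private:
    std::shared_ptr<StringImpl> m_impl;
};

// Stand-in 64-bit FNV-1a over the bytes of a non-null string (assumed hash,
// not the one WebKit uses for visited links).
static uint64_t fnv1a(const std::string& s) {
    uint64_t h = 1469598103934665603ull;
    for (unsigned char c : s) {
        h ^= c;
        h *= 1099511628211ull;
    }
    return h;
}

// Shape of the defect: is8Bit() is reached before anything establishes that
// either string is non-null. (Simplified: the real function resolves the
// attribute URL against the base URL; this just combines two hashes.)
uint64_t visitedLinkHashUnguarded(const String& baseURL, const String& attributeURL) {
    if (!attributeURL.is8Bit() || !baseURL.is8Bit())   // null String blows up here
        return 0;
    return fnv1a(baseURL.chars()) ^ (fnv1a(attributeURL.chars()) * 31);
}

// Guarded shape: both inputs are checked with isEmpty(), which also rejects a
// null string, before any method that dereferences the impl is called.
uint64_t visitedLinkHashGuarded(const String& baseURL, const String& attributeURL) {
    if (baseURL.isEmpty() || attributeURL.isEmpty())
        return 0;                                       // nothing to hash
    if (!attributeURL.is8Bit() || !baseURL.is8Bit())
        return 0;
    return fnv1a(baseURL.chars()) ^ (fnv1a(attributeURL.chars()) * 31);
}

// True if the unguarded version trips the null-impl path for a null
// attributeURL (the input the report describes).
bool unguardedFailsOnNullAttribute() {
    try {
        visitedLinkHashUnguarded(String("http://example.test/"), String());
    } catch (const std::logic_error&) {
        return true;
    }
    return false;
}
```

The guarded version returns 0 for a null or empty input on either side, which is the behaviour to verify in a regression test: the hash of a valid pair must be unchanged by the fix, and the null case must no longer reach is8Bit().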
Comment 1 Michael Saboff 2012-11-02 16:12:13 PDT
Created attachment 172169
Patch
Comment 2 Filip Pizlo 2012-11-02 16:19:03 PDT
Comment on attachment 172169
Patch

View in context: https://bugs.webkit.org/attachment.cgi?id=172169&action=review

> Source/WebCore/ChangeLog:8
> +        Added a length check to AttributeURL and a isEmpty() check to KURL.

Nit: they're both isEmpty() checks.
Comment 3 Michael Saboff 2012-11-02 17:02:55 PDT
Committed r133377: <http://trac.webkit.org/changeset/133377>