RESOLVED FIXED 21797
REGRESSION: Crash in CFHTTPCookieStorageCopy beneath WebCore::cookies() when running fast/dom/document-attribute-js-null.html and http/tests/security/cookies/create-document.html
https://bugs.webkit.org/show_bug.cgi?id=21797
Adam Roben (:aroben)
Reported 2008-10-22 08:56:55 PDT
To reproduce:
1. Run fast/dom/document-attribute-js-null.html or http/tests/security/cookies/create-document.html

You'll crash in the call to CFHTTPCookieStorageCopy beneath WebCore::cookies(). The problem is that url is null.

Here's the backtrace:

...CFNetwork frames elided...
> WebKit_debug.dll!WebCore::cookies(const WebCore::Document * __formal=0x023a88a0, const WebCore::KURL & url={ReadArbitraryDebuggeeMemory failed (impl->characters()) = 0x80004005}) Line 82 + 0x19 bytes C++
WebKit_debug.dll!WebCore::Document::cookie() Line 2886 + 0x16 bytes C++
WebKit_debug.dll!WebCore::jsDocumentCookie(JSC::ExecState * exec=0x03ba02a8, const JSC::Identifier & __formal={...}, const JSC::PropertySlot & slot={...}) Line 330 + 0x10 bytes C++
WebKit_debug.dll!JSC::PropertySlot::getValue(JSC::ExecState * exec=0x03ba02a8, const JSC::Identifier & propertyName={...}) Line 62 + 0x19 bytes C++
WebKit_debug.dll!JSC::JSValue::get(JSC::ExecState * exec=0x03ba02a8, const JSC::Identifier & propertyName={...}, JSC::PropertySlot & slot={...}) Line 465 + 0x14 bytes C++
WebKit_debug.dll!JSC::JSValue::get(JSC::ExecState * exec=0x03ba02a8, const JSC::Identifier & propertyName={...}) Line 451 + 0x18 bytes C++
WebKit_debug.dll!JSC::Machine::cti_op_get_by_val(void * * args=0x0012ead8) Line 5010 + 0x1b bytes C++
WebKit_debug.dll!JSC::Machine::cti_op_convert_this() + 0xff bytes C++
WebKit_debug.dll!JSC::Machine::execute(JSC::FunctionBodyNode * functionBodyNode=0x022d1270, JSC::ExecState * callFrame=0x0236b6dc, JSC::JSFunction * function=0x02993d00, JSC::JSObject * thisObj=0x02990000, const JSC::ArgList & args={...}, JSC::ScopeChainNode * scopeChain=0x023a9bc8, JSC::JSValuePtr * exception=0x021ec91c) Line 993 + 0x26 bytes C++
WebKit_debug.dll!JSC::JSFunction::call(JSC::ExecState * exec=0x0236b6dc, JSC::JSValuePtr thisValue={...}, const JSC::ArgList & args={...}) Line 82 + 0x54 bytes C++
WebKit_debug.dll!JSC::call(JSC::ExecState * exec=0x0236b6dc, JSC::JSValuePtr functionObject={...}, JSC::CallType callType=CallTypeJS, const JSC::CallData & callData={...}, JSC::JSValuePtr thisValue={...}, const JSC::ArgList & args={...}) Line 39 + 0x23 bytes C++
WebKit_debug.dll!WebCore::JSAbstractEventListener::handleEvent(WebCore::Event * event=0x023abf00, bool isWindowEvent=true) Line 98 + 0x32 bytes C++
WebKit_debug.dll!WebCore::Document::handleWindowEvent(WebCore::Event * evt=0x023abf00, bool useCapture=false) Line 2714 + 0x2e bytes C++
WebKit_debug.dll!WebCore::EventTargetNode::dispatchWindowEvent(WTF::PassRefPtr<WebCore::Event> e={...}) Line 412 C++
WebKit_debug.dll!WebCore::EventTargetNode::dispatchWindowEvent(const WebCore::AtomicString & eventType={...}, bool canBubbleArg=false, bool cancelableArg=false) Line 420 C++
WebKit_debug.dll!WebCore::Document::implicitClose() Line 1581 C++
WebKit_debug.dll!WebCore::FrameLoader::checkCallImplicitClose() Line 1354 C++
WebKit_debug.dll!WebCore::FrameLoader::checkCompleted() Line 1309 C++
WebKit_debug.dll!WebCore::FrameLoader::finishedParsing() Line 1257 C++
WebKit_debug.dll!WebCore::Document::finishedParsing() Line 3837 C++
WebKit_debug.dll!WebCore::HTMLParser::finished() Line 1556 C++
WebKit_debug.dll!WebCore::HTMLTokenizer::end() Line 1854 C++
WebKit_debug.dll!WebCore::HTMLTokenizer::finish() Line 1894 C++
WebKit_debug.dll!WebCore::Document::finishParsing() Line 1723 + 0x15 bytes C++
WebKit_debug.dll!WebCore::FrameLoader::endIfNotLoadingMainResource() Line 1085 C++
WebKit_debug.dll!WebCore::FrameLoader::end() Line 1063 C++
WebKit_debug.dll!WebCore::DocumentLoader::finishedLoading() Line 345 C++
WebKit_debug.dll!WebCore::FrameLoader::finishedLoading() Line 2976 C++
WebKit_debug.dll!WebCore::MainResourceLoader::didFinishLoading() Line 334 C++
WebKit_debug.dll!WebCore::ResourceLoader::didFinishLoading(WebCore::ResourceHandle * __formal=0x0222b880) Line 398 + 0xf bytes C++
WebKit_debug.dll!WebCore::didFinishLoading(_CFURLConnection * conn=0x0231a6e0, const void * clientInfo=0x0222b880) Line 119 + 0x1e bytes C++
...CFNetwork frames elided...
user32.dll!_InternalCallWinProc@20() + 0x28 bytes
user32.dll!_UserCallWinProcCheckWow@32() + 0xb7 bytes
user32.dll!_DispatchMessageWorker@8() + 0xdc bytes
user32.dll!_DispatchMessageW@4() + 0xf bytes
DumpRenderTree_debug.exe!runTest(const char * pathOrURL=0x0012f6e8) Line 751 + 0xc bytes C++
DumpRenderTree_debug.exe!main(int argc=2, char * * argv=0x01bf1208) Line 1088 + 0xc bytes C++
DumpRenderTree_debug.exe!__tmainCRTStartup() Line 597 + 0x19 bytes C
DumpRenderTree_debug.exe!mainCRTStartup() Line 414 C
kernel32.dll!_BaseProcessStart@4() + 0x23 bytes
Attachments
patch (1.75 KB, patch)
2008-12-29 12:49 PST, Adele Peterson
beidson: review+
Adam Roben (:aroben)
Comment 1 2008-10-22 08:57:09 PDT
Also affects http/tests/security/cookies/xmlhttprequest.html
Adam Roben (:aroben)
Comment 2 2008-10-22 09:05:52 PDT
mitz
Comment 3 2008-10-22 10:27:22 PDT
Documents created with createDocument have an empty cookieURL(), which is then passed to cookies(), causing the crash. Perhaps Document::cookie() and Document::setCookie() should return early if the cookieURL() is empty.
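A minimal model of the crash mitz describes and of the early return he suggests, added here as an illustration. This is not WebKit's code: KURL, Document, the platform call and the sample cookie are simplified stand-ins, and the throw in platformCookies() models the null-URL crash.

```cpp
#include <map>
#include <stdexcept>
#include <string>

// Stand-in for WebCore::KURL. A document created through createDocument()
// ends up with an empty cookieURL(), which is the case that crashed.
struct KURL {
    std::string spec;
    bool isEmpty() const { return spec.empty(); }
};

// Hypothetical cookie jar holding one constructed sample cookie.
static std::map<std::string, std::string> g_cookieJar = {{"http://example.test/", "session=abc123"}};

// Stands in for the platform call (CFHTTPCookieStorageCopy) that uses the
// URL unconditionally; the throw models the null-URL crash.
std::string platformCookies(const KURL& url)
{
    if (url.isEmpty())
        throw std::logic_error("null URL dereferenced");
    auto it = g_cookieJar.find(url.spec);
    return it == g_cookieJar.end() ? std::string() : it->second;
}

struct Document {
    KURL m_cookieURL;  // empty for createDocument() documents
    const KURL& cookieURL() const { return m_cookieURL; }
    // Before: cookieURL() goes straight to the platform layer.
    std::string cookieUnguarded() const { return platformCookies(cookieURL()); }
    // After: both accessors return early when there is no cookie URL.
    std::string cookie() const
    {
        if (cookieURL().isEmpty())
            return std::string();
        return platformCookies(cookieURL());
    }
    void setCookie(const std::string& value)
    {
        if (cookieURL().isEmpty())
            return;
        g_cookieJar[cookieURL().spec] = value;
    }
};

// True when the unguarded accessor hits the modelled crash.
bool unguardedCrashes(const Document& doc)
{
    try { doc.cookieUnguarded(); } catch (const std::logic_error&) { return true; }
    return false;
}
```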
Adele Peterson
Comment 4 2008-12-29 12:21:33 PST
I implemented Dan's suggestion. I'm now getting some other weird crashes in ThreadGlobalData.
Adele Peterson
Comment 5 2008-12-29 12:49:49 PST
Created attachment 26294 [details]
patch

I now think the ThreadGlobalData problem is unrelated. This is a pretty safe change which should prevent the cookie crashes.
Adele Peterson
Comment 6 2008-12-29 13:43:06 PST
Committed revision 39501