Bug 21797 - REGRESSION: Crash in CFHTTPCookieStorageCopy beneath WebCore::cookies() when running fast/dom/document-attribute-js-null.html and http/tests/security/cookies/create-document.html
Status: RESOLVED FIXED
Alias: None
Product: WebKit
Classification: Unclassified
Component: New Bugs
Version: 528+ (Nightly build)
Hardware: PC Windows XP
Importance: P1 Normal
Assignee: Sam Weinig
Keywords: InRadar, LayoutTestFailure
Reported: 2008-10-22 08:56 PDT by Adam Roben (:aroben)
Modified: 2008-12-29 13:43 PST (History)
Attachments
patch (1.75 KB, patch)
2008-12-29 12:49 PST, Adele Peterson
beidson: review+

Description Adam Roben (:aroben) 2008-10-22 08:56:55 PDT
To reproduce:

1. Run fast/dom/document-attribute-js-null.html or http/tests/security/cookies/create-document.html

You'll crash in the call to CFHTTPCookieStorageCopy beneath WebCore::cookies(). The problem is that url is null. Here's the backtrace:

...CFNetwork frames elided...
>	WebKit_debug.dll!WebCore::cookies(const WebCore::Document * __formal=0x023a88a0, const WebCore::KURL & url={ReadArbitraryDebuggeeMemory failed (impl->characters()) = 0x80004005})  Line 82 + 0x19 bytes	C++
 	WebKit_debug.dll!WebCore::Document::cookie()  Line 2886 + 0x16 bytes	C++
 	WebKit_debug.dll!WebCore::jsDocumentCookie(JSC::ExecState * exec=0x03ba02a8, const JSC::Identifier & __formal={...}, const JSC::PropertySlot & slot={...})  Line 330 + 0x10 bytes	C++
 	WebKit_debug.dll!JSC::PropertySlot::getValue(JSC::ExecState * exec=0x03ba02a8, const JSC::Identifier & propertyName={...})  Line 62 + 0x19 bytes	C++
 	WebKit_debug.dll!JSC::JSValue::get(JSC::ExecState * exec=0x03ba02a8, const JSC::Identifier & propertyName={...}, JSC::PropertySlot & slot={...})  Line 465 + 0x14 bytes	C++
 	WebKit_debug.dll!JSC::JSValue::get(JSC::ExecState * exec=0x03ba02a8, const JSC::Identifier & propertyName={...})  Line 451 + 0x18 bytes	C++
 	WebKit_debug.dll!JSC::Machine::cti_op_get_by_val(void * * args=0x0012ead8)  Line 5010 + 0x1b bytes	C++
 	WebKit_debug.dll!JSC::Machine::cti_op_convert_this()  + 0xff bytes	C++
 	WebKit_debug.dll!JSC::Machine::execute(JSC::FunctionBodyNode * functionBodyNode=0x022d1270, JSC::ExecState * callFrame=0x0236b6dc, JSC::JSFunction * function=0x02993d00, JSC::JSObject * thisObj=0x02990000, const JSC::ArgList & args={...}, JSC::ScopeChainNode * scopeChain=0x023a9bc8, JSC::JSValuePtr * exception=0x021ec91c)  Line 993 + 0x26 bytes	C++
 	WebKit_debug.dll!JSC::JSFunction::call(JSC::ExecState * exec=0x0236b6dc, JSC::JSValuePtr thisValue={...}, const JSC::ArgList & args={...})  Line 82 + 0x54 bytes	C++
 	WebKit_debug.dll!JSC::call(JSC::ExecState * exec=0x0236b6dc, JSC::JSValuePtr functionObject={...}, JSC::CallType callType=CallTypeJS, const JSC::CallData & callData={...}, JSC::JSValuePtr thisValue={...}, const JSC::ArgList & args={...})  Line 39 + 0x23 bytes	C++
 	WebKit_debug.dll!WebCore::JSAbstractEventListener::handleEvent(WebCore::Event * event=0x023abf00, bool isWindowEvent=true)  Line 98 + 0x32 bytes	C++
 	WebKit_debug.dll!WebCore::Document::handleWindowEvent(WebCore::Event * evt=0x023abf00, bool useCapture=false)  Line 2714 + 0x2e bytes	C++
 	WebKit_debug.dll!WebCore::EventTargetNode::dispatchWindowEvent(WTF::PassRefPtr<WebCore::Event> e={...})  Line 412	C++
 	WebKit_debug.dll!WebCore::EventTargetNode::dispatchWindowEvent(const WebCore::AtomicString & eventType={...}, bool canBubbleArg=false, bool cancelableArg=false)  Line 420	C++
 	WebKit_debug.dll!WebCore::Document::implicitClose()  Line 1581	C++
 	WebKit_debug.dll!WebCore::FrameLoader::checkCallImplicitClose()  Line 1354	C++
 	WebKit_debug.dll!WebCore::FrameLoader::checkCompleted()  Line 1309	C++
 	WebKit_debug.dll!WebCore::FrameLoader::finishedParsing()  Line 1257	C++
 	WebKit_debug.dll!WebCore::Document::finishedParsing()  Line 3837	C++
 	WebKit_debug.dll!WebCore::HTMLParser::finished()  Line 1556	C++
 	WebKit_debug.dll!WebCore::HTMLTokenizer::end()  Line 1854	C++
 	WebKit_debug.dll!WebCore::HTMLTokenizer::finish()  Line 1894	C++
 	WebKit_debug.dll!WebCore::Document::finishParsing()  Line 1723 + 0x15 bytes	C++
 	WebKit_debug.dll!WebCore::FrameLoader::endIfNotLoadingMainResource()  Line 1085	C++
 	WebKit_debug.dll!WebCore::FrameLoader::end()  Line 1063	C++
 	WebKit_debug.dll!WebCore::DocumentLoader::finishedLoading()  Line 345	C++
 	WebKit_debug.dll!WebCore::FrameLoader::finishedLoading()  Line 2976	C++
 	WebKit_debug.dll!WebCore::MainResourceLoader::didFinishLoading()  Line 334	C++
 	WebKit_debug.dll!WebCore::ResourceLoader::didFinishLoading(WebCore::ResourceHandle * __formal=0x0222b880)  Line 398 + 0xf bytes	C++
 	WebKit_debug.dll!WebCore::didFinishLoading(_CFURLConnection * conn=0x0231a6e0, const void * clientInfo=0x0222b880)  Line 119 + 0x1e bytes	C++
...CFNetwork frames elided...
 	user32.dll!_InternalCallWinProc@20()  + 0x28 bytes	
 	user32.dll!_UserCallWinProcCheckWow@32()  + 0xb7 bytes	
 	user32.dll!_DispatchMessageWorker@8()  + 0xdc bytes	
 	user32.dll!_DispatchMessageW@4()  + 0xf bytes	
 	DumpRenderTree_debug.exe!runTest(const char * pathOrURL=0x0012f6e8)  Line 751 + 0xc bytes	C++
 	DumpRenderTree_debug.exe!main(int argc=2, char * * argv=0x01bf1208)  Line 1088 + 0xc bytes	C++
 	DumpRenderTree_debug.exe!__tmainCRTStartup()  Line 597 + 0x19 bytes	C
 	DumpRenderTree_debug.exe!mainCRTStartup()  Line 414	C
 	kernel32.dll!_BaseProcessStart@4()  + 0x23 bytes
Comment 1 Adam Roben (:aroben) 2008-10-22 08:57:09 PDT
Also affects http/tests/security/cookies/xmlhttprequest.html
Comment 2 Adam Roben (:aroben) 2008-10-22 09:05:52 PDT
<rdar://problem/6310682>
Comment 3 mitz 2008-10-22 10:27:22 PDT
Documents created with createDocument have an empty cookieURL(), which is then passed to cookies(), causing the crash. Perhaps Document::cookie() and Document::setCookie() should return early if the cookieURL() is empty.
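A minimal C++ model of the early-return guard Dan suggests above, added here as an illustration; it is not the WebKit patch from attachment 26294. The KURL and Document stand-ins, the throwing cookie-store stub and the sample URL are assumptions.

```cpp
#include <stdexcept>
#include <string>

// Stand-in for WebCore::KURL (assumption). An empty URL models the empty
// cookieURL() that a document created with createDocument() has.
struct KURL {
    std::string spec;
    bool isEmpty() const { return spec.empty(); }
};

// Stand-in for the platform cookie store behind WebCore::cookies(). The real
// CFHTTPCookieStorageCopy call crashed on a null URL; here that is modelled by
// throwing, so a test can show the guard keeps the call from ever happening.
static int g_cookieStoreCalls = 0;
static std::string g_storedCookie;

std::string cookies(const KURL& url)
{
    if (url.isEmpty())
        throw std::logic_error("cookies() reached with a null URL");
    ++g_cookieStoreCalls;
    return g_storedCookie;
}

void setCookies(const KURL& url, const std::string& value)
{
    if (url.isEmpty())
        throw std::logic_error("setCookies() reached with a null URL");
    ++g_cookieStoreCalls;
    g_storedCookie = value;
}

// Minimal Document exposing the two accessors named in comment 3, each
// guarded by the suggested early return when cookieURL() is empty.
struct Document {
    KURL m_cookieURL;
    const KURL& cookieURL() const { return m_cookieURL; }
    std::string cookie() const
    {
        if (cookieURL().isEmpty())
            return std::string();   // early return: the store is never reached
        return cookies(cookieURL());
    }
    void setCookie(const std::string& value)
    {
        if (cookieURL().isEmpty())
            return;                 // same guard for the setter
        setCookies(cookieURL(), value);
    }
};
```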
Comment 4 Adele Peterson 2008-12-29 12:21:33 PST
I implemented Dan's suggestion. I'm now getting some other weird crashes in ThreadGlobalData.
Comment 5 Adele Peterson 2008-12-29 12:49:49 PST
Created attachment 26294: patch

I now think the ThreadGlobalData problem is unrelated. This is a pretty safe change which should prevent the cookie crashes.
Comment 6 Adele Peterson 2008-12-29 13:43:06 PST
Committed revision 39501