WebKit Bugzilla
Bug 45880: createBlobURL with no argument causes crash
Status: RESOLVED FIXED
https://bugs.webkit.org/show_bug.cgi?id=45880
Reported by Berend-Jan Wever, 2010-09-16 04:28:58 PDT

Created attachment 67779 [details]: Repro

<script>createBlobURL()</script>

Results from latest Chromium:

id: WebKit::WebCString::WebCString ReadAV@NULL (633fb021372abb6fa84401694bab542d)
description: Attempt to read from NULL pointer (+0x50) in WebKit::WebCString::WebCString
stack:
  WebKit::WebCString::WebCString
  WebKit::WebURL::WebURL
  WebCore::BlobRegistryProxy::registerBlobURL
  WebCore::ThreadableBlobRegistry::registerBlobURL
  WebCore::ScriptExecutionContext::createPublicBlobURL
  WebCore::DOMWindow::createBlobURL
  WebCore::DOMWindowInternal::createBlobURLCallback
  v8::internal::HandleApiCallHelper<...>
  v8::internal::Builtin_HandleApiCall
  v8::internal::Invoke
  v8::internal::Execution::Call
  v8::Function::Call
  WebCore::V8Proxy::callFunction
  WebCore::ScheduledAction::execute
  WebCore::ScheduledAction::execute
  WebCore::DOMTimer::fired
  WebCore::ThreadTimers::sharedTimerFiredInternal
  MessageLoop::RunTask
  MessageLoop::DeferOrRunPendingTask
  MessageLoop::DoDelayedWork
  base::MessagePumpDefault::Run
  MessageLoop::RunInternal
  MessageLoop::Run
  RendererMain
  ChromeMain
  MainDllLoader::Launch
  wWinMain
  __tmainCRTStartup
  BaseProcessStart
Attachments

Repro (32 bytes, text/html), 2010-09-16 04:28 PDT, Berend-Jan Wever, no flags
Proposed Patch (2.60 KB, patch), 2010-09-17 11:01 PDT, Jian Li, jianli: commit-queue-
Proposed Patch (3.60 KB, patch), 2010-09-17 11:39 PDT, Jian Li, dimich: review+, jianli: commit-queue-
Comment 1, Jian Li, 2010-09-17 11:01:13 PDT

Created attachment 67922 [details]: Proposed Patch
Comment 2, Dmitry Titov, 2010-09-17 11:19:07 PDT

Comment on attachment 67922 [details]: Proposed Patch
View in context: https://bugs.webkit.org/attachment.cgi?id=67922&action=prettypatch

> WebCore/dom/ScriptExecutionContext.cpp:266
> +    return KURL();

Would be nice to make sure that the JS object returned is undefined, not a valid empty string.
Comment 3, Jian Li, 2010-09-17 11:39:40 PDT

Created attachment 67926 [details]: Proposed Patch

Add attribute to convert null string to undefined. Also update the test to verify it.
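Added example (not WebKit's code and not part of the patches on this bug): a small C++ model of the two points the review settled on. createBlobURL() with no argument hands the registry a null blob, and the report's NULL read came from using it unchecked; the fix returns a default KURL() early, and comment 3 then makes the binding hand JS undefined instead of an empty string. The types and names here (Blob, KURL, createPublicBlobURLUnchecked, createPublicBlobURL, toJSValue, the "blob:example/" prefix) are stand-ins chosen for this example, not WebCore's actual definitions.

```cpp
#include <optional>
#include <string>

// Stand-in for WebCore::Blob (assumption: only the MIME type matters here).
struct Blob {
    std::string mimeType;
};

// Stand-in for WebCore::KURL; a default-constructed one is the "null" URL
// that the fix returns from ScriptExecutionContext::createPublicBlobURL.
struct KURL {
    std::string spec;
    bool isNull() const { return spec.empty(); }
};

// Constructed identifier source; real blob URLs are minted differently.
std::string nextBlobId() {
    static int counter = 0;
    return "blob:example/" + std::to_string(++counter);
}

// Pre-fix shape: the blob pointer is used without a check, so a null
// argument is a null-pointer read (the ReadAV@NULL in the report).
// Shown for contrast only; nothing in this example calls it with nullptr.
KURL createPublicBlobURLUnchecked(const Blob* blob) {
    return KURL{nextBlobId() + "#" + blob->mimeType};
}

// Post-fix shape: bail out with a null URL before touching the pointer.
KURL createPublicBlobURL(const Blob* blob) {
    if (!blob)
        return KURL();  // early return instead of dereferencing null
    return KURL{nextBlobId() + "#" + blob->mimeType};
}

// Models the binding attribute from comment 3: a null string crosses into
// JS as 'undefined' (nullopt here), not as a valid empty string "".
std::optional<std::string> toJSValue(const KURL& url) {
    if (url.isNull())
        return std::nullopt;
    return url.spec;
}
```

The distinction toJSValue draws is the one comment 2 asks for: a script that tests `typeof url === "string"` would wrongly treat "" as a usable URL, whereas undefined fails that check and matches what the caller actually got, no blob and therefore no URL.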
Comment 4, Dmitry Titov, 2010-09-17 11:45:53 PDT

Comment on attachment 67926 [details]: Proposed Patch
r+ with 2 nits. View in context: https://bugs.webkit.org/attachment.cgi?id=67926&action=prettypatch

> LayoutTests/fast/files/create-blob-url-crash.html:3
> +<body>

I think by moving the 'script' tag before the body and just setting <body onload="test()"> it's possible to get rid of the need to use notifyDone().

> LayoutTests/fast/files/create-blob-url-crash.html:23
> +if (window.eventSender) {

You don't use eventSender, so the check could be just "if (window.layoutTestController) ...".
Comment 5, Jian Li, 2010-09-17 12:01:51 PDT

Committed as http://trac.webkit.org/changeset/67734.