Bug 45880 - createBlobURL with no argument causes crash
Summary: createBlobURL with no argument causes crash
Status: RESOLVED FIXED
Alias: None
Product: WebKit
Classification: Unclassified
Component: DOM
Version: 528+ (Nightly build)
Hardware: PC Windows Vista
Importance: P1 Normal
Assignee: Jian Li
URL:
Keywords:
Depends on:
Blocks:
 
Reported: 2010-09-16 04:28 PDT by Berend-Jan Wever
Modified: 2010-09-17 12:01 PDT
CC: 4 users

See Also:


Attachments
Repro (32 bytes, text/html), 2010-09-16 04:28 PDT, Berend-Jan Wever, no flags
Proposed Patch (2.60 KB, patch), 2010-09-17 11:01 PDT, Jian Li, jianli: commit-queue-
Proposed Patch (3.60 KB, patch), 2010-09-17 11:39 PDT, Jian Li, dimich: review+, jianli: commit-queue-

Description Berend-Jan Wever 2010-09-16 04:28:58 PDT
Created attachment 67779 [details]
Repro

<script>createBlobURL()</script>

Results from latest Chromium:
id:             WebKit::WebCString::WebCString ReadAV@NULL (633fb021372abb6fa84401694bab542d)
description:    Attempt to read from NULL pointer (+0x50) in WebKit::WebCString::WebCString
stack:          WebKit::WebCString::WebCString
                WebKit::WebURL::WebURL
                WebCore::BlobRegistryProxy::registerBlobURL
                WebCore::ThreadableBlobRegistry::registerBlobURL
                WebCore::ScriptExecutionContext::createPublicBlobURL
                WebCore::DOMWindow::createBlobURL
                WebCore::DOMWindowInternal::createBlobURLCallback
                v8::internal::HandleApiCallHelper<...>
                v8::internal::Builtin_HandleApiCall
                v8::internal::Invoke
                v8::internal::Execution::Call
                v8::Function::Call
                WebCore::V8Proxy::callFunction
                WebCore::ScheduledAction::execute
                WebCore::ScheduledAction::execute
                WebCore::DOMTimer::fired
                WebCore::ThreadTimers::sharedTimerFiredInternal
                MessageLoop::RunTask
                MessageLoop::DeferOrRunPendingTask
                MessageLoop::DoDelayedWork
                base::MessagePumpDefault::Run
                MessageLoop::RunInternal
                MessageLoop::Run
                RendererMain
                ChromeMain
                MainDllLoader::Launch
                wWinMain
                __tmainCRTStartup
                BaseProcessStart
Comment 1 Jian Li 2010-09-17 11:01:13 PDT
Created attachment 67922 [details]
Proposed Patch
Comment 2 Dmitry Titov 2010-09-17 11:19:07 PDT
Comment on attachment 67922 [details]
Proposed Patch

View in context: https://bugs.webkit.org/attachment.cgi?id=67922&action=prettypatch

> WebCore/dom/ScriptExecutionContext.cpp:266
> +        return KURL();
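Review bot: returning an empty KURL() here stops the null-pointer read in BlobRegistryProxy::registerBlobURL shown in the reporter's stack, but on its own it does not settle what script observes: a null KURL reaches the JS binding as a null string, which the binding will expose as "" unless the IDL marks the return value for null-to-undefined conversion. The layout test accompanying the patch should assert that `createBlobURL()` with no argument yields undefined, not an empty string, so the binding behaviour is covered as well as the crash.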

Would be nice to make sure that JS object returned is undefined, not a valid empty string.
Comment 3 Jian Li 2010-09-17 11:39:40 PDT
Created attachment 67926 [details]
Proposed Patch

Add attribute to convert null string to undefined. Also update the test to verify it.
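The null-versus-empty distinction Dmitry raises in Comment 2, together with the two-part fix described in Comment 3 (return a null URL for a missing blob, then let the binding turn a null string into undefined), as an added C++ sketch. This is not WebKit code: NullableString, Blob, registerBlobURL and toJS are simplified stand-ins written for this illustration, and the unguarded variant is kept only to show the defect shape next to the guarded one.

```cpp
// Added illustration, not WebKit code. Models the no-argument createBlobURL()
// path from the bug with simplified stand-ins for WebCore types.
#include <cstdio>
#include <optional>
#include <string>

// Like WTF::String, distinguishes a null string from an empty one.
struct NullableString {
    bool isNull = true;
    std::string value;
    static NullableString null() { return NullableString{}; }
    static NullableString of(std::string s) { return NullableString{false, std::move(s)}; }
};

struct Blob {
    std::string internalUrl; // constructed sample, e.g. "internal-1"
};

// Stand-in for the registry call that dereferenced the null blob in the
// reporter's stack (BlobRegistryProxy::registerBlobURL). Body is irrelevant here.
static void registerBlobURL(const std::string& publicUrl, const Blob& blob) {
    (void)publicUrl;
    (void)blob;
}

// Defect shape: dereferences blob unconditionally. Never call with nullptr.
[[maybe_unused]] static NullableString createPublicBlobURL_unguarded(const Blob* blob) {
    std::string url = "blob:public-" + blob->internalUrl; // null read if blob == nullptr
    registerBlobURL(url, *blob);
    return NullableString::of(url);
}

// Guarded shape of the patch's `return KURL();`: a null blob yields a null
// string and the registry is never touched.
static NullableString createPublicBlobURL(const Blob* blob) {
    if (!blob)
        return NullableString::null();
    std::string url = "blob:public-" + blob->internalUrl;
    registerBlobURL(url, *blob);
    return NullableString::of(url);
}

// Minimal model of a JS value as a binding sees it: nullopt means undefined.
using JSValue = std::optional<std::string>;

// Binding conversion. Without the "convert null string to undefined" attribute
// a null string surfaces to script as "" (the reviewer's concern); with it, as
// undefined.
static JSValue toJS(const NullableString& s, bool convertNullStringToUndefined) {
    if (s.isNull && convertNullStringToUndefined)
        return std::nullopt;
    return s.isNull ? std::string() : s.value;
}

// What a regression test for the bug would check.
static bool returnsUndefinedForNullArgument() {
    return !toJS(createPublicBlobURL(nullptr), /*convertNullStringToUndefined=*/true).has_value();
}

// The behaviour Comment 2 warns about when the attribute is missing.
static bool returnsEmptyStringWithoutAttribute() {
    JSValue v = toJS(createPublicBlobURL(nullptr), false);
    return v.has_value() && v->empty();
}

// A real blob still gets a usable public URL.
static std::string urlForSampleBlob() {
    Blob b{"internal-1"}; // constructed sample
    return *toJS(createPublicBlobURL(&b), true);
}

int main() {
    std::printf("null arg -> undefined: %s\n", returnsUndefinedForNullArgument() ? "yes" : "no");
    std::printf("without attribute -> \"\": %s\n", returnsEmptyStringWithoutAttribute() ? "yes" : "no");
    std::printf("sample blob -> %s\n", urlForSampleBlob().c_str());
    return 0;
}
```

The two binding modes are what the second patch's IDL attribute selects between; the guard in createPublicBlobURL alone only removes the crash.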
Comment 4 Dmitry Titov 2010-09-17 11:45:53 PDT
Comment on attachment 67926 [details]
Proposed Patch

r+ with 2 nits

View in context: https://bugs.webkit.org/attachment.cgi?id=67926&action=prettypatch

> LayoutTests/fast/files/create-blob-url-crash.html:3
> +<body>

I think by moving the 'script' tag before the body and just setting <body onload="test()"> it's possible to get rid of the need to use notifyDone().

> LayoutTests/fast/files/create-blob-url-crash.html:23
> +if (window.eventSender) {

You don't use eventSender, so the check could be just "if (window.layoutTestController) ..."
Comment 5 Jian Li 2010-09-17 12:01:51 PDT
Committed as http://trac.webkit.org/changeset/67734.