Bug 98624 - Null-check for DOMWindow before feeding it to FeatureObserver.
Summary: Null-check for DOMWindow before feeding it to FeatureObserver.
Status: RESOLVED FIXED
Alias: None
Product: WebKit
Classification: Unclassified
Component: New Bugs (show other bugs)
Version: 528+ (Nightly build)
Hardware: Unspecified Unspecified
: P2 Normal
Assignee: Mike West
URL:
Keywords:
Depends on:
Blocks:
 
Reported: 2012-10-07 13:02 PDT by Mike West
Modified: 2012-10-08 11:15 PDT (History)
3 users (show)

See Also:

Attachments
Patch (1.73 KB, patch)
2012-10-07 13:04 PDT, Mike West 		no flags Details | Formatted Diff | Diff
Patch (2.46 KB, patch)
2012-10-07 13:12 PDT, Mike West 		no flags Details | Formatted Diff | Diff
Patch (5.63 KB, patch)
2012-10-07 14:24 PDT, Mike West 		no flags Details | Formatted Diff | Diff
Assert. (5.49 KB, patch)
2012-10-07 21:00 PDT, Mike West 		no flags Details | Formatted Diff | Diff
Show Obsolete (3) View All Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.
Description Mike West 2012-10-07 13:02:38 PDT 
Null-check for DOMWindow before feeding it to FeatureObserver.
Comment 1 Mike West 2012-10-07 13:04:31 PDT 
Created attachment 167485 [details]
Patch
Comment 2 Geoffrey Garen 2012-10-07 13:10:28 PDT 
Comment on attachment 167485 [details]
Patch

Is it possible to write a regression test for this?

How did you discover this issue?
Comment 3 Mike West 2012-10-07 13:12:26 PDT 
Created attachment 167486 [details]
Patch
Comment 4 Mike West 2012-10-07 13:13:18 PDT 
Hey Adam! This patch follows up on http://crbug.com/154484. WDYT?
Comment 5 Mike West 2012-10-07 13:17:26 PDT 
(In reply to comment #2)
> (From update of attachment 167485 [details])
> Is it possible to write a regression test for this?

I'll see what I can do. The bug would only occur when a document without a frame instantiates a Content Security Policy. Adam suggested that this might happen in documents created via XMLHttpRequest, so I'll start there...

> How did you discover this issue?

Crash report in http://crbug.com/154484
Comment 6 Mike West 2012-10-07 14:24:25 PDT 
Created attachment 167489 [details]
Patch
Comment 7 Mike West 2012-10-07 14:25:49 PDT 
(In reply to comment #2)
> (From update of attachment 167485 [details])
> Is it possible to write a regression test for this?

The latest patch has a test that crashes reliably without the patch. Thanks for the nudge.
Comment 8 Adam Barth 2012-10-07 14:44:16 PDT 
Comment on attachment 167489 [details]
Patch

View in context: https://bugs.webkit.org/attachment.cgi?id=167489&action=review

> Source/WebCore/page/FeatureObserver.cpp:58
> +    if (!domWindow)
> +        return;

Presumably we don't need this null check in both places.  It's better to have it in ContentSecurityPolicy.cpp since most callers will already know that the DOMWindow is non-0.
Comment 9 Mike West 2012-10-07 19:56:37 PDT 
(In reply to comment #8)
> (From update of attachment 167489 [details])
> View in context: https://bugs.webkit.org/attachment.cgi?id=167489&action=review
> 
> > Source/WebCore/page/FeatureObserver.cpp:58
> > +    if (!domWindow)
> > +        return;
> 
> Presumably we don't need this null check in both places.  It's better to have it in ContentSecurityPolicy.cpp since most callers will already know that the DOMWindow is non-0.

I agree that the check is redundant, but wouldn't it be better to have it in FeatureObserver? It wasn't obvious to me that I was creating a crasher at the time I wrote the code; I'd rather gracefully handle such oversight.

If you'd prefer that it remain in the caller, how would you feel about an ASSERT in FeatureObserver? If we're going to crash, we might as well mean it. :)
Comment 10 Adam Barth 2012-10-07 20:48:43 PDT 
Sure.  An assert is fine.
Comment 11 Mike West 2012-10-07 21:00:17 PDT 
Created attachment 167499 [details]
Assert.
Comment 12 Adam Barth 2012-10-08 11:08:22 PDT 
Comment on attachment 167499 [details]
Assert.

Thanks.
Comment 13 WebKit Review Bot 2012-10-08 11:14:56 PDT 
Comment on attachment 167499 [details]
Assert.

Clearing flags on attachment: 167499

Committed r130657: <http://trac.webkit.org/changeset/130657>
Comment 14 WebKit Review Bot 2012-10-08 11:15:00 PDT 
All reviewed patches have been landed.  Closing bug.