Changeset 41484 in webkit

Timestamp:

Mar 6, 2009, 9:22:07 AM (16 years ago)

Author:

Darin Adler

Message:

WebCore:

2009-03-06 Darin Adler <Darin Adler>

Reviewed by Darin Fisher.

Bug 24422: REGRESSION: null-URL crash in FrameLoader setting location.hash on new window
​https://bugs.webkit.org/show_bug.cgi?id=24422
rdar://problem/6402208

Test: fast/dom/location-new-window-no-crash.html

The issue here is empty (or null) URLs. I picked the "schedule navigation" bottleneck
to add some checks for empty URLs. We could also put the empty URL checks at some
other bottleneck level and add more assertions over time. I tried adding a few more
assertions to functions like loadURL and hit them while running the regression tests,
so it's probably going to be a bit tricky to clean this up throughout the loader.

• loader/FrameLoader.cpp: (WebCore::ScheduledRedirection::ScheduledRedirection): Explicitly marked this struct immutable by making all its members const. Added assertions about the arguments, including that the URL is not empty. Initialized one uninitialized member in one of the constructors. (WebCore::FrameLoader::scheduleHTTPRedirection): Added an early exit to make this a no-op if passed an empty URL. (WebCore::FrameLoader::scheduleLocationChange): Ditto. (WebCore::FrameLoader::scheduleRefresh): Ditto.

LayoutTests:

2009-03-06 Darin Adler <Darin Adler>

Reviewed by Darin Fisher.

Bug 24422: REGRESSION: null-URL crash in FrameLoader setting location.hash on new window
​https://bugs.webkit.org/show_bug.cgi?id=24422
rdar://problem/6402208

The new test manipulates all the properties of the location object on a new window which
has no location yet. I tested Firefox too and added comments about how its behavior differs
from WebKit. At some point we may want to tweak our behavior to be a bit closer to theirs,
or check IE's behavior or if HTML 5 or some other W3 specification has something to say
about this, but for now the main purpose of the test is to verify we don't crash.

• fast/dom/location-new-window-no-crash-expected.txt: Added.
• fast/dom/location-new-window-no-crash.html: Added.
• fast/dom/resources/location-new-window-no-crash.js: Added.

Location:

trunk

Files:

• LayoutTests/ChangeLog (modified) (1 diff)
• LayoutTests/fast/dom/location-new-window-no-crash-expected.txt (added)
• LayoutTests/fast/dom/location-new-window-no-crash.html (added)
• LayoutTests/fast/dom/resources/location-new-window-no-crash.js (added)
• WebCore/ChangeLog (modified) (1 diff)
• WebCore/loader/FrameLoader.cpp (modified) (10 diffs)

trunk/LayoutTests/ChangeLog

@@ +1 @@
+2009-03-06  Darin Adler  <darin@apple.com>
+
+        Reviewed by Darin Fisher.
+
+        Bug 24422: REGRESSION: null-URL crash in FrameLoader setting location.hash on new window
+        https://bugs.webkit.org/show_bug.cgi?id=24422
+        rdar://problem/6402208
+
+        The new test manipulates all the properties of the location object on a new window which
+        has no location yet. I tested Firefox too and added comments about how its behavior differs
+        from WebKit. At some point we may want to tweak our behavior to be a bit closer to theirs,
+        or check IE's behavior or if HTML 5 or some other W3 specification has something to say
+        about this, but for now the main purpose of the test is to verify we don't crash.
+
+        * fast/dom/location-new-window-no-crash-expected.txt: Added.
+        * fast/dom/location-new-window-no-crash.html: Added.
+        * fast/dom/resources/location-new-window-no-crash.js: Added.
+
 2009-03-06  Darin Adler  <darin@apple.com>
 

trunk/WebCore/ChangeLog

@@ +1 @@
+2009-03-06  Darin Adler  <darin@apple.com>
+
+        Reviewed by Darin Fisher.
+
+        Bug 24422: REGRESSION: null-URL crash in FrameLoader setting location.hash on new window
+        https://bugs.webkit.org/show_bug.cgi?id=24422
+        rdar://problem/6402208
+
+        Test: fast/dom/location-new-window-no-crash.html
+
+        The issue here is empty (or null) URLs. I picked the "schedule navigation" bottleneck
+        to add some checks for empty URLs. We could also put the empty URL checks at some
+        other bottleneck level and add more assertions over time. I tried adding a few more
+        assertions to functions like loadURL and hit them while running the regression tests,
+        so it's probably going to be a bit tricky to clean this up throughout the loader.
+
+        * loader/FrameLoader.cpp:
+        (WebCore::ScheduledRedirection::ScheduledRedirection): Explicitly marked this struct
+        immutable by making all its members const. Added assertions about the arguments,
+        including that the URL is not empty. Initialized one uninitialized member in one of
+        the constructors.
+        (WebCore::FrameLoader::scheduleHTTPRedirection): Added an early exit to make this
+        a no-op if passed an empty URL.
+        (WebCore::FrameLoader::scheduleLocationChange): Ditto.
+        (WebCore::FrameLoader::scheduleRefresh): Ditto.
+
 2009-03-06  Gustavo Noronha Silva  <gns@gnome.org>
 

trunk/WebCore/loader/FrameLoader.cpp

@@ -145 +145 @@
 struct ScheduledRedirection {
     enum Type { redirection, locationChange, historyNavigation, locationChangeDuringLoad };
-    Type type;
-    double delay;
-    String url;
-    String referrer;
-    int historySteps;
-    bool lockHistory;
-    bool lockBackForwardList;
-    bool wasUserGesture;
-    bool wasRefresh;
+
+    const Type type;
+    const double delay;
+    const String url;
+    const String referrer;
+    const int historySteps;
+    const bool lockHistory;
+    const bool lockBackForwardList;
+    const bool wasUserGesture;
+    const bool wasRefresh;
 
     ScheduledRedirection(double delay, const String& url, bool lockHistory, bool lockBackForwardList, bool wasUserGesture, bool refresh)
@@ -165 +166 @@
         , wasRefresh(refresh)
     {
+        ASSERT(!url.isEmpty());
     }
 
@@ -178 +180 @@
         , wasRefresh(refresh)
     {
+        ASSERT(locationChangeType == locationChange || locationChangeType == locationChangeDuringLoad);
+        ASSERT(!url.isEmpty());
     }
 
@@ -185 +189 @@
         , historySteps(historyNavigationSteps)
         , lockHistory(false)
+        , lockBackForwardList(false)
         , wasUserGesture(false)
         , wasRefresh(false)
@@ -373 +378 @@
 }
 
-
 void FrameLoader::changeLocation(const KURL& url, const String& referrer, bool lockHistory, bool lockBackForwardList, bool userGesture, bool refresh)
 {
@@ -1314 +1318 @@
         return;
 
+    if (url.isEmpty())
+        return;
+
     // We want a new history item if the refresh timeout is > 1 second.
     if (!m_scheduledRedirection || delay <= m_scheduledRedirection->delay)
@@ -1322 +1329 @@
 {
     if (!m_frame->page())
+        return;
+
+    if (url.isEmpty())
         return;
 
@@ -1353 +1363 @@
 {
     if (!m_frame->page())
+        return;
+
+    if (m_URL.isEmpty())
         return;
 
@@ -1466 +1479 @@
 {
     ASSERT(childFrame);
+
     HistoryItem* parentItem = currentHistoryItem();
     FrameLoadType loadType = this->loadType();
@@ -1472 +1486 @@
     KURL workingURL = url;
     
-    // If we're moving in the backforward list, we might want to replace the content
+    // If we're moving in the back/forward list, we might want to replace the content
     // of this child frame with whatever was there at that point.
     if (parentItem && parentItem->children().size() && isBackForwardLoadType(loadType)) {