Bug 57140 - Crash from null pointer dereference below WebCore::StorageAreaImpl::setItem()
Summary: Crash from null pointer dereference below WebCore::StorageAreaImpl::setItem()
Status: RESOLVED FIXED
Alias: None
Product: WebKit
Classification: Unclassified
Component: WebCore JavaScript (show other bugs)
Version: 528+ (Nightly build)
Hardware: All All
: P2 Normal
Assignee: Julien Chaffraix
URL:
Keywords: HasReduction, InRadar
Depends on:
Blocks: 42959
  Show dependency treegraph
 
Reported: 2011-03-25 22:24 PDT by David Kilzer (:ddkilzer)
Modified: 2011-05-24 07:16 PDT (History)
9 users (show)

See Also:

Attachments
Reduced test case (WILL CRASH!) (802 bytes, text/html)
2011-03-25 22:24 PDT, David Kilzer (:ddkilzer) 		no flags Details
Proposed fix: NULL-check for page like the rest of the code (3.84 KB, patch)
2011-05-23 13:09 PDT, Julien Chaffraix 		darin: review+
webkit.review.bot: commit-queue-
Details | Formatted Diff | Diff
Archive of layout-test-results from ec2-cr-linux-01 (1.47 MB, application/zip)
2011-05-23 14:00 PDT, WebKit Review Bot 		no flags Details
View All Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.
Description David Kilzer (:ddkilzer) 2011-03-25 22:24:01 PDT 
Created attachment 87009 [details]
Reduced test case (WILL CRASH!)

Null pointer dereference below WebCore::StorageAreaImpl::setItem() causes a crash with the attached test case.

Crashes WebKit nightly build r82003 with Safari 5.0.4 on SnowLeopard 10.6.7:

Thread 0 Crashed:  Dispatch queue: com.apple.main-thread
0   com.apple.WebCore             	0x00000001017f59d8 WebCore::privateBrowsingEnabled(WebCore::Frame*) + 8
1   com.apple.WebCore             	0x00000001017f6462 WebCore::StorageAreaImpl::setItem(WTF::String const&, WTF::String const&, int&, WebCore::Frame*) + 66
2   com.apple.WebCore             	0x00000001017f57d2 WebCore::Storage::setItem(WTF::String const&, WTF::String const&, int&) + 50
3   com.apple.WebCore             	0x00000001013db6bf WebCore::JSStorage::putDelegate(JSC::ExecState*, JSC::Identifier const&, JSC::JSValue, JSC::PutPropertySlot&) + 1695
4   com.apple.WebCore             	0x00000001013d8970 WebCore::JSStorage::put(JSC::ExecState*, JSC::Identifier const&, JSC::JSValue, JSC::PutPropertySlot&) + 48
5   com.apple.JavaScriptCore      	0x000000010081f87c cti_op_put_by_id + 108
6   ???                           	0x0000424d1061faf7 0 + 72898754771703
7   com.apple.JavaScriptCore      	0x00000001007d942f JSC::Interpreter::executeCall(JSC::ExecState*, JSC::JSObject*, JSC::CallType, JSC::CallData const&, JSC::JSValue, JSC::ArgList const&) + 847
8   com.apple.JavaScriptCore      	0x000000010079aa3d JSC::call(JSC::ExecState*, JSC::JSValue, JSC::CallType, JSC::CallData const&, JSC::JSValue, JSC::ArgList const&) + 45
9   com.apple.WebCore             	0x000000010129da41 WebCore::JSEventListener::handleEvent(WebCore::ScriptExecutionContext*, WebCore::Event*) + 2145
10  com.apple.WebCore             	0x0000000100f6cf80 WebCore::EventTarget::fireEventListeners(WebCore::Event*, WebCore::EventTargetData*, WTF::Vector<WebCore::RegisteredEventListener, 1ul>&) + 240
11  com.apple.WebCore             	0x0000000100f6d842 WebCore::EventTarget::fireEventListeners(WebCore::Event*) + 146
12  com.apple.WebCore             	0x0000000100f1d086 WebCore::DOMWindow::dispatchEvent(WTF::PassRefPtr<WebCore::Event>, WTF::PassRefPtr<WebCore::EventTarget>) + 278
13  com.apple.WebCore             	0x0000000100f1d19a WebCore::DOMWindow::dispatchTimedEvent(WTF::PassRefPtr<WebCore::Event>, WebCore::Document*, double*, double*) + 106
14  com.apple.WebCore             	0x0000000100f1f2bb WebCore::DOMWindow::dispatchLoadEvent() + 955
15  com.apple.WebCore             	0x0000000100e4efa4 WebCore::Document::implicitClose() + 260
16  com.apple.WebCore             	0x0000000100fb3972 WebCore::FrameLoader::checkCompleted() + 194
17  com.apple.WebCore             	0x0000000100fb40b3 WebCore::FrameLoader::finishedParsing() + 131
18  com.apple.WebCore             	0x0000000100e5b0cf WebCore::Document::finishedParsing() + 239
19  com.apple.WebCore             	0x00000001010655c7 WebCore::HTMLDocumentParser::prepareToStopParsing() + 87
20  com.apple.WebCore             	0x00000001010634dc WebCore::HTMLDocumentParser::finish() + 44
21  com.apple.WebCore             	0x0000000100e74618 WebCore::DocumentWriter::endIfNotLoadingMainResource() + 88
22  com.apple.WebCore             	0x0000000100fb377a WebCore::FrameLoader::finishedLoading() + 90
23  com.apple.WebCore             	0x000000010159ba93 WebCore::MainResourceLoader::didFinishLoading(double) + 147
24  com.apple.Foundation          	0x00007fff8365f608 _NSURLConnectionDidFinishLoading + 113
25  com.apple.CFNetwork           	0x00007fff80e631a0 URLConnectionClient::_clientDidFinishLoading(URLConnectionClient::ClientConnectionEventQueue*) + 174
26  com.apple.CFNetwork           	0x00007fff80ec89ae URLConnectionClient::ClientConnectionEventQueue::processAllEventsAndConsumePayload(XConnectionEventInfo<XClientEvent, XClientEventParams>*, long) + 254
27  com.apple.CFNetwork           	0x00007fff80ec8c1a URLConnectionClient::ClientConnectionEventQueue::processAllEventsAndConsumePayload(XConnectionEventInfo<XClientEvent, XClientEventParams>*, long) + 874
28  com.apple.CFNetwork           	0x00007fff80e4f825 URLConnectionClient::processEvents() + 121
29  com.apple.CFNetwork           	0x00007fff80e4f600 MultiplexerSource::perform() + 160
30  com.apple.CoreFoundation      	0x00007fff888d8401 __CFRunLoopDoSources0 + 1361
31  com.apple.CoreFoundation      	0x00007fff888d65f9 __CFRunLoopRun + 873
32  com.apple.CoreFoundation      	0x00007fff888d5dbf CFRunLoopRunSpecific + 575
33  com.apple.HIToolbox           	0x00007fff86ea37ee RunCurrentEventLoopInMode + 333
34  com.apple.HIToolbox           	0x00007fff86ea35f3 ReceiveNextEventCommon + 310
35  com.apple.HIToolbox           	0x00007fff86ea34ac BlockUntilNextEventMatchingListInMode + 59
36  com.apple.AppKit              	0x00007fff83c00e64 _DPSNextEvent + 718
37  com.apple.AppKit              	0x00007fff83c007a9 -[NSApplication nextEventMatchingMask:untilDate:inMode:dequeue:] + 155
38  com.apple.Safari              	0x000000010001605a 0x100000000 + 90202
39  com.apple.AppKit              	0x00007fff83bc648b -[NSApplication run] + 395
40  com.apple.AppKit              	0x00007fff83bbf1a8 NSApplicationMain + 364
41  com.apple.Safari              	0x0000000100009f7c 0x100000000 + 40828
Comment 1 David Kilzer (:ddkilzer) 2011-03-25 22:24:28 PDT 
<rdar://problem/9191214>
Comment 2 Jeremy Orlow 2011-03-27 01:07:18 PDT 
FWIW, this doesn't crash even the renderer in Chrome.  I'm a little surprised there's a difference though.
Comment 3 Julien Chaffraix 2011-05-23 13:09:09 PDT 
Created attachment 94469 [details]
Proposed fix: NULL-check for page like the rest of the code
Comment 4 Darin Adler 2011-05-23 13:31:11 PDT 
Comment on attachment 94469 [details]
Proposed fix: NULL-check for page like the rest of the code

View in context: https://bugs.webkit.org/attachment.cgi?id=94469&action=review

> Source/WebCore/storage/StorageAreaImpl.cpp:106
> -    return frame->page()->settings()->privateBrowsingEnabled();
> +    return frame->page() ? frame->page()->settings()->privateBrowsingEnabled() : false;

I like writing these with && instead of ? : like this:

    return frame->page() && frame->page()->settings()->privateBrowsingEnabled();
Comment 5 WebKit Review Bot 2011-05-23 14:00:25 PDT 
Comment on attachment 94469 [details]
Proposed fix: NULL-check for page like the rest of the code

Attachment 94469 [details] did not pass chromium-ews (chromium-xvfb):
Output: http://queues.webkit.org/results/8726482

New failing tests:
fast/storage/storage-detached-iframe.html
Comment 6 WebKit Review Bot 2011-05-23 14:00:30 PDT 
Created attachment 94484 [details]
Archive of layout-test-results from ec2-cr-linux-01

The attached test failures were seen while running run-webkit-tests on the chromium-ews.
Bot: ec2-cr-linux-01  Port: Chromium  Platform: Linux-2.6.35-28-virtual-x86_64-with-Ubuntu-10.10-maverick
Comment 7 Julien Chaffraix 2011-05-23 17:30:56 PDT 
The failure is a crash on Chromium-Linux. However the stack-trace is not helpful so I will proceed to land the patch updating test_expectations.txt as I think it is unrelated. Filed bug 61326 to cover the crash.
Comment 8 Julien Chaffraix 2011-05-23 18:17:43 PDT 
Committed r87114: <http://trac.webkit.org/changeset/87114>
Comment 9 Ademar Reis 2011-05-24 07:16:40 PDT 
Revision r87114 cherry-picked into qtwebkit-2.2 with commit 6d4125a <http://gitorious.org/webkit/qtwebkit/commit/6d4125a>