<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.1//EN"
"http://www.w3.org/TR/xhtml11/DTD/xhtml11.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head><meta http-equiv="content-type" content="text/html; charset=utf-8" />
<title>[182829] trunk</title>
</head>
<body>

<style type="text/css"><!--
#msg dl.meta { border: 1px #006 solid; background: #369; padding: 6px; color: #fff; }
#msg dl.meta dt { float: left; width: 6em; font-weight: bold; }
#msg dt:after { content:':';}
#msg dl, #msg dt, #msg ul, #msg li, #header, #footer, #logmsg { font-family: verdana,arial,helvetica,sans-serif; font-size: 10pt;  }
#msg dl a { font-weight: bold}
#msg dl a:link    { color:#fc3; }
#msg dl a:active  { color:#ff0; }
#msg dl a:visited { color:#cc6; }
h3 { font-family: verdana,arial,helvetica,sans-serif; font-size: 10pt; font-weight: bold; }
#msg pre { overflow: auto; background: #ffc; border: 1px #fa0 solid; padding: 6px; }
#logmsg { background: #ffc; border: 1px #fa0 solid; padding: 1em 1em 0 1em; }
#logmsg p, #logmsg pre, #logmsg blockquote { margin: 0 0 1em 0; }
#logmsg p, #logmsg li, #logmsg dt, #logmsg dd { line-height: 14pt; }
#logmsg h1, #logmsg h2, #logmsg h3, #logmsg h4, #logmsg h5, #logmsg h6 { margin: .5em 0; }
#logmsg h1:first-child, #logmsg h2:first-child, #logmsg h3:first-child, #logmsg h4:first-child, #logmsg h5:first-child, #logmsg h6:first-child { margin-top: 0; }
#logmsg ul, #logmsg ol { padding: 0; list-style-position: inside; margin: 0 0 0 1em; }
#logmsg ul { text-indent: -1em; padding-left: 1em; }#logmsg ol { text-indent: -1.5em; padding-left: 1.5em; }
#logmsg > ul, #logmsg > ol { margin: 0 0 1em 0; }
#logmsg pre { background: #eee; padding: 1em; }
#logmsg blockquote { border: 1px solid #fa0; border-left-width: 10px; padding: 1em 1em 0 1em; background: white;}
#logmsg dl { margin: 0; }
#logmsg dt { font-weight: bold; }
#logmsg dd { margin: 0; padding: 0 0 0.5em 0; }
#logmsg dd:before { content:'\00bb';}
#logmsg table { border-spacing: 0px; border-collapse: collapse; border-top: 4px solid #fa0; border-bottom: 1px solid #fa0; background: #fff; }
#logmsg table th { text-align: left; font-weight: normal; padding: 0.2em 0.5em; border-top: 1px dotted #fa0; }
#logmsg table td { text-align: right; border-top: 1px dotted #fa0; padding: 0.2em 0.5em; }
#logmsg table thead th { text-align: center; border-bottom: 1px solid #fa0; }
#logmsg table th.Corner { text-align: left; }
#logmsg hr { border: none 0; border-top: 2px dashed #fa0; height: 1px; }
#header, #footer { color: #fff; background: #636; border: 1px #300 solid; padding: 6px; }
#patch { width: 100%; }
#patch h4 {font-family: verdana,arial,helvetica,sans-serif;font-size:10pt;padding:8px;background:#369;color:#fff;margin:0;}
#patch .propset h4, #patch .binary h4 {margin:0;}
#patch pre {padding:0;line-height:1.2em;margin:0;}
#patch .diff {width:100%;background:#eee;padding: 0 0 10px 0;overflow:auto;}
#patch .propset .diff, #patch .binary .diff  {padding:10px 0;}
#patch span {display:block;padding:0 10px;}
#patch .modfile, #patch .addfile, #patch .delfile, #patch .propset, #patch .binary, #patch .copfile {border:1px solid #ccc;margin:10px 0;}
#patch ins {background:#dfd;text-decoration:none;display:block;padding:0 10px;}
#patch del {background:#fdd;text-decoration:none;display:block;padding:0 10px;}
#patch .lines, .info {color:#888;background:#fff;}
--></style>
<div id="msg">
<dl class="meta">
<dt>Revision</dt> <dd><a href="http://trac.webkit.org/projects/webkit/changeset/182829">182829</a></dd>
<dt>Author</dt> <dd>cdumez@apple.com</dd>
<dt>Date</dt> <dd>2015-04-14 18:39:05 -0700 (Tue, 14 Apr 2015)</dd>
</dl>

<h3>Log Message</h3>
<pre>Regression(<a href="http://trac.webkit.org/projects/webkit/changeset/180020">r180020</a>): Web Inspector crashes on pages that have a stylesheet with an invalid MIME type
https://bugs.webkit.org/show_bug.cgi?id=143745
&lt;rdar://problem/20243916&gt;

Reviewed by Joseph Pecoraro.

Source/JavaScriptCore:

Add assertion in ContentSearchUtilities::findMagicComment() to make
sure the content String is not null or we would crash in
JSC::Yarr::interpret() later.

* inspector/ContentSearchUtilities.cpp:
(Inspector::ContentSearchUtilities::findMagicComment):

Source/WebCore:

After <a href="http://trac.webkit.org/projects/webkit/changeset/180020">r180020</a>, we are stricter and no longer accept CSS resources that
are not served with a CSS MIME type. Showing Web inspector on a page
with such a bad resource would crash because
InspectorPageAgent::cachedResourceContent() would return true but
the result String would be null. This null String would then later
be passed to the Yarr interpreter and crash on a String::is8Bit()
call.

cachedResourceContent() calls CachedCSSStyleSheet::sheetText(). Before
<a href="http://trac.webkit.org/projects/webkit/changeset/180020">r180020</a>, it would return the text, even if the MIME type was incorrect.
However, this is no longer the case and we now need to make sure that
cachedResourceContent() returns false if sheetText() returns a null
String.

Test: http/tests/inspector/css/bad-mime-type.html

* inspector/InspectorPageAgent.cpp:
(WebCore::InspectorPageAgent::cachedResourceContent):

LayoutTests:

Add layout test that shows the Web inspector on a page that has
a stylesheet with an invalid MIME type, to make sure we don't
crash.

* http/tests/inspector/css/bad-mime-type-expected.txt: Added.
* http/tests/inspector/css/bad-mime-type.html: Added.
* http/tests/misc/css-accept-any-type.html:
* http/tests/misc/css-reject-any-type-in-strict-mode.html:
* http/tests/misc/resources/stylesheet-bad-mime-type.php: Renamed from LayoutTests/http/tests/misc/resources/stylesheet.php.</pre>

<h3>Modified Paths</h3>
<ul>
<li><a href="#trunkLayoutTestsChangeLog">trunk/LayoutTests/ChangeLog</a></li>
<li><a href="#trunkLayoutTestshttptestsmisccssacceptanytypehtml">trunk/LayoutTests/http/tests/misc/css-accept-any-type.html</a></li>
<li><a href="#trunkLayoutTestshttptestsmisccssrejectanytypeinstrictmodehtml">trunk/LayoutTests/http/tests/misc/css-reject-any-type-in-strict-mode.html</a></li>
<li><a href="#trunkSourceJavaScriptCoreChangeLog">trunk/Source/JavaScriptCore/ChangeLog</a></li>
<li><a href="#trunkSourceJavaScriptCoreinspectorContentSearchUtilitiescpp">trunk/Source/JavaScriptCore/inspector/ContentSearchUtilities.cpp</a></li>
<li><a href="#trunkSourceWebCoreChangeLog">trunk/Source/WebCore/ChangeLog</a></li>
<li><a href="#trunkSourceWebCoreinspectorInspectorPageAgentcpp">trunk/Source/WebCore/inspector/InspectorPageAgent.cpp</a></li>
</ul>

<h3>Added Paths</h3>
<ul>
<li>trunk/LayoutTests/http/tests/inspector/css/</li>
<li><a href="#trunkLayoutTestshttptestsinspectorcssbadmimetypeexpectedtxt">trunk/LayoutTests/http/tests/inspector/css/bad-mime-type-expected.txt</a></li>
<li><a href="#trunkLayoutTestshttptestsinspectorcssbadmimetypehtml">trunk/LayoutTests/http/tests/inspector/css/bad-mime-type.html</a></li>
<li><a href="#trunkLayoutTestshttptestsmiscresourcesstylesheetbadmimetypephp">trunk/LayoutTests/http/tests/misc/resources/stylesheet-bad-mime-type.php</a></li>
</ul>

<h3>Removed Paths</h3>
<ul>
<li><a href="#trunkLayoutTestshttptestsmiscresourcesstylesheetphp">trunk/LayoutTests/http/tests/misc/resources/stylesheet.php</a></li>
</ul>

</div>
<div id="patch">
<h3>Diff</h3>
<a id="trunkLayoutTestsChangeLog"></a>
<div class="modfile"><h4>Modified: trunk/LayoutTests/ChangeLog (182828 => 182829)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/LayoutTests/ChangeLog        2015-04-15 01:34:25 UTC (rev 182828)
+++ trunk/LayoutTests/ChangeLog        2015-04-15 01:39:05 UTC (rev 182829)
</span><span class="lines">@@ -1,3 +1,21 @@
</span><ins>+2015-04-14  Chris Dumez  &lt;cdumez@apple.com&gt;
+
+        Regression(r180020): Web Inspector crashes on pages that have a stylesheet with an invalid MIME type
+        https://bugs.webkit.org/show_bug.cgi?id=143745
+        &lt;rdar://problem/20243916&gt;
+
+        Reviewed by Joseph Pecoraro.
+
+        Add layout test that shows the Web inspector on a page that has
+        a stylesheet with an invalid MIME type, to make sure we don't
+        crash.
+
+        * http/tests/inspector/css/bad-mime-type-expected.txt: Added.
+        * http/tests/inspector/css/bad-mime-type.html: Added.
+        * http/tests/misc/css-accept-any-type.html:
+        * http/tests/misc/css-reject-any-type-in-strict-mode.html:
+        * http/tests/misc/resources/stylesheet-bad-mime-type.php: Renamed from LayoutTests/http/tests/misc/resources/stylesheet.php.
+
</ins><span class="cx"> 2015-04-14  Brady Eidson  &lt;beidson@apple.com&gt;
</span><span class="cx"> 
</span><span class="cx">         Make sure media element loads hit content filter extensions.
</span></span></pre></div>
<a id="trunkLayoutTestshttptestsinspectorcssbadmimetypeexpectedtxt"></a>
<div class="addfile"><h4>Added: trunk/LayoutTests/http/tests/inspector/css/bad-mime-type-expected.txt (0 => 182829)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/LayoutTests/http/tests/inspector/css/bad-mime-type-expected.txt                                (rev 0)
+++ trunk/LayoutTests/http/tests/inspector/css/bad-mime-type-expected.txt        2015-04-15 01:39:05 UTC (rev 182829)
</span><span class="lines">@@ -0,0 +1,3 @@
</span><ins>+Tests that showing Web Inspector on a page that has a stylesheet with an invalid MIME type does not crash.
+
+This test passes if it does not crash.
</ins></span></pre></div>
<a id="trunkLayoutTestshttptestsinspectorcssbadmimetypehtml"></a>
<div class="addfile"><h4>Added: trunk/LayoutTests/http/tests/inspector/css/bad-mime-type.html (0 => 182829)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/LayoutTests/http/tests/inspector/css/bad-mime-type.html                                (rev 0)
+++ trunk/LayoutTests/http/tests/inspector/css/bad-mime-type.html        2015-04-15 01:39:05 UTC (rev 182829)
</span><span class="lines">@@ -0,0 +1,20 @@
</span><ins>+&lt;!DOCTYPE html&gt;
+&lt;html&gt;
+&lt;head&gt;
+&lt;script type=&quot;text/javascript&quot; src=&quot;../inspector-test.js&quot;&gt;&lt;/script&gt;
+
+&lt;!-- This stylesheet is served with an invalid MIME type --&gt;
+&lt;link rel=&quot;stylesheet&quot; href=&quot;/misc/resources/stylesheet-bad-mime-type.php&quot;&gt;
+
+&lt;script&gt;
+function test()
+{
+    InspectorTest.completeTest();
+}
+&lt;/script&gt;
+&lt;/head&gt;
+&lt;body onload=&quot;runTest()&quot;&gt;
+&lt;p&gt;Tests that showing Web Inspector on a page that has a stylesheet with an invalid MIME type does not crash.&lt;/p&gt;
+&lt;p&gt;This test passes if it does not crash.&lt;/p&gt;
+&lt;/body&gt;
+&lt;/html&gt;
</ins></span></pre></div>
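Review bot: the test can pass vacuously without ever exercising the null-sheetText path. test() in bad-mime-type.html only calls InspectorTest.completeTest(), so nothing checks that the inspector actually requested the stylesheet's content through InspectorPageAgent::cachedResourceContent(); if the frontend does not fetch it, or if /misc/resources/stylesheet-bad-mime-type.php answers 406 because the request's Accept header lacks "*/*", the test still reports a pass. Consider having test() explicitly request the stylesheet's content and assert on the (empty or error) result, so a regression shows up as a failing expectation rather than relying only on the absence of a crash.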
<a id="trunkLayoutTestshttptestsmisccssacceptanytypehtml"></a>
<div class="modfile"><h4>Modified: trunk/LayoutTests/http/tests/misc/css-accept-any-type.html (182828 => 182829)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/LayoutTests/http/tests/misc/css-accept-any-type.html        2015-04-15 01:34:25 UTC (rev 182828)
+++ trunk/LayoutTests/http/tests/misc/css-accept-any-type.html        2015-04-15 01:39:05 UTC (rev 182829)
</span><span class="lines">@@ -1,7 +1,7 @@
</span><span class="cx"> &lt;html&gt;
</span><span class="cx"> &lt;head&gt;
</span><span class="cx">     &lt;title&gt;&lt;/title&gt;
</span><del>-    &lt;link rel=&quot;stylesheet&quot; href=&quot;resources/stylesheet.php&quot;&gt;
</del><ins>+    &lt;link rel=&quot;stylesheet&quot; href=&quot;resources/stylesheet-bad-mime-type.php&quot;&gt;
</ins><span class="cx">     &lt;script&gt;
</span><span class="cx">         function test()
</span><span class="cx">         {
</span></span></pre></div>
<a id="trunkLayoutTestshttptestsmisccssrejectanytypeinstrictmodehtml"></a>
<div class="modfile"><h4>Modified: trunk/LayoutTests/http/tests/misc/css-reject-any-type-in-strict-mode.html (182828 => 182829)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/LayoutTests/http/tests/misc/css-reject-any-type-in-strict-mode.html        2015-04-15 01:34:25 UTC (rev 182828)
+++ trunk/LayoutTests/http/tests/misc/css-reject-any-type-in-strict-mode.html        2015-04-15 01:39:05 UTC (rev 182829)
</span><span class="lines">@@ -2,7 +2,7 @@
</span><span class="cx"> &lt;html&gt;
</span><span class="cx"> &lt;head&gt;
</span><span class="cx">     &lt;title&gt;&lt;/title&gt;
</span><del>-    &lt;link rel=&quot;stylesheet&quot; href=&quot;resources/stylesheet.php&quot;&gt;
</del><ins>+    &lt;link rel=&quot;stylesheet&quot; href=&quot;resources/stylesheet-bad-mime-type.php&quot;&gt;
</ins><span class="cx">     &lt;script&gt;
</span><span class="cx">         function test()
</span><span class="cx">         {
</span></span></pre></div>
<a id="trunkLayoutTestshttptestsmiscresourcesstylesheetbadmimetypephpfromrev182828trunkLayoutTestshttptestsmiscresourcesstylesheetphp"></a>
<div class="copfile"><h4>Copied: trunk/LayoutTests/http/tests/misc/resources/stylesheet-bad-mime-type.php (from rev 182828, trunk/LayoutTests/http/tests/misc/resources/stylesheet.php) (0 => 182829)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/LayoutTests/http/tests/misc/resources/stylesheet-bad-mime-type.php                                (rev 0)
+++ trunk/LayoutTests/http/tests/misc/resources/stylesheet-bad-mime-type.php        2015-04-15 01:39:05 UTC (rev 182829)
</span><span class="lines">@@ -0,0 +1,10 @@
</span><ins>+&lt;?php
+    if (preg_match(&quot;/\*\/\*/&quot;, $_SERVER[&quot;HTTP_ACCEPT&quot;])) {
+?&gt;
+        p#target { position: relative; }
+        /* This stylesheet is served as text/html */
+&lt;?php
+    } else {
+        header(&quot;Not acceptable&quot;, true, 406);
+    }
+?&gt;
</ins></span></pre></div>
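Review bot: header(&quot;Not acceptable&quot;, true, 406) in the else branch is not a well-formed header line; the 406 status only takes effect through the third argument, and the first argument is emitted as a bare string without a field name. Since the file is being renamed anyway, consider making it header(&quot;HTTP/1.1 406 Not Acceptable&quot;, true, 406), and add a short comment stating that the success branch deliberately serves the CSS body with PHP's default text/html Content-Type, which is the behaviour the new filename now encodes.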
<a id="trunkLayoutTestshttptestsmiscresourcesstylesheetphp"></a>
<div class="delfile"><h4>Deleted: trunk/LayoutTests/http/tests/misc/resources/stylesheet.php (182828 => 182829)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/LayoutTests/http/tests/misc/resources/stylesheet.php        2015-04-15 01:34:25 UTC (rev 182828)
+++ trunk/LayoutTests/http/tests/misc/resources/stylesheet.php        2015-04-15 01:39:05 UTC (rev 182829)
</span><span class="lines">@@ -1,10 +0,0 @@
</span><del>-&lt;?php
-    if (preg_match(&quot;/\*\/\*/&quot;, $_SERVER[&quot;HTTP_ACCEPT&quot;])) {
-?&gt;
-        p#target { position: relative; }
-        /* This stylesheet is served as text/html */
-&lt;?php
-    } else {
-        header(&quot;Not acceptable&quot;, true, 406);
-    }
-?&gt;
</del></span></pre></div>
<a id="trunkSourceJavaScriptCoreChangeLog"></a>
<div class="modfile"><h4>Modified: trunk/Source/JavaScriptCore/ChangeLog (182828 => 182829)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/JavaScriptCore/ChangeLog        2015-04-15 01:34:25 UTC (rev 182828)
+++ trunk/Source/JavaScriptCore/ChangeLog        2015-04-15 01:39:05 UTC (rev 182829)
</span><span class="lines">@@ -1,3 +1,18 @@
</span><ins>+2015-04-14  Chris Dumez  &lt;cdumez@apple.com&gt;
+
+        Regression(r180020): Web Inspector crashes on pages that have a stylesheet with an invalid MIME type
+        https://bugs.webkit.org/show_bug.cgi?id=143745
+        &lt;rdar://problem/20243916&gt;
+
+        Reviewed by Joseph Pecoraro.
+
+        Add assertion in ContentSearchUtilities::findMagicComment() to make
+        sure the content String is not null or we would crash in
+        JSC::Yarr::interpret() later.
+
+        * inspector/ContentSearchUtilities.cpp:
+        (Inspector::ContentSearchUtilities::findMagicComment):
+
</ins><span class="cx"> 2015-04-14  Michael Saboff  &lt;msaboff@apple.com&gt;
</span><span class="cx"> 
</span><span class="cx">         DFG register fillSpeculate*() functions should validate incoming spill format is compatible with requested fill format
</span></span></pre></div>
<a id="trunkSourceJavaScriptCoreinspectorContentSearchUtilitiescpp"></a>
<div class="modfile"><h4>Modified: trunk/Source/JavaScriptCore/inspector/ContentSearchUtilities.cpp (182828 => 182829)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/JavaScriptCore/inspector/ContentSearchUtilities.cpp        2015-04-15 01:34:25 UTC (rev 182828)
+++ trunk/Source/JavaScriptCore/inspector/ContentSearchUtilities.cpp        2015-04-15 01:39:05 UTC (rev 182829)
</span><span class="lines">@@ -180,6 +180,7 @@
</span><span class="cx"> 
</span><span class="cx"> static String findMagicComment(const String&amp; content, const String&amp; patternString)
</span><span class="cx"> {
</span><ins>+    ASSERT(!content.isNull());
</ins><span class="cx">     const char* error = nullptr;
</span><span class="cx">     JSC::Yarr::YarrPattern pattern(patternString, false, true, &amp;error);
</span><span class="cx">     ASSERT(!error);
</span></span></pre></div>
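Review bot: ASSERT(!content.isNull()) at the top of findMagicComment() documents the precondition but compiles out in release builds, so a null String passed by any other caller would still reach JSC::Yarr::interpret() and crash on String::is8Bit() exactly as the log message describes. Consider also failing safe in release, e.g. `if (content.isNull()) return String();` after the assertion, so the utility cannot crash regardless of whether every caller adds the InspectorPageAgent-style guard; at minimum, document in a comment that callers must reject null content before calling this function.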
<a id="trunkSourceWebCoreChangeLog"></a>
<div class="modfile"><h4>Modified: trunk/Source/WebCore/ChangeLog (182828 => 182829)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/WebCore/ChangeLog        2015-04-15 01:34:25 UTC (rev 182828)
+++ trunk/Source/WebCore/ChangeLog        2015-04-15 01:39:05 UTC (rev 182829)
</span><span class="lines">@@ -1,3 +1,30 @@
</span><ins>+2015-04-14  Chris Dumez  &lt;cdumez@apple.com&gt;
+
+        Regression(r180020): Web Inspector crashes on pages that have a stylesheet with an invalid MIME type
+        https://bugs.webkit.org/show_bug.cgi?id=143745
+        &lt;rdar://problem/20243916&gt;
+
+        Reviewed by Joseph Pecoraro.
+
+        After r180020, we are stricter and no longer accept CSS resources that
+        are not served with a CSS MIME type. Showing Web inspector on a page
+        with such bad resource would crash because
+        InspectorPageAgent::cachedResourceContent() would return true but
+        the result String would be null. This null String would then later
+        be passed to the Yarr interpreter and crash on a String::is8Bit()
+        call.
+
+        cachedResourceContent() calls CachedCSSStyleSheet::sheetText(). Before
+        r180020, it would return the text, even if the MIME type was incorrect.
+        However, this is no longer the case and we now need to make sure that
+        cachedResourceContent() returns false if sheetText() returns a null
+        String.
+
+        Test: http/tests/inspector/css/bad-mime-type.html
+
+        * inspector/InspectorPageAgent.cpp:
+        (WebCore::InspectorPageAgent::cachedResourceContent):
+
</ins><span class="cx"> 2015-04-14  Said Abou-Hallawa  &lt;sabouhallawa@apple.com&gt;
</span><span class="cx"> 
</span><span class="cx">         textPath layout performance improvement.
</span></span></pre></div>
<a id="trunkSourceWebCoreinspectorInspectorPageAgentcpp"></a>
<div class="modfile"><h4>Modified: trunk/Source/WebCore/inspector/InspectorPageAgent.cpp (182828 => 182829)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/WebCore/inspector/InspectorPageAgent.cpp        2015-04-15 01:34:25 UTC (rev 182828)
+++ trunk/Source/WebCore/inspector/InspectorPageAgent.cpp        2015-04-15 01:39:05 UTC (rev 182829)
</span><span class="lines">@@ -155,8 +155,9 @@
</span><span class="cx">     if (cachedResource) {
</span><span class="cx">         switch (cachedResource-&gt;type()) {
</span><span class="cx">         case CachedResource::CSSStyleSheet:
</span><ins>+            // This can return a null String if the MIME type is invalid.
</ins><span class="cx">             *result = downcast&lt;CachedCSSStyleSheet&gt;(*cachedResource).sheetText();
</span><del>-            return true;
</del><ins>+            return !result-&gt;isNull();
</ins><span class="cx">         case CachedResource::Script:
</span><span class="cx">             *result = downcast&lt;CachedScript&gt;(*cachedResource).script();
</span><span class="cx">             return true;
</span></span></pre>
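Review bot: `return !result-&gt;isNull();` is the right predicate (a correctly typed but empty stylesheet yields an empty, non-null String and should still report success, so isEmpty() would be wrong here), but on the failure path *result is left holding the null String, and a caller that ignores the return value would still dereference it. Consider documenting that *result is unspecified when the function returns false, or resetting it to an empty String before returning. Also, the Script case directly below still returns true unconditionally after assigning script(); if CachedScript::script() can yield a null String under comparable conditions, it needs the same guard.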
</div>
</div>

</body>
</html>