[Webkit-unassigned] [Bug 26807] Crashes on 3 layout tests when XSS auditor is enabled

bugzilla-daemon at webkit.org bugzilla-daemon at webkit.org
Mon Jun 29 15:43:58 PDT 2009


------- Comment #4 from dbates at berkeley.edu  2009-06-29 15:43 PDT -------
Created an attachment (id=32023)
 --> (https://bugs.webkit.org/attachment.cgi?id=32023&action=view)
temporary workaround

Temporary workaround.

I have not been able to reproduce the crash for the test:

With respect to the other cases: fast/loader/javascript-url-encoding-2.html and
fast/loader/opaque-base-url.html, these eventually cause the
FrameLoader::m_decoder to be nullified and never set again before the
XSSAuditor is called. So, frame->document()->decoder() is a null pointer and we
were dereferencing it; hence the crashes.

Both of these tests call FrameLoader::executeIfJavaScriptURL, which calls
FrameLoader::write(const String& str). Unlike in FrameLoader::write(const char*
str, int len, bool flush), the field FrameLoader::m_decoder is never set in
FrameLoader::write(const String& str). Moreover, it looks like
FrameLoader::executeIfJavaScriptURL is only method that calls
FrameLoader::write(const String& str).

I am unclear of the purpose of FrameLoader::write(const String& str). Why
doesn't it just call FrameLoader::write(const char* str, int len, bool flush)
with the appropriate arguments? I take it that it has something to do with
parsing a strict document? I was not sure if I should set m_decoder (in a
similar fashion) as in FrameLoader::write(const char* str, int len, bool
flush), it seems kinda weird that someone left this out. Any suggestions?

Configure bugmail: https://bugs.webkit.org/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are the assignee for the bug, or are watching the assignee.

More information about the webkit-unassigned mailing list