Regression(r180020): Web Inspector crashes on pages that have a stylesheet with an...
authorcdumez@apple.com <cdumez@apple.com@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
Wed, 15 Apr 2015 01:39:05 +0000 (01:39 +0000)
committercdumez@apple.com <cdumez@apple.com@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
Wed, 15 Apr 2015 01:39:05 +0000 (01:39 +0000)
https://bugs.webkit.org/show_bug.cgi?id=143745
<rdar://problem/20243916>

Reviewed by Joseph Pecoraro.

Source/JavaScriptCore:

Add assertion in ContentSearchUtilities::findMagicComment() to make
sure the content String is not null or we would crash in
JSC::Yarr::interpret() later.

* inspector/ContentSearchUtilities.cpp:
(Inspector::ContentSearchUtilities::findMagicComment):

Source/WebCore:

After r180020, we are stricter and no longer accept CSS resources that
are not served with a CSS MIME type. Showing Web Inspector on a page
with such a bad resource would crash because
InspectorPageAgent::cachedResourceContent() would return true but
the result String would be null. This null String would then later
be passed to the Yarr interpreter and crash on a String::is8Bit()
call.

cachedResourceContent() calls CachedCSSStyleSheet::sheetText(). Before
r180020, it would return the text, even if the MIME type was incorrect.
However, this is no longer the case and we now need to make sure that
cachedResourceContent() returns false if sheetText() returns a null
String.

Test: http/tests/inspector/css/bad-mime-type.html

* inspector/InspectorPageAgent.cpp:
(WebCore::InspectorPageAgent::cachedResourceContent):

LayoutTests:

Add layout test that shows the Web Inspector on a page that has
a stylesheet with an invalid MIME type, to make sure we don't
crash.

* http/tests/inspector/css/bad-mime-type-expected.txt: Added.
* http/tests/inspector/css/bad-mime-type.html: Added.
* http/tests/misc/css-accept-any-type.html:
* http/tests/misc/css-reject-any-type-in-strict-mode.html:
* http/tests/misc/resources/stylesheet-bad-mime-type.php: Renamed from LayoutTests/http/tests/misc/resources/stylesheet.php.

git-svn-id: https://svn.webkit.org/repository/webkit/trunk@182829 268f45cc-cd09-0410-ab3c-d52691b4dbfc

LayoutTests/ChangeLog
LayoutTests/http/tests/inspector/css/bad-mime-type-expected.txt [new file with mode: 0644]
LayoutTests/http/tests/inspector/css/bad-mime-type.html [new file with mode: 0644]
LayoutTests/http/tests/misc/css-accept-any-type.html
LayoutTests/http/tests/misc/css-reject-any-type-in-strict-mode.html
LayoutTests/http/tests/misc/resources/stylesheet-bad-mime-type.php [moved from LayoutTests/http/tests/misc/resources/stylesheet.php with 100% similarity]
Source/JavaScriptCore/ChangeLog
Source/JavaScriptCore/inspector/ContentSearchUtilities.cpp
Source/WebCore/ChangeLog
Source/WebCore/inspector/InspectorPageAgent.cpp

index 7de05f6..ec4bd4d 100644 (file)
@@ -1,3 +1,21 @@
+2015-04-14  Chris Dumez  <cdumez@apple.com>
+
+        Regression(r180020): Web Inspector crashes on pages that have a stylesheet with an invalid MIME type
+        https://bugs.webkit.org/show_bug.cgi?id=143745
+        <rdar://problem/20243916>
+
+        Reviewed by Joseph Pecoraro.
+
+        Add layout test that shows the Web inspector on a page that has
+        a stylesheet with an invalid MIME type, to make sure we don't
+        crash.
+
+        * http/tests/inspector/css/bad-mime-type-expected.txt: Added.
+        * http/tests/inspector/css/bad-mime-type.html: Added.
+        * http/tests/misc/css-accept-any-type.html:
+        * http/tests/misc/css-reject-any-type-in-strict-mode.html:
+        * http/tests/misc/resources/stylesheet-bad-mime-type.php: Renamed from LayoutTests/http/tests/misc/resources/stylesheet.php.
+
 2015-04-14  Brady Eidson  <beidson@apple.com>
 
         Make sure media element loads hit content filter extensions.
diff --git a/LayoutTests/http/tests/inspector/css/bad-mime-type-expected.txt b/LayoutTests/http/tests/inspector/css/bad-mime-type-expected.txt
new file mode 100644 (file)
index 0000000..0089b56
--- /dev/null
@@ -0,0 +1,3 @@
+Tests that showing Web Inspector on a page that has a stylesheet with an invalid MIME type does not crash.
+
+This test passes if it does not crash.
diff --git a/LayoutTests/http/tests/inspector/css/bad-mime-type.html b/LayoutTests/http/tests/inspector/css/bad-mime-type.html
new file mode 100644 (file)
index 0000000..76721a3
--- /dev/null
@@ -0,0 +1,20 @@
+<!DOCTYPE html>
+<html>
+<head>
+<script type="text/javascript" src="../inspector-test.js"></script>
+
+<!-- This stylesheet is served with an invalid MIME type -->
+<link rel="stylesheet" href="/misc/resources/stylesheet-bad-mime-type.php">
+
+<script>
+function test()
+{
+    InspectorTest.completeTest();
+}
+</script>
+</head>
+<body onload="runTest()">
+<p>Tests that showing Web Inspector on a page that has a stylesheet with an invalid MIME type does not crash.</p>
+<p>This test passes if it does not crash.</p>
+</body>
+</html>
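Review bot: the test body only calls InspectorTest.completeTest(), so it proves the absence of a crash but nothing about the observable behaviour of the fix. A regression that goes back to returning true with a null result String would only be caught if it happens to crash again in the same place. Consider also requesting the stylesheet's content through the page agent from test() and logging whether an error is reported, so the expected.txt diff pins the new "cachedResourceContent() returns false for a null sheetText()" behaviour rather than relying on a crash as the only signal.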
index 6dc691c..ed6385d 100644 (file)
@@ -1,7 +1,7 @@
 <html>
 <head>
     <title></title>
-    <link rel="stylesheet" href="resources/stylesheet.php">
+    <link rel="stylesheet" href="resources/stylesheet-bad-mime-type.php">
     <script>
         function test()
         {
index 4b3e524..11146ef 100644 (file)
@@ -2,7 +2,7 @@
 <html>
 <head>
     <title></title>
-    <link rel="stylesheet" href="resources/stylesheet.php">
+    <link rel="stylesheet" href="resources/stylesheet-bad-mime-type.php">
     <script>
         function test()
         {
index 3662708..026f927 100644 (file)
@@ -1,3 +1,18 @@
+2015-04-14  Chris Dumez  <cdumez@apple.com>
+
+        Regression(r180020): Web Inspector crashes on pages that have a stylesheet with an invalid MIME type
+        https://bugs.webkit.org/show_bug.cgi?id=143745
+        <rdar://problem/20243916>
+
+        Reviewed by Joseph Pecoraro.
+
+        Add assertion in ContentSearchUtilities::findMagicComment() to make
+        sure the content String is not null or we would crash in
+        JSC::Yarr::interpret() later.
+
+        * inspector/ContentSearchUtilities.cpp:
+        (Inspector::ContentSearchUtilities::findMagicComment):
+
 2015-04-14  Michael Saboff  <msaboff@apple.com>
 
         DFG register fillSpeculate*() functions should validate incoming spill format is compatible with requested fill format
index 2b427dd..ed32a15 100644 (file)
@@ -180,6 +180,7 @@ static String stylesheetCommentPattern(const String& name)
 
 static String findMagicComment(const String& content, const String& patternString)
 {
+    ASSERT(!content.isNull());
     const char* error = nullptr;
     JSC::Yarr::YarrPattern pattern(patternString, false, true, &error);
     ASSERT(!error);
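Review bot: ASSERT(!content.isNull()) is compiled out in release builds, so if any caller other than the one fixed in InspectorPageAgent::cachedResourceContent() ever passes a null String, release builds still reach JSC::Yarr::interpret() and crash on the String::is8Bit() call this change describes. Since a null content has a sensible answer (no magic comment), consider keeping the ASSERT and adding a release-mode guard right after it, e.g. `if (content.isNull()) return String();`, so the failure mode degrades to "not found" instead of a crash.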
index 63e6b04..5c40f7a 100644 (file)
@@ -1,3 +1,30 @@
+2015-04-14  Chris Dumez  <cdumez@apple.com>
+
+        Regression(r180020): Web Inspector crashes on pages that have a stylesheet with an invalid MIME type
+        https://bugs.webkit.org/show_bug.cgi?id=143745
+        <rdar://problem/20243916>
+
+        Reviewed by Joseph Pecoraro.
+
+        After r180020, we are stricter and no longer accept CSS resources that
+        are not served with a CSS MIME type. Showing Web inspector on a page
+        with such bad resource would crash because
+        InspectorPageAgent::cachedResourceContent() would return true but
+        the result String would be null. This null String would then later
+        be passed to the Yarr interpreter and crash on a String::is8Bit()
+        call.
+
+        cachedResourceContent() calls CachedCSSStyleSheet::sheetText(). Before
+        r180020, it would return the text, even if the MIME type was incorrect.
+        However, this is no longer the case and we now need to make sure that
+        cachedResourceContent() returns false if sheetText() returns a null
+        String.
+
+        Test: http/tests/inspector/css/bad-mime-type.html
+
+        * inspector/InspectorPageAgent.cpp:
+        (WebCore::InspectorPageAgent::cachedResourceContent):
+
 2015-04-14  Said Abou-Hallawa  <sabouhallawa@apple.com>
 
         textPath layout performance improvement.
index 8f9cce7..29f7bb2 100644 (file)
@@ -155,8 +155,9 @@ bool InspectorPageAgent::cachedResourceContent(CachedResource* cachedResource, S
     if (cachedResource) {
         switch (cachedResource->type()) {
         case CachedResource::CSSStyleSheet:
+            // This can return a null String if the MIME type is invalid.
             *result = downcast<CachedCSSStyleSheet>(*cachedResource).sheetText();
-            return true;
+            return !result->isNull();
         case CachedResource::Script:
             *result = downcast<CachedScript>(*cachedResource).script();
             return true;
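Review bot: the new null check covers only the CachedResource::CSSStyleSheet branch; the Script branch directly below still returns true unconditionally, so if CachedScript::script() can likewise hand back a null String (for instance for a resource rejected on MIME-type grounds), the ASSERT added in findMagicComment() would fire from that path. Consider hoisting the check so that `return !result->isNull();` applies once after the switch for every branch that fills in *result, and extend the comment above sheetText() to say where the null comes from (CachedCSSStyleSheet::sheetText() rejecting a non-CSS MIME type since r180020), since the comment alone does not explain why this branch differs from its neighbours.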