Title: [271791] trunk
- Revision: 271791
- Author: commit-qu...@webkit.org
- Date: 2021-01-25 04:30:59 -0800 (Mon, 25 Jan 2021)
Log Message
Nullptr dereference in SpeechRecognition::stop()
https://bugs.webkit.org/show_bug.cgi?id=220869
<rdar://problem/73507085>
Patch by Sihui Liu <sihui_...@appe.com> on 2021-01-25
Reviewed by Ryosuke Niwa.
Source/WebCore:
It is possible that SpeechRecognition is created with a Document having no frame and ActiveDOMObjects of the
Document are stopped. In this case, SpeechRecognition::stop() will be invoked after a SpeechRecognition, of
which m_connection is nullptr, is constructed.
Test: fast/speechrecognition/detached-iframe.html
* Modules/speech/SpeechRecognition.cpp:
(WebCore::SpeechRecognition::stop):
LayoutTests:
* fast/speechrecognition/detached-iframe-expected.txt: Added.
* fast/speechrecognition/detached-iframe.html: Added.
Diff
Modified: trunk/LayoutTests/ChangeLog (271790 => 271791)
--- trunk/LayoutTests/ChangeLog 2021-01-25 12:28:27 UTC (rev 271790)
+++ trunk/LayoutTests/ChangeLog 2021-01-25 12:30:59 UTC (rev 271791)
@@ -1,3 +1,14 @@
+2021-01-25 Sihui Liu <sihui_...@appe.com>
+
+ Nullptr dereference in SpeechRecognition::stop()
+ https://bugs.webkit.org/show_bug.cgi?id=220869
+ <rdar://problem/73507085>
+
+ Reviewed by Ryosuke Niwa.
+
+ * fast/speechrecognition/detached-iframe-expected.txt: Added.
+ * fast/speechrecognition/detached-iframe.html: Added.
+
2021-01-25 Chris Fleizach <cfleiz...@apple.com>
AX: iOS: VO: Web: Column Names Not Announced
Added: trunk/LayoutTests/fast/speechrecognition/detached-iframe-expected.txt (0 => 271791)
--- trunk/LayoutTests/fast/speechrecognition/detached-iframe-expected.txt (rev 0)
+++ trunk/LayoutTests/fast/speechrecognition/detached-iframe-expected.txt 2021-01-25 12:30:59 UTC (rev 271791)
@@ -0,0 +1,4 @@
+PASS successfullyParsed is true
+
+TEST COMPLETE
+
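Review bot: the expected output holds only the `PASS successfullyParsed is true` and `TEST COMPLETE` lines and omits the text that `description()` normally writes to the output ("Verify that creating speech recognition in detached iframe does not crash." followed by the "On success, ..." sentence). That is consistent with the test below removing the whole `<body>` (`frame.parentNode.remove(frame)` removes the parent, not the frame), which takes the description container with it; if that call is corrected to `frame.remove()`, this expectation file will need to be regenerated to include the description text.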
Added: trunk/LayoutTests/fast/speechrecognition/detached-iframe.html (0 => 271791)
--- trunk/LayoutTests/fast/speechrecognition/detached-iframe.html (rev 0)
+++ trunk/LayoutTests/fast/speechrecognition/detached-iframe.html 2021-01-25 12:30:59 UTC (rev 271791)
@@ -0,0 +1,21 @@
+<!DOCTYPE html>
+<html>
+<body>
+<script src=""
+<script>
+description("Verify that creating speech recognition in detached iframe does not crash.");
+
+if (window.testRunner)
+ jsTestIsAsync = true;
+
+function detachFrame() {
+ const frame = document.getElementById('iframe');
+ frame.parentNode.remove(frame);
+
+ setTimeout(() => { finishJSTest(); }, 0);
+}
+
+</script>
+<iframe id="iframe" srcdoc="<script>parent.detachFrame(); new webkitSpeechRecognition();</script>"></iframe>
+</body>
+</html>
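Review bot: `frame.parentNode.remove(frame);` does not do what it reads as. `Node.remove()` takes no argument and removes the node it is called on, so this line removes the `<body>` element rather than the iframe. The iframe is still detached as part of the removed subtree, which is why the crash scenario is reached, but the intent is wrong and the side effect is that the js-test output container is removed too (hence the bare expected output). Use `frame.remove();` (or `frame.parentNode.removeChild(frame);`). Separately, the harness include as shown, `<script src=""`, is empty and not closed: the test depends on `description`, `jsTestIsAsync` and `finishJSTest` from the js-test resource script, so that tag must reference it and be terminated. A one-line comment in `detachFrame()` noting that `parent.detachFrame()` in the srcdoc runs synchronously before `new webkitSpeechRecognition()`, so the object is constructed in a Document that no longer has a frame, would make the scenario the ChangeLog describes explicit to the next reader.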
Modified: trunk/Source/WebCore/ChangeLog (271790 => 271791)
--- trunk/Source/WebCore/ChangeLog 2021-01-25 12:28:27 UTC (rev 271790)
+++ trunk/Source/WebCore/ChangeLog 2021-01-25 12:30:59 UTC (rev 271791)
@@ -1,3 +1,20 @@
+2021-01-25 Sihui Liu <sihui_...@appe.com>
+
+ Nullptr dereference in SpeechRecognition::stop()
+ https://bugs.webkit.org/show_bug.cgi?id=220869
+ <rdar://problem/73507085>
+
+ Reviewed by Ryosuke Niwa.
+
+ It is possible that SpeechRecognition is created with a Document having no frame and ActiveDOMObjects of the
+ Document are stopped. In this case, SpeechRecognition::stop() will be invoked after a SpeechRecognition, of
+ which m_connection is nullptr, is constructed.
+
+ Test: fast/speechrecognition/detached-iframe.html
+
+ * Modules/speech/SpeechRecognition.cpp:
+ (WebCore::SpeechRecognition::stop):
+
2021-01-25 Chris Fleizach <cfleiz...@apple.com>
AX: iOS: VO: Web: Column Names Not Announced
Modified: trunk/Source/WebCore/Modules/speech/SpeechRecognition.cpp (271790 => 271791)
--- trunk/Source/WebCore/Modules/speech/SpeechRecognition.cpp 2021-01-25 12:28:27 UTC (rev 271790)
+++ trunk/Source/WebCore/Modules/speech/SpeechRecognition.cpp 2021-01-25 12:30:59 UTC (rev 271791)
@@ -102,6 +102,9 @@
void SpeechRecognition::stop()
{
abortRecognition();
+
+ if (!m_connection)
+ return;
m_connection->unregisterClient(*this);
auto& document = downcast<Document>(*scriptExecutionContext());
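Review bot: the new null check only guards `m_connection->unregisterClient(*this)`; `abortRecognition()` runs before it and the code after `auto& document = downcast<Document>(*scriptExecutionContext());` is outside the hunk, so confirm that neither dereferences `m_connection` on the same path (a SpeechRecognition constructed for a Document with no frame, per the ChangeLog), and that skipping the remainder of `stop()` via the early return is intended. A short comment on the early return stating when `m_connection` is null (Document created without a frame) would document the invariant, e.g. `// m_connection is null when the Document had no frame at construction time.` The same guard is worth checking in any other member that dereferences `m_connection` on an ActiveDOMObject path, which this hunk does not show.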
_______________________________________________
webkit-changes mailing list
webkit-changes@lists.webkit.org
https://lists.webkit.org/mailman/listinfo/webkit-changes