Title: [87959] trunk
Revision: 87959
Author: [email protected]
Date: 2011-06-02 15:03:49 -0700 (Thu, 02 Jun 2011)
Log Message
<rdar://problem/9539920> and https://bugs.webkit.org/show_bug.cgi?id=61950
Repro crash loading certain webarchives after r87566.
Reviewed by Oliver Hunt.
Source/WebCore:
Test: webarchive/loading/_javascript_-url-iframe-crash.html
* bindings/ScriptControllerBase.cpp:
(WebCore::ScriptController::executeIfJavaScriptURL): DocumentWriter::replaceDocument can
cause the DocumentLoader to be destroyed, so protect it with a Ref here.
LayoutTests:
* webarchive/loading/_javascript_-url-iframe-crash-expected.txt: Added.
* webarchive/loading/_javascript_-url-iframe-crash.html: Added.
* webarchive/loading/resources/_javascript_-url-iframe-crash.webarchive: Added.
Diff
Modified: trunk/LayoutTests/ChangeLog (87958 => 87959)
--- trunk/LayoutTests/ChangeLog 2011-06-02 21:59:29 UTC (rev 87958)
+++ trunk/LayoutTests/ChangeLog 2011-06-02 22:03:49 UTC (rev 87959)
@@ -1,3 +1,14 @@
+2011-06-02 Brady Eidson <[email protected]>
+
+ Reviewed by Oliver Hunt.
+
+ <rdar://problem/9539920> and https://bugs.webkit.org/show_bug.cgi?id=61950
+ Repro crash loading certain webarchives after r87566.
+
+ * webarchive/loading/_javascript_-url-iframe-crash-expected.txt: Added.
+ * webarchive/loading/_javascript_-url-iframe-crash.html: Added.
+ * webarchive/loading/resources/_javascript_-url-iframe-crash.webarchive: Added.
+
2011-06-02 Tony Chang <[email protected]>
[chromium] mark media/audio-delete-while-slider-thumb-clicked.html as passing
Added: trunk/LayoutTests/webarchive/loading/_javascript_-url-iframe-crash-expected.txt (0 => 87959)
--- trunk/LayoutTests/webarchive/loading/_javascript_-url-iframe-crash-expected.txt (rev 0)
+++ trunk/LayoutTests/webarchive/loading/_javascript_-url-iframe-crash-expected.txt 2011-06-02 22:03:49 UTC (rev 87959)
@@ -0,0 +1,17 @@
+main frame - didStartProvisionalLoadForFrame
+main frame - didCommitLoadForFrame
+main frame - willPerformClientRedirectToURL: resources/_javascript_-url-iframe-crash.webarchive
+main frame - didFinishDocumentLoadForFrame
+main frame - didFinishLoadForFrame
+main frame - didStartProvisionalLoadForFrame
+main frame - didCancelClientRedirectForFrame
+main frame - didCommitLoadForFrame
+frame "<!--framePath //<!--frame0-->-->" - didStartProvisionalLoadForFrame
+frame "<!--framePath //<!--frame0-->-->" - didFailProvisionalLoadWithError
+frame "<!--framePath //<!--frame0-->-->" - didFinishDocumentLoadForFrame
+frame "<!--framePath //<!--frame0-->-->" - didHandleOnloadEventsForFrame
+main frame - didFinishDocumentLoadForFrame
+main frame - didHandleOnloadEventsForFrame
+main frame - didFinishLoadForFrame
+Loading this webarchive with a "non-empty _javascript_ URL iframe" should not crash.
+
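Review bot: The expected output pins the full sequence of frame load callbacks, including didFailProvisionalLoadWithError for the subframe, while the stated purpose on the last line is only that loading the archive "should not crash". That makes the test sensitive to unrelated changes in loader callback ordering. If the provisional-load failure for the iframe is part of what is being verified, say so in the test's description text; otherwise consider whether the callback dump is needed for this test at all.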
Added: trunk/LayoutTests/webarchive/loading/_javascript_-url-iframe-crash.html (0 => 87959)
--- trunk/LayoutTests/webarchive/loading/_javascript_-url-iframe-crash.html (rev 0)
+++ trunk/LayoutTests/webarchive/loading/_javascript_-url-iframe-crash.html 2011-06-02 22:03:49 UTC (rev 87959)
@@ -0,0 +1,10 @@
+<html>
+<script>
+ if (window.layoutTestController) {
+ layoutTestController.dumpAsText();
+ layoutTestController.waitUntilDone();
+ }
+
+ window.location="resources/_javascript_-url-iframe-crash.webarchive";
+</script>
+</html>
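Review bot: The script calls layoutTestController.waitUntilDone(), but nothing in this file calls notifyDone(), so completion depends entirely on content inside the binary webarchive that window.location navigates to. If the archive fails to load or its script does not run, the test ends as a timeout instead of a clear failure. A short comment next to the window.location assignment stating where notifyDone() is expected to come from would make that dependency visible, since the archive itself cannot be reviewed in the diff.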
Added: trunk/LayoutTests/webarchive/loading/resources/_javascript_-url-iframe-crash.webarchive
(Binary files differ)
Property changes on: trunk/LayoutTests/webarchive/loading/resources/_javascript_-url-iframe-crash.webarchive
___________________________________________________________________
Added: svn:mime-type
Modified: trunk/Source/WebCore/ChangeLog (87958 => 87959)
--- trunk/Source/WebCore/ChangeLog 2011-06-02 21:59:29 UTC (rev 87958)
+++ trunk/Source/WebCore/ChangeLog 2011-06-02 22:03:49 UTC (rev 87959)
@@ -1,3 +1,16 @@
+2011-06-02 Brady Eidson <[email protected]>
+
+ Reviewed by Oliver Hunt.
+
+ <rdar://problem/9539920> and https://bugs.webkit.org/show_bug.cgi?id=61950
+ Repro crash loading certain webarchives after r87566.
+
+ Test: webarchive/loading/_javascript_-url-iframe-crash.html
+
+ * bindings/ScriptControllerBase.cpp:
+ (WebCore::ScriptController::executeIfJavaScriptURL): DocumentWriter::replaceDocument can
+ cause the DocumentLoader to be destroyed, so protect it with a Ref here.
+
2011-06-02 Jay Civelli <[email protected]>
Reviewed by Adam Barth.
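Review bot: The entry for executeIfJavaScriptURL says the loader is protected "with a Ref", while the change in ScriptControllerBase.cpp uses RefPtr<DocumentLoader>; name the type that is actually used so the ChangeLog matches the code. The summary line also says only that the crash appeared "after r87566"; one sentence on what that revision changed about the DocumentLoader's lifetime would help anyone auditing this path for similar use-after-free problems.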
Modified: trunk/Source/WebCore/bindings/ScriptControllerBase.cpp (87958 => 87959)
--- trunk/Source/WebCore/bindings/ScriptControllerBase.cpp 2011-06-02 21:59:29 UTC (rev 87958)
+++ trunk/Source/WebCore/bindings/ScriptControllerBase.cpp 2011-06-02 22:03:49 UTC (rev 87959)
@@ -117,7 +117,10 @@
if (shouldReplaceDocumentIfJavaScriptURL == ReplaceDocumentIfJavaScriptURL) {
// We're still in a frame, so there should be a DocumentLoader.
ASSERT(m_frame->document()->loader());
- if (DocumentLoader* loader = m_frame->document()->loader())
+
+ // DocumentWriter::replaceDocument can cause the DocumentLoader to get deref'ed and possible destroyed,
+ // so protect it with a RefPtr.
+ if (RefPtr<DocumentLoader> loader = m_frame->document()->loader())
loader->writer()->replaceDocument(scriptResult);
}
return true;
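Review bot: The added comment above the RefPtr line has a typo, "possible destroyed" should read "possibly destroyed". The RefPtr<DocumentLoader> local keeps the loader alive until the end of the if statement, which covers the replaceDocument call, but the comment does not say which owner drops its reference during that call; adding that would keep a later cleanup from reverting this to a raw pointer. Nothing after the call in this hunk touches the loader or m_frame before return true, and that is the property to preserve if this block is ever extended.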