Title: [90038] trunk
Revision
90038
Author
[email protected]
Date
2011-06-29 13:46:33 -0700 (Wed, 29 Jun 2011)

Log Message

2011-06-29  Darin Adler  <[email protected]>

        Reviewed by Anders Carlsson.

        [WebKit2] Crash loading page that adds/removes frame in DOMContentLoaded/loaded
        https://bugs.webkit.org/show_bug.cgi?id=63483

        * fast/loader/create-frame-in-DOMContentLoaded-expected.txt: Added.
        * fast/loader/create-frame-in-DOMContentLoaded.html: Added.

2011-06-29  Darin Adler  <[email protected]>

        Reviewed by Anders Carlsson.

        [WebKit2] Crash loading page that adds/removes frame in DOMContentLoaded/loaded
        https://bugs.webkit.org/show_bug.cgi?id=63483

        Test: fast/loader/create-frame-in-DOMContentLoaded.html

        * loader/FrameLoader.cpp:
        (WebCore::FrameLoader::init): Added an assertion.
        (WebCore::FrameLoader::finishedLoadingDocument): Removed a non-helpful #if
        statement. The rule that we do not call the client when creating the initial
        empty document was nominally specific to Windows and Chromium but is needed
        for all platforms.

2011-06-29  Darin Adler  <[email protected]>

        Reviewed by Anders Carlsson.

        [WebKit2] Crash loading page that adds/removes frame in DOMContentLoaded/loaded
        https://bugs.webkit.org/show_bug.cgi?id=63483

        * WebProcess/WebCoreSupport/WebFrameLoaderClient.cpp:
        (WebKit::WebFrameLoaderClient::createFrame): Added a check for null when creating
        a frame. Also added a check that was in the WebKit1 code, but not here. Strangely,
        the comment from the second check was still here, but not the code.

Diff

Modified: trunk/LayoutTests/ChangeLog (90037 => 90038)


--- trunk/LayoutTests/ChangeLog	2011-06-29 20:14:12 UTC (rev 90037)
+++ trunk/LayoutTests/ChangeLog	2011-06-29 20:46:33 UTC (rev 90038)
@@ -1,3 +1,13 @@
+2011-06-29  Darin Adler  <[email protected]>
+
+        Reviewed by Anders Carlsson.
+
+        [WebKit2] Crash loading page that adds/removes frame in DOMContentLoaded/loaded
+        https://bugs.webkit.org/show_bug.cgi?id=63483
+
+        * fast/loader/create-frame-in-DOMContentLoaded-expected.txt: Added.
+        * fast/loader/create-frame-in-DOMContentLoaded.html: Added.
+
 2011-06-29  Nat Duca  <[email protected]>
 
         [chromium] Unreviewed, mark fast/canvas/webgl/context-lost-restored failing

Added: trunk/LayoutTests/fast/loader/create-frame-in-DOMContentLoaded-expected.txt (0 => 90038)


--- trunk/LayoutTests/fast/loader/create-frame-in-DOMContentLoaded-expected.txt	                        (rev 0)
+++ trunk/LayoutTests/fast/loader/create-frame-in-DOMContentLoaded-expected.txt	2011-06-29 20:46:33 UTC (rev 90038)
@@ -0,0 +1,5 @@
+A) Entered DOMContentLoaded event handler function.
+C) Entered load event handler function.
+D) Exiting load event handler function.
+Test passed if messages A, B, C, D were all in order and there was no crash.
+B) Exiting DOMContentLoaded event handler function.
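Review bot: the expectation records the order A, C, D, "Test passed...", B, while the message printed by the test says it passes only if "A, B, C, D were all in order". The recorded order is what the test really produces: C and D are printed before B, so the load handler ran re-entrantly while the DOMContentLoaded handler was still appending the iframe, and B is printed last. Reword the pass message so it does not contradict the expectation file, for example "Test passed if there was no crash and the load handler ran (C, D) before B was printed."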

Added: trunk/LayoutTests/fast/loader/create-frame-in-DOMContentLoaded.html (0 => 90038)


--- trunk/LayoutTests/fast/loader/create-frame-in-DOMContentLoaded.html	                        (rev 0)
+++ trunk/LayoutTests/fast/loader/create-frame-in-DOMContentLoaded.html	2011-06-29 20:46:33 UTC (rev 90038)
@@ -0,0 +1,31 @@
+<head>
+<script>
+var frame;
+function print(message)
+{
+    var line = document.createElement("div");
+    line.appendChild(document.createTextNode(message));
+    document.body.appendChild(line);
+}
+function handleDOMContentLoadedEvent()
+{
+    document.body.removeChild(document.body.firstChild);
+    print("A) Entered DOMContentLoaded event handler function.");
+    frame = document.createElement("iframe");
+    document.body.appendChild(frame);
+    print("B) Exiting DOMContentLoaded event handler function.");
+}
+function handleLoadEvent()
+{
+    print("C) Entered load event handler function.");
+    document.body.removeChild(frame);
+    print("D) Exiting load event handler function.");
+    print("Test passed if messages A, B, C, D were all in order and there was no crash.");
+}
+if (window.layoutTestController)
+    layoutTestController.dumpAsText();
+addEventListener("load", handleLoadEvent);
+addEventListener("DOMContentLoaded", handleDOMContentLoadedEvent);
+</script>
+</head>
+<body>TEST DID NOT RUN YET</body>
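Review bot: the "Test passed" line is printed unconditionally from handleLoadEvent, so a regression that only changes the event ordering would still print "Test passed" and be caught solely by the expectation diff. Have the test record the order of A, B, C, D in an array and print PASS or FAIL from a comparison instead. Minor: the file has no `<!DOCTYPE html>` and no `<html>` element, and `document.body.removeChild(document.body.firstChild)` relies on the body's first child being the "TEST DID NOT RUN YET" text node; a comment saying so would help the next reader.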

Modified: trunk/Source/WebCore/ChangeLog (90037 => 90038)


--- trunk/Source/WebCore/ChangeLog	2011-06-29 20:14:12 UTC (rev 90037)
+++ trunk/Source/WebCore/ChangeLog	2011-06-29 20:46:33 UTC (rev 90038)
@@ -1,3 +1,19 @@
+2011-06-29  Darin Adler  <[email protected]>
+
+        Reviewed by Anders Carlsson.
+
+        [WebKit2] Crash loading page that adds/removes frame in DOMContentLoaded/loaded
+        https://bugs.webkit.org/show_bug.cgi?id=63483
+
+        Test: fast/loader/create-frame-in-DOMContentLoaded.html
+
+        * loader/FrameLoader.cpp:
+        (WebCore::FrameLoader::init): Added an assertion.
+        (WebCore::FrameLoader::finishedLoadingDocument): Removed a non-helpful #if
+        statement. The rule that we do not call the client when creating the initial
+        empty document was nominally specific to Windows and Chromium but is needed
+        for all platforms.
+
 2011-06-29  Emil A Eklund  <[email protected]>
 
         Reviewed by Darin Adler.

Modified: trunk/Source/WebCore/loader/FrameLoader.cpp (90037 => 90038)


--- trunk/Source/WebCore/loader/FrameLoader.cpp	2011-06-29 20:14:12 UTC (rev 90037)
+++ trunk/Source/WebCore/loader/FrameLoader.cpp	2011-06-29 20:46:33 UTC (rev 90038)
@@ -220,13 +220,15 @@
     // This needs to be done early, so that an initial document gets correct sandbox flags in its SecurityOrigin.
     updateSandboxFlags();
 
-    // this somewhat odd set of steps is needed to give the frame an initial empty document
+    // This somewhat odd set of steps gives the frame an initial empty document.
+    // It would be better if this could be done with even fewer steps.
     m_stateMachine.advanceTo(FrameLoaderStateMachine::CreatingInitialEmptyDocument);
     setPolicyDocumentLoader(m_client->createDocumentLoader(ResourceRequest(KURL(ParsedURLString, "")), SubstituteData()).get());
     setProvisionalDocumentLoader(m_policyDocumentLoader.get());
     setState(FrameStateProvisional);
     m_provisionalDocumentLoader->setResponse(ResourceResponse(KURL(), "text/html", 0, String(), String()));
     m_provisionalDocumentLoader->finishedLoading();
+    ASSERT(!m_frame->document());
     m_documentLoader->writer()->begin(KURL(), false);
     m_documentLoader->writer()->end();
     m_frame->document()->cancelParsing();
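Review bot: `ASSERT(!m_frame->document())` fires only in debug builds, and the surrounding comment ("It would be better if this could be done with even fewer steps") says nothing about what the assertion guards. If the intent is that `m_provisionalDocumentLoader->finishedLoading()` must not have committed a document while `creatingInitialEmptyDocument()` is true, which is what the unconditional early return in `finishedLoadingDocument` below now ensures on every platform, say so in a one-line comment next to the assertion so the two changes are visibly tied together, e.g. `// finishedLoading() must not have created a document; see finishedLoadingDocument().`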
@@ -2050,11 +2052,8 @@
 
 void FrameLoader::finishedLoadingDocument(DocumentLoader* loader)
 {
-    // FIXME: Platforms shouldn't differ here!
-#if PLATFORM(WIN) || PLATFORM(CHROMIUM)
     if (m_stateMachine.creatingInitialEmptyDocument())
         return;
-#endif
 
 #if !ENABLE(WEB_ARCHIVE) && !ENABLE(MHTML)
     m_client->finishedLoading(loader);
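Review bot: with the `#if PLATFORM(WIN) || PLATFORM(CHROMIUM)` gone the early return is unconditional, so `m_client->finishedLoading(loader)` is now skipped for the initial empty document on every port, not just Windows and Chromium. The ChangeLog says this rule is needed for all platforms; please confirm no other port's FrameLoaderClient relied on receiving finishedLoading at this point, and replace the removed FIXME with a short comment saying why the client must not be notified while creating the initial empty document, since the bare `if` no longer explains itself.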

Modified: trunk/Source/WebKit2/ChangeLog (90037 => 90038)


--- trunk/Source/WebKit2/ChangeLog	2011-06-29 20:14:12 UTC (rev 90037)
+++ trunk/Source/WebKit2/ChangeLog	2011-06-29 20:46:33 UTC (rev 90038)
@@ -1,3 +1,15 @@
+2011-06-29  Darin Adler  <[email protected]>
+
+        Reviewed by Anders Carlsson.
+
+        [WebKit2] Crash loading page that adds/removes frame in DOMContentLoaded/loaded
+        https://bugs.webkit.org/show_bug.cgi?id=63483
+
+        * WebProcess/WebCoreSupport/WebFrameLoaderClient.cpp:
+        (WebKit::WebFrameLoaderClient::createFrame): Added a check for null when creating
+        a frame. Also added a check that was in the WebKit1 code, but not here. Strangely,
+        the comment from the second check was still here, but not the code.
+
 2011-06-28  Chang Shu  <[email protected]>
 
         Reviewed by Andreas Kling.

Modified: trunk/Source/WebKit2/WebProcess/WebCoreSupport/WebFrameLoaderClient.cpp (90037 => 90038)


--- trunk/Source/WebKit2/WebProcess/WebCoreSupport/WebFrameLoaderClient.cpp	2011-06-29 20:14:12 UTC (rev 90037)
+++ trunk/Source/WebKit2/WebProcess/WebCoreSupport/WebFrameLoaderClient.cpp	2011-06-29 20:46:33 UTC (rev 90038)
@@ -1207,8 +1207,13 @@
     RefPtr<WebFrame> subframe = WebFrame::createSubframe(webPage, name, ownerElement);
 
     Frame* coreSubframe = subframe->coreFrame();
+    if (!coreSubframe)
+        return 0;
 
-     // The creation of the frame may have run arbitrary _javascript_ that removed it from the page already.
+    // The creation of the frame may have run arbitrary _javascript_ that removed it from the page already.
+    if (!coreSubframe->page())
+        return 0;
+
     m_frame->coreFrame()->loader()->loadURLIntoChildFrame(url, referrer, coreSubframe);
 
     // The frame's onload handler may have removed it from the document.
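Review bot: both new `return 0` paths run after `WebFrame::createSubframe(webPage, name, ownerElement)` has already produced a WebFrame; the hunk does not show whether that WebFrame is unregistered from the page or released when `coreSubframe` is null or has already lost its page, so please confirm nothing is leaked or left registered in the WebProcess on these early returns. A comment on the first check explaining when `subframe->coreFrame()` can be null immediately after creation would also help, as the condition is not obvious from this code. The second check restores the code that the pre-existing comment always described; the comment line itself changes only in indentation.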
_______________________________________________
webkit-changes mailing list
[email protected]
http://lists.webkit.org/mailman/listinfo.cgi/webkit-changes