Title: [90936] trunk
- Revision: 90936
- Author: [email protected]
- Date: 2011-07-13 11:51:44 -0700 (Wed, 13 Jul 2011)
Log Message
Source/WebCore: Patch by Abhishek Arya <[email protected]> on 2011-07-13
Reviewed by Adam Barth.
Issue with Frame lifetime due to deletion in beforeload event.
https://bugs.webkit.org/show_bug.cgi?id=64457
Copy the Frame protector higher in the stack from loadWithDocumentLoader
to loadFrameRequest since any of loadPostRequest or loadURL can call
loadWithDocumentLoader, thereby dispatching the beforeload event and
blowing away the frame. This deleted frame will be later accessed in
the loadFrameRequest function causing a crash.
Test: fast/events/form-iframe-target-before-load-crash2.html
* loader/FrameLoader.cpp:
(WebCore::FrameLoader::loadFrameRequest):
(WebCore::FrameLoader::loadWithDocumentLoader):
LayoutTests: Tests that we do not crash when a frame is blown away in a beforeload event.
https://bugs.webkit.org/show_bug.cgi?id=64457
Reviewed by Adam Barth.
* fast/events/form-iframe-target-before-load-crash.html:
* fast/events/form-iframe-target-before-load-crash2-expected.txt: Added.
* fast/events/form-iframe-target-before-load-crash2.html: Added.
Diff
Modified: trunk/LayoutTests/ChangeLog (90935 => 90936)
--- trunk/LayoutTests/ChangeLog 2011-07-13 18:49:16 UTC (rev 90935)
+++ trunk/LayoutTests/ChangeLog 2011-07-13 18:51:44 UTC (rev 90936)
@@ -1,3 +1,15 @@
+2011-07-13 Abhishek Arya <[email protected]>
+
+ Tests that we do not crash when frame is blown away in a beforeload
+ event.
+ https://bugs.webkit.org/show_bug.cgi?id=64457
+
+ Reviewed by Adam Barth.
+
+ * fast/events/form-iframe-target-before-load-crash.html:
+ * fast/events/form-iframe-target-before-load-crash2-expected.txt: Added.
+ * fast/events/form-iframe-target-before-load-crash2.html: Added.
+
2011-07-13 Mihnea Ovidenie <[email protected]>
[CSSRegions]content:-webkit-from-flow not applied correctly
Modified: trunk/LayoutTests/fast/events/form-iframe-target-before-load-crash.html (90935 => 90936)
--- trunk/LayoutTests/fast/events/form-iframe-target-before-load-crash.html 2011-07-13 18:49:16 UTC (rev 90935)
+++ trunk/LayoutTests/fast/events/form-iframe-target-before-load-crash.html 2011-07-13 18:51:44 UTC (rev 90936)
@@ -1,4 +1,5 @@
<html>
+ <script src=""
<body _onload_="runTest()">
<div id="console"></div>
<form id="form1" style="display:none" method="post" target="test" action=""
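Review bot: the `<script src=""` line added before `<body>` renders with an empty `src` on this page, so the helper that defines `gc()` (called in the next hunk) cannot be confirmed from here; if the attribute really is empty, `gc()` throws a ReferenceError inside the beforeload handler and the test stops short of the path it is meant to exercise. Also, a `<script>` placed between `<html>` and `<body>` sits outside both `<head>` and `<body>`; moving it into an explicit `<head>` is the tidier form.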
@@ -25,6 +26,7 @@
if (count == 2)
{
document.body.removeChild(document.getElementById('test'));
+ gc();
document.body.offsetTop;
}
}, true);
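Review bot: the `gc();` added between `removeChild(...)` and `document.body.offsetTop` is what makes the Frame destruction happen synchronously inside the beforeload handler, so the regression reproduces deterministically instead of depending on when collection happens to run; a one-line comment saying so is worth adding, otherwise a later reader may drop the call as redundant. Keep the order as written (remove, collect, then force layout), since the layout access is what touches the freed frame.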
Added: trunk/LayoutTests/fast/events/form-iframe-target-before-load-crash2-expected.txt (0 => 90936)
--- trunk/LayoutTests/fast/events/form-iframe-target-before-load-crash2-expected.txt (rev 0)
+++ trunk/LayoutTests/fast/events/form-iframe-target-before-load-crash2-expected.txt 2011-07-13 18:51:44 UTC (rev 90936)
@@ -0,0 +1,2 @@
+PASS
+
Copied: trunk/LayoutTests/fast/events/form-iframe-target-before-load-crash2.html (from rev 90935, trunk/LayoutTests/fast/events/form-iframe-target-before-load-crash.html) (0 => 90936)
--- trunk/LayoutTests/fast/events/form-iframe-target-before-load-crash2.html (rev 0)
+++ trunk/LayoutTests/fast/events/form-iframe-target-before-load-crash2.html 2011-07-13 18:51:44 UTC (rev 90936)
@@ -0,0 +1,37 @@
+<html>
+ <script src=""
+ <body _onload_="runTest()">
+ <div id="console"></div>
+ <form id="form1" style="display:none" target="test" action=""
+ <script>
+ if (window.layoutTestController)
+ {
+ layoutTestController.dumpAsText();
+ layoutTestController.waitUntilDone();
+ }
+
+ function runTest()
+ {
+ document.getElementById('form1').submit();
+
+ if (window.layoutTestController)
+ layoutTestController.notifyDone();
+ document.getElementById('console').innerHTML = 'PASS';
+ }
+
+ count = 0;
+ document.addEventListener("beforeload", function(event) {
+ event.preventDefault();
+ count = count + 1;
+ if (count == 2)
+ {
+ document.body.removeChild(document.getElementById('test'));
+ gc();
+ document.body.offsetTop;
+ }
+ }, true);
+ </script>
+ <iframe id="test" src=""
+ </body>
+</html>
+
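Review bot: compared with the visible lines of form-iframe-target-before-load-crash.html, the only difference is that `<form id="form1" style="display:none" target="test" action=""` drops `method="post"`, so this copy drives the GET path (loadURL) into loadWithDocumentLoader while the original covers loadPostRequest; a comment in the file or a sentence in the ChangeLog stating that intent would make the pair easier to maintain. Also, `document.getElementById('console').innerHTML = 'PASS';` is executed after `layoutTestController.notifyDone();`; writing the PASS text before calling notifyDone is the safer order, so the dump can never be taken before the text exists.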
Modified: trunk/Source/WebCore/ChangeLog (90935 => 90936)
--- trunk/Source/WebCore/ChangeLog 2011-07-13 18:49:16 UTC (rev 90935)
+++ trunk/Source/WebCore/ChangeLog 2011-07-13 18:51:44 UTC (rev 90936)
@@ -1,3 +1,22 @@
+2011-07-13 Abhishek Arya <[email protected]>
+
+ Reviewed by Adam Barth.
+
+ Issue with Frame lifetime due to deletion in beforeload event.
+ https://bugs.webkit.org/show_bug.cgi?id=64457
+
+ Copy the Frame protector higher in the stack from loadWithDocumentLoader
+ to loadFrameRequest since any of loadPostRequest or loadURL can call
+ loadWithDocumentLoader, thereby dispatching the beforeload event and
+ blowing away the frame. This deleted frame will be later accessed in
+ the loadFrameRequest function causing a crash.
+
+ Test: fast/events/form-iframe-target-before-load-crash2.html
+
+ * loader/FrameLoader.cpp:
+ (WebCore::FrameLoader::loadFrameRequest):
+ (WebCore::FrameLoader::loadWithDocumentLoader):
+
2011-07-13 Mihnea Ovidenie <[email protected]>
[CSSRegions]content:-webkit-from-flow not applied correctly
Modified: trunk/Source/WebCore/loader/FrameLoader.cpp (90935 => 90936)
--- trunk/Source/WebCore/loader/FrameLoader.cpp 2011-07-13 18:49:16 UTC (rev 90935)
+++ trunk/Source/WebCore/loader/FrameLoader.cpp 2011-07-13 18:51:44 UTC (rev 90936)
@@ -1114,6 +1114,9 @@
void FrameLoader::loadFrameRequest(const FrameLoadRequest& request, bool lockHistory, bool lockBackForwardList,
PassRefPtr<Event> event, PassRefPtr<FormState> formState, ReferrerPolicy referrerPolicy)
{
+ // Protect frame from getting blown away inside dispatchBeforeLoadEvent in loadWithDocumentLoader.
+ RefPtr<Frame> protect(m_frame);
+
KURL url = ""
ASSERT(m_frame->document());
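Review bot: `RefPtr<Frame> protect(m_frame);` keeps the Frame object alive across the loadPostRequest/loadURL calls, which removes the use-after-free, but it does not stop loadFrameRequest from continuing to operate on a frame that the beforeload handler has already detached from its page; any code after those calls that reaches into `m_frame`'s page or document should check that the frame is still attached and return early. The comment above the protector explains the why, which is good; since the ChangeLog says the protector is copied (not moved) from loadWithDocumentLoader, note that in the comment too so nobody later removes one of the two as redundant.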
_______________________________________________
webkit-changes mailing list
[email protected]
http://lists.webkit.org/mailman/listinfo.cgi/webkit-changes