Diff
Modified: trunk/Source/WebCore/ChangeLog (97648 => 97649)
--- trunk/Source/WebCore/ChangeLog 2011-10-17 21:14:58 UTC (rev 97648)
+++ trunk/Source/WebCore/ChangeLog 2011-10-17 21:22:23 UTC (rev 97649)
@@ -1,3 +1,23 @@
+2011-10-17 Sheriff Bot <[email protected]>
+
+ Unreviewed, rolling out r97643.
+ http://trac.webkit.org/changeset/97643
+ https://bugs.webkit.org/show_bug.cgi?id=70270
+
+ Broke iframe reparenting tests (Requested by dimich on
+ #webkit).
+
+ * manual-tests/iframe_notifications/iframe-reparenting-close-window-child.html: Removed.
+ * manual-tests/iframe_notifications/iframe-reparenting-close-window-iframe.html: Removed.
+ * manual-tests/iframe_notifications/iframe-reparenting-close-window.html: Removed.
+ * notifications/NotificationCenter.cpp:
+ (WebCore::NotificationCenter::disconnectFrame):
+ * page/DOMWindow.cpp:
+ (WebCore::DOMWindow::webkitNotifications):
+ * page/DOMWindow.h:
+ * page/Frame.cpp:
+ (WebCore::Frame::transferChildFrameToNewDocument):
+
2011-10-17 Dmitry Titov <[email protected]>
window.webkitNotifications uses deallocated NotificationPresenter after live Iframe transfer.
Deleted: trunk/Source/WebCore/manual-tests/iframe_notifications/iframe-reparenting-close-window-child.html (97648 => 97649)
--- trunk/Source/WebCore/manual-tests/iframe_notifications/iframe-reparenting-close-window-child.html 2011-10-17 21:14:58 UTC (rev 97648)
+++ trunk/Source/WebCore/manual-tests/iframe_notifications/iframe-reparenting-close-window-child.html 2011-10-17 21:22:23 UTC (rev 97649)
@@ -1,29 +0,0 @@
-<html>
-<script>
-
-var iframe;
-
-window.addAndTransferIframe = function()
-{
- iframe = document.createElement('iframe');
- iframe.setAttribute('width', '500');
- iframe.setAttribute('height', '350');
- iframe.setAttribute('src', 'iframe-reparenting-close-window-iframe.html');
- window.document.body.appendChild(iframe);
-}
-
-// Called from Iframe when it is loaded and initialized.
-window.transferIframe = function()
-{
- var backgroundWin = window.opener;
- backgroundWin.log("Transferring Iframe now.");
- backgroundWin.document.adoptNode(iframe);
- backgroundWin.document.body.appendChild(iframe);
- iframe.contentWindow.finish();
- window.close();
-}
-</script>
-
-<body>
-</body>
-</html>
\ No newline at end of file
Deleted: trunk/Source/WebCore/manual-tests/iframe_notifications/iframe-reparenting-close-window-iframe.html (97648 => 97649)
--- trunk/Source/WebCore/manual-tests/iframe_notifications/iframe-reparenting-close-window-iframe.html 2011-10-17 21:14:58 UTC (rev 97648)
+++ trunk/Source/WebCore/manual-tests/iframe_notifications/iframe-reparenting-close-window-iframe.html 2011-10-17 21:22:23 UTC (rev 97649)
@@ -1,26 +0,0 @@
-<html>
-<head>
-<script>
-var logWin = window.parent.opener;
-logWin.log('Initializing Iframe');
-
-var notificationCenter = null;
-function test() {
- notificationCenter = window.webkitNotifications;
- logWin.log("Before transfer: checkPermission returned (should be 1): " + notificationCenter.checkPermission());
- setTimeout("window.parent.transferIframe();", 5000); // Wait long enough for Chrome popup blocker to release the window so it can actually close.
-}
-
-function testAfterClose()
-{
- logWin.log("After transfer: checkPermission returned (should be 2): " + notificationCenter.checkPermission());
-}
-window.finish = function() {
- logWin.log("After transfer, the checkPermission call is accessing a destroyed object and can return invalid value or crash, depending on circumstances.");
- setInterval(testAfterClose, 1000); // Do it several times in a row, it'll crash after 1-3 times
-}
-</script>
-</head>
-<body _onload_=test()>
-</body>
-</html>
\ No newline at end of file
Deleted: trunk/Source/WebCore/manual-tests/iframe_notifications/iframe-reparenting-close-window.html (97648 => 97649)
--- trunk/Source/WebCore/manual-tests/iframe_notifications/iframe-reparenting-close-window.html 2011-10-17 21:14:58 UTC (rev 97648)
+++ trunk/Source/WebCore/manual-tests/iframe_notifications/iframe-reparenting-close-window.html 2011-10-17 21:22:23 UTC (rev 97649)
@@ -1,31 +0,0 @@
-<html>
-<script>
-window.log = function(message)
-{
- document.getElementById("log").innerText += message + "\n";
-}
-
-function childLoaded()
-{
- log("Child window loaded.");
- window.childWindow.addAndTransferIframe();
-}
-
-function start()
-{
- window.childWindow = window.open("iframe-reparenting-close-window-child.html", "_blank");
- window.childWindow.addEventListener("load", childLoaded, false);
-}
-
-</script>
-<body>
-<p>Bug: https://bugs.webkit.org/show_bug.cgi?id=70147</p>
-<p>This test recreates scenario when an iframe is reparented from one page to another using 'live iframe transfer'
- (with adoptNode() used on the iframe right before re-parenting into the other page's DOM tree).
- Then the original page is closed, destroying some internal objects that are associated with the top frame/page/WebVeiw.</p>
-<p>In Chromium, this destroys the underlying NotificationPresenter object which is associated with the Page, and as a result, the use of webkitNotification object from _javascript_ can crash the browser or return bogus results ('use-after-delete').
- Open this test in Chromium and click the button to start the test. If the test doesn't crash, and prints expected results, the bug is not regressed.</p>
-<button _onclick_="start()">Start test</button>
-<pre id="log"></pre>
-</body>
-</html>
Modified: trunk/Source/WebCore/notifications/NotificationCenter.cpp (97648 => 97649)
--- trunk/Source/WebCore/notifications/NotificationCenter.cpp 2011-10-17 21:14:58 UTC (rev 97648)
+++ trunk/Source/WebCore/notifications/NotificationCenter.cpp 2011-10-17 21:22:23 UTC (rev 97649)
@@ -61,8 +61,9 @@
void NotificationCenter::disconnectFrame()
{
- // Can be 0 if iframe was transferred into another page. In this case
- // this method is invoked more then once.
+ // m_notificationPresenter should never be 0. But just to be safe, we check it here.
+ // Due to the mysterious bug http://code.google.com/p/chromium/issues/detail?id=49323.
+ ASSERT(m_notificationPresenter);
if (!m_notificationPresenter)
return;
m_notificationPresenter->cancelRequestsForPermission(scriptExecutionContext());
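Review bot: The guard restored in `NotificationCenter::disconnectFrame()` (`ASSERT(m_notificationPresenter);` then `if (!m_notificationPresenter) return;`) catches only a null pointer, not a stale one. This rollout also removes the `resetNotifications()` call from `Frame::transferChildFrameToNewDocument`, so nothing visible in this diff clears the pointer when an iframe is moved to another page. That appears to put the tree back in the use-after-delete state the deleted manual test describes (bug 70147) until r97643 is re-landed with the reparenting tests fixed. The restored comment should record that instead of citing a "mysterious bug", for example `// FIXME: not cleared on live iframe transfer; can dangle once the original Page is destroyed (bug 70147).` The ASSERT followed by an early return also gives debug and release builds different behaviour for the same condition, so one contract should be chosen; the function body continues past the end of the hunk.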
Modified: trunk/Source/WebCore/page/DOMWindow.cpp (97648 => 97649)
--- trunk/Source/WebCore/page/DOMWindow.cpp 2011-10-17 21:14:58 UTC (rev 97648)
+++ trunk/Source/WebCore/page/DOMWindow.cpp 2011-10-17 21:22:23 UTC (rev 97649)
@@ -748,11 +748,6 @@
return m_notifications.get();
}
-
-void DOMWindow::resetNotifications()
-{
- m_notifications->disconnectFrame();
-}
#endif
void DOMWindow::pageDestroyed()
Modified: trunk/Source/WebCore/page/DOMWindow.h (97648 => 97649)
--- trunk/Source/WebCore/page/DOMWindow.h 2011-10-17 21:14:58 UTC (rev 97648)
+++ trunk/Source/WebCore/page/DOMWindow.h 2011-10-17 21:22:23 UTC (rev 97649)
@@ -380,9 +380,6 @@
#if ENABLE(NOTIFICATIONS)
NotificationCenter* webkitNotifications() const;
- // Renders webkitNotifications object safely inoperable, disconnects
- // if from embedder-provided NotificationPresenter.
- void resetNotifications();
#endif
#if ENABLE(QUOTA)
Modified: trunk/Source/WebCore/page/Frame.cpp (97648 => 97649)
--- trunk/Source/WebCore/page/Frame.cpp 2011-10-17 21:14:58 UTC (rev 97648)
+++ trunk/Source/WebCore/page/Frame.cpp 2011-10-17 21:22:23 UTC (rev 97649)
@@ -746,12 +746,8 @@
// when the Geolocation's iframe is reparented.
// See https://bugs.webkit.org/show_bug.cgi?id=55577
// and https://bugs.webkit.org/show_bug.cgi?id=52877
- if (m_domWindow) {
+ if (m_domWindow)
m_domWindow->resetGeolocation();
-#if ENABLE(NOTIFICATIONS)
- m_domWindow->resetNotifications();
-#endif
- }
#if ENABLE(MEDIA_STREAM)
if (m_mediaStreamFrameController)