Title: [201277] releases/WebKitGTK/webkit-2.12
Revision: 201277
Author: [email protected]
Date: 2016-05-23 05:36:24 -0700 (Mon, 23 May 2016)

Log Message

Merge r200986 - heap use-after-free at WebCore::TimerBase::heapPopMin()
https://bugs.webkit.org/show_bug.cgi?id=157742
<rdar://problem/26236778>

Source/WebCore:

Reviewed by David Kilzer.

Tested by fast/frames/resources/crash-during-iframe-load-stop.html.

* loader/FrameLoader.cpp:
(WebCore::FrameLoader::stopForUserCancel): Protect m_frame from destruction while it is still
being used by the current stack frame.
(WebCore::FrameLoader::frameDetached): Ditto.
(WebCore::FrameLoader::continueFragmentScrollAfterNavigationPolicy): Ditto.

LayoutTests:

Reviewed by Simon Fraser.

* fast/frames/crash-during-iframe-load-stop-expected.txt: Added.
* fast/frames/crash-during-iframe-load-stop.html: Added.
* fast/frames/resources/crash-during-iframe-load-stop-inner.html: Added.
* fast/frames/resources/crash-during-iframe-load-stop.html: Added.

Diff

Modified: releases/WebKitGTK/webkit-2.12/LayoutTests/ChangeLog (201276 => 201277)


--- releases/WebKitGTK/webkit-2.12/LayoutTests/ChangeLog	2016-05-23 12:33:37 UTC (rev 201276)
+++ releases/WebKitGTK/webkit-2.12/LayoutTests/ChangeLog	2016-05-23 12:36:24 UTC (rev 201277)
@@ -1,3 +1,16 @@
+2016-05-16  Brent Fulgham  <[email protected]>
+
+        heap use-after-free at WebCore::TimerBase::heapPopMin()
+        https://bugs.webkit.org/show_bug.cgi?id=157742
+        <rdar://problem/26236778>
+
+        Reviewed by Simon Fraser.
+
+        * fast/frames/crash-during-iframe-load-stop-expected.txt: Added.
+        * fast/frames/crash-during-iframe-load-stop.html: Added.
+        * fast/frames/resources/crash-during-iframe-load-stop-inner.html: Added.
+        * fast/frames/resources/crash-during-iframe-load-stop.html: Added.
+
 2016-05-13  Ryosuke Niwa  <[email protected]>
 
         ToT WebKit doesn't show tooltip on perf dashboard's summary page

Added: releases/WebKitGTK/webkit-2.12/LayoutTests/fast/frames/crash-during-iframe-load-stop-expected.txt (0 => 201277)


--- releases/WebKitGTK/webkit-2.12/LayoutTests/fast/frames/crash-during-iframe-load-stop-expected.txt	                        (rev 0)
+++ releases/WebKitGTK/webkit-2.12/LayoutTests/fast/frames/crash-during-iframe-load-stop-expected.txt	2016-05-23 12:36:24 UTC (rev 201277)
@@ -0,0 +1,3 @@
+This tests that WebKit does not crash when frame loads are interrupted. This test passes if it does not crash.
+
+ 

Added: releases/WebKitGTK/webkit-2.12/LayoutTests/fast/frames/crash-during-iframe-load-stop.html (0 => 201277)


--- releases/WebKitGTK/webkit-2.12/LayoutTests/fast/frames/crash-during-iframe-load-stop.html	                        (rev 0)
+++ releases/WebKitGTK/webkit-2.12/LayoutTests/fast/frames/crash-during-iframe-load-stop.html	2016-05-23 12:36:24 UTC (rev 201277)
@@ -0,0 +1,38 @@
+<html>
+<head>
+<script>
+    if (window.testRunner) {
+        testRunner.waitUntilDone();
+        testRunner.dumpAsText();
+    }
+
+    var count = 0;
+</script>
+</head>
+<body _onload_='deleteFrame()'>
+    <script>
+    function deleteFrame()
+    {
+        var frameToRemove = document.getElementById('subframe');
+        document.body.removeChild(frameToRemove);
+    }
+
+    function reloadSubframe()
+    {
+        var iframe = document.createElement('iframe');
+        iframe.id = 'subframe';
+        iframe.src = '';
+        document.body.appendChild(iframe);
+        setTimeout(function() { deleteFrame(); }, 0);
+    }
+
+    function subFrameFinishedLoading()
+    {
+        if (window.testRunner)
+            testRunner.notifyDone();
+    }
+    </script>
+    <p>This tests that WebKit does not crash when frame loads are interrupted. This test passes if it does not crash.</p>
+    <iframe id="subframe" src=''></iframe>
+</body>
+</html>
\ No newline at end of file
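Review bot: with `iframe.src = ''` in `reloadSubframe()` and `src=''` on the static `<iframe id="subframe">`, the subframe never loads `resources/crash-during-iframe-load-stop.html`, so the `count` / `reloadSubframe()` / `subFrameFinishedLoading()` machinery defined in this file is unreachable, and after `testRunner.waitUntilDone()` nothing ever calls `testRunner.notifyDone()`; the test would then end only by timing out instead of by the ten stop-and-reload rounds the resource file is written for. Point both `src` values at `resources/crash-during-iframe-load-stop.html`, or, if an empty `src` really is the intended trigger, say so in the test and drop the unused functions. Separately, `_onload_` in `<body _onload_='deleteFrame()'>` is not a valid attribute name: if that is the mailing-list archive mangling `onload`, the repository copy is fine, but if it is literal the handler never fires and `deleteFrame()` never runs.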

Added: releases/WebKitGTK/webkit-2.12/LayoutTests/fast/frames/resources/crash-during-iframe-load-stop-inner.html (0 => 201277)


--- releases/WebKitGTK/webkit-2.12/LayoutTests/fast/frames/resources/crash-during-iframe-load-stop-inner.html	                        (rev 0)
+++ releases/WebKitGTK/webkit-2.12/LayoutTests/fast/frames/resources/crash-during-iframe-load-stop-inner.html	2016-05-23 12:36:24 UTC (rev 201277)
@@ -0,0 +1,6 @@
+<html>
+  <script>
+      window.parent.stop();
+      window.parent.subFrameFinishedLoading();
+  </script>
+</html>
\ No newline at end of file

Added: releases/WebKitGTK/webkit-2.12/LayoutTests/fast/frames/resources/crash-during-iframe-load-stop.html (0 => 201277)


--- releases/WebKitGTK/webkit-2.12/LayoutTests/fast/frames/resources/crash-during-iframe-load-stop.html	                        (rev 0)
+++ releases/WebKitGTK/webkit-2.12/LayoutTests/fast/frames/resources/crash-during-iframe-load-stop.html	2016-05-23 12:36:24 UTC (rev 201277)
@@ -0,0 +1,16 @@
+<html>
+<head>
+    <script>
+    function subFrameFinishedLoading()
+    {
+        window.parent.count = window.parent.count + 1;
+        if (window.parent.count < 10)
+            window.parent.reloadSubframe();
+        else
+            window.parent.subFrameFinishedLoading();
+    }
+    </script>
+</head>
+  <iframe src=""
+  <iframe src="" <html></html>"></iframe>
+</html>
\ No newline at end of file
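Review bot: the last two lines before `</html>` are malformed: `<iframe src=""` is never closed, and `<iframe src="" <html></html>"></iframe>` puts stray text inside the start tag, so the parser has to error-recover and it is unclear what the nested frames actually load. Nothing in this file, or in the outer test, references `crash-during-iframe-load-stop-inner.html`, which is the file that calls `window.parent.stop()` and `window.parent.subFrameFinishedLoading()` and is therefore the part that interrupts the load; presumably one of these should read `<iframe src="crash-during-iframe-load-stop-inner.html"></iframe>`. The file also has a `<head>` but no `<body>`; wrapping the frames in one would make the intended structure obvious.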

Modified: releases/WebKitGTK/webkit-2.12/Source/WebCore/ChangeLog (201276 => 201277)


--- releases/WebKitGTK/webkit-2.12/Source/WebCore/ChangeLog	2016-05-23 12:33:37 UTC (rev 201276)
+++ releases/WebKitGTK/webkit-2.12/Source/WebCore/ChangeLog	2016-05-23 12:36:24 UTC (rev 201277)
@@ -1,3 +1,19 @@
+2016-05-16  Brent Fulgham  <[email protected]>
+
+        heap use-after-free at WebCore::TimerBase::heapPopMin()
+        https://bugs.webkit.org/show_bug.cgi?id=157742
+        <rdar://problem/26236778>
+
+        Reviewed by David Kilzer.
+
+        Tested by fast/frames/resources/crash-during-iframe-load-stop.html.
+
+        * loader/FrameLoader.cpp:
+        (WebCore::FrameLoader::stopForUserCancel): Protect m_frame from destruction while it is still
+        being used by the current stack frame.
+        (WebCore::FrameLoader::frameDetached): Ditto.
+        (WebCore::FrameLoader::continueFragmentScrollAfterNavigationPolicy): Ditto.
+
 2016-05-16  Zalan Bujtas  <[email protected]>
 
         RenderLayer::hitTestList could mutate the list of candidate layers.
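Review bot: the `Tested by` line names `fast/frames/resources/crash-during-iframe-load-stop.html`, but that file lives under `resources/`, which the layout-test runner does not treat as a test; the runnable test is `fast/frames/crash-during-iframe-load-stop.html`, as listed in the LayoutTests ChangeLog entry in this same patch. Correct the path so the entry points at the test that is actually executed.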

Modified: releases/WebKitGTK/webkit-2.12/Source/WebCore/loader/FrameLoader.cpp (201276 => 201277)


--- releases/WebKitGTK/webkit-2.12/Source/WebCore/loader/FrameLoader.cpp	2016-05-23 12:33:37 UTC (rev 201276)
+++ releases/WebKitGTK/webkit-2.12/Source/WebCore/loader/FrameLoader.cpp	2016-05-23 12:36:24 UTC (rev 201277)
@@ -1616,6 +1616,9 @@
 
 void FrameLoader::stopForUserCancel(bool deferCheckLoadComplete)
 {
+    // Calling stopAllLoaders can cause the frame to be deallocated, including the frame loader.
+    Ref<Frame> protectedFrame(m_frame);
+
     stopAllLoaders();
 
 #if PLATFORM(IOS)
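Review bot: the protector is correct, but the comment understates what it guards: `FrameLoader` is a member of `Frame`, so if `stopAllLoaders()` drops the last reference to the frame, `this` is destroyed as well and every member access after the call (including the `PLATFORM(IOS)` code below) is a use-after-free, consistent with the `TimerBase::heapPopMin()` crash in the title. Consider wording the comment as "keep the frame, and therefore this FrameLoader, alive until the end of the function", and mention that `protectedFrame` is intentionally never referenced again so a later cleanup does not remove it as unused.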
@@ -2506,6 +2509,9 @@
 
 void FrameLoader::frameDetached()
 {
+    // Calling stopAllLoaders can cause the frame to be deallocated, including the frame loader.
+    Ref<Frame> protectedFrame(m_frame);
+
     stopAllLoaders();
     m_frame.document()->stopActiveDOMObjects();
     detachFromParent();
@@ -2798,6 +2804,10 @@
     if (!shouldContinue)
         return;
 
+    // Calling stopLoading() on the provisional document loader can cause the underlying
+    // frame to be deallocated.
+    Ref<Frame> protectedFrame(m_frame);
+
     // If we have a provisional request for a different document, a fragment scroll should cancel it.
     if (m_provisionalDocumentLoader && !equalIgnoringFragmentIdentifier(m_provisionalDocumentLoader->request().url(), request.url())) {
         m_provisionalDocumentLoader->stopLoading();
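Review bot: taking the reference after the `if (!shouldContinue) return;` early exit is fine (no ref/deref on the bail-out path), but it differs from the other two hunks, which protect at function entry; the essential part is that the `Ref` is declared before `m_provisionalDocumentLoader->stopLoading()`, and it is, so every later use of `m_frame` in the remainder of this function (not visible in the hunk) is covered. The comment should also say that `stopLoading()` can destroy this `FrameLoader`, since the frame owns it, matching the wording used in the other two comments. Worth verifying against the rest of the function: can `stopLoading()` clear `m_provisionalDocumentLoader` before the code that follows this `if` touches it again?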
_______________________________________________
webkit-changes mailing list
[email protected]
https://lists.webkit.org/mailman/listinfo/webkit-changes
