Title: [216120] trunk
- Revision
- 216120
- Author
- [email protected]
- Date
- 2017-05-03 09:58:04 -0700 (Wed, 03 May 2017)
Log Message
Abandon the current load once the provisional loader detaches from the frame
https://bugs.webkit.org/show_bug.cgi?id=171577
<rdar://problem/31581227>
Source/WebCore:
Reviewed by Brent Fulgham and Brady Eidson.
We detach all child frames as part of setting our document loader to the provisional
document loader when committing a load for a frame. Detaching child frames invokes
the unload event handler on the child frames that can run arbitrary JavaScript script.
Among other things, such script can initiate a new load in the frame whose current
load is being committed. We should stop processing the current load as soon as we
detect that updating our document loader has started a new provisional load.
Test: fast/loader/inner-iframe-loads-data-url-into-parent-on-unload-crash.html
* loader/FrameLoader.cpp:
(WebCore::FrameLoader::transitionToCommitted):
LayoutTests:
Reviewed by Brent Fulgham.
* fast/loader/inner-iframe-loads-data-url-into-parent-on-unload-crash-expected.txt: Added.
* fast/loader/inner-iframe-loads-data-url-into-parent-on-unload-crash.html: Added.
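The re-entrancy hazard the commit message describes, as an added C++ model (not WebKit code; `Frame`, `Loader`, `commitProvisionalLoad` and `runScenario` are assumed names, and the URLs are constructed): replacing the document loader runs unload handlers that may start a new load, and the guarded commit re-checks the provisional loader's identity before clearing it, mirroring the patch.

```cpp
#include <functional>
#include <memory>
#include <string>
#include <vector>

// Assumed names for illustration; a model of the commit path, not WebKit's classes.
struct Loader { std::string url; };

struct Frame {
    std::shared_ptr<Loader> documentLoader;
    std::shared_ptr<Loader> provisionalLoader;
    // Stand-ins for child-frame unload handlers: they run while the document loader
    // is replaced and, like any script, may start a new load on this frame.
    std::vector<std::function<void(Frame&)>> unloadHandlers;
    std::vector<std::string> log;

    void startProvisionalLoad(const std::string& url) {
        provisionalLoader = std::make_shared<Loader>(Loader{url});
        log.push_back("provisional " + url);
    }

    void setDocumentLoader(std::shared_ptr<Loader> loader) {
        for (auto& handler : unloadHandlers)
            handler(*this); // arbitrary script runs here and may re-enter the loader
        documentLoader = loader;
    }

    // guard=false mirrors the pre-patch flow; guard=true adds the patch's re-check.
    void commitProvisionalLoad(bool guard) {
        auto pdl = provisionalLoader;
        setDocumentLoader(pdl);
        if (guard && pdl != provisionalLoader) {
            log.push_back("abandoned " + pdl->url); // a newer load now owns the frame
            return;
        }
        provisionalLoader = nullptr; // unguarded: this wipes out the newer load
        log.push_back("committed " + pdl->url);
    }
};

// The scenario from the regression test: a handler navigates the frame during commit.
// Returns the URL of the provisional loader that survives, or "" if it was lost.
// "about:first" and "data:second" are constructed sample URLs.
std::string runScenario(bool guard) {
    Frame frame;
    frame.unloadHandlers.push_back([](Frame& f) { f.startProvisionalLoad("data:second"); });
    frame.startProvisionalLoad("about:first");
    frame.commitProvisionalLoad(guard);
    return frame.provisionalLoader ? frame.provisionalLoader->url : "";
}
```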
Diff
Modified: trunk/LayoutTests/ChangeLog (216119 => 216120)
--- trunk/LayoutTests/ChangeLog 2017-05-03 16:52:42 UTC (rev 216119)
+++ trunk/LayoutTests/ChangeLog 2017-05-03 16:58:04 UTC (rev 216120)
@@ -1,3 +1,14 @@
+2017-05-03 Daniel Bates <[email protected]>
+
+ Abandon the current load once the provisional loader detaches from the frame
+ https://bugs.webkit.org/show_bug.cgi?id=171577
+ <rdar://problem/31581227>
+
+ Reviewed by Brent Fulgham.
+
+ * fast/loader/inner-iframe-loads-data-url-into-parent-on-unload-crash-expected.txt: Added.
+ * fast/loader/inner-iframe-loads-data-url-into-parent-on-unload-crash.html: Added.
+
2017-05-03 Carlos Garcia Campos <[email protected]>
Unreviewed GTK+ gardening. Update expectations of several tests.
Added: trunk/LayoutTests/fast/loader/inner-iframe-loads-data-url-into-parent-on-unload-crash-expected.txt (0 => 216120)
--- trunk/LayoutTests/fast/loader/inner-iframe-loads-data-url-into-parent-on-unload-crash-expected.txt (rev 0)
+++ trunk/LayoutTests/fast/loader/inner-iframe-loads-data-url-into-parent-on-unload-crash-expected.txt 2017-05-03 16:58:04 UTC (rev 216120)
@@ -0,0 +1,6 @@
+
+
+--------
+Frame: '<!--framePath //<!--frame0-->-->'
+--------
+PASS did not crash.
Added: trunk/LayoutTests/fast/loader/inner-iframe-loads-data-url-into-parent-on-unload-crash.html (0 => 216120)
--- trunk/LayoutTests/fast/loader/inner-iframe-loads-data-url-into-parent-on-unload-crash.html (rev 0)
+++ trunk/LayoutTests/fast/loader/inner-iframe-loads-data-url-into-parent-on-unload-crash.html 2017-05-03 16:58:04 UTC (rev 216120)
@@ -0,0 +1,21 @@
+<!DOCTYPE html>
+<html>
+<body>
+<script>
+if (window.testRunner) {
+ testRunner.dumpAsText();
+ testRunner.dumpChildFramesAsText();
+ testRunner.waitUntilDone();
+}
+var parentFrame = document.body.appendChild(document.createElement("iframe"));
+parentFrame.src = ""
+
+var childFrame = parentFrame.contentDocument.body.appendChild(document.createElement("iframe"));
+childFrame.contentWindow._onunload_ = function () {
+ var link = parentFrame.contentDocument.createElement("a");
+ link.href = "" did not crash.<script>window.testRunner && window.testRunner.notifyDone()</" + "script>";
+ link.click(); // Navigates parentFrame
+}
+</script>
+</body>
+</html>
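Review bot: as shown, the script in this test is not valid JavaScript: `parentFrame.src = ""` has no terminating semicolon, and in `link.href = "" did not crash.<script>window.testRunner && ...` the string literal closes right after the opening quote, leaving the rest of the line as a syntax error; given the test name and the expected output `PASS did not crash.`, the href is presumably meant to be a data: URL whose body contains that text, so check whether the URL was lost when the change was posted. Also, the handler is assigned to `childFrame.contentWindow._onunload_` rather than `onunload`; the underscored name is not an event-handler property, so the handler would never run and the test would time out instead of exercising the navigation-during-unload path.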
Modified: trunk/Source/WebCore/ChangeLog (216119 => 216120)
--- trunk/Source/WebCore/ChangeLog 2017-05-03 16:52:42 UTC (rev 216119)
+++ trunk/Source/WebCore/ChangeLog 2017-05-03 16:58:04 UTC (rev 216120)
@@ -1,5 +1,25 @@
2017-05-03 Daniel Bates <[email protected]>
+ Abandon the current load once the provisional loader detaches from the frame
+ https://bugs.webkit.org/show_bug.cgi?id=171577
+ <rdar://problem/31581227>
+
+ Reviewed by Brent Fulgham and Brady Eidson.
+
+ We detach all child frames as part of setting our document loader to the provisional
+ document loader when committing a load for a frame. Detaching child frames invokes
+ the unload event handler on the child frames that can run arbitrary _javascript_ script.
+ Among other things, such script can initiate a new load in the frame whose current
+ load is being committed. We should stop processing the current load as soon as we
+ detect that updating our document loader has started a new provisional load.
+
+ Test: fast/loader/inner-iframe-loads-data-url-into-parent-on-unload-crash.html
+
+ * loader/FrameLoader.cpp:
+ (WebCore::FrameLoader::transitionToCommitted):
+
+2017-05-03 Daniel Bates <[email protected]>
+
Cleanup: Remove out-of-date comment and null check from DocumentLoader::detachFromFrame()
https://bugs.webkit.org/show_bug.cgi?id=171604
Modified: trunk/Source/WebCore/loader/FrameLoader.cpp (216119 => 216120)
--- trunk/Source/WebCore/loader/FrameLoader.cpp 2017-05-03 16:52:42 UTC (rev 216119)
+++ trunk/Source/WebCore/loader/FrameLoader.cpp 2017-05-03 16:58:04 UTC (rev 216120)
@@ -1904,20 +1904,20 @@
if (pdl != m_provisionalDocumentLoader)
return;
- // Nothing else can interupt this commit - set the Provisional->Committed transition in stone
if (m_documentLoader)
m_documentLoader->stopLoadingSubresources();
if (m_documentLoader)
m_documentLoader->stopLoadingPlugIns();
+ // Setting our document loader invokes the unload event handler of our child frames.
+ // Script can do anything. If the script initiates a new load, we need to abandon the
+ // current load or the two will stomp each other.
setDocumentLoader(m_provisionalDocumentLoader.get());
+ if (pdl != m_provisionalDocumentLoader)
+ return;
setProvisionalDocumentLoader(nullptr);
- if (pdl != m_documentLoader) {
- ASSERT(m_state == FrameStateComplete);
- return;
- }
-
+ // Nothing else can interupt this commit - set the Provisional->Committed transition in stone
setState(FrameStateCommittedPage);
// Handle adding the URL to the back/forward list.
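Review bot: the early return added after `setDocumentLoader(m_provisionalDocumentLoader.get())` sits before `setProvisionalDocumentLoader(nullptr)`, which is what keeps a load started by an unload handler from being cleared; but when it fires, m_documentLoader has already been replaced by pdl while m_state is left untouched, and the removed block's `ASSERT(m_state == FrameStateComplete)` has no counterpart, so a one-line comment stating that the newer provisional load's own commit is expected to complete the transition would make the intended state explicit. Also, the relocated comment `// Nothing else can interupt this commit` keeps the old typo; spell it "interrupt" while moving it, and the two consecutive `if (m_documentLoader)` checks above could share one condition.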
webkit-changes mailing list
[email protected]
https://lists.webkit.org/mailman/listinfo/webkit-changes