Title: [216525] branches/safari-603-branch
- Revision: 216525
- Author: [email protected]
- Date: 2017-05-09 11:05:23 -0700 (Tue, 09 May 2017)
Log Message
Cherry-pick r216120. rdar://problem/31970955
Modified Paths
- branches/safari-603-branch/LayoutTests/ChangeLog
- branches/safari-603-branch/Source/WebCore/ChangeLog
- branches/safari-603-branch/Source/WebCore/loader/FrameLoader.cpp
Added Paths
- branches/safari-603-branch/LayoutTests/fast/loader/inner-iframe-loads-data-url-into-parent-on-unload-crash-expected.txt
- branches/safari-603-branch/LayoutTests/fast/loader/inner-iframe-loads-data-url-into-parent-on-unload-crash.html
Diff
Modified: branches/safari-603-branch/LayoutTests/ChangeLog (216524 => 216525)
--- branches/safari-603-branch/LayoutTests/ChangeLog 2017-05-09 18:05:19 UTC (rev 216524)
+++ branches/safari-603-branch/LayoutTests/ChangeLog 2017-05-09 18:05:23 UTC (rev 216525)
@@ -1,5 +1,20 @@
2017-05-09 Matthew Hanson <[email protected]>
+ Cherry-pick r216120. rdar://problem/31970955
+
+ 2017-05-03 Daniel Bates <[email protected]>
+
+ Abandon the current load once the provisional loader detaches from the frame
+ https://bugs.webkit.org/show_bug.cgi?id=171577
+ <rdar://problem/31581227>
+
+ Reviewed by Brent Fulgham.
+
+ * fast/loader/inner-iframe-loads-data-url-into-parent-on-unload-crash-expected.txt: Added.
+ * fast/loader/inner-iframe-loads-data-url-into-parent-on-unload-crash.html: Added.
+
+2017-05-09 Matthew Hanson <[email protected]>
+
Cherry-pick r216096. rdar://problem/31971264
2017-05-02 Zalan Bujtas <[email protected]>
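Review bot: the cherry-picked entry here records "Reviewed by Brent Fulgham." while the matching Source/WebCore/ChangeLog entry for the same r216120 in this commit records "Reviewed by Brent Fulgham and Brady Eidson."; the two ChangeLog entries for one cherry-pick should carry the same reviewer line, so align this one with whichever the original r216120 used.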
Added: branches/safari-603-branch/LayoutTests/fast/loader/inner-iframe-loads-data-url-into-parent-on-unload-crash-expected.txt (0 => 216525)
--- branches/safari-603-branch/LayoutTests/fast/loader/inner-iframe-loads-data-url-into-parent-on-unload-crash-expected.txt (rev 0)
+++ branches/safari-603-branch/LayoutTests/fast/loader/inner-iframe-loads-data-url-into-parent-on-unload-crash-expected.txt 2017-05-09 18:05:23 UTC (rev 216525)
@@ -0,0 +1,6 @@
+
+
+--------
+Frame: '<!--framePath //<!--frame0-->-->'
+--------
+PASS did not crash.
Added: branches/safari-603-branch/LayoutTests/fast/loader/inner-iframe-loads-data-url-into-parent-on-unload-crash.html (0 => 216525)
--- branches/safari-603-branch/LayoutTests/fast/loader/inner-iframe-loads-data-url-into-parent-on-unload-crash.html (rev 0)
+++ branches/safari-603-branch/LayoutTests/fast/loader/inner-iframe-loads-data-url-into-parent-on-unload-crash.html 2017-05-09 18:05:23 UTC (rev 216525)
@@ -0,0 +1,21 @@
+<!DOCTYPE html>
+<html>
+<body>
+<script>
+if (window.testRunner) {
+ testRunner.dumpAsText();
+ testRunner.dumpChildFramesAsText();
+ testRunner.waitUntilDone();
+}
+var parentFrame = document.body.appendChild(document.createElement("iframe"));
+parentFrame.src = ""
+
+var childFrame = parentFrame.contentDocument.body.appendChild(document.createElement("iframe"));
+childFrame.contentWindow._onunload_ = function () {
+ var link = parentFrame.contentDocument.createElement("a");
+ link.href = "" did not crash.<script>window.testRunner && window.testRunner.notifyDone()</" + "script>";
+ link.click(); // Navigates parentFrame
+}
+</script>
+</body>
+</html>
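Review bot: as rendered, the test cannot run: `parentFrame.src = ""` assigns an empty string, `link.href = "" did not crash.<script>...` is not valid JavaScript (the URL string before ` did not crash.` is missing, and the file name says a data: URL is what the parent frame should be navigated to), and `childFrame.contentWindow._onunload_` is not the DOM event-handler property, so no unload handler is registered and the parent navigation on line `link.click(); // Navigates parentFrame` is never triggered. Those three values look like a loss in this copy of the page rather than in the committed file, so take the test from the repository rather than from here, but do confirm that the committed `src` resolves to the initial empty document: the very next line reads `parentFrame.contentDocument.body.appendChild(...)` synchronously, which only works while the iframe still holds that document. Minor: `parentFrame.src = ""` lacks its trailing semicolon while the rest of the script has them.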
Modified: branches/safari-603-branch/Source/WebCore/ChangeLog (216524 => 216525)
--- branches/safari-603-branch/Source/WebCore/ChangeLog 2017-05-09 18:05:19 UTC (rev 216524)
+++ branches/safari-603-branch/Source/WebCore/ChangeLog 2017-05-09 18:05:23 UTC (rev 216525)
@@ -1,5 +1,29 @@
2017-05-09 Matthew Hanson <[email protected]>
+ Cherry-pick r216120. rdar://problem/31970955
+
+ 2017-05-03 Daniel Bates <[email protected]>
+
+ Abandon the current load once the provisional loader detaches from the frame
+ https://bugs.webkit.org/show_bug.cgi?id=171577
+ <rdar://problem/31581227>
+
+ Reviewed by Brent Fulgham and Brady Eidson.
+
+ We detach all child frames as part of setting our document loader to the provisional
+ document loader when committing a load for a frame. Detaching child frames invokes
+ the unload event handler on the child frames that can run arbitrary _javascript_ script.
+ Among other things, such script can initiate a new load in the frame whose current
+ load is being committed. We should stop processing the current load as soon as we
+ detect that updating our document loader has started a new provisional load.
+
+ Test: fast/loader/inner-iframe-loads-data-url-into-parent-on-unload-crash.html
+
+ * loader/FrameLoader.cpp:
+ (WebCore::FrameLoader::transitionToCommitted):
+
+2017-05-09 Matthew Hanson <[email protected]>
+
Cherry-pick r216096. rdar://problem/31971264
2017-05-02 Zalan Bujtas <[email protected]>
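Review bot: "can run arbitrary _javascript_ script" on the line starting `the unload event handler on the child frames` should read "JavaScript" in the committed entry; the underscored form is the list archive's mangling, and "JavaScript script" is also redundant, so "can run arbitrary JavaScript" is enough. The rest of the description matches the code change (the bail-out is placed right after `setDocumentLoader`), but it would help a future reader to state what the frame state is after the early return, since the old `ASSERT(m_state == FrameStateComplete)` that documented the abandoned-commit path is removed and nothing replaces it.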
Modified: branches/safari-603-branch/Source/WebCore/loader/FrameLoader.cpp (216524 => 216525)
--- branches/safari-603-branch/Source/WebCore/loader/FrameLoader.cpp 2017-05-09 18:05:19 UTC (rev 216524)
+++ branches/safari-603-branch/Source/WebCore/loader/FrameLoader.cpp 2017-05-09 18:05:23 UTC (rev 216525)
@@ -1922,20 +1922,20 @@
if (pdl != m_provisionalDocumentLoader)
return;
- // Nothing else can interupt this commit - set the Provisional->Committed transition in stone
if (m_documentLoader)
m_documentLoader->stopLoadingSubresources();
if (m_documentLoader)
m_documentLoader->stopLoadingPlugIns();
+ // Setting our document loader invokes the unload event handler of our child frames.
+ // Script can do anything. If the script initiates a new load, we need to abandon the
+ // current load or the two will stomp each other.
setDocumentLoader(m_provisionalDocumentLoader.get());
+ if (pdl != m_provisionalDocumentLoader)
+ return;
setProvisionalDocumentLoader(nullptr);
- if (pdl != m_documentLoader) {
- ASSERT(m_state == FrameStateComplete);
- return;
- }
-
+ // Nothing else can interupt this commit - set the Provisional->Committed transition in stone
setState(FrameStateCommittedPage);
#if ENABLE(TOUCH_EVENTS) && !PLATFORM(IOS)
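Review bot: the new early return after `setDocumentLoader(m_provisionalDocumentLoader.get());` leaves the frame with `m_documentLoader` already switched to `pdl` but `setState(FrameStateCommittedPage)` never called and the new provisional loader left in place; the block it replaces (`if (pdl != m_documentLoader) { ASSERT(m_state == FrameStateComplete); return; }`) at least asserted the expected state on the abandoned path, and this hunk drops that without a replacement. Add an ASSERT on `m_state` (or a comment saying why none holds) at the new `return` so the invariant the commit relies on is recorded. Also, since the comment `// Nothing else can interupt this commit - set the Provisional->Committed transition in stone` is being re-added in this hunk anyway, fix the spelling to "interrupt" while moving it.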
_______________________________________________
webkit-changes mailing list
[email protected]
https://lists.webkit.org/mailman/listinfo/webkit-changes