- Revision
- 241107
- Author
- [email protected]
- Date
- 2019-02-06 16:02:59 -0800 (Wed, 06 Feb 2019)
Log Message
Cherry-pick r241015. rdar://problem/47866495
REGRESSION (r240909): Release assert in FrameLoader::loadURL when navigating with a non-existent target name
https://bugs.webkit.org/show_bug.cgi?id=194329
Reviewed by Geoffrey Garen.
Source/WebCore:
The bug was caused by the code path for when navigating with a specific target frame name that does not exist
never setting the load type of PolicyChecker. As a result, we would use whatever load type used in the previous
navigation, resulting in this release assertion.
Updating the load type here should in theory fix the underlying bug r240909 was meant to catch & fix.
Test: fast/loader/navigate-with-new-target-after-back-forward-navigation.html
* loader/FrameLoader.cpp:
(WebCore::FrameLoader::loadURL):
LayoutTests:
Added a regression test.
* fast/loader/navigate-with-new-target-after-back-forward-navigation-expected.txt: Added.
* fast/loader/navigate-with-new-target-after-back-forward-navigation.html: Added.
git-svn-id: https://svn.webkit.org/repository/webkit/trunk@241015 268f45cc-cd09-0410-ab3c-d52691b4dbfc
Modified Paths
Added Paths
Diff
Modified: branches/safari-607-branch/LayoutTests/ChangeLog (241106 => 241107)
--- branches/safari-607-branch/LayoutTests/ChangeLog 2019-02-07 00:02:53 UTC (rev 241106)
+++ branches/safari-607-branch/LayoutTests/ChangeLog 2019-02-07 00:02:59 UTC (rev 241107)
@@ -1,5 +1,49 @@
2019-02-06 Alan Coon <[email protected]>
+ Cherry-pick r241015. rdar://problem/47866495
+
+ REGRESSION (r240909): Release assert in FrameLoader::loadURL when navigating with a non-existent target name
+ https://bugs.webkit.org/show_bug.cgi?id=194329
+
+ Reviewed by Geoffrey Garen.
+
+ Source/WebCore:
+
+ The bug was caused by the code path for when navigating with a specific target frame name that does not exist
+ never setting the load type of PolicyChecker. As a result, we would use whatever load type used in the previous
+ navigation, resulting in this release assertion.
+
+ Updating the load type here should in theory fix the underlying bug r240909 was meant to catch & fix.
+
+ Test: fast/loader/navigate-with-new-target-after-back-forward-navigation.html
+
+ * loader/FrameLoader.cpp:
+ (WebCore::FrameLoader::loadURL):
+
+ LayoutTests:
+
+ Added a regression test.
+
+ * fast/loader/navigate-with-new-target-after-back-forward-navigation-expected.txt: Added.
+ * fast/loader/navigate-with-new-target-after-back-forward-navigation.html: Added.
+
+
+ git-svn-id: https://svn.webkit.org/repository/webkit/trunk@241015 268f45cc-cd09-0410-ab3c-d52691b4dbfc
+
+ 2019-02-05 Ryosuke Niwa <[email protected]>
+
+ REGRESSION (r240909): Release assert in FrameLoader::loadURL when navigating with a non-existent target name
+ https://bugs.webkit.org/show_bug.cgi?id=194329
+
+ Reviewed by Geoffrey Garen.
+
+ Added a regression test.
+
+ * fast/loader/navigate-with-new-target-after-back-forward-navigation-expected.txt: Added.
+ * fast/loader/navigate-with-new-target-after-back-forward-navigation.html: Added.
+
+2019-02-06 Alan Coon <[email protected]>
+
Cherry-pick r240989. rdar://problem/47842627
Web Inspector: Fix modify-css-property-race.html test failures
Modified: branches/safari-607-branch/LayoutTests/TestExpectations (241106 => 241107)
--- branches/safari-607-branch/LayoutTests/TestExpectations 2019-02-07 00:02:53 UTC (rev 241106)
+++ branches/safari-607-branch/LayoutTests/TestExpectations 2019-02-07 00:02:59 UTC (rev 241107)
@@ -6,6 +6,8 @@
# Platform-specific tests. Skipped here, then re-enabled on the appropriate platform.
#//////////////////////////////////////////////////////////////////////////////////////////
+webgl [ Skip ]
+
compositing/ios [ Skip ]
css3/touch-action [ Skip ]
accessibility/ios-simulator [ Skip ]
Added: branches/safari-607-branch/LayoutTests/fast/loader/navigate-with-new-target-after-back-forward-navigation-expected.txt (0 => 241107)
--- branches/safari-607-branch/LayoutTests/fast/loader/navigate-with-new-target-after-back-forward-navigation-expected.txt (rev 0)
+++ branches/safari-607-branch/LayoutTests/fast/loader/navigate-with-new-target-after-back-forward-navigation-expected.txt 2019-02-07 00:02:59 UTC (rev 241107)
@@ -0,0 +1,5 @@
+ALERT: PASS
+This tests navigating via an anchor element with a non-existent target name, which should create a new window.
+WebKit should not hit any assertions and alert "PASS".
+
+
Added: branches/safari-607-branch/LayoutTests/fast/loader/navigate-with-new-target-after-back-forward-navigation.html (0 => 241107)
--- branches/safari-607-branch/LayoutTests/fast/loader/navigate-with-new-target-after-back-forward-navigation.html (rev 0)
+++ branches/safari-607-branch/LayoutTests/fast/loader/navigate-with-new-target-after-back-forward-navigation.html 2019-02-07 00:02:59 UTC (rev 241107)
@@ -0,0 +1,51 @@
+<!DOCTYPE html>
+<html>
+<body>
+<script>
+
+if (window.testRunner) {
+ testRunner.dumpAsText();
+ testRunner.waitUntilDone();
+ testRunner.setCanOpenWindows();
+ testRunner.setCloseRemainingWindowsWhenComplete();
+ testRunner.overridePreference("WebKitUsesPageCachePreferenceKey", 1);
+}
+
+if (location.search == '?third') {
+ alert('PASS');
+ if (window.testRunner)
+ testRunner.notifyDone();
+} else if (self == top) {
+ document.write(`<p>This tests navigating via an anchor element with a non-existent target name, which should create a new window.<br>
+WebKit should not hit any assertions and alert "PASS".</p>`);
+ const frame = document.createElement('iframe');
+ frame.src = '';
+ let step = 0;
+ frame._onload_ = () => {
+ switch (step++) {
+ case 0:
+ setTimeout(() => frame.src = '', 0);
+ break;
+ case 1:
+ setTimeout(() => history.back(), 0);
+ break;
+ }
+ }
+ document.body.appendChild(frame);
+} else {
+ if (location.search == '?first') {
+ if (localStorage.getItem('loaded')) {
+ localStorage.removeItem('loaded');
+ window._onload_ = () => {
+ setTimeout(() => document.querySelector('a').click(), 0);
+ }
+ } else
+ localStorage.setItem('loaded', 'true');
+ }
+ document.write(location.search);
+ document.write(` <a href="" target="unknownTarget">go</a>`);
+}
+
+</script>
+</body>
+</html>
Modified: branches/safari-607-branch/Source/WebCore/ChangeLog (241106 => 241107)
--- branches/safari-607-branch/Source/WebCore/ChangeLog 2019-02-07 00:02:53 UTC (rev 241106)
+++ branches/safari-607-branch/Source/WebCore/ChangeLog 2019-02-07 00:02:59 UTC (rev 241107)
@@ -1,5 +1,55 @@
2019-02-06 Alan Coon <[email protected]>
+ Cherry-pick r241015. rdar://problem/47866495
+
+ REGRESSION (r240909): Release assert in FrameLoader::loadURL when navigating with a non-existent target name
+ https://bugs.webkit.org/show_bug.cgi?id=194329
+
+ Reviewed by Geoffrey Garen.
+
+ Source/WebCore:
+
+ The bug was caused by the code path for when navigating with a specific target frame name that does not exist
+ never setting the load type of PolicyChecker. As a result, we would use whatever load type used in the previous
+ navigation, resulting in this release assertion.
+
+ Updating the load type here should in theory fix the underlying bug r240909 was meant to catch & fix.
+
+ Test: fast/loader/navigate-with-new-target-after-back-forward-navigation.html
+
+ * loader/FrameLoader.cpp:
+ (WebCore::FrameLoader::loadURL):
+
+ LayoutTests:
+
+ Added a regression test.
+
+ * fast/loader/navigate-with-new-target-after-back-forward-navigation-expected.txt: Added.
+ * fast/loader/navigate-with-new-target-after-back-forward-navigation.html: Added.
+
+
+ git-svn-id: https://svn.webkit.org/repository/webkit/trunk@241015 268f45cc-cd09-0410-ab3c-d52691b4dbfc
+
+ 2019-02-05 Ryosuke Niwa <[email protected]>
+
+ REGRESSION (r240909): Release assert in FrameLoader::loadURL when navigating with a non-existent target name
+ https://bugs.webkit.org/show_bug.cgi?id=194329
+
+ Reviewed by Geoffrey Garen.
+
+ The bug was caused by the code path for when navigating with a specific target frame name that does not exist
+ never setting the load type of PolicyChecker. As a result, we would use whatever load type used in the previous
+ navigation, resulting in this release assertion.
+
+ Updating the load type here should in theory fix the underlying bug r240909 was meant to catch & fix.
+
+ Test: fast/loader/navigate-with-new-target-after-back-forward-navigation.html
+
+ * loader/FrameLoader.cpp:
+ (WebCore::FrameLoader::loadURL):
+
+2019-02-06 Alan Coon <[email protected]>
+
Apply patch. rdar://problem/47822019
2019-02-06 Ryosuke Niwa <[email protected]>
Modified: branches/safari-607-branch/Source/WebCore/loader/FrameLoader.cpp (241106 => 241107)
--- branches/safari-607-branch/Source/WebCore/loader/FrameLoader.cpp 2019-02-07 00:02:53 UTC (rev 241106)
+++ branches/safari-607-branch/Source/WebCore/loader/FrameLoader.cpp 2019-02-07 00:02:59 UTC (rev 241107)
@@ -1380,6 +1380,7 @@
if (!targetFrame && !effectiveFrameName.isEmpty()) {
action = "" frameLoadRequest));
+ policyChecker().setLoadType(newLoadType);
RELEASE_ASSERT(!isBackForwardLoadType(policyChecker().loadType()));
policyChecker().checkNewWindowPolicy(WTFMove(action), WTFMove(request), WTFMove(formState), effectiveFrameName, [this, allowNavigationToInvalidURL, openerPolicy, completionHandler = completionHandlerCaller.release()] (const ResourceRequest& request, WeakPtr<FormState>&& formState, const String& frameName, const NavigationAction& action, ShouldContinue shouldContinue) mutable {
continueLoadAfterNewWindowPolicy(request, formState.get(), frameName, action, shouldContinue, allowNavigationToInvalidURL, openerPolicy);
