Title: [289203] trunk
Revision
289203
Author
[email protected]
Date
2022-02-07 03:12:58 -0800 (Mon, 07 Feb 2022)

Log Message

Bail out early in stopForUserCancel
https://bugs.webkit.org/show_bug.cgi?id=223536

Patch by Rob Buis <[email protected]> on 2022-02-07
Reviewed by Darin Adler.

Source/WebCore:

Bail out early in stopForUserCancel in case
the frame is already in the process of stopping.

Test: fast/loader/commit-provisional-load-crash.html

* loader/FrameLoader.cpp:
(WebCore::FrameLoader::stopForBackForwardCache):
(WebCore::FrameLoader::stopForUserCancel):
* loader/FrameLoader.h:

LayoutTests:

Add test for this.

* fast/loader/commit-provisional-load-crash-expected.txt: Added.
* fast/loader/commit-provisional-load-crash.html: Added.

Diff

Modified: trunk/LayoutTests/ChangeLog (289202 => 289203)


--- trunk/LayoutTests/ChangeLog	2022-02-07 10:25:15 UTC (rev 289202)
+++ trunk/LayoutTests/ChangeLog	2022-02-07 11:12:58 UTC (rev 289203)
@@ -1,3 +1,15 @@
+2022-02-07  Rob Buis  <[email protected]>
+
+        Bail out early in stopForUserCancel
+        https://bugs.webkit.org/show_bug.cgi?id=223536
+
+        Reviewed by Darin Adler.
+
+        Add test for this.
+
+        * fast/loader/commit-provisional-load-crash-expected.txt: Added.
+        * fast/loader/commit-provisional-load-crash.html: Added.
+
 2022-02-07  Ziran Sun  <[email protected]>
 
         [Forms] Alias appearance <compat-auto> keywords to 'auto'

Added: trunk/LayoutTests/fast/loader/commit-provisional-load-crash-expected.txt (0 => 289203)


--- trunk/LayoutTests/fast/loader/commit-provisional-load-crash-expected.txt	                        (rev 0)
+++ trunk/LayoutTests/fast/loader/commit-provisional-load-crash-expected.txt	2022-02-07 11:12:58 UTC (rev 289203)
@@ -0,0 +1,2 @@
+
+This test has PASSED if it does not CRASH.

Added: trunk/LayoutTests/fast/loader/commit-provisional-load-crash.html (0 => 289203)


--- trunk/LayoutTests/fast/loader/commit-provisional-load-crash.html	                        (rev 0)
+++ trunk/LayoutTests/fast/loader/commit-provisional-load-crash.html	2022-02-07 11:12:58 UTC (rev 289203)
@@ -0,0 +1,21 @@
+<!DOCTYPE html>
+<script id="script">
+if (window.testRunner)
+    testRunner.dumpAsText();
+function runTest() {
+  document.createElement("audio").load(); 
+  window.stop(); 
+}
+let num = 0;
+function eventhandler() {
+  if (num < 2) {
+    num++;
+    script.appendChild(iframe); 
+  }
+  document._onreadystatechange_ = eventhandler;
+}
+</script>
+<body _onload_=runTest()>
+<iframe id="iframe" _onload_="eventhandler()" srcdoc="foo"></iframe>
+<p>This test has PASSED if it does not CRASH.</p>
+</body>
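Review bot: The test body relies on the named-access globals `script` and `iframe` (ids promoted to window properties) in `script.appendChild(iframe);`, which works but reads as an undeclared variable; `document.getElementById("iframe")` would make the intent plain to the next reader. Three of the added lines (`document.createElement("audio").load(); `, `window.stop(); `, `script.appendChild(iframe); `) carry trailing whitespace. The event attributes render here as `_onload_` and `_onreadystatechange_`, which looks like mailing-list mangling of the real attribute names rather than what was committed, so I am not raising that as a defect.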

Modified: trunk/Source/WebCore/ChangeLog (289202 => 289203)


--- trunk/Source/WebCore/ChangeLog	2022-02-07 10:25:15 UTC (rev 289202)
+++ trunk/Source/WebCore/ChangeLog	2022-02-07 11:12:58 UTC (rev 289203)
@@ -1,3 +1,20 @@
+2022-02-07  Rob Buis  <[email protected]>
+
+        Bail out early in stopForUserCancel
+        https://bugs.webkit.org/show_bug.cgi?id=223536
+
+        Reviewed by Darin Adler.
+
+        Bail out early in stopForUserCancel in case
+        the frame is already in the process of stopping.
+
+        Test: fast/loader/commit-provisional-load-crash.html
+
+        * loader/FrameLoader.cpp:
+        (WebCore::FrameLoader::stopForBackForwardCache):
+        (WebCore::FrameLoader::stopForUserCancel):
+        * loader/FrameLoader.h:
+
 2022-02-07  Ziran Sun  <[email protected]>
 
         [Forms] Alias appearance <compat-auto> keywords to 'auto'

Modified: trunk/Source/WebCore/loader/FrameLoader.cpp (289202 => 289203)


--- trunk/Source/WebCore/loader/FrameLoader.cpp	2022-02-07 10:25:15 UTC (rev 289202)
+++ trunk/Source/WebCore/loader/FrameLoader.cpp	2022-02-07 11:12:58 UTC (rev 289203)
@@ -1827,6 +1827,7 @@
 
 void FrameLoader::stopForBackForwardCache()
 {
+    m_inStopForBackForwardCache = true;
     // Stop provisional loads in subframes (The one in the main frame is about to be committed).
     if (!m_frame.isMainFrame()) {
         if (m_provisionalDocumentLoader)
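Review bot: The flag set on the first added line is cleared only by the plain store at the end of stopForBackForwardCache (the hunk at `@@ -1846,6 +1847,7 @@`), so any early return or exception between the two leaves `m_inStopForBackForwardCache` stuck at true and every later stopForUserCancel() call is silently ignored, meaning the user can no longer cancel loads in that frame. The lines between the two hunks are not visible here, so I cannot confirm there is no such path, but the idiom that removes the question is a scope guard, e.g. `SetForScope<bool> inStopForBackForwardCache { m_inStopForBackForwardCache, true };` replacing both assignments. If anything in the body can destroy the FrameLoader, the guard's restore would need the object kept alive across the call, but the existing trailing store has the same requirement. stopForBackForwardCache continues past the end of this hunk.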
@@ -1846,6 +1847,7 @@
     // running script, which could schedule new navigations.
     policyChecker().stopCheck();
     m_frame.navigationScheduler().cancel();
+    m_inStopForBackForwardCache = false;
 }
 
 void FrameLoader::stopAllLoadersAndCheckCompleteness()
@@ -1863,6 +1865,8 @@
 
 void FrameLoader::stopForUserCancel(bool deferCheckLoadComplete)
 {
+    if (m_inStopForBackForwardCache)
+        return;
     // Calling stopAllLoaders can cause the frame to be deallocated, including the frame loader.
     Ref<Frame> protectedFrame(m_frame);
 
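Review bot: The new early return carries no comment explaining why a user-initiated cancel is dropped, and the reason is not recoverable from the two lines themselves; the description says it guards the case where the frame is already stopping for the back/forward cache. Suggest placing `// Bail out if stopForBackForwardCache() is already running: re-entering stopAllLoaders() from there can tear down the frame underneath it (fast/loader/commit-provisional-load-crash.html).` above the check, with the re-entry path stated as far as the author has verified it, since that path is not shown in this hunk. The return also skips whatever `deferCheckLoadComplete` controls, which the comment should make explicit so a later reader does not treat the skipped completion check as an oversight. stopForUserCancel continues past the end of this hunk.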

Modified: trunk/Source/WebCore/loader/FrameLoader.h (289202 => 289203)


--- trunk/Source/WebCore/loader/FrameLoader.h	2022-02-07 10:25:15 UTC (rev 289202)
+++ trunk/Source/WebCore/loader/FrameLoader.h	2022-02-07 11:12:58 UTC (rev 289203)
@@ -504,6 +504,8 @@
     RefPtr<HistoryItem> m_requestedHistoryItem;
 
     bool m_alwaysAllowLocalWebarchive { false };
+
+    bool m_inStopForBackForwardCache { false };
 };
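Review bot: The new member `m_inStopForBackForwardCache` has no comment, although it is a re-entrancy guard read from a different method, so a reader of the header cannot tell why it exists or who is expected to clear it. Suggest `// True while stopForBackForwardCache() is running; stopForUserCancel() is a no-op during that time.` above the declaration. The enclosing class begins outside this hunk.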
 
 // This function is called by createWindow() in JSDOMWindowBase.cpp, for example, for