[webkit-changes] [108724] trunk

Thu, 23 Feb 2012 20:58:31 -0800

Title: [108724] trunk
Revision
108724
Author
[email protected]
Date
2012-02-23 20:58:34 -0800 (Thu, 23 Feb 2012)

Log Message

Don't clear IntentRequest callback pointers on stop()

This causes re-entry into ScriptExecutionContext when
the ActiveDOMCallback objects get deleted, which crashes.
Instead, just de-activate the object and wait for
context destruction to clean up.

Test crashes consistently without fix and passes with fix.
Added some test infrastructure to support this test.
https://bugs.webkit.org/show_bug.cgi?id=78638

Patch by Greg Billock <[email protected]> on 2012-02-23
Reviewed by Adam Barth.

* Modules/intents/IntentRequest.cpp:
(WebCore::IntentRequest::IntentRequest):
(WebCore::IntentRequest::stop):
(WebCore::IntentRequest::postResult):
(WebCore::IntentRequest::postFailure):
* Modules/intents/IntentRequest.h:
(IntentRequest):

Modified Paths

Added Paths

Diff

Added: trunk/LayoutTests/webintents/resources/pass.html (0 => 108724)


--- trunk/LayoutTests/webintents/resources/pass.html	                        (rev 0)
+++ trunk/LayoutTests/webintents/resources/pass.html	2012-02-24 04:58:34 UTC (rev 108724)
@@ -0,0 +1,7 @@
+<html>
+  <head>
+  </head>
+  <body>
+    <p>PASS</p>
+  </body>
+</html>

Added: trunk/LayoutTests/webintents/resources/web-intents-reload-orig.html (0 => 108724)


--- trunk/LayoutTests/webintents/resources/web-intents-reload-orig.html	                        (rev 0)
+++ trunk/LayoutTests/webintents/resources/web-intents-reload-orig.html	2012-02-24 04:58:34 UTC (rev 108724)
@@ -0,0 +1,30 @@
+<html>
+  <head>
+    <script src=""
+    <script>
+      function onSuccess() {
+      }
+
+      function onFailure() {
+      }
+
+      function startIntent() {
+        debug("* launching intent action/type");
+        var intent = new Intent("action", "type");
+        try {
+          navigator.startActivity(intent, onSuccess, onFailure);
+        } catch (e) {
+          testFailed("startActivity should not throw exception");
+        }
+
+        debug("* navigating after startActivity");
+
+        // This should not crash.
+        window.location = "resources/pass.html";
+      }
+    </script>
+  </head>
+  <body>
+    <p>Original content</p>
+  </body>
+</html>

Added: trunk/LayoutTests/webintents/web-intents-reload-expected.txt (0 => 108724)


--- trunk/LayoutTests/webintents/web-intents-reload-expected.txt	                        (rev 0)
+++ trunk/LayoutTests/webintents/web-intents-reload-expected.txt	2012-02-24 04:58:34 UTC (rev 108724)
@@ -0,0 +1,10 @@
+Received Web Intent: action="" type=type
+* loaded
+* sent mouseup
+* loaded replacement page
+ 
+
+--------
+Frame: 'frame'
+--------
+PASS

Added: trunk/LayoutTests/webintents/web-intents-reload.html (0 => 108724)


--- trunk/LayoutTests/webintents/web-intents-reload.html	                        (rev 0)
+++ trunk/LayoutTests/webintents/web-intents-reload.html	2012-02-24 04:58:34 UTC (rev 108724)
@@ -0,0 +1,49 @@
+<html>
+  <head>
+    <script src=""
+    <script>
+      var latch = true;
+
+      function buttonClicked() {
+        frames[0].startIntent();
+      }
+
+      function frameloaded() {
+        if (latch) {
+          latch = false;
+          startTest();
+          return;
+        }
+
+        debug("* loaded replacement page");
+
+        if (window.layoutTestController) {
+          window.layoutTestController.notifyDone();
+        }
+      }
+
+      function startTest() {
+        if (window.layoutTestController) {
+          window.layoutTestController.waitUntilDone();
+          window.layoutTestController.dumpChildFramesAsText();
+        }
+
+        debug("* loaded");
+
+        // We must simulate a button press with eventSender because intents
+        // require a user gesture.
+        var button = document.getElementById("button");
+        if (eventSender) {
+          eventSender.mouseMoveTo(button.getBoundingClientRect().left + 2, button.getBoundingClientRect().top + 12);
+          eventSender.mouseDown();
+          eventSender.mouseUp();
+          debug("* sent mouseup");
+        }
+      }
+    </script>
+  </head>
+<body>
+<input type="button" id="button" value="Start Web Intent" _onmouseup_="buttonClicked()">
+<iframe id="frame" _onload_="frameloaded()" src=""
+</body>
+</html>

Modified: trunk/Source/WebCore/ChangeLog (108723 => 108724)


--- trunk/Source/WebCore/ChangeLog	2012-02-24 04:40:48 UTC (rev 108723)
+++ trunk/Source/WebCore/ChangeLog	2012-02-24 04:58:34 UTC (rev 108724)
@@ -1,3 +1,26 @@
+2012-02-23  Greg Billock  <[email protected]>
+
+        Don't clear IntentRequest callback pointers on stop()
+
+        This causes re-entry into ScriptExecutionContext when
+        the ActiveDOMCallback objects get deleted, which crashes.
+        Instead, just de-activate the object and wait for
+        context destruction to clean up.
+
+        Test crashes consistently without fix and passes with fix.
+        Added some test infrastructure to support this test.
+        https://bugs.webkit.org/show_bug.cgi?id=78638
+
+        Reviewed by Adam Barth.
+
+        * Modules/intents/IntentRequest.cpp:
+        (WebCore::IntentRequest::IntentRequest):
+        (WebCore::IntentRequest::stop):
+        (WebCore::IntentRequest::postResult):
+        (WebCore::IntentRequest::postFailure):
+        * Modules/intents/IntentRequest.h:
+        (IntentRequest):
+
 2012-02-23  Konrad Piascik  <[email protected]>
 
         Upstream BlackBerry Cookie Management Classes

Modified: trunk/Source/WebCore/Modules/intents/IntentRequest.cpp (108723 => 108724)


--- trunk/Source/WebCore/Modules/intents/IntentRequest.cpp	2012-02-24 04:40:48 UTC (rev 108723)
+++ trunk/Source/WebCore/Modules/intents/IntentRequest.cpp	2012-02-24 04:58:34 UTC (rev 108724)
@@ -54,24 +54,26 @@
     , m_intent(intent)
     , m_successCallback(successCallback)
     , m_errorCallback(errorCallback)
+    , m_stopped(false)
 {
 }
 
 void IntentRequest::contextDestroyed()
 {
     ContextDestructionObserver::contextDestroyed();
-    m_successCallback.clear();
-    m_errorCallback.clear();
+    m_stopped = true;
 }
 
 void IntentRequest::stop()
 {
-    m_successCallback.clear();
-    m_errorCallback.clear();
+    m_stopped = true;
 }
 
 void IntentRequest::postResult(SerializedScriptValue* data)
 {
+    if (m_stopped)
+        return;
+
     // Callback could lead to deletion of this.
     RefPtr<IntentRequest> protector(this);
 
@@ -86,6 +88,9 @@
 
 void IntentRequest::postFailure(SerializedScriptValue* data)
 {
+    if (m_stopped)
+        return;
+
     // Callback could lead to deletion of this.
     RefPtr<IntentRequest> protector(this);

Modified: trunk/Source/WebCore/Modules/intents/IntentRequest.h (108723 => 108724)


--- trunk/Source/WebCore/Modules/intents/IntentRequest.h	2012-02-24 04:40:48 UTC (rev 108723)
+++ trunk/Source/WebCore/Modules/intents/IntentRequest.h	2012-02-24 04:58:34 UTC (rev 108724)
@@ -60,6 +60,7 @@
     RefPtr<Intent> m_intent;
     RefPtr<IntentResultCallback> m_successCallback;
     RefPtr<IntentResultCallback> m_errorCallback;
+    bool m_stopped;
 };
 
 } // namespace WebCore

Modified: trunk/Tools/DumpRenderTree/chromium/WebViewHost.cpp (108723 => 108724)


--- trunk/Tools/DumpRenderTree/chromium/WebViewHost.cpp	2012-02-24 04:40:48 UTC (rev 108723)
+++ trunk/Tools/DumpRenderTree/chromium/WebViewHost.cpp	2012-02-24 04:58:34 UTC (rev 108724)
@@ -47,6 +47,7 @@
 #include "WebFrame.h"
 #include "WebGeolocationClientMock.h"
 #include "WebHistoryItem.h"
+#include "WebIntent.h"
 #include "WebKit.h"
 #include "WebNode.h"
 #include "WebPluginParams.h"
@@ -1313,6 +1314,14 @@
     return false;
 }
 
+void WebViewHost::dispatchIntent(WebFrame* source, const WebIntentRequest& request)
+{
+    printf("Received Web Intent: action="" type=%s\n",
+           request.intent().action().utf8().data(),
+           request.intent().type().utf8().data());
+    m_currentRequest = request;
+}
+
 // Public functions -----------------------------------------------------------
 
 WebViewHost::WebViewHost(TestShell* shell)

Modified: trunk/Tools/DumpRenderTree/chromium/WebViewHost.h (108723 => 108724)


--- trunk/Tools/DumpRenderTree/chromium/WebViewHost.h	2012-02-24 04:40:48 UTC (rev 108723)
+++ trunk/Tools/DumpRenderTree/chromium/WebViewHost.h	2012-02-24 04:58:34 UTC (rev 108724)
@@ -37,6 +37,7 @@
 #include "WebAccessibilityNotification.h"
 #include "WebCursorInfo.h"
 #include "WebFrameClient.h"
+#include "WebIntentRequest.h"
 #include "WebSpellCheckClient.h"
 #include "WebViewClient.h"
 #include <wtf/HashMap.h>
@@ -237,6 +238,7 @@
     virtual void didDetectXSS(WebKit::WebFrame*, const WebKit::WebURL&, bool didBlockEntirePage);
     virtual void openFileSystem(WebKit::WebFrame*, WebKit::WebFileSystem::Type, long long size, bool create, WebKit::WebFileSystemCallbacks*);
     virtual bool willCheckAndDispatchMessageEvent(WebKit::WebFrame* source, WebKit::WebSecurityOrigin target, WebKit::WebDOMMessageEvent);
+    virtual void dispatchIntent(WebKit::WebFrame* source, const WebKit::WebIntentRequest&);
 
     WebKit::WebDeviceOrientationClientMock* deviceOrientationClientMock();
     
@@ -410,6 +412,9 @@
         PointerLockWillFailSync
     } m_pointerLockPlannedResult;
 #endif
+
+    // For web intents: holds the current request, if any.
+    WebKit::WebIntentRequest m_currentRequest;
 };
 
 #endif // WebViewHost_h

_______________________________________________
webkit-changes mailing list
[email protected]
http://lists.webkit.org/mailman/listinfo.cgi/webkit-changes

Reply via email to