Title: [145650] branches/safari-536.30-branch
- Revision
- 145650
- Author
- [email protected]
- Date
- 2013-03-12 18:17:02 -0700 (Tue, 12 Mar 2013)
Log Message
Merged r138918. <rdar://problem/13334933>
Modified Paths
Added Paths
Diff
Modified: branches/safari-536.30-branch/LayoutTests/ChangeLog (145649 => 145650)
--- branches/safari-536.30-branch/LayoutTests/ChangeLog 2013-03-13 01:14:34 UTC (rev 145649)
+++ branches/safari-536.30-branch/LayoutTests/ChangeLog 2013-03-13 01:17:02 UTC (rev 145650)
@@ -1,5 +1,19 @@
2013-03-12 Lucas Forschler <[email protected]>
+ Merge r138918
+
+ 2013-01-06 Abhishek Arya <[email protected]>
+
+ Heap-use-after-free in WebCore::Document::implicitClose
+ https://bugs.webkit.org/show_bug.cgi?id=105655
+
+ Reviewed by Eric Seidel.
+
+ * fast/dom/window-load-crash-expected.txt: Added.
+ * fast/dom/window-load-crash.html: Added.
+
+2013-03-12 Lucas Forschler <[email protected]>
+
Merge r138850
2013-01-04 Abhishek Arya <[email protected]>
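Review bot: the merged LayoutTests ChangeLog entry records the upstream bug URL and the two added test files but not the branch-side tracker given in the commit log (<rdar://problem/13334933>); adding that reference to the "Merge r138918" line keeps the branch ChangeLog self-describing when it is read without the svn log.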
Copied: branches/safari-536.30-branch/LayoutTests/fast/dom/window-load-crash-expected.txt (from rev 138918, trunk/LayoutTests/fast/dom/window-load-crash-expected.txt) (0 => 145650)
--- branches/safari-536.30-branch/LayoutTests/fast/dom/window-load-crash-expected.txt (rev 0)
+++ branches/safari-536.30-branch/LayoutTests/fast/dom/window-load-crash-expected.txt 2013-03-13 01:17:02 UTC (rev 145650)
@@ -0,0 +1,2 @@
+Blocked access to external URL http://blocked/does-not-exist.html
+Test passes if it does not crash.
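Review bot: the expected output couples the test to a harness-specific console message ("Blocked access to external URL http://blocked/does-not-exist.html"), so any change to the wording of that blocking message will fail this test for a reason unrelated to the use-after-free it guards against; if the harness allows it, consider expecting only "Test passes if it does not crash." and treating the blocked-load message as incidental.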
Copied: branches/safari-536.30-branch/LayoutTests/fast/dom/window-load-crash.html (from rev 138918, trunk/LayoutTests/fast/dom/window-load-crash.html) (0 => 145650)
--- branches/safari-536.30-branch/LayoutTests/fast/dom/window-load-crash.html (rev 0)
+++ branches/safari-536.30-branch/LayoutTests/fast/dom/window-load-crash.html 2013-03-13 01:17:02 UTC (rev 145650)
@@ -0,0 +1,19 @@
+<!DOCTYPE html>
+<html>
+Test passes if it does not crash.
+<base href=""
+<script>
+if (window.testRunner) {
+ testRunner.dumpAsText();
+ testRunner.waitUntilDone();
+}
+
+function crash()
+{
+ GCController.collect();
+ if (window.testRunner)
+ testRunner.notifyDone();
+}
+</script>
+<iframe _onload_=crash() src="" srcdoc="<script>window._onload_ = function() { frames[0].document.getElementsByTagName('a')[0].click(); }</script><iframe seamless srcdoc='<a href=""
+</html>
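Review bot: the test markup as rendered here is truncated and cannot be reproduced from the hunk: the `<base href=""` line has no closing `>`, the `<iframe ... srcdoc=...>` line ends mid-attribute at `<a href=""`, and `_onload_` appears to be a mangled rendering of the `onload` attribute; reviewers should diff against the copied source (trunk/LayoutTests/fast/dom/window-load-crash.html at r138918) rather than this view, and the nested srcdoc/seamless iframe construction that drives the GC-triggered crash deserves a one-line comment in the test explaining the sequence it relies on.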
Modified: branches/safari-536.30-branch/Source/WebCore/ChangeLog (145649 => 145650)
--- branches/safari-536.30-branch/Source/WebCore/ChangeLog 2013-03-13 01:14:34 UTC (rev 145649)
+++ branches/safari-536.30-branch/Source/WebCore/ChangeLog 2013-03-13 01:17:02 UTC (rev 145650)
@@ -1,5 +1,22 @@
2013-03-12 Lucas Forschler <[email protected]>
+ Merge r138918
+
+ 2013-01-06 Abhishek Arya <[email protected]>
+
+ Heap-use-after-free in WebCore::Document::implicitClose
+ https://bugs.webkit.org/show_bug.cgi?id=105655
+
+ Reviewed by Eric Seidel.
+
+ Test: fast/dom/window-load-crash.html
+
+ * dom/Document.cpp:
+ (WebCore::Document::implicitClose): RefPtr protect |this| document since it
+ can be destroyed in the dispatchWindowLoadEvent call.
+
+2013-03-12 Lucas Forschler <[email protected]>
+
Merge r138863
2013-01-04 Abhishek Arya <[email protected]>
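Review bot: the entry for WebCore::Document::implicitClose says the document "can be destroyed in the dispatchWindowLoadEvent call" but not why; stating that the window load handler runs arbitrary script which may drop the last reference to the document (for example by removing the owning frame) would make the protector's purpose clear to whoever next edits this function.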
Modified: branches/safari-536.30-branch/Source/WebCore/dom/Document.cpp (145649 => 145650)
--- branches/safari-536.30-branch/Source/WebCore/dom/Document.cpp 2013-03-13 01:14:34 UTC (rev 145649)
+++ branches/safari-536.30-branch/Source/WebCore/dom/Document.cpp 2013-03-13 01:17:02 UTC (rev 145650)
@@ -2387,6 +2387,9 @@
if (!doload)
return;
+ // Call to dispatchWindowLoadEvent can blow us from underneath.
+ RefPtr<Document> protect(this);
+
m_processingLoadEvent = true;
ScriptableDocumentParser* parser = scriptableDocumentParser();
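Review bot: the `RefPtr<Document> protect(this)` correctly keeps the object allocated across dispatchWindowLoadEvent, but keeping it alive is not the same as keeping it usable: any raw pointer fetched before the load event, such as the `parser` obtained from scriptableDocumentParser() in the visible context, must be re-checked after the event returns, since script in the handler can detach the frame and null out the parser while the document itself is still held by the protector. The comment "can blow us from underneath" is also informal; a clearer wording would be "dispatchWindowLoadEvent runs script that may release the last reference to this document; hold it until we return."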
_______________________________________________
webkit-changes mailing list
[email protected]
https://lists.webkit.org/mailman/listinfo/webkit-changes