Title: [145652] branches/safari-536.30-branch
- Revision: 145652
- Author: [email protected]
- Date: 2013-03-12 18:19:07 -0700 (Tue, 12 Mar 2013)
Log Message
Merged r138926. <rdar://problem/13334936>
Modified Paths
- branches/safari-536.30-branch/LayoutTests/ChangeLog
- branches/safari-536.30-branch/Source/WebCore/ChangeLog
- branches/safari-536.30-branch/Source/WebCore/html/parser/HTMLDocumentParser.cpp
- branches/safari-536.30-branch/Source/WebCore/loader/DocumentLoader.cpp
Added Paths
- branches/safari-536.30-branch/LayoutTests/fast/dom/ready-state-change-crash-expected.txt
- branches/safari-536.30-branch/LayoutTests/fast/dom/ready-state-change-crash.html
Diff
Modified: branches/safari-536.30-branch/LayoutTests/ChangeLog (145651 => 145652)
--- branches/safari-536.30-branch/LayoutTests/ChangeLog 2013-03-13 01:19:05 UTC (rev 145651)
+++ branches/safari-536.30-branch/LayoutTests/ChangeLog 2013-03-13 01:19:07 UTC (rev 145652)
@@ -1,5 +1,19 @@
2013-03-12 Lucas Forschler <[email protected]>
+ Merge r138926
+
+ 2013-01-06 Abhishek Arya <[email protected]>
+
+ Heap-use-after-free in DocumentLoader::stopLoading
+ https://bugs.webkit.org/show_bug.cgi?id=103656
+
+ Reviewed by Eric Seidel.
+
+ * fast/dom/ready-state-change-crash-expected.txt: Added.
+ * fast/dom/ready-state-change-crash.html: Added.
+
+2013-03-12 Lucas Forschler <[email protected]>
+
Merge r138918
2013-01-06 Abhishek Arya <[email protected]>
Copied: branches/safari-536.30-branch/LayoutTests/fast/dom/ready-state-change-crash-expected.txt (from rev 138926, trunk/LayoutTests/fast/dom/ready-state-change-crash-expected.txt) (0 => 145652)
--- branches/safari-536.30-branch/LayoutTests/fast/dom/ready-state-change-crash-expected.txt (rev 0)
+++ branches/safari-536.30-branch/LayoutTests/fast/dom/ready-state-change-crash-expected.txt 2013-03-13 01:19:07 UTC (rev 145652)
@@ -0,0 +1,2 @@
+Test passes if it does not crash.
+
Copied: branches/safari-536.30-branch/LayoutTests/fast/dom/ready-state-change-crash.html (from rev 138926, trunk/LayoutTests/fast/dom/ready-state-change-crash.html) (0 => 145652)
--- branches/safari-536.30-branch/LayoutTests/fast/dom/ready-state-change-crash.html (rev 0)
+++ branches/safari-536.30-branch/LayoutTests/fast/dom/ready-state-change-crash.html 2013-03-13 01:19:07 UTC (rev 145652)
@@ -0,0 +1,34 @@
+<!DOCTYPE html>
+<html>
+Test passes if it does not crash.
+<body>
+<div id="a"></div>
+<div id="b">
+<iframe id="f" src=""
+</div>
+
+<script>
+if (window.testRunner)
+ testRunner.dumpAsText();
+
+var listenerActive = false;
+var fDoc = document.getElementById('f').contentDocument;
+fDoc.open();
+
+// Waits for frame f to finish loading, then moves div b into div a.
+moveDivBIntoDivA = function() {
+ if (fDoc.readyState == 'loading') {
+ if (!listenerActive) {
+ fDoc.addEventListener('readystatechange', moveDivBIntoDivA);
+ listenerActive = true;
+ }
+ return;
+ }
+ document.getElementById('a').appendChild(document.getElementById('b'));
+};
+
+moveDivBIntoDivA();
+fDoc.close();
+</script>
+</body>
+</html>
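Review bot: the `<iframe id="f" src=""` start tag is never terminated with `>`, so the tokenizer swallows the following `</div>` as a bogus attribute of the iframe and div b is only closed implicitly at end of body; if the unterminated tag is not essential to reproducing the crash, write it as `<iframe id="f" src=""></iframe>` so the structure the comment relies on (b containing f, moved into a) is explicit rather than a product of error recovery. Two smaller points: `moveDivBIntoDivA = function() {...}` creates an implicit global and should be declared with `var`, and the "Test passes if it does not crash." text sits before `<body>`, where it is foster-parented; moving it inside the body matches what the expected.txt shows. The important part of the test is intact: the readystatechange listener fires while the parser is inside prepareToStopParsing, and the appendChild re-parents the iframe, which is exactly the detach path the isDetached() guard in HTMLDocumentParser.cpp is meant to cover.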
Modified: branches/safari-536.30-branch/Source/WebCore/ChangeLog (145651 => 145652)
--- branches/safari-536.30-branch/Source/WebCore/ChangeLog 2013-03-13 01:19:05 UTC (rev 145651)
+++ branches/safari-536.30-branch/Source/WebCore/ChangeLog 2013-03-13 01:19:07 UTC (rev 145652)
@@ -1,5 +1,28 @@
2013-03-12 Lucas Forschler <[email protected]>
+ Merge r138926
+
+ 2013-01-06 Abhishek Arya <[email protected]>
+
+ Heap-use-after-free in DocumentLoader::stopLoading
+ https://bugs.webkit.org/show_bug.cgi?id=103656
+
+ Reviewed by Eric Seidel.
+
+ Test: fast/dom/ready-state-change-crash.html
+
+ * html/parser/HTMLDocumentParser.cpp:
+ (WebCore::HTMLDocumentParser::prepareToStopParsing): Bail out
+ if the parser is detached due to mutation event.
+ * loader/DocumentLoader.cpp:
+ (WebCore::DocumentLoader::stopLoading): Move the protectors for
+ frame and document loader to the start of the function. Call to
+ m_frame->loader()->stopLoading() can change document ready state
+ and fire mutation event which might blow the document loader from
+ underneath.
+
+2013-03-12 Lucas Forschler <[email protected]>
+
Merge r138918
2013-01-06 Abhishek Arya <[email protected]>
Modified: branches/safari-536.30-branch/Source/WebCore/html/parser/HTMLDocumentParser.cpp (145651 => 145652)
--- branches/safari-536.30-branch/Source/WebCore/html/parser/HTMLDocumentParser.cpp 2013-03-13 01:19:05 UTC (rev 145651)
+++ branches/safari-536.30-branch/Source/WebCore/html/parser/HTMLDocumentParser.cpp 2013-03-13 01:19:07 UTC (rev 145652)
@@ -150,6 +150,11 @@
if (m_scriptRunner)
document()->setReadyState(Document::Interactive);
+ // Setting the ready state above can fire mutation event and detach us
+ // from underneath. In that case, just bail out.
+ if (isDetached())
+ return;
+
attemptToRunDeferredScriptsAndEnd();
}
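Review bot: the new comment attributes the detach to a "mutation event", but the regression test triggers it from a readystatechange listener that re-parents the iframe; wording it as "can run script (for example a readystatechange listener) that detaches us" would save the next reader from looking for DOMNodeRemoved handlers. The placement is right: the guard sits after both branches of the `if (m_scriptRunner)` so attemptToRunDeferredScriptsAndEnd() can no longer run on a detached parser, which is the use-after-free the bug describes.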
Modified: branches/safari-536.30-branch/Source/WebCore/loader/DocumentLoader.cpp (145651 => 145652)
--- branches/safari-536.30-branch/Source/WebCore/loader/DocumentLoader.cpp 2013-03-13 01:19:05 UTC (rev 145651)
+++ branches/safari-536.30-branch/Source/WebCore/loader/DocumentLoader.cpp 2013-03-13 01:19:07 UTC (rev 145652)
@@ -206,6 +206,9 @@
// but not loads initiated by child frames' data sources -- that's the WebFrame's job.
void DocumentLoader::stopLoading()
{
+ RefPtr<Frame> protectFrame(m_frame);
+ RefPtr<DocumentLoader> protectLoader(this);
+
// In some rare cases, calling FrameLoader::stopLoading could cause isLoading() to return false.
// (This can happen when there's a single XMLHttpRequest currently loading and stopLoading causes it
// to stop loading. Because of this, we need to save it so we don't return early.
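Review bot: hoisting `protectFrame` and `protectLoader` to the top keeps `this` and the Frame alive across the later m_frame->loader()->stopLoading() call, but a ref-counted Frame that is still alive is not the same as one that is still attached; any member access after that call that assumes m_frame is still attached to its page (or that the document is unchanged) still needs its own check. A one-line comment at the protector declarations naming the call they guard against would help, since the "In some rare cases" comment that follows only explains why isLoading() is saved.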
@@ -242,9 +245,6 @@
// See <rdar://problem/9673866> for more details.
if (m_isStopping)
return;
-
- RefPtr<Frame> protectFrame(m_frame);
- RefPtr<DocumentLoader> protectLoader(this);
m_isStopping = true;
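Review bot: dropping the protectors here is the correct companion to the hunk above (they would otherwise be redundant), but the deletion also removes the blank line after the `if (m_isStopping) return;` early return, leaving `return;` immediately followed by `m_isStopping = true;`; keep one blank line there so the early-return block stays visually separate. Note that the protectors are now taken even on the early-return paths before this point, which is a negligible cost but worth knowing when reading the diff.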
_______________________________________________
webkit-changes mailing list
[email protected]
https://lists.webkit.org/mailman/listinfo/webkit-changes