Title: [147955] trunk
Revision: 147955
Author: [email protected]
Date: 2013-04-08 14:43:15 -0700 (Mon, 08 Apr 2013)

Log Message

REGRESSION (r138858): Crash in WebCore::FrameLoader::~FrameLoader() when opening page in a background tab
https://bugs.webkit.org/show_bug.cgi?id=109935
<rdar://problem/13225963>

Reviewed by Brady Eidson.

Previously, we were deciding if a Page could go into
the PageCache by blacklisting certain load types. Instead,
whitelist the load types that we know can go into the cache,
so that newly-added load types are not cached unless
that is explicitly desired.

The crash occurs when a page which is actively loading
is put into the page cache while doing a redirect with
FrameLoadTypeRedirectWithLockedBackForwardList (note that
this is a redirect that was not covered in the blacklist),
and then promptly removed from the page cache, resulting
in resources from the redirect target (the now-active page)
being incorrectly destroyed.

No new tests, only known crash repro case is extremely
timing dependent (and only happens in WebKit2, with tiled
drawing, in background tabs).

* history/PageCache.cpp:
(WebCore::PageCache::canCache):

Adjust a test which depended on slow-redirects going
into the page cache (which will no longer happen)
to instead click on a link.

* fast/history/timed-refresh-in-cached-frame.html:

Diff

Modified: trunk/LayoutTests/ChangeLog (147954 => 147955)


--- trunk/LayoutTests/ChangeLog	2013-04-08 21:41:30 UTC (rev 147954)
+++ trunk/LayoutTests/ChangeLog	2013-04-08 21:43:15 UTC (rev 147955)
@@ -1,3 +1,17 @@
+2013-04-08  Tim Horton  <[email protected]>
+
+        REGRESSION (r138858): Crash in WebCore::FrameLoader::~FrameLoader() when opening page in a background tab
+        https://bugs.webkit.org/show_bug.cgi?id=109935
+        <rdar://problem/13225963>
+
+        Reviewed by Brady Eidson.
+
+        Adjust a test which depended on slow-redirects going
+        into the page cache (which will no longer happen)
+        to instead click on a link.
+
+        * fast/history/timed-refresh-in-cached-frame.html:
+
 2013-04-08  Jer Noble  <[email protected]>
 
         Unreviewed gardening. Remove expected results added by r147824.

Modified: trunk/LayoutTests/fast/history/timed-refresh-in-cached-frame.html (147954 => 147955)


--- trunk/LayoutTests/fast/history/timed-refresh-in-cached-frame.html	2013-04-08 21:41:30 UTC (rev 147954)
+++ trunk/LayoutTests/fast/history/timed-refresh-in-cached-frame.html	2013-04-08 21:43:15 UTC (rev 147955)
@@ -1,6 +1,7 @@
 <body _onload_="redirect()">
 <!-- Needs to take two seconds, because a faster refresh would result in not creating a b/f item for the navigation -->
 <iframe src=''></iframe>
+<a id="outerLink" href=''>test</a>
 <script>
 if (window.testRunner) {
     testRunner.dumpAsText();
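Review bot: the added `<a id="outerLink" href=''>` line shows an empty href, and the `location=` assignment removed in the next hunk was the only visible place that displayed the PASSED text and called `testRunner.notifyDone()`. Whatever target this link is given should carry both, otherwise the click navigates without ever reporting a result or ending the test.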
@@ -10,6 +11,13 @@
 
 function redirect()
 {
-    location='data:text/html,<p>PASSED if didn&apos;t crash in two seconds.</p><script>if (window.testRunner) setTimeout("testRunner.notifyDone()", 2500); </scr' + 'ipt>';
+    setTimeout(function () {
+        if (window.eventSender) {
+            var el = document.getElementById("outerLink");
+            eventSender.mouseMoveTo(el.offsetLeft + 5, el.offsetTop + 5);
+            eventSender.mouseDown();
+            eventSender.mouseUp();
+        }
+    }, 0);
 }
 </script>
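Review bot: in redirect(), the click is issued only inside `if (window.eventSender)`, so opening this test by hand in a browser does nothing and shows neither a pass nor a failure. An else branch that writes a short instruction to the page (for example, asking the user to click the "test" link) would keep the test usable manually. A one-line comment on why the click is deferred with `setTimeout(..., 0)` instead of being sent directly from the onload handler would also help the next person who touches this.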

Modified: trunk/Source/WebCore/ChangeLog (147954 => 147955)


--- trunk/Source/WebCore/ChangeLog	2013-04-08 21:41:30 UTC (rev 147954)
+++ trunk/Source/WebCore/ChangeLog	2013-04-08 21:43:15 UTC (rev 147955)
@@ -1,3 +1,32 @@
+2013-04-08  Tim Horton  <[email protected]>
+
+        REGRESSION (r138858): Crash in WebCore::FrameLoader::~FrameLoader() when opening page in a background tab
+        https://bugs.webkit.org/show_bug.cgi?id=109935
+        <rdar://problem/13225963>
+
+        Reviewed by Brady Eidson.
+
+        Previously, we were deciding if a Page could go into
+        the PageCache by blacklisting certain load types. Instead,
+        whitelist the load types that we know can go into the cache,
+        so that newly-added load types are not cached unless
+        that is explicitly desired.
+
+        The crash occurs when a page which is actively loading
+        is put into the page cache while doing a redirect with
+        FrameLoadTypeRedirectWithLockedBackForwardList (note that
+        this is a redirect that was not covered in the blacklist),
+        and then promptly removed from the page cache, resulting
+        in resources from the redirect target (the now-active page)
+        being incorrectly destroyed.
+
+        No new tests, only known crash repro case is extremely
+        timing dependent (and only happens in WebKit2, with tiled
+        drawing, in background tabs).
+
+        * history/PageCache.cpp:
+        (WebCore::PageCache::canCache):
+
 2013-04-08  Anders Carlsson  <[email protected]>
 
         Fix build.
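Review bot: this entry explains the move to a whitelist and names the one redirect type that crashed, but it does not mention the behaviour change recorded in the LayoutTests ChangeLog, namely that slow-redirects no longer go into the page cache. That is a direct consequence of the PageCache::canCache change, so it should be stated here as well; someone reading only the WebCore log would otherwise not learn that pages left via such loads are no longer cached.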

Modified: trunk/Source/WebCore/history/PageCache.cpp (147954 => 147955)


--- trunk/Source/WebCore/history/PageCache.cpp	2013-04-08 21:41:30 UTC (rev 147954)
+++ trunk/Source/WebCore/history/PageCache.cpp	2013-04-08 21:43:15 UTC (rev 147955)
@@ -360,9 +360,10 @@
 #if ENABLE(PROXIMITY_EVENTS)
         && !DeviceProximityController::isActiveAt(page)
 #endif
-        && loadType != FrameLoadTypeReload
-        && loadType != FrameLoadTypeReloadFromOrigin
-        && loadType != FrameLoadTypeSame;
+        && (loadType == FrameLoadTypeStandard
+            || loadType == FrameLoadTypeBack
+            || loadType == FrameLoadTypeForward
+            || loadType == FrameLoadTypeIndexedBackForward);
 }
 
 void PageCache::setCapacity(int capacity)
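Review bot: the new list of permitted load types at the end of the canCache condition carries no comment, so the reasoning lives only in the ChangeLog. A short comment above `&& (loadType == FrameLoadTypeStandard` saying that load types are uncacheable unless explicitly listed would keep a later change from reverting to exclusion checks. Moving the test into a small helper that uses a `switch` over the load type with no `default` would additionally let the compiler warn when a load type is added, so its cacheability is decided explicitly rather than by omission.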