Title: [148533] branches/safari-536.30-branch
- Revision: 148533
- Author: [email protected]
- Date: 2013-04-16 12:12:01 -0700 (Tue, 16 Apr 2013)
Log Message
Merged r130313. <rdar://problem/13656005>
Diff
Modified: branches/safari-536.30-branch/LayoutTests/ChangeLog (148532 => 148533)
--- branches/safari-536.30-branch/LayoutTests/ChangeLog 2013-04-16 18:59:40 UTC (rev 148532)
+++ branches/safari-536.30-branch/LayoutTests/ChangeLog 2013-04-16 19:12:01 UTC (rev 148533)
@@ -1,5 +1,21 @@
2013-04-16 Lucas Forschler <[email protected]>
+ Merge r130313
+
+ 2012-10-03 Adam Barth <[email protected]>
+
+ Crash when calling document.open during unload
+ https://bugs.webkit.org/show_bug.cgi?id=98287
+
+ Reviewed by Nate Chapin.
+
+ Test that we don't crash when calling document.open during the unload event.
+
+ * fast/parser/document-open-in-unload-expected.txt: Added.
+ * fast/parser/document-open-in-unload.html: Added.
+
+2013-04-16 Lucas Forschler <[email protected]>
+
Merge r148483
2013-04-15 Anders Carlsson <[email protected]>
Copied: branches/safari-536.30-branch/LayoutTests/fast/parser/document-open-in-unload-expected.txt (from rev 130313, trunk/LayoutTests/fast/parser/document-open-in-unload-expected.txt) (0 => 148533)
--- branches/safari-536.30-branch/LayoutTests/fast/parser/document-open-in-unload-expected.txt (rev 0)
+++ branches/safari-536.30-branch/LayoutTests/fast/parser/document-open-in-unload-expected.txt 2013-04-16 19:12:01 UTC (rev 148533)
@@ -0,0 +1 @@
+This test passes if it doesn't crash.
Copied: branches/safari-536.30-branch/LayoutTests/fast/parser/document-open-in-unload.html (from rev 130313, trunk/LayoutTests/fast/parser/document-open-in-unload.html) (0 => 148533)
--- branches/safari-536.30-branch/LayoutTests/fast/parser/document-open-in-unload.html (rev 0)
+++ branches/safari-536.30-branch/LayoutTests/fast/parser/document-open-in-unload.html 2013-04-16 19:12:01 UTC (rev 148533)
@@ -0,0 +1,10 @@
+This test passes if it doesn't crash.
+<iframe src=""
+<script>
+if (window.testRunner)
+ testRunner.dumpAsText();
+
+frames[0]._onunload_ = function () {
+ document.open();
+};
+</script>
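Review bot: nothing in this test file triggers the iframe's unload. The handler on frames[0] calls document.open() on the parent, but there is no navigation or frame removal in the script, so the unload presumably fires only when the harness leaves the page, after the text dump has been taken. A short comment in the test stating what is expected to unload the frame, and that a crash would surface during that teardown, would make a failure easier to attribute to this test. Separately, as rendered here the `<iframe src=""` line has no closing `>` or end tag and the handler is assigned to `_onunload_` rather than `onunload`; check against trunk r130313 that the copied file actually registers the unload handler.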
Modified: branches/safari-536.30-branch/Source/WebCore/ChangeLog (148532 => 148533)
--- branches/safari-536.30-branch/Source/WebCore/ChangeLog 2013-04-16 18:59:40 UTC (rev 148532)
+++ branches/safari-536.30-branch/Source/WebCore/ChangeLog 2013-04-16 19:12:01 UTC (rev 148533)
@@ -1,5 +1,24 @@
2013-04-16 Lucas Forschler <[email protected]>
+ Merge r130313
+
+ 2012-10-03 Adam Barth <[email protected]>
+
+ Crash when calling document.open during unload
+ https://bugs.webkit.org/show_bug.cgi?id=98287
+
+ Reviewed by Nate Chapin.
+
+ Calling document.open results in us nulling out m_documentLoader. This
+ code doesn't properly handle that case and crashes.
+
+ Test: fast/parser/document-open-in-unload.html
+
+ * loader/FrameLoader.cpp:
+ (WebCore::FrameLoader::commitProvisionalLoad):
+
+2013-04-16 Lucas Forschler <[email protected]>
+
Merge r147938
2013-04-08 Alexey Proskuryakov <[email protected]>
Modified: branches/safari-536.30-branch/Source/WebCore/loader/FrameLoader.cpp (148532 => 148533)
--- branches/safari-536.30-branch/Source/WebCore/loader/FrameLoader.cpp 2013-04-16 18:59:40 UTC (rev 148532)
+++ branches/safari-536.30-branch/Source/WebCore/loader/FrameLoader.cpp 2013-04-16 19:12:01 UTC (rev 148533)
@@ -1648,7 +1648,7 @@
transitionToCommitted(cachedPage);
- if (pdl) {
+ if (pdl && m_documentLoader) {
// Check if the destination page is allowed to access the previous page's timing information.
RefPtr<SecurityOrigin> securityOrigin = SecurityOrigin::create(pdl->request().url());
m_documentLoader->timing()->setHasSameOriginAsPreviousDocument(securityOrigin->canRequest(m_previousUrl));
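Review bot: the new condition `if (pdl && m_documentLoader)` has no comment saying why m_documentLoader can be null immediately after transitionToCommitted(cachedPage). A one-line comment pointing at document.open() being called during unload (bug 98287) would keep the guard from being dropped later as redundant. The hunk shows only this block, so it is worth confirming that the rest of commitProvisionalLoad does not dereference m_documentLoader unguarded, and stating in the ChangeLog that setHasSameOriginAsPreviousDocument is simply skipped when the loader has been nulled.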