Title: [164204] trunk
Revision: 164204
Author: [email protected]
Date: 2014-02-16 19:52:02 -0800 (Sun, 16 Feb 2014)

Log Message

Ensure that removing an iframe from the DOM tree disconnects its Frame.
<https://webkit.org/b/128889>
<rdar://problem/15671221>

Merged from Blink (patch by Adam Klein):
https://src.chromium.org/viewvc/blink?revision=156174&view=revision

Source/WebCore:

SubframeLoadingDisabler wasn't catching the case when an <iframe> was,
in its unload handler, removed and re-added to the same parent.
Fix this by using a count of SubframeLoadingDisablers that are on the
stack for a given root, rather than a simple boolean.

Test: fast/frames/reattach-in-unload.html

* html/HTMLFrameOwnerElement.h:
(WebCore::SubframeLoadingDisabler::disabledSubtreeRoots):

LayoutTests:

* fast/frames/reattach-in-unload-expected.txt: Added.
* fast/frames/reattach-in-unload.html: Added.

Diff

Modified: trunk/LayoutTests/ChangeLog (164203 => 164204)


--- trunk/LayoutTests/ChangeLog	2014-02-17 03:19:49 UTC (rev 164203)
+++ trunk/LayoutTests/ChangeLog	2014-02-17 03:52:02 UTC (rev 164204)
@@ -1,3 +1,15 @@
+2014-02-16  Andreas Kling  <[email protected]>
+
+        Ensure that removing an iframe from the DOM tree disconnects its Frame.
+        <https://webkit.org/b/128889>
+        <rdar://problem/15671221>
+
+        Merged from Blink (patch by Adam Klein):
+        https://src.chromium.org/viewvc/blink?revision=156174&view=revision
+
+        * fast/frames/reattach-in-unload-expected.txt: Added.
+        * fast/frames/reattach-in-unload.html: Added.
+
 2014-02-16  Benjamin Poulain  <[email protected]>
 
         When applying style, attribute value matching should be case sensitive for SVG

Added: trunk/LayoutTests/fast/frames/reattach-in-unload-expected.txt (0 => 164204)


--- trunk/LayoutTests/fast/frames/reattach-in-unload-expected.txt	                        (rev 0)
+++ trunk/LayoutTests/fast/frames/reattach-in-unload-expected.txt	2014-02-17 03:52:02 UTC (rev 164204)
@@ -0,0 +1,12 @@
+Ensure that removing an iframe from the tree results in frame destruction
+
+On success, you will see a series of "PASS" messages, followed by "TEST COMPLETE".
+
+
+PASS frame.contentWindow is null
+PASS frame.contentWindow is null
+Did not crash
+PASS successfullyParsed is true
+
+TEST COMPLETE
+

Added: trunk/LayoutTests/fast/frames/reattach-in-unload.html (0 => 164204)


--- trunk/LayoutTests/fast/frames/reattach-in-unload.html	                        (rev 0)
+++ trunk/LayoutTests/fast/frames/reattach-in-unload.html	2014-02-17 03:52:02 UTC (rev 164204)
@@ -0,0 +1,25 @@
+<!DOCTYPE html>
+<body>
+<script src=""
+<script>
+description('Ensure that removing an iframe from the tree results in frame destruction');
+
+var frame = document.createElement('iframe');
+function handler() {
+    var p = frame.parentNode;
+    p.removeChild(frame);
+    p.appendChild(frame);
+}
+
+document.body.appendChild(frame);
+frame.contentWindow._onunload_ = handler;
+frame.parentNode.removeChild(frame)
+shouldBeNull("frame.contentWindow");
+
+var div = document.body.appendChild(document.createElement('div'));
+div.appendChild(frame);
+div.removeChild(frame);
+shouldBeNull("frame.contentWindow");
+debug('Did not crash');
+</script>
+</body>
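Review bot: the handler assignment, as it reads here (`frame.contentWindow._onunload_ = handler;`), sets an ordinary property named `_onunload_` rather than the `onunload` handler, so `handler()` would never run and both `shouldBeNull` checks would pass without exercising the remove-and-re-add path the fix targets. Assign `onunload`, and have `handler` set a flag that is asserted after the first `removeChild`, so the test fails if the unload handler did not fire. The include line `<script src=""` also has an empty `src` and no closing `></script>`, which leaves `description`, `shouldBeNull` and `debug` undefined until the harness path is restored, and the `frame.parentNode.removeChild(frame)` line is missing its semicolon.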

Modified: trunk/Source/WebCore/ChangeLog (164203 => 164204)


--- trunk/Source/WebCore/ChangeLog	2014-02-17 03:19:49 UTC (rev 164203)
+++ trunk/Source/WebCore/ChangeLog	2014-02-17 03:52:02 UTC (rev 164204)
@@ -1,3 +1,22 @@
+2014-02-16  Andreas Kling  <[email protected]>
+
+        Ensure that removing an iframe from the DOM tree disconnects its Frame.
+        <https://webkit.org/b/128889>
+        <rdar://problem/15671221>
+
+        Merged from Blink (patch by Adam Klein):
+        https://src.chromium.org/viewvc/blink?revision=156174&view=revision
+
+        SubframeLoadingDisabler wasn't catching the case when an <iframe> was,
+        in its unload handler, removed and re-added to the same parent.
+        Fix this by using a count of SubframeLoadingDisablers that are on the
+        stack for a given root, rather than a simple boolean.
+
+        Test: fast/frames/reattach-in-unload.html
+
+        * html/HTMLFrameOwnerElement.h:
+        (WebCore::SubframeLoadingDisabler::disabledSubtreeRoots):
+
 2014-02-16  Benjamin Poulain  <[email protected]>
 
         When applying style, attribute value matching should be case sensitive for SVG

Modified: trunk/Source/WebCore/html/HTMLFrameOwnerElement.h (164203 => 164204)


--- trunk/Source/WebCore/html/HTMLFrameOwnerElement.h	2014-02-17 03:19:49 UTC (rev 164203)
+++ trunk/Source/WebCore/html/HTMLFrameOwnerElement.h	2014-02-17 03:52:02 UTC (rev 164204)
@@ -22,6 +22,7 @@
 #define HTMLFrameOwnerElement_h
 
 #include "HTMLElement.h"
+#include <wtf/HashCountedSet.h>
 
 namespace WebCore {
 
@@ -88,9 +89,9 @@
     static bool canLoadFrame(HTMLFrameOwnerElement&);
 
 private:
-    static HashSet<ContainerNode*>& disabledSubtreeRoots()
+    static HashCountedSet<ContainerNode*>& disabledSubtreeRoots()
     {
-        DEFINE_STATIC_LOCAL(HashSet<ContainerNode*>, nodes, ());
+        DEFINE_STATIC_LOCAL(HashCountedSet<ContainerNode*>, nodes, ());
         return nodes;
     }
 
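Review bot: `disabledSubtreeRoots()` changes its type from `HashSet<ContainerNode*>` to `HashCountedSet<ContainerNode*>` with no comment saying why a count is needed, and the call sites that add to, remove from and query the set are not part of this diff, so it cannot be confirmed from here that destroying one SubframeLoadingDisabler only decrements the root's count instead of clearing the entry. A short comment on the accessor would help, for example that a root stays disabled until every SubframeLoadingDisabler on the stack for it has been destroyed. It is also worth checking that `canLoadFrame()` treats any non-zero count as disabled.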
_______________________________________________
webkit-changes mailing list
[email protected]
https://lists.webkit.org/mailman/listinfo/webkit-changes