Modified: branches/safari-537.77-branch/Source/WebCore/ChangeLog (169223 => 169224)
--- branches/safari-537.77-branch/Source/WebCore/ChangeLog 2014-05-22 21:46:23 UTC (rev 169223)
+++ branches/safari-537.77-branch/Source/WebCore/ChangeLog 2014-05-22 22:08:28 UTC (rev 169224)
@@ -1,5 +1,25 @@
2014-05-22 Dana Burkart <[email protected]>
+ Merge r167851
+
+ 2014-04-26 Darin Adler <[email protected]>
+
+ Frame and page lifetime fixes in WebCore::createWindow
+ https://bugs.webkit.org/show_bug.cgi?id=132089
+
+ Reviewed by Sam Weinig.
+
+ Speculative fix because I was unable to reproduce the crash that was
+ reported with the test case attached to this bug.
+
+ * loader/FrameLoader.cpp:
+ (WebCore::createWindow): Changed code to remove the assumption that calls
+ out will not destroy the page or frame. Use RefPtr for the frame, and
+ added early exits if frame->page() becomes null at any point before we
+ use a page pointer.
+
+2014-05-22 Dana Burkart <[email protected]>
+
Merge r168641
2014-05-09 Jon Honeycutt <[email protected]>
Modified: branches/safari-537.77-branch/Source/WebCore/loader/FrameLoader.cpp (169223 => 169224)
--- branches/safari-537.77-branch/Source/WebCore/loader/FrameLoader.cpp 2014-05-22 21:46:23 UTC (rev 169223)
+++ branches/safari-537.77-branch/Source/WebCore/loader/FrameLoader.cpp 2014-05-22 22:08:28 UTC (rev 169224)
@@ -3403,14 +3403,15 @@
{
ASSERT(!features.dialog || request.frameName().isEmpty());
+ created = false;
+
if (!request.frameName().isEmpty() && request.frameName() != "_blank") {
- if (Frame* frame = lookupFrame->loader()->findFrameForNavigation(request.frameName(), openerFrame->document())) {
+ if (RefPtr<Frame> frame = lookupFrame->loader()->findFrameForNavigation(request.frameName(), openerFrame->document())) {
if (request.frameName() != "_self") {
if (Page* page = frame->page())
page->chrome().focus();
}
- created = false;
- return frame;
+ return frame.release();
}
}
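Review bot: The hoisted `created = false;` is the only place the out-parameter is reset, and nothing says that every early return below now relies on it; a one-line comment would keep a later edit from reintroducing a path that returns without setting it: `// Out-parameter: reset up front so every early return below reports "no new window".` In the same hunk the `page->chrome().focus()` call is a call-out like the ones guarded later in this function, so the returned `frame` is kept alive by the RefPtr but may no longer have a page by the time the caller gets it; whether the caller re-checks `frame->page()` is outside this hunk, so that expectation is worth stating on the return. The enclosing function's signature is above the hunk.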
@@ -3418,7 +3419,7 @@
if (isDocumentSandboxed(openerFrame, SandboxPopups)) {
// FIXME: This message should be moved off the console once a solution to https://bugs.webkit.org/show_bug.cgi?id=103274 exists.
openerFrame->document()->addConsoleMessage(SecurityMessageSource, ErrorMessageLevel, "Blocked opening '" + request.resourceRequest().url().stringCenterEllipsizedToLength() + "' in a new window because the request was made in a sandboxed frame whose 'allow-popups' permission is not set.");
- return 0;
+ return nullptr;
}
// FIXME: Setting the referrer should be the caller's responsibility.
@@ -3435,14 +3436,13 @@
Page* oldPage = openerFrame->page();
if (!oldPage)
- return 0;
+ return nullptr;
- NavigationAction action(requestWithReferrer.resourceRequest());
- Page* page = oldPage->chrome().createWindow(openerFrame, requestWithReferrer, features, action);
+ Page* page = oldPage->chrome().createWindow(openerFrame, requestWithReferrer, features, NavigationAction(requestWithReferrer.resourceRequest()));
if (!page)
- return 0;
+ return nullptr;
- Frame* frame = page->mainFrame();
+ RefPtr<Frame> frame = page->mainFrame();
frame->loader()->forceSandboxFlags(openerFrame->document()->sandboxFlags());
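Review bot: `openerFrame->document()` is dereferenced on the last line of the hunk right after the call-out into `oldPage->chrome().createWindow(...)`, yet only the new frame was converted to a `RefPtr` — `openerFrame` stays a raw pointer across the same client callback the change is defending against. If that callback can tear down the opener (the caller's ownership of `openerFrame` is outside the hunk, so this is an inference), this is the same class of lifetime bug; the cheap fix is to hold it across the call, `RefPtr<Frame> protectOpener(openerFrame);` just before `createWindow`, and to bail if `openerFrame->page()` is null afterwards. Applying the sandbox flags before any further chrome call, as the hunk does, is the right order and should be kept.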
@@ -3450,9 +3450,21 @@
frame->tree()->setName(request.frameName());
page->chrome().setToolbarsVisible(features.toolBarVisible || features.locationBarVisible);
+
+ if (!frame->page())
+ return nullptr;
page->chrome().setStatusbarVisible(features.statusBarVisible);
+
+ if (!frame->page())
+ return nullptr;
page->chrome().setScrollbarsVisible(features.scrollbarsVisible);
+
+ if (!frame->page())
+ return nullptr;
page->chrome().setMenubarVisible(features.menuBarVisible);
+
+ if (!frame->page())
+ return nullptr;
page->chrome().setResizable(features.resizable);
// 'x' and 'y' specify the location of the window, while 'width' and 'height'
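Review bot: The `if (!frame->page()) return nullptr;` guard is repeated before each `page->chrome().set…` call with no explanation of why `frame->page()` is the thing being tested while `page` is the pointer being used; the invariant it relies on (the page pointer on the main frame is cleared when the page is destroyed, leaving `page` itself dangling) is not visible here and deserves a comment at the first check: `// Each chrome() call can re-enter the client; if that destroyed the new page, frame->page() is null and `page` is dangling, so check before every use.` Note also that on these early returns the page was already created by the client but the function still reports `created == false` (reset in the first hunk), so callers cannot distinguish "blocked" from "created, then torn down"; whether any caller cares is outside the hunk. The same pattern continues in the next hunk.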
@@ -3475,7 +3487,12 @@
// Ensure non-NaN values, minimum size as well as being within valid screen area.
FloatRect newWindowRect = DOMWindow::adjustWindowRect(page, windowRect);
+ if (!frame->page())
+ return nullptr;
page->chrome().setWindowRect(newWindowRect);
+
+ if (!frame->page())
+ return nullptr;
page->chrome().show();
created = true;
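Review bot: `page->chrome().show()` is a client call-out of the same kind guarded above, but it is followed directly by `created = true;` with no `frame->page()` re-check, so a page torn down inside `show()` would still be reported as created; the function's return statement is outside the hunk, so whether a detached frame is then handed back is not visible here. Either repeat the guard, `if (!frame->page()) return nullptr;` between `show()` and `created = true;`, or document on the return that callers must treat `frame->page()` as possibly null. If the guard is added, consider whether `created` should reflect that the client did open a window, since the earlier early returns leave it false.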