Title: [169866] trunk
- Revision
- 169866
- Author
- [email protected]
- Date
- 2014-06-11 17:30:22 -0700 (Wed, 11 Jun 2014)
Log Message
editing/selection/selection-in-iframe-removed-crash.html or selection-invalid-offset.html crashes intermittently
https://bugs.webkit.org/show_bug.cgi?id=111521
<rdar://problem/15159351>
Reviewed by Brady Eidson.
Source/WebCore:
Covered by existing tests.
* loader/DocumentLoader.cpp: (WebCore::DocumentLoader::commitData): Bail out if the
load was canceled from under receivedFirstData(). Since this is where we commit the
load, there are ample opportunities for scripts or clients to do anything.
LayoutTests:
* platform/mac/TestExpectations: Removed expectations for the tests.
Modified Paths
Diff
Modified: trunk/LayoutTests/ChangeLog (169865 => 169866)
--- trunk/LayoutTests/ChangeLog 2014-06-12 00:30:18 UTC (rev 169865)
+++ trunk/LayoutTests/ChangeLog 2014-06-12 00:30:22 UTC (rev 169866)
@@ -1,3 +1,13 @@
+2014-06-11 Alexey Proskuryakov <[email protected]>
+
+ editing/selection/selection-in-iframe-removed-crash.html or selection-invalid-offset.html crashes intermittently
+ https://bugs.webkit.org/show_bug.cgi?id=111521
+ <rdar://problem/15159351>
+
+ Reviewed by Brady Eidson.
+
+ * platform/mac/TestExpectations: Removed expectations for the tests.
+
2014-06-11 Zalan Bujtas <[email protected]>
Subpixel rendering: RenderBox's content clipping should clip on device pixel boundary.
Modified: trunk/LayoutTests/platform/mac/TestExpectations (169865 => 169866)
--- trunk/LayoutTests/platform/mac/TestExpectations 2014-06-12 00:30:18 UTC (rev 169865)
+++ trunk/LayoutTests/platform/mac/TestExpectations 2014-06-12 00:30:22 UTC (rev 169866)
@@ -989,9 +989,6 @@
# Need support for ResourceHandle::didChangePriority and DRT support
webkit.org/b/111016 http/tests/loading/promote-img-preload-priority.html [ Failure ]
-webkit.org/b/111521 editing/selection/selection-invalid-offset.html [ Crash Pass ]
-webkit.org/b/111521 editing/selection/selection-in-iframe-removed-crash.html [ Crash Pass ]
-
webkit.org/b/110546 [ Debug ] fast/parser/document-write-fighting-eof.html [ Skip ]
webkit.org/b/110546 [ Debug ] fast/parser/document-write-partial-entity-before-load.html [ Skip ]
Modified: trunk/Source/WebCore/ChangeLog (169865 => 169866)
--- trunk/Source/WebCore/ChangeLog 2014-06-12 00:30:18 UTC (rev 169865)
+++ trunk/Source/WebCore/ChangeLog 2014-06-12 00:30:22 UTC (rev 169866)
@@ -1,3 +1,17 @@
+2014-06-11 Alexey Proskuryakov <[email protected]>
+
+ editing/selection/selection-in-iframe-removed-crash.html or selection-invalid-offset.html crashes intermittently
+ https://bugs.webkit.org/show_bug.cgi?id=111521
+ <rdar://problem/15159351>
+
+ Reviewed by Brady Eidson.
+
+ Covered by existing tests.
+
+ * loader/DocumentLoader.cpp: (WebCore::DocumentLoader::commitData): Bail out if the
+ load was canceled from under receivedFirstData(). Since this is where we commit the
+ load, there are ample opportunities for scripts or clients to do anything.
+
2014-06-11 Zalan Bujtas <[email protected]>
Subpixel rendering: RenderBox's content clipping should clip on device pixel boundary.
Modified: trunk/Source/WebCore/loader/DocumentLoader.cpp (169865 => 169866)
--- trunk/Source/WebCore/loader/DocumentLoader.cpp 2014-06-12 00:30:18 UTC (rev 169865)
+++ trunk/Source/WebCore/loader/DocumentLoader.cpp 2014-06-12 00:30:22 UTC (rev 169866)
@@ -812,6 +812,10 @@
if (!isMultipartReplacingLoad())
frameLoader()->receivedFirstData();
+ // The load could be canceled under receivedFirstData(), which makes delegate calls and even sometimes dispatches DOM events.
+ if (!isLoading())
+ return;
+
bool userChosen;
String encoding;
#if USE(CONTENT_FILTERING)
_______________________________________________
webkit-changes mailing list
[email protected]
https://lists.webkit.org/mailman/listinfo/webkit-changes
