Title: [88814] branches/chromium/742
- Revision
- 88814
- Author
- [email protected]
- Date
- 2011-06-14 09:59:24 -0700 (Tue, 14 Jun 2011)
Log Message
Merge 87959
BUG=84946
Review URL: http://codereview.chromium.org/7158003
Modified Paths
Added Paths
Diff
Copied: branches/chromium/742/LayoutTests/webarchive/loading/_javascript_-url-iframe-crash-expected.txt (from rev 87959, trunk/LayoutTests/webarchive/loading/_javascript_-url-iframe-crash-expected.txt) (0 => 88814)
--- branches/chromium/742/LayoutTests/webarchive/loading/_javascript_-url-iframe-crash-expected.txt (rev 0)
+++ branches/chromium/742/LayoutTests/webarchive/loading/_javascript_-url-iframe-crash-expected.txt 2011-06-14 16:59:24 UTC (rev 88814)
@@ -0,0 +1,17 @@
+main frame - didStartProvisionalLoadForFrame
+main frame - didCommitLoadForFrame
+main frame - willPerformClientRedirectToURL: resources/_javascript_-url-iframe-crash.webarchive
+main frame - didFinishDocumentLoadForFrame
+main frame - didFinishLoadForFrame
+main frame - didStartProvisionalLoadForFrame
+main frame - didCancelClientRedirectForFrame
+main frame - didCommitLoadForFrame
+frame "<!--framePath //<!--frame0-->-->" - didStartProvisionalLoadForFrame
+frame "<!--framePath //<!--frame0-->-->" - didFailProvisionalLoadWithError
+frame "<!--framePath //<!--frame0-->-->" - didFinishDocumentLoadForFrame
+frame "<!--framePath //<!--frame0-->-->" - didHandleOnloadEventsForFrame
+main frame - didFinishDocumentLoadForFrame
+main frame - didHandleOnloadEventsForFrame
+main frame - didFinishLoadForFrame
+Loading this webarchive with a "non-empty _javascript_ URL iframe" should not crash.
+
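Review bot: This expectation pins the full frame-load-delegate callback sequence (down to didCancelClientRedirectForFrame and the iframe's didFailProvisionalLoadWithError) rather than just the "should not crash" condition stated on the last line, so any unrelated change to client-redirect or iframe loading order will require a rebaseline of this file even though the crash regression it guards is a loader lifetime bug. If the exact ordering is not the thing being tested, consider keeping the dump minimal so the test only fails for the behaviour it is meant to catch.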
Copied: branches/chromium/742/LayoutTests/webarchive/loading/_javascript_-url-iframe-crash.html (from rev 87959, trunk/LayoutTests/webarchive/loading/_javascript_-url-iframe-crash.html) (0 => 88814)
--- branches/chromium/742/LayoutTests/webarchive/loading/_javascript_-url-iframe-crash.html (rev 0)
+++ branches/chromium/742/LayoutTests/webarchive/loading/_javascript_-url-iframe-crash.html 2011-06-14 16:59:24 UTC (rev 88814)
@@ -0,0 +1,10 @@
+<html>
+<script>
+ if (window.layoutTestController) {
+ layoutTestController.dumpAsText();
+ layoutTestController.waitUntilDone();
+ }
+
+ window.location="resources/_javascript_-url-iframe-crash.webarchive";
+</script>
+</html>
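Review bot: waitUntilDone() is called at line `+ layoutTestController.waitUntilDone();` but no matching notifyDone() appears in this file; since the main frame then navigates away to the binary webarchive, the call to notifyDone() must come from the document embedded in the webarchive, and that is not visible in the review. A one-line comment above `window.location=` noting where notifyDone() is invoked would make the test self-documenting and would explain a timeout to anyone who later edits the archive. Also, the spacing in `window.location="..."` does not follow the usual `window.location = "..."` style used elsewhere in LayoutTests.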
Copied: branches/chromium/742/LayoutTests/webarchive/loading/resources/_javascript_-url-iframe-crash.webarchive (from rev 87959, trunk/LayoutTests/webarchive/loading/resources/_javascript_-url-iframe-crash.webarchive)
(Binary files differ)
Modified: branches/chromium/742/Source/WebCore/bindings/ScriptControllerBase.cpp (88813 => 88814)
--- branches/chromium/742/Source/WebCore/bindings/ScriptControllerBase.cpp 2011-06-14 16:48:13 UTC (rev 88813)
+++ branches/chromium/742/Source/WebCore/bindings/ScriptControllerBase.cpp 2011-06-14 16:59:24 UTC (rev 88814)
@@ -110,7 +110,10 @@
if (shouldReplaceDocumentIfJavaScriptURL == ReplaceDocumentIfJavaScriptURL) {
// We're still in a frame, so there should be a DocumentLoader.
ASSERT(m_frame->document()->loader());
- if (DocumentLoader* loader = m_frame->document()->loader())
+
+ // DocumentWriter::replaceDocument can cause the DocumentLoader to get deref'ed and possible destroyed,
+ // so protect it with a RefPtr.
+ if (RefPtr<DocumentLoader> loader = m_frame->document()->loader())
loader->writer()->replaceDocument(scriptResult);
}
return true;
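Review bot: The RefPtr is the right fix for the lifetime problem, since `loader->writer()->replaceDocument(scriptResult)` can tear down the current DocumentLoader while this function still holds a raw pointer to it, but the new comment has a typo: "possible destroyed" should read "possibly destroyed". Note also that the `ASSERT(m_frame->document()->loader())` immediately above is debug-only, so the `if (RefPtr<DocumentLoader> loader = ...)` null check is still the only guard in release builds; a short note saying the two are intentionally redundant would save the next reader from removing one of them.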
_______________________________________________
webkit-changes mailing list
[email protected]
http://lists.webkit.org/mailman/listinfo.cgi/webkit-changes