Title: [135303] trunk
Revision: 135303
Author: infe...@chromium.org
Date: 2012-11-20 11:46:29 -0800 (Tue, 20 Nov 2012)
Log Message
Crash in FrameLoader::stopLoading.
https://bugs.webkit.org/show_bug.cgi?id=99504
Reviewed by Nate Chapin.
Source/WebCore:
Frame can be blown away in unload event handler. Need
to protect it with a RefPtr.
Test: fast/frames/frame-unload-crash2.html
* loader/FrameLoader.cpp:
(WebCore::FrameLoader::commitProvisionalLoad):
LayoutTests:
* fast/frames/frame-unload-crash2-expected.txt: Added.
* fast/frames/frame-unload-crash2.html: Added.
Diff
Modified: trunk/LayoutTests/ChangeLog (135302 => 135303)
--- trunk/LayoutTests/ChangeLog 2012-11-20 19:29:54 UTC (rev 135302)
+++ trunk/LayoutTests/ChangeLog 2012-11-20 19:46:29 UTC (rev 135303)
@@ -1,3 +1,13 @@
+2012-11-20 Abhishek Arya <infe...@chromium.org>
+
+ Crash in FrameLoader::stopLoading.
+ https://bugs.webkit.org/show_bug.cgi?id=99504
+
+ Reviewed by Nate Chapin.
+
+ * fast/frames/frame-unload-crash2-expected.txt: Added.
+ * fast/frames/frame-unload-crash2.html: Added.
+
2012-11-20 Tom Sepez <tse...@chromium.org>
XSSAuditor::decodedSnippetForJavaScript stopping when comma encountered.
Added: trunk/LayoutTests/fast/frames/frame-unload-crash2-expected.txt (0 => 135303)
--- trunk/LayoutTests/fast/frames/frame-unload-crash2-expected.txt (rev 0)
+++ trunk/LayoutTests/fast/frames/frame-unload-crash2-expected.txt 2012-11-20 19:46:29 UTC (rev 135303)
@@ -0,0 +1 @@
+PASS. WebKit didn't crash.
Added: trunk/LayoutTests/fast/frames/frame-unload-crash2.html (0 => 135303)
--- trunk/LayoutTests/fast/frames/frame-unload-crash2.html (rev 0)
+++ trunk/LayoutTests/fast/frames/frame-unload-crash2.html 2012-11-20 19:46:29 UTC (rev 135303)
@@ -0,0 +1,23 @@
+<!DOCTYPE html>
+<html>
+<iframe srcdoc=""></iframe>
+<script>
+if (window.testRunner) {
+ testRunner.waitUntilDone();
+ testRunner.dumpAsText();
+}
+
+function finish() {
+ if (window.testRunner)
+ testRunner.notifyDone();
+}
+
+frames[0]._onunload_ = function () {
+ document.open();
+ document.write("PASS. WebKit didn't crash.");
+ document.close();
+
+ setTimeout("finish()", 0);
+};
+</script>
+</html>
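Review bot: In the handler assignment, the line as shown reads `frames[0]._onunload_ = function ()`, which sets a plain property named `_onunload_` rather than the iframe's `onunload` handler. If that is what was committed, the callback never runs, `finish()` is never reached after `testRunner.waitUntilDone()`, and the test times out instead of exercising the crash path; it should read `frames[0].onunload`. Nothing in the script navigates the iframe explicitly, so a one-line comment saying what fires the unload event would help the next reader. The svn:executable property recorded for this file is also not needed on an HTML test.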
Property changes on: trunk/LayoutTests/fast/frames/frame-unload-crash2.html
___________________________________________________________________
Added: svn:executable
Modified: trunk/Source/WebCore/ChangeLog (135302 => 135303)
--- trunk/Source/WebCore/ChangeLog 2012-11-20 19:29:54 UTC (rev 135302)
+++ trunk/Source/WebCore/ChangeLog 2012-11-20 19:46:29 UTC (rev 135303)
@@ -1,3 +1,18 @@
+2012-11-20 Abhishek Arya <infe...@chromium.org>
+
+ Crash in FrameLoader::stopLoading.
+ https://bugs.webkit.org/show_bug.cgi?id=99504
+
+ Reviewed by Nate Chapin.
+
+ Frame can be blown away in unload event handler. Need
+ to protect it with a RefPtr.
+
+ Test: fast/frames/frame-unload-crash2.html
+
+ * loader/FrameLoader.cpp:
+ (WebCore::FrameLoader::commitProvisionalLoad):
+
2012-11-20 Dirk Schulze <k...@webkit.org>
Remove unnecessary FilterOperations header from RenderBoxModelObject
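Review bot: The entry is titled as a crash in FrameLoader::stopLoading, but the only function listed is commitProvisionalLoad, and nothing is written under it. Add a line beneath the function entry stating how the RefPtr taken in commitProvisionalLoad covers the stopLoading crash, so the ChangeLog explains why the fix sits in a different function from the one named in the title.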
Modified: trunk/Source/WebCore/loader/FrameLoader.cpp (135302 => 135303)
--- trunk/Source/WebCore/loader/FrameLoader.cpp 2012-11-20 19:29:54 UTC (rev 135302)
+++ trunk/Source/WebCore/loader/FrameLoader.cpp 2012-11-20 19:46:29 UTC (rev 135303)
@@ -1668,6 +1668,7 @@
{
RefPtr<CachedPage> cachedPage = m_loadingFromCachedPage ? pageCache()->get(history()->provisionalItem()) : 0;
RefPtr<DocumentLoader> pdl = m_provisionalDocumentLoader;
+ RefPtr<Frame> protect(m_frame);
LOG(PageCache, "WebCoreLoading %s: About to commit provisional load from previous URL '%s' to new URL '%s'", m_frame->tree()->uniqueName().string().utf8().data(),
m_frame->document() ? m_frame->document()->url().string().utf8().data() : "",
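Review bot: The added `RefPtr<Frame> protect(m_frame);` in commitProvisionalLoad has no comment saying what it guards against, so a later reader could take it for an unused local and remove it. Add a short comment that the unload event handler run during this commit can release the last reference to the frame. Holding the reference only keeps the Frame object alive; the lines shown do not reveal whether the rest of the function copes with a frame that script has already detached, so that path is worth checking as well.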