Title: [139358] branches/chromium/1312
- Revision
- 139358
- Author
- cev...@google.com
- Date
- 2013-01-10 13:35:41 -0800 (Thu, 10 Jan 2013)
Log Message
Merge 138926
BUG=129890
Review URL: https://codereview.chromium.org/11819065
Modified Paths
Added Paths
Diff
Copied: branches/chromium/1312/LayoutTests/fast/dom/ready-state-change-crash-expected.txt (from rev 138926, trunk/LayoutTests/fast/dom/ready-state-change-crash-expected.txt) (0 => 139358)
--- branches/chromium/1312/LayoutTests/fast/dom/ready-state-change-crash-expected.txt (rev 0)
+++ branches/chromium/1312/LayoutTests/fast/dom/ready-state-change-crash-expected.txt 2013-01-10 21:35:41 UTC (rev 139358)
@@ -0,0 +1,2 @@
+Test passes if it does not crash.
+
Copied: branches/chromium/1312/LayoutTests/fast/dom/ready-state-change-crash.html (from rev 138926, trunk/LayoutTests/fast/dom/ready-state-change-crash.html) (0 => 139358)
--- branches/chromium/1312/LayoutTests/fast/dom/ready-state-change-crash.html (rev 0)
+++ branches/chromium/1312/LayoutTests/fast/dom/ready-state-change-crash.html 2013-01-10 21:35:41 UTC (rev 139358)
@@ -0,0 +1,34 @@
+<!DOCTYPE html>
+<html>
+Test passes if it does not crash.
+<body>
+<div id="a"></div>
+<div id="b">
+<iframe id="f" src=""
+</div>
+
+<script>
+if (window.testRunner)
+ testRunner.dumpAsText();
+
+var listenerActive = false;
+var fDoc = document.getElementById('f').contentDocument;
+fDoc.open();
+
+// Waits for frame f to finish loading, then moves div b into div a.
+moveDivBIntoDivA = function() {
+ if (fDoc.readyState == 'loading') {
+ if (!listenerActive) {
+ fDoc.addEventListener('readystatechange', moveDivBIntoDivA);
+ listenerActive = true;
+ }
+ return;
+ }
+ document.getElementById('a').appendChild(document.getElementById('b'));
+};
+
+moveDivBIntoDivA();
+fDoc.close();
+</script>
+</body>
+</html>
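Review bot: The test never states which code path it guards, and two details in it could be either deliberate or accidental: the `<iframe id="f" src=""` tag is never closed with `>`, and `moveDivBIntoDivA` is assigned without `var`, so it becomes an implicit global. If the unterminated tag is needed to reproduce the crash, record that next to it, for example `<!-- iframe tag intentionally left unterminated; see BUG=129890 -->`; otherwise close the tag and declare the function with `var`. A one-line description that the `readystatechange` listener re-parents the iframe's container while the frame's parser is finishing would also help whoever has to triage a future failure.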
Modified: branches/chromium/1312/Source/WebCore/html/parser/HTMLDocumentParser.cpp (139357 => 139358)
--- branches/chromium/1312/Source/WebCore/html/parser/HTMLDocumentParser.cpp 2013-01-10 21:27:54 UTC (rev 139357)
+++ branches/chromium/1312/Source/WebCore/html/parser/HTMLDocumentParser.cpp 2013-01-10 21:35:41 UTC (rev 139358)
@@ -146,6 +146,11 @@
if (m_scriptRunner)
document()->setReadyState(Document::Interactive);
+ // Setting the ready state above can fire mutation event and detach us
+ // from underneath. In that case, just bail out.
+ if (isDetached())
+ return;
+
attemptToRunDeferredScriptsAndEnd();
}
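Review bot: The added `isDetached()` check is only safe if the parser object is still alive after `document()->setReadyState(Document::Interactive)` returns, because detached and destroyed are different states and the check dereferences `this`. The start of this function is outside the hunk, so I cannot see whether a `RefPtr<HTMLDocumentParser> protect(this);` is already held across the call; if it is not, take one before the `setReadyState` line. The new comment also says "mutation event", while the accompanying layout test triggers the detach from a `readystatechange` listener, so I would word it as `// Setting the ready state fires readystatechange; a listener can detach us.`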
Modified: branches/chromium/1312/Source/WebCore/loader/DocumentLoader.cpp (139357 => 139358)
--- branches/chromium/1312/Source/WebCore/loader/DocumentLoader.cpp 2013-01-10 21:27:54 UTC (rev 139357)
+++ branches/chromium/1312/Source/WebCore/loader/DocumentLoader.cpp 2013-01-10 21:35:41 UTC (rev 139358)
@@ -212,6 +212,9 @@
// but not loads initiated by child frames' data sources -- that's the WebFrame's job.
void DocumentLoader::stopLoading()
{
+ RefPtr<Frame> protectFrame(m_frame);
+ RefPtr<DocumentLoader> protectLoader(this);
+
// In some rare cases, calling FrameLoader::stopLoading could cause isLoading() to return false.
// (This can happen when there's a single XMLHttpRequest currently loading and stopLoading causes it
// to stop loading. Because of this, we need to save it so we don't return early.
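Review bot: The two protectors now at the top of `stopLoading()` carry no comment saying what they guard, so a later cleanup could move them back below the early part of the function, which is the ordering this merge undoes. I would add above them `// Keep the frame and this loader alive: the stop calls below can release the last reference to either.` That reason is inferred from the move itself, since the hunk does not show which call drops the reference, and the function body continues past the hunk.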
@@ -248,9 +251,6 @@
// See <rdar://problem/9673866> for more details.
if (m_isStopping)
return;
-
- RefPtr<Frame> protectFrame(m_frame);
- RefPtr<DocumentLoader> protectLoader(this);
m_isStopping = true;