Skip to site navigation (Press enter)

[webkit-changes] [139377] branches/chromium/1312

cevans Thu, 10 Jan 2013 15:16:17 -0800

Title: [139377] branches/chromium/1312

Revision: 139377
Author: cev...@google.com
Date: 2013-01-10 15:18:01 -0800 (Thu, 10 Jan 2013)

Log Message

Merge 138918
BUG=167147
Review URL: https://codereview.chromium.org/11786012


Modified Paths

branches/chromium/1312/Source/WebCore/dom/Document.cpp


Added Paths

branches/chromium/1312/LayoutTests/fast/dom/window-load-crash-expected.txt
branches/chromium/1312/LayoutTests/fast/dom/window-load-crash.html

Diff

Copied: branches/chromium/1312/LayoutTests/fast/dom/window-load-crash-expected.txt (from rev 138918, trunk/LayoutTests/fast/dom/window-load-crash-expected.txt) (0 => 139377)


--- branches/chromium/1312/LayoutTests/fast/dom/window-load-crash-expected.txt	                        (rev 0)
+++ branches/chromium/1312/LayoutTests/fast/dom/window-load-crash-expected.txt	2013-01-10 23:18:01 UTC (rev 139377)
@@ -0,0 +1,2 @@
+Blocked access to external URL http://blocked/does-not-exist.html
+Test passes if it does not crash.

Copied: branches/chromium/1312/LayoutTests/fast/dom/window-load-crash.html (from rev 138918, trunk/LayoutTests/fast/dom/window-load-crash.html) (0 => 139377)


--- branches/chromium/1312/LayoutTests/fast/dom/window-load-crash.html	                        (rev 0)
+++ branches/chromium/1312/LayoutTests/fast/dom/window-load-crash.html	2013-01-10 23:18:01 UTC (rev 139377)
@@ -0,0 +1,19 @@
+<!DOCTYPE html>
+<html>
+Test passes if it does not crash.
+<base href=""
+<script>
+if (window.testRunner) {
+    testRunner.dumpAsText();
+    testRunner.waitUntilDone();
+}
+
+function crash()
+{
+    GCController.collect();
+    if (window.testRunner)
+        testRunner.notifyDone();
+}
+</script>
+<iframe _onload_=crash() src="" srcdoc="<script>window._onload_ = function() { frames[0].document.getElementsByTagName('a')[0].click(); }</script><iframe seamless srcdoc='<a href=""
+</html>

Modified: branches/chromium/1312/Source/WebCore/dom/Document.cpp (139376 => 139377)


--- branches/chromium/1312/Source/WebCore/dom/Document.cpp	2013-01-10 23:14:33 UTC (rev 139376)
+++ branches/chromium/1312/Source/WebCore/dom/Document.cpp	2013-01-10 23:18:01 UTC (rev 139377)
@@ -2462,6 +2462,9 @@
     if (!doload)
         return;
 
+    // Call to dispatchWindowLoadEvent can blow us from underneath.
+    RefPtr<Document> protect(this);
+
     m_processingLoadEvent = true;
 
     ScriptableDocumentParser* parser = scriptableDocumentParser();

_______________________________________________
webkit-changes mailing list
webkit-changes@lists.webkit.org
http://lists.webkit.org/mailman/listinfo/webkit-changes