Modified: trunk/LayoutTests/ChangeLog (144858 => 144859)
--- trunk/LayoutTests/ChangeLog 2013-03-06 01:47:47 UTC (rev 144858)
+++ trunk/LayoutTests/ChangeLog 2013-03-06 02:11:03 UTC (rev 144859)
@@ -1,3 +1,14 @@
+2013-03-05 Aaron Colwell <acolw...@chromium.org>
+
+ Heap-use-after-free in WebCore::HTMLMediaElement::~HTMLMediaElement
+ https://bugs.webkit.org/show_bug.cgi?id=110623
+
+ Reviewed by Eric Seidel.
+
+ * http/tests/misc/delete-frame-during-readystatechange-with-gc-after-video-removal-expected.txt: Added.
+ * http/tests/misc/delete-frame-during-readystatechange-with-gc-after-video-removal.html: Added.
+ * http/tests/misc/resources/delete-frame-during-readystatechange-frame-with-gc-after-video-removal.html: Added.
+
2013-03-05 Chris Fleizach <cfleiz...@apple.com>
AX: Support aria-posinset/setsize
Added: trunk/LayoutTests/http/tests/misc/delete-frame-during-readystatechange-with-gc-after-video-removal-expected.txt (0 => 144859)
--- trunk/LayoutTests/http/tests/misc/delete-frame-during-readystatechange-with-gc-after-video-removal-expected.txt (rev 0)
+++ trunk/LayoutTests/http/tests/misc/delete-frame-during-readystatechange-with-gc-after-video-removal-expected.txt 2013-03-06 02:11:03 UTC (rev 144859)
@@ -0,0 +1 @@
+Test deleting a subframe from within its readystatechange event and garbage collecting right after removing the video element from the document. We pass if we don't crash.
Added: trunk/LayoutTests/http/tests/misc/delete-frame-during-readystatechange-with-gc-after-video-removal.html (0 => 144859)
--- trunk/LayoutTests/http/tests/misc/delete-frame-during-readystatechange-with-gc-after-video-removal.html (rev 0)
+++ trunk/LayoutTests/http/tests/misc/delete-frame-during-readystatechange-with-gc-after-video-removal.html 2013-03-06 02:11:03 UTC (rev 144859)
@@ -0,0 +1,15 @@
+<script>
+if (window.testRunner) {
+ testRunner.dumpAsText();
+ testRunner.waitUntilDone();
+}
+
+function r()
+{
+ document.body.removeChild(document.getElementById("f"));
+ setTimeout(function() { testRunner.notifyDone();}, 0);
+}
+</script>
+Test deleting a subframe from within its readystatechange event and garbage collecting right after removing the video element from the document.
+We pass if we don't crash.
+<iframe id="f" src=""
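Review bot: The `testRunner.notifyDone()` call inside the timeout in `r()` is not guarded the way the calls at the top of the script are, so loading this page outside the test harness throws a ReferenceError once the frame has been removed; `setTimeout(function() { if (window.testRunner) testRunner.notifyDone(); }, 0);` keeps the page usable for manual reproduction. The same harness assumption applies to `window.gc()` in the resources/ frame added in this commit, where a `window.gc` guard would let the page degrade to a plain no-crash check. The iframe's `src` shows as empty in this rendering and the tag is cut off, presumably an artifact of how the diff was captured rather than the committed content, but it is worth confirming it points at the resources/ frame file.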
Added: trunk/LayoutTests/http/tests/misc/resources/delete-frame-during-readystatechange-frame-with-gc-after-video-removal.html (0 => 144859)
--- trunk/LayoutTests/http/tests/misc/resources/delete-frame-during-readystatechange-frame-with-gc-after-video-removal.html (rev 0)
+++ trunk/LayoutTests/http/tests/misc/resources/delete-frame-during-readystatechange-frame-with-gc-after-video-removal.html 2013-03-06 02:11:03 UTC (rev 144859)
@@ -0,0 +1,22 @@
+<html>
+<head>
+<script>
+i = 0;
+document.addEventListener('readystatechange', function() {
+ if (i == 1)
+ parent.r();
+ i++;
+});
+
+window.addEventListener('DOMContentLoaded', function() {
+ document.getElementById("v").load();
+ document.body.removeChild(document.getElementById("v"));
+ window.gc();
+});
+
+</script>
+</head>
+<body>
+<video id=v src=""
+</body>
+</html>
Modified: trunk/Source/WebCore/ChangeLog (144858 => 144859)
--- trunk/Source/WebCore/ChangeLog 2013-03-06 01:47:47 UTC (rev 144858)
+++ trunk/Source/WebCore/ChangeLog 2013-03-06 02:11:03 UTC (rev 144859)
@@ -1,3 +1,19 @@
+2013-03-05 Aaron Colwell <acolw...@chromium.org>
+
+ Heap-use-after-free in WebCore::HTMLMediaElement::~HTMLMediaElement
+ https://bugs.webkit.org/show_bug.cgi?id=110623
+
+ Reviewed by Eric Seidel.
+
+ Test: http/tests/misc/delete-frame-during-readystatechange-with-gc-after-video-removal.html
+
+ * html/HTMLAudioElement.h:
+ (HTMLAudioElement):
+ * html/HTMLAudioElement.idl:
+ * html/HTMLMediaElement.cpp:
+ (WebCore::HTMLMediaElement::hasPendingActivity):
+ * html/HTMLMediaElement.idl:
+
2013-03-05 Chris Fleizach <cfleiz...@apple.com>
AX: Support aria-posinset/setsize
Modified: trunk/Source/WebCore/html/HTMLAudioElement.h (144858 => 144859)
--- trunk/Source/WebCore/html/HTMLAudioElement.h 2013-03-06 01:47:47 UTC (rev 144858)
+++ trunk/Source/WebCore/html/HTMLAudioElement.h 2013-03-06 02:11:03 UTC (rev 144859)
@@ -39,8 +39,6 @@
static PassRefPtr<HTMLAudioElement> create(const QualifiedName&, Document*, bool);
static PassRefPtr<HTMLAudioElement> createForJSConstructor(Document*, const String& src);
- virtual bool hasPendingActivity() const { return isPlaying() || HTMLMediaElement::hasPendingActivity(); }
-
virtual bool isActiveNode() const { return true; }
private:
Modified: trunk/Source/WebCore/html/HTMLAudioElement.idl (144858 => 144859)
--- trunk/Source/WebCore/html/HTMLAudioElement.idl 2013-03-06 01:47:47 UTC (rev 144858)
+++ trunk/Source/WebCore/html/HTMLAudioElement.idl 2013-03-06 02:11:03 UTC (rev 144859)
@@ -24,7 +24,6 @@
*/
[
- ActiveDOMObject,
Conditional=VIDEO,
NamedConstructor=Audio(in [Optional=DefaultIsNullString] DOMString src)
] interface HTMLAudioElement : HTMLMediaElement {
Modified: trunk/Source/WebCore/html/HTMLMediaElement.cpp (144858 => 144859)
--- trunk/Source/WebCore/html/HTMLMediaElement.cpp 2013-03-06 01:47:47 UTC (rev 144858)
+++ trunk/Source/WebCore/html/HTMLMediaElement.cpp 2013-03-06 02:11:03 UTC (rev 144859)
@@ -3957,7 +3957,7 @@
bool HTMLMediaElement::hasPendingActivity() const
{
- return m_asyncEventQueue->hasPendingEvents();
+ return (hasAudio() && isPlaying()) || m_asyncEventQueue->hasPendingEvents();
}
void HTMLMediaElement::mediaVolumeDidChange()
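Review bot: The new `hasAudio() && isPlaying()` term is narrower than the bare `isPlaying()` check it replaces from HTMLAudioElement::hasPendingActivity, so a playing element for which hasAudio() is false no longer counts as pending activity once its wrapper becomes collectable; whether that can happen during playback (video-only sources, or before track information is known) is not visible here and should be confirmed against hasAudio()'s definition. Because the IDL change makes every HTMLMediaElement subclass an ActiveDOMObject, this predicate is now the single thing standing between a queued async event and a collected target, which is the use-after-free the ChangeLog describes, so the intent deserves a comment above the return: `// Keep this element (and its wrapper) alive while audible playback continues or while async events are still queued for it; collecting it earlier leaves the queue with a dangling target.`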
Modified: trunk/Source/WebCore/html/HTMLMediaElement.idl (144858 => 144859)
--- trunk/Source/WebCore/html/HTMLMediaElement.idl 2013-03-06 01:47:47 UTC (rev 144858)
+++ trunk/Source/WebCore/html/HTMLMediaElement.idl 2013-03-06 02:11:03 UTC (rev 144859)
@@ -25,7 +25,8 @@
[
Conditional=VIDEO,
- JSGenerateToNativeObject
+ JSGenerateToNativeObject,
+ ActiveDOMObject
] interface HTMLMediaElement : HTMLElement {
// error state