Modified: tags/Safari-600.1.3.3/Source/WebCore/ChangeLog (171777 => 171778)
--- tags/Safari-600.1.3.3/Source/WebCore/ChangeLog 2014-07-29 23:08:47 UTC (rev 171777)
+++ tags/Safari-600.1.3.3/Source/WebCore/ChangeLog 2014-07-29 23:16:18 UTC (rev 171778)
@@ -1,3 +1,47 @@
+2014-07-29 Babak Shafiei <[email protected]>
+
+ Merge r171647.
+
+ 2014-07-26 Timothy Horton <[email protected]>
+
+ Crash in Web Content Process under ~PDFDocument under clearTouchEventListeners at topDocument()
+ https://bugs.webkit.org/show_bug.cgi?id=135319
+ <rdar://problem/17315168>
+
+ Reviewed by Darin Adler and Antti Koivisto.
+
+ * dom/Document.h:
+ * dom/Document.cpp:
+ (WebCore::Document::Document):
+ (WebCore::Document::prepareForDestruction):
+ Add a flag on Document, m_hasPreparedForDestruction, which ensures
+ that each Document only goes through prepareForDestruction() once.
+ prepareForDestruction() can be called a number of times during teardown,
+ but it's only necessary to actually execute it once.
+
+ This was previously achieved by virtue of all callers of prepareForDestruction()
+ first checking hasLivingRenderTree, and prepareForDestruction() tearing down
+ the render tree, but that meant that prepareForDestruction() was not called
+ for Documents who never had a render tree in the first place.
+
+ The only part of prepareForDestruction() that is now predicated on hasLivingRenderTree()
+ is the call to destroyRenderTree(); the rest of the function has the potential to be relevant
+ for non-rendered placeholder documents and can safely deal with them in other ways.
+
+ It is important to call prepareForDestruction() on non-rendered placeholder documents
+ because some of the cleanup (like disconnectFromFrame()) is critical to safe destruction.
+
+ * loader/FrameLoader.cpp:
+ (WebCore::FrameLoader::clear):
+ Call prepareForDestruction() even if we don't have a living render tree.
+ For the sake of minimizing change, removeFocusedNodeOfSubtree still
+ depends on having a living render tree before calling prepareForDestruction().
+
+ * page/Frame.cpp:
+ (WebCore::Frame::setView):
+ (WebCore::Frame::setDocument):
+ Call prepareForDestruction() even if we don't have a living render tree.
+
2014-07-25 Matthew Hanson <[email protected]>
Merge r171632. <rdar://problem/17817223>
Modified: tags/Safari-600.1.3.3/Source/WebCore/dom/Document.cpp (171777 => 171778)
--- tags/Safari-600.1.3.3/Source/WebCore/dom/Document.cpp 2014-07-29 23:08:47 UTC (rev 171777)
+++ tags/Safari-600.1.3.3/Source/WebCore/dom/Document.cpp 2014-07-29 23:16:18 UTC (rev 171778)
@@ -515,6 +515,7 @@
, m_disabledFieldsetElementsCount(0)
, m_hasInjectedPlugInsScript(false)
, m_renderTreeBeingDestroyed(false)
+ , m_hasPreparedForDestruction(false)
, m_hasStyleWithViewportUnits(false)
{
allDocuments().add(this);
@@ -2047,6 +2048,9 @@
void Document::prepareForDestruction()
{
+ if (m_hasPreparedForDestruction)
+ return;
+
#if ENABLE(TOUCH_EVENTS) && PLATFORM(IOS)
clearTouchEventListeners();
#endif
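Review bot: The early return added at the top of Document::prepareForDestruction() only stops a second call made after the first one has run to completion, because m_hasPreparedForDestruction is assigned on the function's last line (the later hunk ending at `m_hasPreparedForDestruction = true;` just before the closing brace) rather than at entry. If any of the teardown steps between the check and that assignment can call back into this document — the DOMWindow detach at `m_domWindow->willDetachDocumentFromFrame()` and the frame disconnect at `disconnectFromFrame()` look like candidates, though whether they re-enter cannot be confirmed from this diff — the body is executed twice despite the flag, which is exactly the double-teardown the ChangeLog says the flag exists to prevent. Moving the assignment up so it directly follows the guard, `if (m_hasPreparedForDestruction) return; m_hasPreparedForDestruction = true;`, makes the function idempotent under re-entry as well, and the trailing assignment in the last hunk can then be dropped. The function body continues past the end of this hunk.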
@@ -2055,7 +2059,8 @@
if (m_domWindow && m_frame)
m_domWindow->willDetachDocumentFromFrame();
- destroyRenderTree();
+ if (hasLivingRenderTree())
+ destroyRenderTree();
if (isPluginDocument())
toPluginDocument(this)->detachFromPluginElement();
@@ -2087,6 +2092,8 @@
m_mediaQueryMatcher->documentDestroyed();
disconnectFromFrame();
+
+ m_hasPreparedForDestruction = true;
}
void Document::removeAllEventListeners()
Modified: tags/Safari-600.1.3.3/Source/WebCore/dom/Document.h (171777 => 171778)
--- tags/Safari-600.1.3.3/Source/WebCore/dom/Document.h 2014-07-29 23:08:47 UTC (rev 171777)
+++ tags/Safari-600.1.3.3/Source/WebCore/dom/Document.h 2014-07-29 23:16:18 UTC (rev 171778)
@@ -1695,6 +1695,7 @@
bool m_hasInjectedPlugInsScript;
bool m_renderTreeBeingDestroyed;
+ bool m_hasPreparedForDestruction;
bool m_hasStyleWithViewportUnits;
};
Modified: tags/Safari-600.1.3.3/Source/WebCore/loader/FrameLoader.cpp (171777 => 171778)
--- tags/Safari-600.1.3.3/Source/WebCore/loader/FrameLoader.cpp 2014-07-29 23:08:47 UTC (rev 171777)
+++ tags/Safari-600.1.3.3/Source/WebCore/loader/FrameLoader.cpp 2014-07-29 23:16:18 UTC (rev 171778)
@@ -613,10 +613,10 @@
if (!m_frame.document()->inPageCache()) {
m_frame.document()->cancelParsing();
m_frame.document()->stopActiveDOMObjects();
- if (m_frame.document()->hasLivingRenderTree()) {
- m_frame.document()->prepareForDestruction();
+ bool hadLivingRenderTree = m_frame.document()->hasLivingRenderTree();
+ m_frame.document()->prepareForDestruction();
+ if (hadLivingRenderTree)
m_frame.document()->removeFocusedNodeOfSubtree(m_frame.document());
- }
}
// Do this after detaching the document so that the unload event works.
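Review bot: The new local `hadLivingRenderTree` is read before prepareForDestruction() because that call now destroys the render tree (the `if (hasLivingRenderTree()) destroyRenderTree();` change in Document.cpp), so a post-call hasLivingRenderTree() check would always be false; nothing in the code says this, and the reason the removeFocusedNodeOfSubtree gating is kept at all is recorded only in the ChangeLog. A comment above the new local, `// Snapshot before prepareForDestruction(), which tears down the render tree; removeFocusedNodeOfSubtree is deliberately still limited to documents that had one.`, would carry that reasoning into the file. The enclosing FrameLoader::clear() starts and ends outside this hunk.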
Modified: tags/Safari-600.1.3.3/Source/WebCore/page/Frame.cpp (171777 => 171778)
--- tags/Safari-600.1.3.3/Source/WebCore/page/Frame.cpp 2014-07-29 23:08:47 UTC (rev 171777)
+++ tags/Safari-600.1.3.3/Source/WebCore/page/Frame.cpp 2014-07-29 23:16:18 UTC (rev 171778)
@@ -251,7 +251,7 @@
// Prepare for destruction now, so any unload event handlers get run and the DOMWindow is
// notified. If we wait until the view is destroyed, then things won't be hooked up enough for
// these calls to work.
- if (!view && m_doc && m_doc->hasLivingRenderTree() && !m_doc->inPageCache())
+ if (!view && m_doc && !m_doc->inPageCache())
m_doc->prepareForDestruction();
if (m_view)
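Review bot: The comment above the changed condition still describes only the unload/DOMWindow reason for calling prepareForDestruction() here, but after this hunk (and the matching one in Frame::setDocument below) the call is also made for documents that never had a render tree and for documents on which FrameLoader::clear() may already have run it; what makes that safe is the new m_hasPreparedForDestruction guard in Document.cpp, which this comment does not mention. Extending the comment with `// prepareForDestruction() is idempotent, so it is safe to call even if FrameLoader::clear() already did so or the document never had a render tree.` records the assumption the condition now relies on. Frame::setView starts before this hunk.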
@@ -271,7 +271,7 @@
{
ASSERT(!newDocument || newDocument->frame() == this);
- if (m_doc && m_doc->hasLivingRenderTree() && !m_doc->inPageCache())
+ if (m_doc && !m_doc->inPageCache())
m_doc->prepareForDestruction();
m_doc = newDocument.get();
Modified: tags/Safari-600.1.3.3/Source/WebKit2/ChangeLog (171777 => 171778)
--- tags/Safari-600.1.3.3/Source/WebKit2/ChangeLog 2014-07-29 23:08:47 UTC (rev 171777)
+++ tags/Safari-600.1.3.3/Source/WebKit2/ChangeLog 2014-07-29 23:16:18 UTC (rev 171778)
@@ -1,3 +1,27 @@
+2014-07-29 Babak Shafiei <[email protected]>
+
+ Merge r171647.
+
+ 2014-07-26 Timothy Horton <[email protected]>
+
+ Crash in Web Content Process under ~PDFDocument under clearTouchEventListeners at topDocument()
+ https://bugs.webkit.org/show_bug.cgi?id=135319
+ <rdar://problem/17315168>
+
+ Reviewed by Darin Adler and Antti Koivisto.
+
+ * WebProcess/WebCoreSupport/WebFrameLoaderClient.cpp:
+ (WebKit::WebFrameLoaderClient::committedLoad):
+ Allow data through to WebCore for frames with custom content providers;
+ the only custom content provider currently implemented is main frame PDF
+ on iOS, which will end up creating a PDFDocument in WebCore, which drops all
+ data on the floor immediately, so this won't result in WebCore doing anything
+ with the data, but makes sure that more of the normal document lifecycle is maintained.
+
+ In the future, we might want to consider ensuring that all custom content providers
+ end up creating a SinkDocument or something similarly generic to ensure that
+ WebCore doesn't try to do anything with their data, but for now, the only client is covered.
+
2014-07-28 Matthew Hanson <[email protected]>
Merge r171635. <rdar://problem/17782407>
Modified: tags/Safari-600.1.3.3/Source/WebKit2/WebProcess/WebCoreSupport/WebFrameLoaderClient.cpp (171777 => 171778)
--- tags/Safari-600.1.3.3/Source/WebKit2/WebProcess/WebCoreSupport/WebFrameLoaderClient.cpp 2014-07-29 23:08:47 UTC (rev 171777)
+++ tags/Safari-600.1.3.3/Source/WebKit2/WebProcess/WebCoreSupport/WebFrameLoaderClient.cpp 2014-07-29 23:16:18 UTC (rev 171778)
@@ -887,10 +887,6 @@
void WebFrameLoaderClient::committedLoad(DocumentLoader* loader, const char* data, int length)
{
- // If we're loading a custom representation, we don't want to hand off the data to WebCore.
- if (m_frameHasCustomContentProvider)
- return;
-
if (!m_pluginView)
loader->commitData(data, length);