[webkit-changes] [107023] trunk

Tue, 07 Feb 2012 18:21:14 -0800

Title: [107023] trunk
Revision
107023
Author
commit-qu...@webkit.org
Date
2012-02-07 18:21:04 -0800 (Tue, 07 Feb 2012)

Log Message

Resolve crash in FrameLoader::checkTimerFired.
https://bugs.webkit.org/show_bug.cgi?id=77907

Patch by Chris Palmer <pal...@google.com> on 2012-02-07
Reviewed by Eric Seidel.

Source/WebCore:

Test is LayoutTests/http/tests/appcache/deferred-events-delete-while-raising-timer.html.

* loader/FrameLoader.cpp:
(WebCore::FrameLoader::checkTimerFired):

LayoutTests:

* http/tests/appcache/deferred-events-delete-while-raising-timer-expected.txt: Added.
* http/tests/appcache/deferred-events-delete-while-raising-timer.html: Added.
* http/tests/appcache/resources/deferred-events-delete-while-raising-timer-1.html: Added.
* http/tests/appcache/resources/deferred-events-delete-while-raising-timer-2.html: Added.

Modified Paths

Added Paths

Diff

Modified: trunk/LayoutTests/ChangeLog (107022 => 107023)


--- trunk/LayoutTests/ChangeLog	2012-02-08 02:06:08 UTC (rev 107022)
+++ trunk/LayoutTests/ChangeLog	2012-02-08 02:21:04 UTC (rev 107023)
@@ -1,3 +1,15 @@
+2012-02-07  Chris Palmer  <pal...@google.com>
+
+        Resolve crash in FrameLoader::checkTimerFired.
+        https://bugs.webkit.org/show_bug.cgi?id=77907
+
+        Reviewed by Eric Seidel.
+
+        * http/tests/appcache/deferred-events-delete-while-raising-timer-expected.txt: Added.
+        * http/tests/appcache/deferred-events-delete-while-raising-timer.html: Added.
+        * http/tests/appcache/resources/deferred-events-delete-while-raising-timer-1.html: Added.
+        * http/tests/appcache/resources/deferred-events-delete-while-raising-timer-2.html: Added.
+
 2012-02-07  David Barton  <dbar...@mathscribe.com>
 
         Remove extraneous MathML code before bug 52444 fix

Added: trunk/LayoutTests/http/tests/appcache/deferred-events-delete-while-raising-timer-expected.txt (0 => 107023)


--- trunk/LayoutTests/http/tests/appcache/deferred-events-delete-while-raising-timer-expected.txt	                        (rev 0)
+++ trunk/LayoutTests/http/tests/appcache/deferred-events-delete-while-raising-timer-expected.txt	2012-02-08 02:21:04 UTC (rev 107023)
@@ -0,0 +1,4 @@
+Test the destruction of an iframe while deferred events are being raised does not crash the system.
+
+SUCCESS
+

Added: trunk/LayoutTests/http/tests/appcache/deferred-events-delete-while-raising-timer.html (0 => 107023)


--- trunk/LayoutTests/http/tests/appcache/deferred-events-delete-while-raising-timer.html	                        (rev 0)
+++ trunk/LayoutTests/http/tests/appcache/deferred-events-delete-while-raising-timer.html	2012-02-08 02:21:04 UTC (rev 107023)
@@ -0,0 +1,21 @@
+<html>
+<script>
+if (window.layoutTestController) {
+  layoutTestController.dumpAsText();
+  layoutTestController.waitUntilDone();
+}
+
+window._onmessage_ = function() {
+  document.getElementById('result').innerHTML = "SUCCESS";
+  if (window.layoutTestController)
+    layoutTestController.notifyDone();
+}
+
+function killChildFrame() {
+  document.body.removeChild(document.getElementsByTagName("iframe")[0]);
+}
+</script>
+<p>Test the destruction of an iframe while deferred events are being raised does not crash the system.</p>
+<div id="result">FAILURE</div>
+<iframe src=""
+</html>

Added: trunk/LayoutTests/http/tests/appcache/resources/deferred-events-delete-while-raising-timer-1.html (0 => 107023)


--- trunk/LayoutTests/http/tests/appcache/resources/deferred-events-delete-while-raising-timer-1.html	                        (rev 0)
+++ trunk/LayoutTests/http/tests/appcache/resources/deferred-events-delete-while-raising-timer-1.html	2012-02-08 02:21:04 UTC (rev 107023)
@@ -0,0 +1,14 @@
+<html manifest="THIS_FILE_DOES_NOT_EXIST.manifest">
+<script src=""
+<script>
+window.applicationCache._onchecking_ = function() {
+  parent.postMessage("hello", "*");
+  parent.killChildFrame();
+}
+
+function killChildFrame() {
+  document.body.removeChild(document.getElementsByTagName("iframe")[0]);
+}
+</script>
+<iframe src=""
+</html>

Added: trunk/LayoutTests/http/tests/appcache/resources/deferred-events-delete-while-raising-timer-2.html (0 => 107023)


--- trunk/LayoutTests/http/tests/appcache/resources/deferred-events-delete-while-raising-timer-2.html	                        (rev 0)
+++ trunk/LayoutTests/http/tests/appcache/resources/deferred-events-delete-while-raising-timer-2.html	2012-02-08 02:21:04 UTC (rev 107023)
@@ -0,0 +1,8 @@
+<html manifest="THIS_FILE_DOES_NOT_EXIST.manifest">
+<script src=""
+<script>
+window.applicationCache._onchecking_ = function() {
+  parent.killChildFrame();
+}
+</script>
+</html>

Modified: trunk/Source/WebCore/ChangeLog (107022 => 107023)


--- trunk/Source/WebCore/ChangeLog	2012-02-08 02:06:08 UTC (rev 107022)
+++ trunk/Source/WebCore/ChangeLog	2012-02-08 02:21:04 UTC (rev 107023)
@@ -1,3 +1,15 @@
+2012-02-07  Chris Palmer  <pal...@google.com>
+
+        Resolve crash in FrameLoader::checkTimerFired.
+        https://bugs.webkit.org/show_bug.cgi?id=77907
+
+        Reviewed by Eric Seidel.
+
+        Test is LayoutTests/http/tests/appcache/deferred-events-delete-while-raising-timer.html.
+
+        * loader/FrameLoader.cpp:
+        (WebCore::FrameLoader::checkTimerFired):
+
 2012-02-07  Yong Li  <y...@rim.com>
 
         [BlackBerry] NetworkJob should stop redirecting when the request is cleared by client

Modified: trunk/Source/WebCore/loader/FrameLoader.cpp (107022 => 107023)


--- trunk/Source/WebCore/loader/FrameLoader.cpp	2012-02-08 02:06:08 UTC (rev 107022)
+++ trunk/Source/WebCore/loader/FrameLoader.cpp	2012-02-08 02:21:04 UTC (rev 107023)
@@ -750,6 +750,8 @@
 
 void FrameLoader::checkTimerFired(Timer<FrameLoader>*)
 {
+    RefPtr<Frame> protect(m_frame);
+
     if (Page* page = m_frame->page()) {
         if (page->defersLoading())
             return;

_______________________________________________
webkit-changes mailing list
webkit-changes@lists.webkit.org
http://lists.webkit.org/mailman/listinfo.cgi/webkit-changes

Reply via email to