Diff
Modified: branches/safari-536.30-branch/LayoutTests/ChangeLog (148491 => 148492)
--- branches/safari-536.30-branch/LayoutTests/ChangeLog 2013-04-16 04:37:13 UTC (rev 148491)
+++ branches/safari-536.30-branch/LayoutTests/ChangeLog 2013-04-16 05:09:17 UTC (rev 148492)
@@ -1,5 +1,19 @@
2013-04-15 Andy Estes <aes...@apple.com>
+ Merged r131670.
+
+ 2012-10-17 Tom Sepez <tse...@chromium.org>
+
+ Crash in ContainerNode::removeAllChildren()
+ https://bugs.webkit.org/show_bug.cgi?id=98443
+
+ Reviewed by Eric Carlson.
+
+ * http/tests/security/video-poster-cross-origin-crash2-expected.txt: Added.
+ * http/tests/security/video-poster-cross-origin-crash2.html: Added.
+
+2013-04-15 Andy Estes <aes...@apple.com>
+
Merged r142063.
2013-02-06 Tom Sepez <tse...@chromium.org>
Added: branches/safari-536.30-branch/LayoutTests/http/tests/security/video-poster-cross-origin-crash2-expected.txt (0 => 148492)
--- branches/safari-536.30-branch/LayoutTests/http/tests/security/video-poster-cross-origin-crash2-expected.txt (rev 0)
+++ branches/safari-536.30-branch/LayoutTests/http/tests/security/video-poster-cross-origin-crash2-expected.txt 2013-04-16 05:09:17 UTC (rev 148492)
@@ -0,0 +1,4 @@
+CONSOLE MESSAGE: Cross-origin image load denied by Cross-Origin Resource Sharing policy.
+Test passes if it doesn't crash.
+
+
Added: branches/safari-536.30-branch/LayoutTests/http/tests/security/video-poster-cross-origin-crash2.html (0 => 148492)
--- branches/safari-536.30-branch/LayoutTests/http/tests/security/video-poster-cross-origin-crash2.html (rev 0)
+++ branches/safari-536.30-branch/LayoutTests/http/tests/security/video-poster-cross-origin-crash2.html 2013-04-16 05:09:17 UTC (rev 148492)
@@ -0,0 +1,27 @@
+<p>Test passes if it doesn't crash.</p>
+<div id="tCF2">
+ <div>
+ <video src=""
+ <video crossorigin="" poster="http://localhost:8080/nonesuch.png"></video>
+ </div>
+</div>
+<script>
+function init()
+{
+ setTimeout('crash()', 0);
+}
+
+function crash()
+{
+ tCF2.innerHTML = '';
+ if (window.layoutTestController)
+ layoutTestController.notifyDone();
+}
+
+if (window.layoutTestController) {
+ layoutTestController.dumpAsText();
+ layoutTestController.waitUntilDone();
+}
+document.addEventListener('DOMContentLoaded', init, false);
+</script>
+
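Review bot: The unterminated `<video src=""` line looks like the malformed input this regression test depends on, but nothing in the file says so. A later cleanup that closes the tag would leave a test that still passes while possibly no longer reaching the crashing path. Assuming the malformed tag is deliberate, a comment after the closing `</div>` of `tCF2` would protect it, for example `<!-- The unterminated <video src="" tag is intentional; it is part of the input for bug 98443. -->`. As a smaller style point, `setTimeout('crash()', 0)` passes a string to be evaluated, and `setTimeout(crash, 0)` schedules the same call without the eval form.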
Modified: branches/safari-536.30-branch/Source/WebCore/ChangeLog (148491 => 148492)
--- branches/safari-536.30-branch/Source/WebCore/ChangeLog 2013-04-16 04:37:13 UTC (rev 148491)
+++ branches/safari-536.30-branch/Source/WebCore/ChangeLog 2013-04-16 05:09:17 UTC (rev 148492)
@@ -1,5 +1,32 @@
2013-04-15 Andy Estes <aes...@apple.com>
+ Merged r131670.
+
+ 2012-10-17 Tom Sepez <tse...@chromium.org>
+
+ Crash in ContainerNode::removeAllChildren()
+ https://bugs.webkit.org/show_bug.cgi?id=98443
+
+ Reviewed by Eric Carlson.
+
+ This patch makes the errorEventSender added in WebKit Revision 112190 interact
+ with the updatedHasPendingLoadEvent() mechanism in the same manner as the other
+ existing event senders.
+
+ Test: http/tests/security/video-poster-cross-origin-crash2.html
+
+ * loader/ImageLoader.cpp:
+ (WebCore::ImageLoader::setImage):
+ (WebCore::ImageLoader::updateFromElement):
+ (WebCore::ImageLoader::notifyFinished):
+ (WebCore::ImageLoader::updatedHasPendingEvent):
+ (WebCore::ImageLoader::dispatchPendingBeforeLoadEvent):
+ (WebCore::ImageLoader::dispatchPendingLoadEvent):
+ * loader/ImageLoader.h:
+ (ImageLoader):
+
+2013-04-15 Andy Estes <aes...@apple.com>
+
Merged r142063.
2013-02-06 Tom Sepez <tse...@chromium.org>
Modified: branches/safari-536.30-branch/Source/WebCore/loader/ImageLoader.cpp (148491 => 148492)
--- branches/safari-536.30-branch/Source/WebCore/loader/ImageLoader.cpp 2013-04-16 04:37:13 UTC (rev 148491)
+++ branches/safari-536.30-branch/Source/WebCore/loader/ImageLoader.cpp 2013-04-16 05:09:17 UTC (rev 148492)
@@ -122,7 +122,7 @@
// Only consider updating the protection ref-count of the Element immediately before returning
// from this function as doing so might result in the destruction of this ImageLoader.
- updatedHasPendingLoadEvent();
+ updatedHasPendingEvent();
}
void ImageLoader::setImageWithoutConsideringPendingLoadEvent(CachedImage* newImage)
@@ -155,7 +155,7 @@
// Only consider updating the protection ref-count of the Element immediately before returning
// from this function as doing so might result in the destruction of this ImageLoader.
- updatedHasPendingLoadEvent();
+ updatedHasPendingEvent();
}
void ImageLoader::updateFromElement()
@@ -240,7 +240,7 @@
// Only consider updating the protection ref-count of the Element immediately before returning
// from this function as doing so might result in the destruction of this ImageLoader.
- updatedHasPendingLoadEvent();
+ updatedHasPendingEvent();
}
void ImageLoader::updateFromElementIgnoringPreviousError()
@@ -278,7 +278,7 @@
// Only consider updating the protection ref-count of the Element immediately before returning
// from this function as doing so might result in the destruction of this ImageLoader.
- updatedHasPendingLoadEvent();
+ updatedHasPendingEvent();
return;
}
@@ -286,7 +286,7 @@
m_hasPendingLoadEvent = false;
// Only consider updating the protection ref-count of the Element immediately before returning
// from this function as doing so might result in the destruction of this ImageLoader.
- updatedHasPendingLoadEvent();
+ updatedHasPendingEvent();
return;
}
@@ -333,18 +333,17 @@
imageResource->setCachedImage(m_image.get());
}
-void ImageLoader::updatedHasPendingLoadEvent()
+void ImageLoader::updatedHasPendingEvent()
{
- // If an Element that does image loading is removed from the DOM the load event for the image is still observable.
+ // If an Element that does image loading is removed from the DOM the load/error event for the image is still observable.
// As long as the ImageLoader is actively loading, the Element itself needs to be ref'ed to keep it from being
// destroyed by DOM manipulation or garbage collection.
// If such an Element wishes for the load to stop when removed from the DOM it needs to stop the ImageLoader explicitly.
-
- if (m_hasPendingLoadEvent == m_elementIsProtected)
+ bool wasProtected = m_elementIsProtected;
+ m_elementIsProtected = m_hasPendingLoadEvent || m_hasPendingErrorEvent;
+ if (wasProtected == m_elementIsProtected)
return;
- m_elementIsProtected = m_hasPendingLoadEvent;
-
if (m_elementIsProtected)
m_element->ref();
else
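Review bot: The element ref taken in `updatedHasPendingEvent()` now also depends on `m_hasPendingErrorEvent`, yet no hunk in this file adds a call to it in `dispatchPendingErrorEvent()`, which appears only as the trailing context line of the last hunk. If that function clears `m_hasPendingErrorEvent` and returns without re-evaluating protection, the element stays ref'ed until some later call happens to reach this function. It should then end with `updatedHasPendingEvent();`, under the same "immediately before returning" comment that `dispatchPendingLoadEvent()` uses. The same check applies to any other site that writes `m_hasPendingErrorEvent`. The body of `updatedHasPendingEvent()` continues past the end of this hunk, so the deref branch is not visible here.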
@@ -389,7 +388,7 @@
// Only consider updating the protection ref-count of the Element immediately before returning
// from this function as doing so might result in the destruction of this ImageLoader.
- updatedHasPendingLoadEvent();
+ updatedHasPendingEvent();
}
void ImageLoader::dispatchPendingLoadEvent()
@@ -405,7 +404,7 @@
// Only consider updating the protection ref-count of the Element immediately before returning
// from this function as doing so might result in the destruction of this ImageLoader.
- updatedHasPendingLoadEvent();
+ updatedHasPendingEvent();
}
void ImageLoader::dispatchPendingErrorEvent()
Modified: branches/safari-536.30-branch/Source/WebCore/loader/ImageLoader.h (148491 => 148492)
--- branches/safari-536.30-branch/Source/WebCore/loader/ImageLoader.h 2013-04-16 04:37:13 UTC (rev 148491)
+++ branches/safari-536.30-branch/Source/WebCore/loader/ImageLoader.h 2013-04-16 05:09:17 UTC (rev 148492)
@@ -75,7 +75,7 @@
virtual void dispatchLoadEvent() = 0;
virtual String sourceURI(const AtomicString&) const = 0;
- void updatedHasPendingLoadEvent();
+ void updatedHasPendingEvent();
void dispatchPendingBeforeLoadEvent();
void dispatchPendingLoadEvent();