Title: [88283] branches/safari-534-branch

Diff

Modified: branches/safari-534-branch/LayoutTests/ChangeLog (88282 => 88283)


--- branches/safari-534-branch/LayoutTests/ChangeLog	2011-06-07 23:24:40 UTC (rev 88282)
+++ branches/safari-534-branch/LayoutTests/ChangeLog	2011-06-07 23:25:46 UTC (rev 88283)
@@ -1,3 +1,18 @@
+2011-06-07  Lucas Forschler  <[email protected]>
+
+    Merged 87959.
+
+    2011-06-02  Brady Eidson  <[email protected]>
+
+        Reviewed by Oliver Hunt.
+
+        <rdar://problem/9539920> and https://bugs.webkit.org/show_bug.cgi?id=61950
+        Repro crash loading certain webarchives after r87566.
+
+        * webarchive/loading/_javascript_-url-iframe-crash-expected.txt: Added.
+        * webarchive/loading/_javascript_-url-iframe-crash.html: Added.
+        * webarchive/loading/resources/_javascript_-url-iframe-crash.webarchive: Added.
+
 2011-06-02  Lucas Forschler  <[email protected]>
 
     Merged 87844.
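Review bot: The entry lists webarchive/loading/resources/_javascript_-url-iframe-crash.webarchive as Added, but that fixture is binary and shows up further down only as "(Binary files differ)", so the actual trigger (the iframe whose src is a non-empty javascript: URL) cannot be reviewed from this diff. Consider adding one line to the ChangeLog describing what the archive contains, so a future reader of the branch knows what the crash test exercises without unpacking the plist.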

Copied: branches/safari-534-branch/LayoutTests/webarchive/loading/_javascript_-url-iframe-crash-expected.txt (from rev 87959, trunk/LayoutTests/webarchive/loading/_javascript_-url-iframe-crash-expected.txt) (0 => 88283)


--- branches/safari-534-branch/LayoutTests/webarchive/loading/_javascript_-url-iframe-crash-expected.txt	                        (rev 0)
+++ branches/safari-534-branch/LayoutTests/webarchive/loading/_javascript_-url-iframe-crash-expected.txt	2011-06-07 23:25:46 UTC (rev 88283)
@@ -0,0 +1,17 @@
+main frame - didStartProvisionalLoadForFrame
+main frame - didCommitLoadForFrame
+main frame - willPerformClientRedirectToURL: resources/_javascript_-url-iframe-crash.webarchive 
+main frame - didFinishDocumentLoadForFrame
+main frame - didFinishLoadForFrame
+main frame - didStartProvisionalLoadForFrame
+main frame - didCancelClientRedirectForFrame
+main frame - didCommitLoadForFrame
+frame "<!--framePath //<!--frame0-->-->" - didStartProvisionalLoadForFrame
+frame "<!--framePath //<!--frame0-->-->" - didFailProvisionalLoadWithError
+frame "<!--framePath //<!--frame0-->-->" - didFinishDocumentLoadForFrame
+frame "<!--framePath //<!--frame0-->-->" - didHandleOnloadEventsForFrame
+main frame - didFinishDocumentLoadForFrame
+main frame - didHandleOnloadEventsForFrame
+main frame - didFinishLoadForFrame
+Loading this webarchive with a "non-empty _javascript_ URL iframe" should not crash.
+
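Review bot: The only pass/fail signal here is that the run completes and prints the frame-load callbacks followed by the sentinel line "Loading this webarchive with a 'non-empty _javascript_ URL iframe' should not crash."; the interesting behaviour being locked in is the frame0 sequence didStartProvisionalLoadForFrame, didFailProvisionalLoadWithError, didFinishDocumentLoadForFrame, which is the point where the DocumentLoader was previously freed under the caller. Two small things: the willPerformClientRedirectToURL line carries a trailing space after the .webarchive path, which tends to be lost by editors and then causes spurious diffs, and the frame-load-delegate dump is port-specific, so ports that do not run DumpRenderTree with these callbacks may need their own expectations or a Skipped entry.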

Copied: branches/safari-534-branch/LayoutTests/webarchive/loading/_javascript_-url-iframe-crash.html (from rev 87959, trunk/LayoutTests/webarchive/loading/_javascript_-url-iframe-crash.html) (0 => 88283)


--- branches/safari-534-branch/LayoutTests/webarchive/loading/_javascript_-url-iframe-crash.html	                        (rev 0)
+++ branches/safari-534-branch/LayoutTests/webarchive/loading/_javascript_-url-iframe-crash.html	2011-06-07 23:25:46 UTC (rev 88283)
@@ -0,0 +1,10 @@
+<html>
+<script>
+    if (window.layoutTestController) {
+        layoutTestController.dumpAsText();
+        layoutTestController.waitUntilDone();
+    }
+    
+    window.location="resources/_javascript_-url-iframe-crash.webarchive";
+</script>
+</html>
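Review bot: layoutTestController.waitUntilDone() is called but there is no matching notifyDone() anywhere in this file; the test can only terminate if the document inside the binary webarchive calls notifyDone() itself, which is not visible in this diff. A short comment above the `window.location=` assignment saying that the archive is responsible for calling notifyDone() (and that a timeout here therefore still indicates a failure rather than a hang in DRT) would make the test self-explanatory. Minor style: the file has no `<head>`/`<body>` and the blank line inside the script block has trailing whitespace.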

Copied: branches/safari-534-branch/LayoutTests/webarchive/loading/resources/_javascript_-url-iframe-crash.webarchive (from rev 87959, trunk/LayoutTests/webarchive/loading/resources/_javascript_-url-iframe-crash.webarchive)


(Binary files differ)

Modified: branches/safari-534-branch/Source/WebCore/ChangeLog (88282 => 88283)


--- branches/safari-534-branch/Source/WebCore/ChangeLog	2011-06-07 23:24:40 UTC (rev 88282)
+++ branches/safari-534-branch/Source/WebCore/ChangeLog	2011-06-07 23:25:46 UTC (rev 88283)
@@ -1,3 +1,20 @@
+2011-06-07  Lucas Forschler  <[email protected]>
+
+    Merged 87959. 
+
+    2011-06-02  Brady Eidson  <[email protected]>
+
+        Reviewed by Oliver Hunt.
+
+        <rdar://problem/9539920> and https://bugs.webkit.org/show_bug.cgi?id=61950
+        Repro crash loading certain webarchives after r87566.
+
+        Test: webarchive/loading/_javascript_-url-iframe-crash.html
+
+        * bindings/ScriptControllerBase.cpp:
+        (WebCore::ScriptController::executeIfJavaScriptURL): DocumentWriter::replaceDocument can
+          cause the DocumentLoader to be destroyed, so protect it with a Ref here.
+
 2011-06-02  Lucas Forschler  <[email protected]>
 
     Merged 87856.
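Review bot: The entry says the DocumentLoader is protected "with a Ref", while the code change in ScriptControllerBase.cpp below uses a `RefPtr<DocumentLoader>`; the wording should match the actual type so the ChangeLog stays a reliable description of the lifetime fix. Also, "Merged 87959. " has a trailing space.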

Modified: branches/safari-534-branch/Source/WebCore/bindings/ScriptControllerBase.cpp (88282 => 88283)


--- branches/safari-534-branch/Source/WebCore/bindings/ScriptControllerBase.cpp	2011-06-07 23:24:40 UTC (rev 88282)
+++ branches/safari-534-branch/Source/WebCore/bindings/ScriptControllerBase.cpp	2011-06-07 23:25:46 UTC (rev 88283)
@@ -111,7 +111,10 @@
     if (shouldReplaceDocumentIfJavaScriptURL == ReplaceDocumentIfJavaScriptURL) {
         // We're still in a frame, so there should be a DocumentLoader.
         ASSERT(m_frame->document()->loader());
-        if (DocumentLoader* loader = m_frame->document()->loader())
+        
+        // DocumentWriter::replaceDocument can cause the DocumentLoader to get deref'ed and possible destroyed,
+        // so protect it with a RefPtr.
+        if (RefPtr<DocumentLoader> loader = m_frame->document()->loader())
             loader->writer()->replaceDocument(scriptResult);
     }
     return true;
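Review bot: Holding the loader in a `RefPtr<DocumentLoader>` for the duration of `loader->writer()->replaceDocument(scriptResult)` is the right fix for the use-after-free: replaceDocument can drop the last reference to the DocumentLoader while this frame is still executing on its behalf, and the raw pointer in the old `if (DocumentLoader* loader = ...)` would then dangle. Two follow-ups: the new comment has a typo ("possible destroyed" should read "possibly destroyed"), and it is worth stating in the comment that the RefPtr only extends the loader's lifetime, not the frame's, which is safe here solely because nothing after replaceDocument touches `m_frame` before `return true;`. The `ASSERT(m_frame->document()->loader())` just above still dereferences the same pointer unguarded, which is fine for a debug-only check but means the null test on the RefPtr is the only thing protecting release builds.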
_______________________________________________
webkit-changes mailing list
[email protected]
http://lists.webkit.org/mailman/listinfo.cgi/webkit-changes
