Title: [91590] branches/safari-534.51-branch

Diff

Modified: branches/safari-534.51-branch/LayoutTests/ChangeLog (91589 => 91590)


--- branches/safari-534.51-branch/LayoutTests/ChangeLog	2011-07-22 19:23:43 UTC (rev 91589)
+++ branches/safari-534.51-branch/LayoutTests/ChangeLog	2011-07-22 19:25:53 UTC (rev 91590)
@@ -1,5 +1,21 @@
 2011-07-22  Lucas Forschler  <lforsch...@apple.com>
 
+    Merged 90936.
+
+    2011-07-13  Abhishek Arya  <infe...@chromium.org>
+
+        Tests that we do not crash when frame is blown away in a beforeload
+        event.
+        https://bugs.webkit.org/show_bug.cgi?id=64457
+
+        Reviewed by Adam Barth.
+
+        * fast/events/form-iframe-target-before-load-crash.html:
+        * fast/events/form-iframe-target-before-load-crash2-expected.txt: Added.
+        * fast/events/form-iframe-target-before-load-crash2.html: Added.
+
+2011-07-22  Lucas Forschler  <lforsch...@apple.com>
+
     Merged 90914.
 
     2011-07-13  John Knottenbelt  <jknot...@chromium.org>

Modified: branches/safari-534.51-branch/LayoutTests/fast/events/form-iframe-target-before-load-crash.html (91589 => 91590)


--- branches/safari-534.51-branch/LayoutTests/fast/events/form-iframe-target-before-load-crash.html	2011-07-22 19:23:43 UTC (rev 91589)
+++ branches/safari-534.51-branch/LayoutTests/fast/events/form-iframe-target-before-load-crash.html	2011-07-22 19:25:53 UTC (rev 91590)
@@ -1,4 +1,5 @@
 <html>
+    <script src=""
     <body _onload_="runTest()">
         <div id="console"></div>
         <form id="form1" style="display:none" method="post" target="test" action=""
@@ -25,6 +26,7 @@
                 if (count == 2)
                 {
                     document.body.removeChild(document.getElementById('test'));
+                    gc();
                     document.body.offsetTop;
                 }
             }, true);
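Review bot: `gc();` on L48 is called unguarded inside the beforeload listener, and the script include added on L40 is truncated in this view (`<script src=""` with no closing tag), so I cannot confirm it supplies a fallback `gc` for runs outside DumpRenderTree. If it does not, loading the test in a plain browser throws a ReferenceError before `document.body.offsetTop` forces the layout that is meant to reproduce the crash, so the test would silently stop exercising the fixed path. A guard such as `if (window.gc) gc();` keeps the repro working in both environments. The listener's enclosing script block starts and ends outside this hunk.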

Copied: branches/safari-534.51-branch/LayoutTests/fast/events/form-iframe-target-before-load-crash2-expected.txt (from rev 90936, trunk/LayoutTests/fast/events/form-iframe-target-before-load-crash2-expected.txt) (0 => 91590)


--- branches/safari-534.51-branch/LayoutTests/fast/events/form-iframe-target-before-load-crash2-expected.txt	                        (rev 0)
+++ branches/safari-534.51-branch/LayoutTests/fast/events/form-iframe-target-before-load-crash2-expected.txt	2011-07-22 19:25:53 UTC (rev 91590)
@@ -0,0 +1,2 @@
+PASS
+

Copied: branches/safari-534.51-branch/LayoutTests/fast/events/form-iframe-target-before-load-crash2.html (from rev 90936, trunk/LayoutTests/fast/events/form-iframe-target-before-load-crash2.html) (0 => 91590)


--- branches/safari-534.51-branch/LayoutTests/fast/events/form-iframe-target-before-load-crash2.html	                        (rev 0)
+++ branches/safari-534.51-branch/LayoutTests/fast/events/form-iframe-target-before-load-crash2.html	2011-07-22 19:25:53 UTC (rev 91590)
@@ -0,0 +1,37 @@
+<html>
+    <script src=""
+    <body _onload_="runTest()">
+        <div id="console"></div>
+        <form id="form1" style="display:none" target="test" action=""
+        <script>
+            if (window.layoutTestController)
+            {
+                layoutTestController.dumpAsText();
+                layoutTestController.waitUntilDone();
+            }
+        
+            function runTest()
+            {
+                document.getElementById('form1').submit();
+                
+                if (window.layoutTestController)
+                    layoutTestController.notifyDone();
+                document.getElementById('console').innerHTML = 'PASS';
+            }
+
+            count = 0;
+            document.addEventListener("beforeload", function(event) {
+                event.preventDefault();
+                count = count + 1;
+                if (count == 2)
+                {
+                    document.body.removeChild(document.getElementById('test'));
+                    gc();
+                    document.body.offsetTop;
+                }
+            }, true);
+       </script>
+       <iframe id="test" src=""
+   </body>
+</html>
+
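Review bot: `layoutTestController.notifyDone()` on L85 runs before the PASS marker is written on L86, so the expected output depends on the dump being deferred until after this script returns; writing `document.getElementById('console').innerHTML = 'PASS';` first and then calling the guarded `notifyDone()` removes that ordering assumption. `gc()` on L96 is unguarded while the other harness calls are wrapped in `if (window.layoutTestController)`, and the `<script src>` on L69 is cut off in this view, so I cannot confirm it defines a fallback `gc`. Unlike the sibling test, the form on L72 has no `method`, which presumably makes this the GET (loadURL) variant the ChangeLog mentions; a one-line comment above the form, `<!-- no method attribute: submit via GET so the loadURL path, not loadPostRequest, reaches loadWithDocumentLoader -->`, would make the pairing with crash.html explicit.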

Modified: branches/safari-534.51-branch/Source/WebCore/ChangeLog (91589 => 91590)


--- branches/safari-534.51-branch/Source/WebCore/ChangeLog	2011-07-22 19:23:43 UTC (rev 91589)
+++ branches/safari-534.51-branch/Source/WebCore/ChangeLog	2011-07-22 19:25:53 UTC (rev 91590)
@@ -1,5 +1,28 @@
 2011-07-22  Lucas Forschler  <lforsch...@apple.com>
 
+    Merged 90936.
+
+    2011-07-13  Abhishek Arya  <infe...@chromium.org>
+
+        Reviewed by Adam Barth.
+
+        Issue with Frame lifetime due to deletion in beforeload event.
+        https://bugs.webkit.org/show_bug.cgi?id=64457
+
+        Copy the Frame protector higher in the stack from loadWithDocumentLoader
+        to loadFrameRequest since any of loadPostRequest or loadURL can call
+        loadWithDocumentLoader, thereby dispatching the beforeload event and
+        blowing away the frame. This deleted frame will be later accessed in
+        the loadFrameRequest function causing a crash.       
+ 
+        Test: fast/events/form-iframe-target-before-load-crash2.html
+
+        * loader/FrameLoader.cpp:
+        (WebCore::FrameLoader::loadFrameRequest):
+        (WebCore::FrameLoader::loadWithDocumentLoader):
+
+2011-07-22  Lucas Forschler  <lforsch...@apple.com>
+
     Merged 90914.
 
     2011-07-13  John Knottenbelt  <jknot...@chromium.org>

Modified: branches/safari-534.51-branch/Source/WebCore/loader/FrameLoader.cpp (91589 => 91590)


--- branches/safari-534.51-branch/Source/WebCore/loader/FrameLoader.cpp	2011-07-22 19:23:43 UTC (rev 91589)
+++ branches/safari-534.51-branch/Source/WebCore/loader/FrameLoader.cpp	2011-07-22 19:25:53 UTC (rev 91590)
@@ -1339,6 +1339,9 @@
 void FrameLoader::loadFrameRequest(const FrameLoadRequest& request, bool lockHistory, bool lockBackForwardList,
     PassRefPtr<Event> event, PassRefPtr<FormState> formState, ReferrerPolicy referrerPolicy)
 {    
+    // Protect frame from getting blown away inside dispatchBeforeLoadEvent in loadWithDocumentLoader.
+    RefPtr<Frame> protect(m_frame);
+
     KURL url = ""
 
     ASSERT(m_frame->document());
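Review bot: The protector on L151 keeps the Frame's memory alive across loadPostRequest/loadURL, but it does not stop the remainder of loadFrameRequest from operating on a frame that the beforeload handler has already detached from its page; any code after those calls that dereferences `m_frame->page()` or `m_frame->document()` should bail when the frame is gone, e.g. `if (!m_frame->page()) return;` immediately after the load call. loadFrameRequest's body continues past the hunk, so I cannot see whether such a check already exists. The ChangeLog also lists loadWithDocumentLoader as modified, yet no hunk for it appears here; since the comment on L150 places the beforeload dispatch there and that function has callers other than loadFrameRequest, its own protector should be retained rather than moved. Because the trigger is page script removing the iframe during beforeload, the original crash looks remotely reachable as a use-after-free, which is worth stating in the comment: `// Page script can remove this frame during the beforeload event dispatched from loadWithDocumentLoader; keep it alive so later member accesses are not use-after-free.`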