Title: [200998] branches/safari-601-branch

Diff

Modified: branches/safari-601-branch/LayoutTests/ChangeLog (200997 => 200998)


--- branches/safari-601-branch/LayoutTests/ChangeLog	2016-05-17 05:31:35 UTC (rev 200997)
+++ branches/safari-601-branch/LayoutTests/ChangeLog	2016-05-17 05:35:38 UTC (rev 200998)
@@ -1,3 +1,20 @@
+2016-05-16  Babak Shafiei  <bshaf...@apple.com>
+
+        Merge r200986.
+
+    2016-05-16  Brent Fulgham  <bfulg...@apple.com>
+
+            heap use-after-free at WebCore::TimerBase::heapPopMin()
+            https://bugs.webkit.org/show_bug.cgi?id=157742
+            <rdar://problem/26236778>
+
+            Reviewed by Simon Fraser.
+
+            * fast/frames/crash-during-iframe-load-stop-expected.txt: Added.
+            * fast/frames/crash-during-iframe-load-stop.html: Added.
+            * fast/frames/resources/crash-during-iframe-load-stop-inner.html: Added.
+            * fast/frames/resources/crash-during-iframe-load-stop.html: Added.
+
 2016-05-13  Ryan Haddad  <ryanhad...@apple.com>
 
         Merge r194403. rdar://problem/26274768
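Review bot: the nested entry says "Reviewed by Simon Fraser." while the Source/WebCore ChangeLog entry for the same r200986 merge says "Reviewed by David Kilzer."; one of the two should be corrected so the merge record names the actual reviewer. The four test files listed match the Copied: entries that follow.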

Copied: branches/safari-601-branch/LayoutTests/fast/frames/crash-during-iframe-load-stop-expected.txt (from rev 200986, trunk/LayoutTests/fast/frames/crash-during-iframe-load-stop-expected.txt) (0 => 200998)


--- branches/safari-601-branch/LayoutTests/fast/frames/crash-during-iframe-load-stop-expected.txt	                        (rev 0)
+++ branches/safari-601-branch/LayoutTests/fast/frames/crash-during-iframe-load-stop-expected.txt	2016-05-17 05:35:38 UTC (rev 200998)
@@ -0,0 +1,3 @@
+This tests that WebKit does not crash when frame loads are interrupted. This test passes if it does not crash.
+
+ 
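Review bot: the third added line is a single space (`+ `) rather than an empty line; trailing whitespace in an -expected.txt is easy to lose in editors and produces spurious text-diff failures, so either make it an empty line or drop it.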

Copied: branches/safari-601-branch/LayoutTests/fast/frames/crash-during-iframe-load-stop.html (from rev 200986, trunk/LayoutTests/fast/frames/crash-during-iframe-load-stop.html) (0 => 200998)


--- branches/safari-601-branch/LayoutTests/fast/frames/crash-during-iframe-load-stop.html	                        (rev 0)
+++ branches/safari-601-branch/LayoutTests/fast/frames/crash-during-iframe-load-stop.html	2016-05-17 05:35:38 UTC (rev 200998)
@@ -0,0 +1,38 @@
+<html>
+<head>
+<script>
+    if (window.testRunner) {
+        testRunner.waitUntilDone();
+        testRunner.dumpAsText();
+    }
+
+    var count = 0;
+</script>
+</head>
+<body _onload_='deleteFrame()'>
+    <script>
+    function deleteFrame()
+    {
+        var frameToRemove = document.getElementById('subframe');
+        document.body.removeChild(frameToRemove);
+    }
+
+    function reloadSubframe()
+    {
+        var iframe = document.createElement('iframe');
+        iframe.id = 'subframe';
+        iframe.src = '';
+        document.body.appendChild(iframe);
+        setTimeout(function() { deleteFrame(); }, 0);
+    }
+
+    function subFrameFinishedLoading()
+    {
+        if (window.testRunner)
+            testRunner.notifyDone();
+    }
+    </script>
+    <p>This tests that WebKit does not crash when frame loads are interrupted. This test passes if it does not crash.</p>
+    <iframe id="subframe" src=''></iframe>
+</body>
+</html>
\ No newline at end of file
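Review bot: `deleteFrame()` dereferences `document.getElementById('subframe')` without a null check, yet it can run twice for the same iframe (from the body load handler and from the `setTimeout` in `reloadSubframe`), and `removeChild(null)` throws a TypeError that silently ends the reload loop; guard with `if (frameToRemove)`. Two things in this listing also need confirming against the committed file: the body attribute reads `_onload_` rather than `onload`, and every `src` is the empty string, so as shown neither the load handler nor the `resources/` helper pages would be exercised. Finally, `testRunner.notifyDone()` is only reached through the subframe callback chain; if the timer-driven removal wins the race before the inner script runs, the test times out instead of passing, so a fallback timer that calls `notifyDone()` would make the outcome deterministic.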

Copied: branches/safari-601-branch/LayoutTests/fast/frames/resources/crash-during-iframe-load-stop-inner.html (from rev 200986, trunk/LayoutTests/fast/frames/resources/crash-during-iframe-load-stop-inner.html) (0 => 200998)


--- branches/safari-601-branch/LayoutTests/fast/frames/resources/crash-during-iframe-load-stop-inner.html	                        (rev 0)
+++ branches/safari-601-branch/LayoutTests/fast/frames/resources/crash-during-iframe-load-stop-inner.html	2016-05-17 05:35:38 UTC (rev 200998)
@@ -0,0 +1,6 @@
+<html>
+  <script>
+      window.parent.stop();
+      window.parent.subFrameFinishedLoading();
+  </script>
+</html>
\ No newline at end of file
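Review bot: the two calls are the heart of the test (stopping the parent frame's loads from inside a child that is itself still loading, then calling back into the parent that was just stopped) but nothing says so; a one-line comment explaining why `window.parent.stop()` must precede `subFrameFinishedLoading()` would help whoever next has to reason about this file. The file is also missing its trailing newline.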

Copied: branches/safari-601-branch/LayoutTests/fast/frames/resources/crash-during-iframe-load-stop.html (from rev 200986, trunk/LayoutTests/fast/frames/resources/crash-during-iframe-load-stop.html) (0 => 200998)


--- branches/safari-601-branch/LayoutTests/fast/frames/resources/crash-during-iframe-load-stop.html	                        (rev 0)
+++ branches/safari-601-branch/LayoutTests/fast/frames/resources/crash-during-iframe-load-stop.html	2016-05-17 05:35:38 UTC (rev 200998)
@@ -0,0 +1,16 @@
+<html>
+<head>
+    <script>
+    function subFrameFinishedLoading()
+    {
+        window.parent.count = window.parent.count + 1;
+        if (window.parent.count < 10)
+            window.parent.reloadSubframe();
+        else
+            window.parent.subFrameFinishedLoading();
+    }
+    </script>
+</head>
+  <iframe src=""
+  <iframe src="" <html></html>"></iframe>
+</html>
\ No newline at end of file
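Review bot: the markup on the last two content lines is malformed as shown: the first `<iframe src=""` tag is never closed, and the second carries a stray `<html></html>"` inside its tag, so what the parser recovers is unclear, and the child page that calls this file's `subFrameFinishedLoading` (crash-during-iframe-load-stop-inner.html, added in the same change) is not named anywhere. If the archive stripped the URLs, please re-check the committed file; otherwise give each iframe a properly closed tag and an explicit src. Wrapping the iframes in a `<body>` would also keep the structure conventional.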

Modified: branches/safari-601-branch/Source/WebCore/ChangeLog (200997 => 200998)


--- branches/safari-601-branch/Source/WebCore/ChangeLog	2016-05-17 05:31:35 UTC (rev 200997)
+++ branches/safari-601-branch/Source/WebCore/ChangeLog	2016-05-17 05:35:38 UTC (rev 200998)
@@ -1,3 +1,23 @@
+2016-05-16  Babak Shafiei  <bshaf...@apple.com>
+
+        Merge r200986.
+
+    2016-05-16  Brent Fulgham  <bfulg...@apple.com>
+
+            heap use-after-free at WebCore::TimerBase::heapPopMin()
+            https://bugs.webkit.org/show_bug.cgi?id=157742
+            <rdar://problem/26236778>
+
+            Reviewed by David Kilzer.
+
+            Tested by fast/frames/resources/crash-during-iframe-load-stop.html.
+
+            * loader/FrameLoader.cpp:
+            (WebCore::FrameLoader::stopForUserCancel): Protect m_frame from destruction while it is still
+            being used by the current stack frame.
+            (WebCore::FrameLoader::frameDetached): Ditto.
+            (WebCore::FrameLoader::continueFragmentScrollAfterNavigationPolicy): Ditto.
+
 2016-05-12  Babak Shafiei  <bshaf...@apple.com>
 
         Build fix after r195004/r200780.
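Review bot: "Tested by fast/frames/resources/crash-during-iframe-load-stop.html" names the helper page under resources/, which the test runner does not execute on its own; the test is fast/frames/crash-during-iframe-load-stop.html. The reviewer name also differs from the LayoutTests ChangeLog for the same merge (David Kilzer here, Simon Fraser there).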

Modified: branches/safari-601-branch/Source/WebCore/loader/FrameLoader.cpp (200997 => 200998)


--- branches/safari-601-branch/Source/WebCore/loader/FrameLoader.cpp	2016-05-17 05:31:35 UTC (rev 200997)
+++ branches/safari-601-branch/Source/WebCore/loader/FrameLoader.cpp	2016-05-17 05:35:38 UTC (rev 200998)
@@ -1618,6 +1618,9 @@
 
 void FrameLoader::stopForUserCancel(bool deferCheckLoadComplete)
 {
+    // Calling stopAllLoaders can cause the frame to be deallocated, including the frame loader.
+    Ref<Frame> protectedFrame(m_frame);
+
     stopAllLoaders();
 
 #if PLATFORM(IOS)
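Review bot: the comment says the frame loader can be deallocated as well, and holding a `Ref<Frame>` is sufficient for that because the loader's lifetime is tied to the Frame; stating that explicitly in the comment would stop the next reader from looking for a separate loader protector. The guard keeps the object alive but not attached, so anything after `stopAllLoaders()` that touches the frame's page, view or document still has to tolerate a frame that was detached during the call.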
@@ -2471,6 +2474,9 @@
 
 void FrameLoader::frameDetached()
 {
+    // Calling stopAllLoaders can cause the frame to be deallocated, including the frame loader.
+    Ref<Frame> protectedFrame(m_frame);
+
     stopAllLoaders();
     m_frame.document()->stopActiveDOMObjects();
     detachFromParent();
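Review bot: after `stopAllLoaders()` the next line calls `m_frame.document()->stopActiveDOMObjects()` unconditionally; the new Ref prevents the Frame from being freed, but in the scenario this fix addresses (stopping loaders detaches the frame) is `m_frame.document()` guaranteed to be non-null at that point? If not, a null check before the call is needed, with `detachFromParent()` still running either way.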
@@ -2766,6 +2772,10 @@
     if (!shouldContinue)
         return;
 
+    // Calling stopLoading() on the provisional document loader can cause the underlying
+    // frame to be deallocated.
+    Ref<Frame> protectedFrame(m_frame);
+
     // If we have a provisional request for a different document, a fragment scroll should cancel it.
     if (m_provisionalDocumentLoader && !equalIgnoringFragmentIdentifier(m_provisionalDocumentLoader->request().url(), request.url())) {
         m_provisionalDocumentLoader->stopLoading();
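Review bot: placing the protector after the `shouldContinue` early return is the right choice, since it avoids refcount traffic on the no-op path. Because `m_provisionalDocumentLoader->stopLoading()` is exactly the call the comment says can tear things down, the code following the visible context should re-read `m_provisionalDocumentLoader` rather than assume it is still the same (or a non-null) loader after the call.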
_______________________________________________
webkit-changes mailing list
webkit-changes@lists.webkit.org
https://lists.webkit.org/mailman/listinfo/webkit-changes
