[SCM] WebKit Debian packaging branch, webkit-1.2, updated. upstream/1.1.90-6072-g9a69373

eric at webkit.org eric at webkit.org
Thu Apr 8 01:02:16 UTC 2010


The following commit has been merged in the webkit-1.2 branch:
commit 90747254171d1e7356be9ba6b6ad375d4290ad8a
Author: eric at webkit.org <eric at webkit.org@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
Date:   Tue Jan 12 18:10:14 2010 +0000

    2010-01-12  Tony Chang  <tony at chromium.org>
    
            Reviewed by Maciej Stachowiak.
    
            Add a test for a Chromium crash when loading multipart/x-mixed-replace
            data.
    
            https://bugs.webkit.org/show_bug.cgi?id=31446
    
            * http/tests/multipart/multipart-wait-before-boundary-expected.txt: Added.
            * http/tests/multipart/multipart-wait-before-boundary.html: Added.
            * http/tests/multipart/resources/multipart-wait-before-boundary.php: Added.
    2010-01-12  Tony Chang  <tony at chromium.org>
    
            Reviewed by Maciej Stachowiak.
    
            Fix a crash in Chromium when receiving multipart/x-mixed-replace data.
            If we stop a multipart load after ResourceLoader::didReceiveResponse
            but before ResourceLoader::didReceiveData, we have a NULL document
            loader because it has been moved back to the provisional state.  New
            loads that happen after this will dereference the NULL document
            loader.
    
            Work around this by moving the provisional document loader back as
            the document loader when the request is stopped.
    
            https://bugs.webkit.org/show_bug.cgi?id=31446
    
            Test: http/tests/multipart/multipart-wait-before-boundary.html
    
            * loader/FrameLoader.cpp:
            (WebCore::FrameLoader::checkLoadCompleteForThisFrame):
    
    git-svn-id: http://svn.webkit.org/repository/webkit/trunk@53143 268f45cc-cd09-0410-ab3c-d52691b4dbfc

diff --git a/LayoutTests/ChangeLog b/LayoutTests/ChangeLog
index aedc4db..16dc064 100644
--- a/LayoutTests/ChangeLog
+++ b/LayoutTests/ChangeLog
@@ -1,3 +1,16 @@
+2010-01-12  Tony Chang  <tony at chromium.org>
+
+        Reviewed by Maciej Stachowiak.
+
+        Add a test for a Chromium crash when loading multipart/x-mixed-replace
+        data.
+
+        https://bugs.webkit.org/show_bug.cgi?id=31446
+
+        * http/tests/multipart/multipart-wait-before-boundary-expected.txt: Added.
+        * http/tests/multipart/multipart-wait-before-boundary.html: Added.
+        * http/tests/multipart/resources/multipart-wait-before-boundary.php: Added.
+
 2010-01-12  Petri Latvala  <petri.latvala at nomovok.com>
 
         Reviewed by Antti Koivisto.
diff --git a/LayoutTests/fast/js/lexical-lookup-in-function-constructor-expected.txt b/LayoutTests/http/tests/multipart/multipart-wait-before-boundary-expected.txt
similarity index 100%
copy from LayoutTests/fast/js/lexical-lookup-in-function-constructor-expected.txt
copy to LayoutTests/http/tests/multipart/multipart-wait-before-boundary-expected.txt
diff --git a/LayoutTests/http/tests/multipart/multipart-wait-before-boundary.html b/LayoutTests/http/tests/multipart/multipart-wait-before-boundary.html
new file mode 100644
index 0000000..1d3c28b
--- /dev/null
+++ b/LayoutTests/http/tests/multipart/multipart-wait-before-boundary.html
@@ -0,0 +1,23 @@
+<html>
+<head>
+    <script>
+        if (window.layoutTestController) {
+            layoutTestController.dumpAsText();
+            layoutTestController.waitUntilDone();
+        }
+        function childLoaded() {
+            setTimeout("window.frames['iframe'].location = 'resources/multipart-wait-before-boundary.php?done=1'", 0);
+        }
+        function success() {
+            if (window.layoutTestController) {
+                document.getElementById('status').innerHTML = 'SUCCESS';
+                layoutTestController.notifyDone();
+            }
+        }
+    </script>
+</head>
+<body>
+    <p id="status">RUNNING...</p>
+    <iframe id="iframe" src="resources/multipart-wait-before-boundary.php">
+</body>
+</html>
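Review bot: in success(), the status update sits inside the window.layoutTestController check, so when this page is opened by hand in a browser the text stays at "RUNNING..." even if the second load completes. Move the innerHTML assignment outside the check and keep only notifyDone() guarded. The iframe element is also never closed; add </iframe> before </body>. In childLoaded(), a function argument to setTimeout would avoid the nested quoting of the string form.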
diff --git a/LayoutTests/http/tests/multipart/resources/multipart-wait-before-boundary.php b/LayoutTests/http/tests/multipart/resources/multipart-wait-before-boundary.php
new file mode 100644
index 0000000..34de0f2
--- /dev/null
+++ b/LayoutTests/http/tests/multipart/resources/multipart-wait-before-boundary.php
@@ -0,0 +1,41 @@
+<?php
+    if (isset($_GET['done'])) {
+      header("Content-Type: text/html");
+      echo("<script>parent.success()</script>");
+      exit(0);
+    }
+
+    $boundary = "cutHere";
+
+    function sendHeader()
+    {
+        global $boundary;
+
+        echo("--$boundary\r\n");
+        echo("Content-Type: text/html\r\n\r\n");
+        flush();
+    }
+
+    header("Content-Type: multipart/x-mixed-replace; boundary=$boundary");
+
+    // generate some padding to work around CFNetwork handling of multipart data
+    $padding = "aa";
+    for ($i = 0; $i < 10; $i++) {
+      $padding .= $padding;
+    }
+
+    sendHeader();
+    echo("test html\n");
+    echo("<!-- $padding -->");
+    flush();
+    sendHeader();
+    echo("second html");
+    echo("<script>parent.childLoaded()</script>");
+    echo("<!-- $padding -->");
+    flush();
+    sendHeader();
+    echo("third html");
+    echo("<!-- $padding -->");
+    flush();
+    usleep(30 * 1000000);
+?>
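Review bot: the usleep(30 * 1000000) at the end of the script has no comment, yet it looks like the step the test depends on: it keeps the multipart response open after the third part so that the navigation started from parent.childLoaded() reaches the frame while the load is still in progress. Please add a comment saying so, and note that a client which never navigates away holds the connection for the full 30 seconds. The padding comment could also state the resulting size (the loop doubles "aa" ten times, giving 2048 characters) and how much padding the CFNetwork workaround needs.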
diff --git a/WebCore/ChangeLog b/WebCore/ChangeLog
index a351088..28b0090 100644
--- a/WebCore/ChangeLog
+++ b/WebCore/ChangeLog
@@ -1,3 +1,24 @@
+2010-01-12  Tony Chang  <tony at chromium.org>
+
+        Reviewed by Maciej Stachowiak.
+
+        Fix a crash in Chromium when receiving multipart/x-mixed-replace data.
+        If we stop a multipart load after ResourceLoader::didReceiveResponse
+        but before ResourceLoader::didReceiveData, we have a NULL document
+        loader because it has been moved back to the provisional state.  New
+        loads that happen after this will dereference the NULL document
+        loader.
+
+        Work around this by moving the provisional document loader back as
+        the document loader when the request is stopped.
+
+        https://bugs.webkit.org/show_bug.cgi?id=31446
+
+        Test: http/tests/multipart/multipart-wait-before-boundary.html
+
+        * loader/FrameLoader.cpp:
+        (WebCore::FrameLoader::checkLoadCompleteForThisFrame):
+
 2010-01-12  Enrica Casucci  <enrica at apple.com>
 
         Reviewed by Darin Adler.
diff --git a/WebCore/loader/FrameLoader.cpp b/WebCore/loader/FrameLoader.cpp
index 9eac628..2683209 100644
--- a/WebCore/loader/FrameLoader.cpp
+++ b/WebCore/loader/FrameLoader.cpp
@@ -2922,6 +2922,9 @@ void FrameLoader::checkLoadCompleteForThisFrame()
                 stopLoadingSubframes();
                 pdl->stopLoading();
 
+                if (isReplacing())
+                    setDocumentLoader(m_provisionalDocumentLoader.get());
+
                 // Finish resetting the load state, but only if another load hasn't been started by the
                 // delegate callback.
                 if (pdl == m_provisionalDocumentLoader)
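Review bot: the added setDocumentLoader(m_provisionalDocumentLoader.get()) runs before the existing pdl == m_provisionalDocumentLoader check, whose comment says a delegate callback may already have started another load by this point. In that case m_provisionalDocumentLoader is no longer pdl, and the new lines would install the newer provisional loader (or a null one) as the document loader. Consider moving the isReplacing() restore inside the pdl == m_provisionalDocumentLoader branch, or passing pdl explicitly. A short comment explaining why the provisional loader is moved back when replacing would also help, since the ChangeLog describes this as a workaround.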

-- 
WebKit Debian packaging


