[SCM] WebKit Debian packaging branch, webkit-1.2, updated. upstream/1.1.90-6072-g9a69373

ap at apple.com ap at apple.com
Thu Apr 8 01:13:46 UTC 2010


The following commit has been merged in the webkit-1.2 branch:
commit d043731fa617503119f511c2e6ef3a6091cad6f3
Author: ap at apple.com <ap at apple.com@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
Date:   Mon Jan 18 22:51:22 2010 +0000

            Reviewed by Geoffrey Garen.
    
            https://bugs.webkit.org/show_bug.cgi?id=33813
            <rdar://problem/7545104> Crash when using DOMApplicationCache from a destroyed frame
    
            Test: http/tests/appcache/destroyed-frame.html
    
            * loader/appcache/DOMApplicationCache.cpp:
            (WebCore::DOMApplicationCache::scriptExecutionContext): Return null when there is no frame.
    
    
    
    git-svn-id: http://svn.webkit.org/repository/webkit/trunk@53433 268f45cc-cd09-0410-ab3c-d52691b4dbfc

diff --git a/LayoutTests/ChangeLog b/LayoutTests/ChangeLog
index cce7048..00da5f5 100644
--- a/LayoutTests/ChangeLog
+++ b/LayoutTests/ChangeLog
@@ -1,3 +1,13 @@
+2010-01-18  Alexey Proskuryakov  <ap at apple.com>
+
+        Reviewed by Geoffrey Garen.
+
+        https://bugs.webkit.org/show_bug.cgi?id=33813
+        <rdar://problem/7545104> Crash when using DOMApplicationCache from a destroyed frame
+
+        * http/tests/appcache/destroyed-frame-expected.txt: Added.
+        * http/tests/appcache/destroyed-frame.html: Added.
+
 2010-01-18  Dan Bernstein  <mitz at apple.com>
 
         Reviewed by Darin Adler.
diff --git a/LayoutTests/http/tests/appcache/destroyed-frame-expected.txt b/LayoutTests/http/tests/appcache/destroyed-frame-expected.txt
new file mode 100644
index 0000000..7050859
--- /dev/null
+++ b/LayoutTests/http/tests/appcache/destroyed-frame-expected.txt
@@ -0,0 +1,5 @@
+Test for bug 33813: Crash when using DOMApplicationCache from a destroyed frame.
+
+PASS if didn't crash.
+
+
diff --git a/LayoutTests/http/tests/appcache/destroyed-frame.html b/LayoutTests/http/tests/appcache/destroyed-frame.html
new file mode 100644
index 0000000..c1dd731
--- /dev/null
+++ b/LayoutTests/http/tests/appcache/destroyed-frame.html
@@ -0,0 +1,52 @@
+<body onload="test()">
+<p>Test for <a href="https://bugs.webkit.org/show_bug.cgi?id=33813">bug 33813</a>: Crash when using DOMApplicationCache from a destroyed frame.</p>
+<p>PASS if didn't crash.</p>
+<iframe src="about:blank"></iframe>
+
+<script>
+
+function gc()
+{
+    if (window.GCController)
+        return GCController.collect();
+
+    for (var i = 0; i < 10000; i++) { // > force garbage collection (FF requires about 9K allocations before a collect)
+        var s = new String("");
+    }
+}
+
+if (window.layoutTestController) {
+    layoutTestController.dumpAsText();
+    layoutTestController.waitUntilDone();
+}
+
+var ifrCache;
+
+function test()
+{
+    ifrCache = frames[0].applicationCache;
+    document.body.removeChild(document.getElementsByTagName("iframe")[0]);
+    setTimeout(function() {
+        gc();
+        ifrCache.onchecking = function() { }
+        ifrCache.onerror = function() { }
+        ifrCache.onnoupdate = function() { }
+        ifrCache.ondownloading = function() { }
+        ifrCache.onprogress = function() { }
+        ifrCache.onupdateready = function() { }
+        ifrCache.oncached = function() { }
+        ifrCache.onobsolete = function() { }
+        ifrCache.addEventListener("error", function() { }, true);
+
+        var evt = document.createEvent("Event");
+        evt.initEvent("error", true, true);
+        ifrCache.dispatchEvent(evt);
+
+        try { ifrCache.update(); } catch (ex) { }
+        try { ifrCache.swapCache(); } catch (ex) { }
+
+        if (window.layoutTestController)
+            layoutTestController.notifyDone();
+    }, 0);
+}
+</script>
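Review bot: The two `try { ... } catch (ex) { }` lines in test() discard whatever update() and swapCache() throw, so the test passes whether they throw the expected exception, a different one, or nothing; it pins only the absence of a crash. If a detached frame is meant to produce a specific exception, writing the caught exception's code into the dumped text and adding it to destroyed-frame-expected.txt would catch a later regression that fails silently. The test also never reads `ifrCache.status` or calls `removeEventListener` on the detached object, so those entry points go unexercised after the frame is removed; adding `var s = ifrCache.status;` next to the handler assignments would cover the first.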
diff --git a/WebCore/ChangeLog b/WebCore/ChangeLog
index 12661ff..2ac9129 100644
--- a/WebCore/ChangeLog
+++ b/WebCore/ChangeLog
@@ -1,3 +1,15 @@
+2010-01-18  Alexey Proskuryakov  <ap at apple.com>
+
+        Reviewed by Geoffrey Garen.
+
+        https://bugs.webkit.org/show_bug.cgi?id=33813
+        <rdar://problem/7545104> Crash when using DOMApplicationCache from a destroyed frame
+
+        Test: http/tests/appcache/destroyed-frame.html
+
+        * loader/appcache/DOMApplicationCache.cpp:
+        (WebCore::DOMApplicationCache::scriptExecutionContext): Return null when there is no frame.
+
 2010-01-18  Dan Bernstein  <mitz at apple.com>
 
         Reviewed by Darin Adler.
diff --git a/WebCore/loader/appcache/DOMApplicationCache.cpp b/WebCore/loader/appcache/DOMApplicationCache.cpp
index 29c1bd5..f51402c 100644
--- a/WebCore/loader/appcache/DOMApplicationCache.cpp
+++ b/WebCore/loader/appcache/DOMApplicationCache.cpp
@@ -87,8 +87,9 @@ void DOMApplicationCache::swapCache(ExceptionCode& ec)
 
 ScriptExecutionContext* DOMApplicationCache::scriptExecutionContext() const
 {
-    ASSERT(m_frame);
-    return m_frame->document();
+    if (m_frame)
+        return m_frame->document();
+    return 0;
 }
 
 const AtomicString& DOMApplicationCache::toEventType(ApplicationCacheHost::EventID id)
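Review bot: With the new `return 0;` path in scriptExecutionContext(), a null context becomes an ordinary result instead of an asserted-away case, so every caller that dereferences the returned pointer now needs its own null check; none of those callers is visible in this hunk. The guard is also only as strong as the invariant behind it: it presumes m_frame is reset to null when the frame is destroyed, which happens outside the hunk, and a stale non-null pointer would still be dereferenced. I would state the contract at the check, for example `// m_frame is null once the frame is destroyed; script can still hold this object, so callers must accept a null context.` It is also worth confirming that the other members of DOMApplicationCache that use m_frame (swapCache() is named in the hunk header) carry the same guard.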

-- 
WebKit Debian packaging


