[SCM] WebKit Debian packaging branch, webkit-1.2, updated. upstream/1.1.90-6072-g9a69373

beidson at apple.com beidson at apple.com
Thu Apr 8 01:14:41 UTC 2010


The following commit has been merged in the webkit-1.2 branch:
commit 62b5cc5a5f9b4dc606c4e0f501e39a97c396e3e1
Author: beidson at apple.com <beidson at apple.com@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
Date:   Tue Jan 19 18:17:50 2010 +0000

    Crash in Page::backForwardList when using History object from a detached window
    <rdar://problem/7556252> and https://bugs.webkit.org/show_bug.cgi?id=33828
    
    Reviewed by Alexey Proskuryakov.
    
    WebCore:
    
    Test: fast/loader/stateobjects/state-api-on-detached-frame-crash.html
    
    * page/History.cpp:
    (WebCore::History::stateObjectAdded): Do an early return when detached. The spec
      doesn't really cover expected behavior and we already do something similar in
      other places, such as in History::length().
    
    LayoutTests:
    
    * fast/loader/stateobjects/state-api-on-detached-frame-crash-expected.txt: Added.
    * fast/loader/stateobjects/state-api-on-detached-frame-crash.html: Added.
    
    
    
    git-svn-id: http://svn.webkit.org/repository/webkit/trunk@53472 268f45cc-cd09-0410-ab3c-d52691b4dbfc

diff --git a/LayoutTests/ChangeLog b/LayoutTests/ChangeLog
index 5c74049..c5f6b2a 100644
--- a/LayoutTests/ChangeLog
+++ b/LayoutTests/ChangeLog
@@ -1,3 +1,13 @@
+2010-01-19  Brady Eidson  <beidson at apple.com>
+
+        Reviewed by Alexey Proskuryakov.
+
+        Crash in Page::backForwardList when using History object from a detached window
+        <rdar://problem/7556252> and https://bugs.webkit.org/show_bug.cgi?id=33828
+
+        * fast/loader/stateobjects/state-api-on-detached-frame-crash-expected.txt: Added.
+        * fast/loader/stateobjects/state-api-on-detached-frame-crash.html: Added.
+
 2010-01-19  Yury Semikhatsky  <yurys at chromium.org>
 
         Reviewed by NOBODY (build fix).
diff --git a/LayoutTests/fast/loader/stateobjects/state-api-on-detached-frame-crash-expected.txt b/LayoutTests/fast/loader/stateobjects/state-api-on-detached-frame-crash-expected.txt
new file mode 100644
index 0000000..3eaff39
--- /dev/null
+++ b/LayoutTests/fast/loader/stateobjects/state-api-on-detached-frame-crash-expected.txt
@@ -0,0 +1 @@
+If this test doesn't crash, it passed.
diff --git a/LayoutTests/fast/loader/stateobjects/state-api-on-detached-frame-crash.html b/LayoutTests/fast/loader/stateobjects/state-api-on-detached-frame-crash.html
new file mode 100644
index 0000000..8ecca69
--- /dev/null
+++ b/LayoutTests/fast/loader/stateobjects/state-api-on-detached-frame-crash.html
@@ -0,0 +1,29 @@
+<html>
+<script>
+
+if (window.layoutTestController)
+    layoutTestController.dumpAsText();
+
+function runTest()
+{
+    var ifr = frames[0];
+    document.body.removeChild(document.getElementsByTagName("iframe")[0])
+    try {
+        ifr.history.replaceState("foo", "bar");
+    } catch(e) {
+        alert(e);
+    }
+    try {
+        ifr.history.pushState("fu", "barred");
+    } catch(e) {
+        alert(e);
+    }   
+}
+
+</script>
+<body onload="runTest();">
+If this test doesn't crash, it passed.
+<iframe src="about:blank">
+</iframe>
+</body>
+</html>
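Review bot: the `document.body.removeChild(...)` statement in runTest() is missing its terminating semicolon, and the closing `}` of the second catch block carries trailing whitespace. The test also passes only if neither `alert(e)` fires, since the expected file holds just the one line of body text; a short comment in the script saying that no exception is expected from either replaceState or pushState on the removed iframe would make a future failure easier to interpret.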
diff --git a/WebCore/ChangeLog b/WebCore/ChangeLog
index 6121d4f..4eb33fc 100644
--- a/WebCore/ChangeLog
+++ b/WebCore/ChangeLog
@@ -1,3 +1,17 @@
+2010-01-19  Brady Eidson  <beidson at apple.com>
+
+        Reviewed by Alexey Proskuryakov.
+
+        Crash in Page::backForwardList when using History object from a detached window
+        <rdar://problem/7556252> and https://bugs.webkit.org/show_bug.cgi?id=33828
+
+        Test: fast/loader/stateobjects/state-api-on-detached-frame-crash.html
+
+        * page/History.cpp:
+        (WebCore::History::stateObjectAdded): Do an early return when detached. The spec
+          doesn't really cover expected behavior and we already do something similar in 
+          other places, such as in History::length().
+
 2010-01-19  Yury Semikhatsky  <yurys at chromium.org>
 
         Reviewed by NOBODY (build fix).
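Review bot: the added ChangeLog line ending "something similar in" has trailing whitespace after "in"; please strip it. The entry would also be more useful if it stated that the call becomes a silent no-op on a detached frame, because "early return" alone does not tell a reader that no exception is raised.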
diff --git a/WebCore/page/History.cpp b/WebCore/page/History.cpp
index ea9819e..f352bc9 100644
--- a/WebCore/page/History.cpp
+++ b/WebCore/page/History.cpp
@@ -98,9 +98,8 @@ KURL History::urlForState(const String& urlString)
 
 void History::stateObjectAdded(PassRefPtr<SerializedScriptValue> data, const String& title, const String& urlString, StateObjectType stateObjectType, ExceptionCode& ec)
 {
-    if (!m_frame)
+    if (!m_frame || !m_frame->page())
         return;
-    ASSERT(m_frame->page());
     
     KURL fullURL = urlForState(urlString);
     if (!fullURL.isValid()) {
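Review bot: the early return at `if (!m_frame || !m_frame->page())` leaves `ec` untouched, so a script calling pushState or replaceState through a detached frame's History object gets neither an exception nor any effect, and nothing in the code says this is intentional. A one-line comment above the check stating that a detached frame is deliberately a silent no-op, matching History::length() as the ChangeLog notes, would stop the condition from being turned back into an assertion later. Removing the ASSERT itself is right: it is compiled out of release builds, so it never guarded this script-reachable path there.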

-- 
WebKit Debian packaging


