[SCM] WebKit Debian packaging branch, debian/experimental, updated. upstream/1.3.3-9427-gc2be6fc

yael.aharon at nokia.com
Wed Dec 22 11:23:45 UTC 2010


The following commit has been merged in the debian/experimental branch:
commit 8e4f97d95df1d7ca626b931d52deba0a9bedfd37
Author: yael.aharon at nokia.com <yael.aharon at nokia.com@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
Date:   Wed Jul 21 18:38:12 2010 +0000

    2010-07-21  Yael Aharon  <yael.aharon at nokia.com>
    
            Reviewed by Darin Adler.
    
            Crash in Notification::disconnectFrame() triggered by Frame::lifeSupportTimerFired()
            https://bugs.webkit.org/show_bug.cgi?id=42534
    
            Call NotificationsCenter::disconnectFrame() when the frame is disconnected from the page.
            Calling it from the destructor of Frame is too late and sometimes causes access violation.
            I was not able to reproduce this crash, so did not add new tests.
            This patch is based on the error reported in
            http://code.google.com/p/chromium/issues/detail?id=49323.
    
            * page/DOMWindow.cpp:
            (WebCore::DOMWindow::pageDestroyed):
            * page/DOMWindow.h:
            * page/Frame.cpp:
            (WebCore::Frame::pageDestroyed):
    
    git-svn-id: http://svn.webkit.org/repository/webkit/trunk@63847 268f45cc-cd09-0410-ab3c-d52691b4dbfc

diff --git a/WebCore/ChangeLog b/WebCore/ChangeLog
index f91dee4..88874ea 100644
--- a/WebCore/ChangeLog
+++ b/WebCore/ChangeLog
@@ -1,3 +1,22 @@
+2010-07-21  Yael Aharon  <yael.aharon at nokia.com>
+
+        Reviewed by Darin Adler.
+
+        Crash in Notification::disconnectFrame() triggered by Frame::lifeSupportTimerFired()
+        https://bugs.webkit.org/show_bug.cgi?id=42534
+
+        Call NotificationsCenter::disconnectFrame() when the frame is disconnected from the page.
+        Calling it from the destructor of Frame is too late and sometimes causes access violation.
+        I was not able to reproduce this crash, so did not add new tests.
+        This patch is based on the error reported in 
+        http://code.google.com/p/chromium/issues/detail?id=49323.
+
+        * page/DOMWindow.cpp:
+        (WebCore::DOMWindow::pageDestroyed):
+        * page/DOMWindow.h:
+        * page/Frame.cpp:
+        (WebCore::Frame::pageDestroyed):
+
 2010-07-21  Anders Carlsson  <andersca at apple.com>
 
         Reviewed by Sam Weinig.
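Review bot: The file list in this ChangeLog entry omits notifications/NotificationCenter.cpp, which the patch also modifies (the new guard in NotificationCenter::disconnectFrame), so it needs its own `* notifications/NotificationCenter.cpp:` line. The entry also names the class two different ways, "Notification::disconnectFrame()" in the title and "NotificationsCenter::disconnectFrame()" in the description, while the code calls it NotificationCenter; use the real name so the entry can be found by search. The line "This patch is based on the error reported in " carries trailing whitespace.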
diff --git a/WebCore/notifications/NotificationCenter.cpp b/WebCore/notifications/NotificationCenter.cpp
index f9672ad..ec70f0a 100644
--- a/WebCore/notifications/NotificationCenter.cpp
+++ b/WebCore/notifications/NotificationCenter.cpp
@@ -61,6 +61,11 @@ void NotificationCenter::requestPermission(PassRefPtr<VoidCallback> callback)
 
 void NotificationCenter::disconnectFrame()
 {
+    // m_notificationPresenter should never be 0. But just to be safe, we check it here.
+    // Due to the mysterious bug http://code.google.com/p/chromium/issues/detail?id=49323.
+    ASSERT(m_notificationPresenter);
+    if (!m_notificationPresenter)
+        return;
     m_notificationPresenter->cancelRequestsForPermission(m_scriptExecutionContext);
     m_notificationPresenter = 0;
 }
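Review bot: The added comment says m_notificationPresenter "should never be 0", but the last statement of this same function sets `m_notificationPresenter = 0;`, so any second call to disconnectFrame() on the same object will hit the ASSERT in debug builds and silently return in release builds. Since the patch adds a new caller (DOMWindow::pageDestroyed) and does not show the older destructor-time call being removed, a repeat call looks like an expected state rather than an invariant violation. Either drop the ASSERT and keep only the early return, or confirm that exactly one call path remains. The comment would also be more useful if it stated the known cause (disconnect can run twice, or after the presenter is gone) and cited https://bugs.webkit.org/show_bug.cgi?id=42534 instead of a "mysterious bug".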
diff --git a/WebCore/page/DOMWindow.cpp b/WebCore/page/DOMWindow.cpp
index 062d0df..ad635a6 100644
--- a/WebCore/page/DOMWindow.cpp
+++ b/WebCore/page/DOMWindow.cpp
@@ -673,6 +673,17 @@ NotificationCenter* DOMWindow::webkitNotifications() const
 }
 #endif
 
+void DOMWindow::pageDestroyed()
+{
+#if ENABLE(NOTIFICATIONS)
+    // Clearing Notifications requests involves accessing the client so it must be done
+    // before the frame is detached.
+    if (m_notifications)
+        m_notifications->disconnectFrame();
+    m_notifications = 0;
+#endif
+}
+
 #if ENABLE(INDEXED_DATABASE)
 IndexedDatabaseRequest* DOMWindow::indexedDB() const
 {
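Review bot: The comment in DOMWindow::pageDestroyed() says the cleanup must run "before the frame is detached", yet the only caller added by this patch is Frame::pageDestroyed(), and the change description says the Frame destructor path is too late. The diff does not show that destructor-time disconnectFrame() call being removed, so please confirm whether it still exists; if it does, it now reaches a NotificationCenter whose presenter was already cleared, or never runs because m_notifications is 0, and should be deleted. Rewording the comment to name the actual trigger (the page going away while the client is still valid) would match the function name.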
diff --git a/WebCore/page/DOMWindow.h b/WebCore/page/DOMWindow.h
index beb2f7d..69d7428 100644
--- a/WebCore/page/DOMWindow.h
+++ b/WebCore/page/DOMWindow.h
@@ -228,6 +228,8 @@ namespace WebCore {
         NotificationCenter* webkitNotifications() const;
 #endif
 
+        void pageDestroyed();
+
 #if ENABLE(INDEXED_DATABASE)
         IndexedDatabaseRequest* indexedDB() const;
 #endif
diff --git a/WebCore/page/Frame.cpp b/WebCore/page/Frame.cpp
index f558fc1..cbf472d 100644
--- a/WebCore/page/Frame.cpp
+++ b/WebCore/page/Frame.cpp
@@ -1347,6 +1347,9 @@ void Frame::pageDestroyed()
     if (Frame* parent = tree()->parent())
         parent->loader()->checkLoadComplete();
 
+    if (m_domWindow)
+        m_domWindow->pageDestroyed();
+
     // FIXME: It's unclear as to why this is called more than once, but it is,
     // so page() could be NULL.
     if (page() && page()->focusController()->focusedFrame() == this)
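Review bot: The new `m_domWindow->pageDestroyed();` call sits directly above a FIXME stating that Frame::pageDestroyed() is called more than once, and it is placed before the `page()` null check, so it runs on every invocation. That is safe today only because DOMWindow::pageDestroyed() sets m_notifications to 0 after the first call; a short comment here stating that DOMWindow::pageDestroyed() must stay idempotent would keep a later addition to that function from touching the client on a repeat call when page() is already NULL. The change also lands without a regression test, so a debug-build check of the repeat-call path would be worth adding if a reproduction turns up.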

-- 
WebKit Debian packaging


