[SCM] WebKit Debian packaging branch, debian/experimental, updated. upstream/1.3.3-9427-gc2be6fc

abarth at webkit.org abarth at webkit.org
Wed Dec 22 12:07:23 UTC 2010


The following commit has been merged in the debian/experimental branch:
commit 37e1f5a4de1a10ec5ff70bc8670e49c41215add3
Author: abarth at webkit.org <abarth at webkit.org@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
Date:   Sun Aug 15 15:34:25 2010 +0000

    2010-08-15  Adam Barth  <abarth at webkit.org>
    
            Reviewed by Eric Seidel.
    
            Don't try to replace a non-existent document after executing JavaScript URLs
            https://bugs.webkit.org/show_bug.cgi?id=44024
    
            Test what happens if a JavaScript URL returns a value after deleting
            the frame it was supposed to operate on.
    
            * fast/frames/javascript-url-for-deleted-frame-expected.txt: Added.
            * fast/frames/javascript-url-for-deleted-frame.html: Added.
    2010-08-15  Adam Barth  <abarth at webkit.org>
    
            Reviewed by Eric Seidel.
    
            Don't try to replace a non-existent document after executing JavaScript URLs
            https://bugs.webkit.org/show_bug.cgi?id=44024
    
            Synchronous JavaScript execution is evil.  Previously, the frame was
            deleted after executing the JavaScript URL, so we'd get confused when
            we tried to replace its document.
    
            Test: fast/frames/javascript-url-for-deleted-frame.html
    
            * bindings/ScriptControllerBase.cpp:
            (WebCore::ScriptController::executeIfJavaScriptURL):
    
    git-svn-id: http://svn.webkit.org/repository/webkit/trunk@65381 268f45cc-cd09-0410-ab3c-d52691b4dbfc

diff --git a/LayoutTests/ChangeLog b/LayoutTests/ChangeLog
index f13a0a5..3bf0c73 100644
--- a/LayoutTests/ChangeLog
+++ b/LayoutTests/ChangeLog
@@ -1,3 +1,16 @@
+2010-08-15  Adam Barth  <abarth at webkit.org>
+
+        Reviewed by Eric Seidel.
+
+        Don't try to replace a non-existent document after executing JavaScript URLs
+        https://bugs.webkit.org/show_bug.cgi?id=44024
+
+        Test what happens if a JavaScript URL returns a value after deleting
+        the frame it was supposed to operate on.
+
+        * fast/frames/javascript-url-for-deleted-frame-expected.txt: Added.
+        * fast/frames/javascript-url-for-deleted-frame.html: Added.
+
 2010-08-14  Martin Robinson  <mrobinson at igalia.com>
 
         [GTK] Some test results are one pixel different between the x86_64 and i386 bots
diff --git a/LayoutTests/fast/frames/javascript-url-for-deleted-frame-expected.txt b/LayoutTests/fast/frames/javascript-url-for-deleted-frame-expected.txt
new file mode 100644
index 0000000..730ebf6
--- /dev/null
+++ b/LayoutTests/fast/frames/javascript-url-for-deleted-frame-expected.txt
@@ -0,0 +1 @@
+This test passes if it doesn't crash.
diff --git a/LayoutTests/fast/frames/javascript-url-for-deleted-frame.html b/LayoutTests/fast/frames/javascript-url-for-deleted-frame.html
new file mode 100644
index 0000000..d827463
--- /dev/null
+++ b/LayoutTests/fast/frames/javascript-url-for-deleted-frame.html
@@ -0,0 +1,14 @@
+<body>
+<script>
+if (window.layoutTestController)
+    layoutTestController.dumpAsText();
+
+var ifr = document.createElement('iframe');
+ifr.setAttribute('src', 'javascript:parent.boom(), "<div>Crash?</div>"');
+document.body.appendChild(ifr);
+
+function boom() {
+    document.body.removeChild(ifr);
+}
+</script>
+This test passes if it doesn't crash.
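Review bot: the only pass condition here is "doesn't crash", so the test would keep passing if a regression left the frame attached or skipped `boom()` entirely. Consider making the HTML record that `boom()` actually ran and that the iframe is gone afterwards (for example appending a line such as "PASS: frame removed during javascript: URL" inside `boom()`), so the expected output checks the behaviour the ChangeLog describes, not just the absence of a crash. The `javascript:parent.boom(), "<div>Crash?</div>"` comma expression is what makes the URL return a string and reach the document-replacement path after the frame is removed; a short comment saying so would help readers of the test.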
diff --git a/WebCore/ChangeLog b/WebCore/ChangeLog
index b474357..a4da24f 100644
--- a/WebCore/ChangeLog
+++ b/WebCore/ChangeLog
@@ -1,3 +1,19 @@
+2010-08-15  Adam Barth  <abarth at webkit.org>
+
+        Reviewed by Eric Seidel.
+
+        Don't try to replace a non-existent document after executing JavaScript URLs
+        https://bugs.webkit.org/show_bug.cgi?id=44024
+
+        Synchronous JavaScript execution is evil.  Previously, the frame was
+        deleted after executing the JavaScript URL, so we'd get confused when
+        we tried to replace its document.
+
+        Test: fast/frames/javascript-url-for-deleted-frame.html
+
+        * bindings/ScriptControllerBase.cpp:
+        (WebCore::ScriptController::executeIfJavaScriptURL):
+
 2010-08-14  Sheriff Bot  <webkit.review.bot at gmail.com>
 
         Unreviewed, rolling out r65374.
diff --git a/WebCore/bindings/ScriptControllerBase.cpp b/WebCore/bindings/ScriptControllerBase.cpp
index 9bea8ae..01911d8 100644
--- a/WebCore/bindings/ScriptControllerBase.cpp
+++ b/WebCore/bindings/ScriptControllerBase.cpp
@@ -72,12 +72,19 @@ bool ScriptController::executeIfJavaScriptURL(const KURL& url, bool userGesture,
     if (!protocolIsJavaScript(url))
         return false;
 
-    if (m_frame->page() && !m_frame->page()->javaScriptURLsAreAllowed())
+    if (!m_frame->page())
+        return true;
+
+    if (!m_frame->page()->javaScriptURLsAreAllowed())
         return true;
 
     if (m_frame->inViewSourceMode())
         return true;
 
+    // We need to hold onto the Frame here because executing script can
+    // destroy the frame.
+    RefPtr<Frame> protector(m_frame);
+
     const int javascriptSchemeLength = sizeof("javascript:") - 1;
 
     String decodedURL = decodeURLEscapeSequences(url.string());
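Review bot: splitting `if (m_frame->page() && !m_frame->page()->javaScriptURLsAreAllowed())` into two separate early returns changes behaviour for a frame that has no page: before, such a frame fell through and the script was executed; now the URL is reported as handled (`return true`) without running it. That looks intentional, but the ChangeLog only mentions the post-execution check, so it is worth a sentence there (or a comment above the new `if (!m_frame->page()) return true;`) explaining why a page-less frame should not execute javascript: URLs at all. The `RefPtr<Frame> protector(m_frame);` is correctly placed after the early returns and before `executeScript`, which is the only spot where script can run and tear the frame down.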
@@ -85,6 +92,11 @@ bool ScriptController::executeIfJavaScriptURL(const KURL& url, bool userGesture,
     if (xssAuditor()->canEvaluateJavaScriptURL(decodedURL))
         result = executeScript(decodedURL.substring(javascriptSchemeLength), userGesture, AllowXSS);
 
+    // If executing script caused this frame to be removed from the page, we
+    // don't want to try to replace its document!
+    if (!m_frame->page())
+        return true;
+
     String scriptResult;
 #if USE(JSC)
     JSDOMWindowShell* shell = windowShell(mainThreadNormalWorld());
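Review bot: the `if (!m_frame->page()) return true;` after `executeScript` is only memory-safe because `protector` from the previous hunk keeps the `Frame` alive; otherwise `m_frame` could already be freed when `page()` is called. The comment here should say that explicitly ("the frame is kept alive by protector above; page() is null once it has been detached") so a later refactor that moves or removes the `RefPtr` does not silently reintroduce the use-after-free this patch fixes. Note also that this return path discards `result` even when the XSS auditor allowed the script and it produced a value, which is the intended outcome described in the ChangeLog but deserves a word in the comment.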
