[SCM] WebKit Debian packaging branch, debian/experimental, updated. upstream/1.3.3-9427-gc2be6fc

steveblock at google.com steveblock at google.com
Wed Dec 22 12:04:46 UTC 2010


The following commit has been merged in the debian/experimental branch:
commit 52ca7c02240478e607ce3424eae7f60cba60dd43
Author: steveblock at google.com <steveblock at google.com@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
Date:   Fri Aug 13 17:02:07 2010 +0000

    2010-08-13  Steve Block  <steveblock at google.com>
    
            Reviewed by Alexey Proskuryakov.
    
            Geolocation activity started after frame has been disconnected can cause crash
            https://bugs.webkit.org/show_bug.cgi?id=39879
    
            New requests started after the Frame has been disconnected are ignored. We do
            not invoke the error callback as this would allow buggy or malicious pages to
            hose the CPU. Such a page could hold a reference to a Geolocation object from
            a since closed Page and register new requests from the error callback to
            create an infinite loop.
    
            Tests: fast/dom/Geolocation/disconnected-frame-already.html
    
            * page/Geolocation.cpp:
    2010-08-13  Steve Block  <steveblock at google.com>
    
            Reviewed by Alexey Proskuryakov.
    
            Geolocation activity started after frame has been disconnected can cause crash
            https://bugs.webkit.org/show_bug.cgi?id=39879
    
            Added new tests to GTK skipped list.
    
            * fast/dom/Geolocation/disconnected-frame-already.html: Added.
            * fast/dom/Geolocation/disconnected-frame-already-expected.txt: Added.
            * fast/dom/Geolocation/script-tests/disconnected-frame-already.js: Added.
            * fast/dom/Geolocation/resources/disconnected-frame-already-inner1.html: Added.
            * fast/dom/Geolocation/resources/disconnected-frame-already-inner2.html: Added.
            * platform/gtk/Skipped:
    
    
    git-svn-id: http://svn.webkit.org/repository/webkit/trunk@65329 268f45cc-cd09-0410-ab3c-d52691b4dbfc

diff --git a/LayoutTests/ChangeLog b/LayoutTests/ChangeLog
index 8f20acb..59c9f6f 100644
--- a/LayoutTests/ChangeLog
+++ b/LayoutTests/ChangeLog
@@ -1,3 +1,19 @@
+2010-08-13  Steve Block  <steveblock at google.com>
+
+        Reviewed by Alexey Proskuryakov.
+
+        Geolocation activity started after frame has been disconnected can cause crash
+        https://bugs.webkit.org/show_bug.cgi?id=39879
+
+        Added new tests to GTK skipped list.
+
+        * fast/dom/Geolocation/disconnected-frame-already.html: Added.
+        * fast/dom/Geolocation/disconnected-frame-already-expected.txt: Added.
+        * fast/dom/Geolocation/script-tests/disconnected-frame-already.js: Added.
+        * fast/dom/Geolocation/resources/disconnected-frame-already-inner1.html: Added.
+        * fast/dom/Geolocation/resources/disconnected-frame-already-inner2.html: Added.
+        * platform/gtk/Skipped:
+
 2010-08-13  Ariya Hidayat  <ariya at sencha.com>
 
         Rubber-stamped by Simon Hausmann.
diff --git a/LayoutTests/fast/dom/Geolocation/disconnected-frame-already-expected.txt b/LayoutTests/fast/dom/Geolocation/disconnected-frame-already-expected.txt
new file mode 100644
index 0000000..12699cc
--- /dev/null
+++ b/LayoutTests/fast/dom/Geolocation/disconnected-frame-already-expected.txt
@@ -0,0 +1,10 @@
+Tests that when a request is made on a Geolocation object after its frame has been disconnected, no callbacks are made and no crash occurs.
+
+On success, you will see a series of "PASS" messages, followed by "TEST COMPLETE".
+
+
+Method called on Geolocation object with disconnected Frame.
+PASS successfullyParsed is true
+
+TEST COMPLETE
+
diff --git a/LayoutTests/fast/dom/Geolocation/disconnected-frame-already.html b/LayoutTests/fast/dom/Geolocation/disconnected-frame-already.html
new file mode 100644
index 0000000..6c7a7e9
--- /dev/null
+++ b/LayoutTests/fast/dom/Geolocation/disconnected-frame-already.html
@@ -0,0 +1,13 @@
+<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML//EN">
+<html>
+<head>
+<link rel="stylesheet" href="../../js/resources/js-test-style.css">
+<script src="../../js/resources/js-test-pre.js"></script>
+</head>
+<body>
+<p id="description"></p>
+<div id="console"></div>
+<script src="script-tests/disconnected-frame-already.js"></script>
+<script src="../../js/resources/js-test-post.js"></script>
+</body>
+</html>
diff --git a/LayoutTests/fast/dom/Geolocation/resources/disconnected-frame-already-inner1.html b/LayoutTests/fast/dom/Geolocation/resources/disconnected-frame-already-inner1.html
new file mode 100644
index 0000000..2cb7e80
--- /dev/null
+++ b/LayoutTests/fast/dom/Geolocation/resources/disconnected-frame-already-inner1.html
@@ -0,0 +1,8 @@
+<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML//EN">
+<html>
+  <head>
+  </head>
+  <body onload="window.parent.onFirstIframeLoaded()">
+    <p>This frame should be replaced before the test ends</p>
+  </body>
+</html>
diff --git a/LayoutTests/fast/dom/Geolocation/resources/disconnected-frame-already-inner2.html b/LayoutTests/fast/dom/Geolocation/resources/disconnected-frame-already-inner2.html
new file mode 100644
index 0000000..fb48795
--- /dev/null
+++ b/LayoutTests/fast/dom/Geolocation/resources/disconnected-frame-already-inner2.html
@@ -0,0 +1,8 @@
+<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML//EN">
+<html>
+  <head>
+  </head>
+  <body onload="window.parent.onSecondIframeLoaded()">
+    <p>This frame should be visible when the test completes</p>
+  </body>
+</html>
diff --git a/LayoutTests/fast/dom/Geolocation/script-tests/disconnected-frame-already.js b/LayoutTests/fast/dom/Geolocation/script-tests/disconnected-frame-already.js
new file mode 100644
index 0000000..b217641
--- /dev/null
+++ b/LayoutTests/fast/dom/Geolocation/script-tests/disconnected-frame-already.js
@@ -0,0 +1,35 @@
+description("Tests that when a request is made on a Geolocation object after its frame has been disconnected, no callbacks are made and no crash occurs.");
+
+if (window.layoutTestController) {
+    layoutTestController.setGeolocationPermission(true);
+    layoutTestController.setMockGeolocationPosition(51.478, -0.166, 100);
+}
+
+function onFirstIframeLoaded() {
+    iframeGeolocation = iframe.contentWindow.navigator.geolocation;
+    iframe.src = 'resources/disconnected-frame-already-inner2.html';
+}
+
+var error;
+function onSecondIframeLoaded() {
+    iframeGeolocation.getCurrentPosition(function () {
+        testFailed('Success callback invoked unexpectedly');
+        finishJSTest();
+    }, function(e) {
+        testFailed('Error callback invoked unexpectedly');
+        finishJSTest();
+    });
+    setTimeout(finishTest, 1000);
+}
+
+function finishTest() {
+    debug('Method called on Geolocation object with disconnected Frame.');
+    finishJSTest();
+}
+
+var iframe = document.createElement('iframe');
+iframe.src = 'resources/disconnected-frame-already-inner1.html';
+document.body.appendChild(iframe);
+
+window.jsTestIsAsync = true;
+window.successfullyParsed = true;
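Review bot: `onSecondIframeLoaded` only calls `getCurrentPosition` on the disconnected Geolocation object, so the `m_frame` guard this commit also adds to `watchPosition` has no regression coverage. Adding a second call there, `iframeGeolocation.watchPosition(...)` with the same two failing callbacks, would cover both entry points within the same one-second wait. Separately, `var error;` is declared but never used in this file, and `iframeGeolocation` is assigned in `onFirstIframeLoaded` without a declaration; a `var iframeGeolocation;` next to `var iframe` would make the shared state explicit.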
diff --git a/LayoutTests/platform/gtk/Skipped b/LayoutTests/platform/gtk/Skipped
index 4f5e687..b705647 100644
--- a/LayoutTests/platform/gtk/Skipped
+++ b/LayoutTests/platform/gtk/Skipped
@@ -5677,6 +5677,7 @@ storage/indexeddb
 fast/dom/Geolocation/callback-to-remote-context.html
 fast/dom/Geolocation/callback-to-remote-context2.html
 fast/dom/Geolocation/callback-to-deleted-context.html
+fast/dom/Geolocation/disconnected-frame-already.html
 
 # GTK+ theme-rendered widgets do not support CSS transforms
 # https://bugs.webkit.org/show_bug.cgi?id=40139
diff --git a/WebCore/ChangeLog b/WebCore/ChangeLog
index ddadf7c..931918d 100644
--- a/WebCore/ChangeLog
+++ b/WebCore/ChangeLog
@@ -1,3 +1,20 @@
+2010-08-13  Steve Block  <steveblock at google.com>
+
+        Reviewed by Alexey Proskuryakov.
+
+        Geolocation activity started after frame has been disconnected can cause crash
+        https://bugs.webkit.org/show_bug.cgi?id=39879
+
+        New requests started after the Frame has been disconnected are ignored. We do
+        not invoke the error callback as this would allow buggy or malicious pages to
+        hose the CPU. Such a page could hold a reference to a Geolocation object from
+        a since closed Page and register new requests from the error callback to
+        create an infinite loop.
+
+        Tests: fast/dom/Geolocation/disconnected-frame-already.html
+
+        * page/Geolocation.cpp:
+
 2010-08-13  Satish Sampath  <satish at chromium.org>
 
         Reviewed by Jeremy Orlow.
diff --git a/WebCore/page/Geolocation.cpp b/WebCore/page/Geolocation.cpp
index 20db4bf..bb55e3e 100644
--- a/WebCore/page/Geolocation.cpp
+++ b/WebCore/page/Geolocation.cpp
@@ -249,6 +249,9 @@ Geoposition* Geolocation::lastPosition()
 
 void Geolocation::getCurrentPosition(PassRefPtr<PositionCallback> successCallback, PassRefPtr<PositionErrorCallback> errorCallback, PassRefPtr<PositionOptions> options)
 {
+    if (!m_frame)
+        return;
+
     RefPtr<GeoNotifier> notifier = startRequest(successCallback, errorCallback, options);
     ASSERT(notifier);
 
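Review bot: The new `if (!m_frame) return;` drops the request without invoking either callback, and nothing in the code says why. The reasoning, that an error callback would let a page holding a Geolocation object from a closed Page re-register requests in a loop, is recorded only in the ChangeLog entry. A comment above the guard would keep it next to the code, e.g. `// Frame is disconnected: ignore the request. Do not call the error callback, which a page could use to re-issue requests in a loop.` The same comment is missing on the matching guard in `watchPosition` in the next hunk. The body of `getCurrentPosition` continues past the end of this hunk.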
@@ -257,6 +260,9 @@ void Geolocation::getCurrentPosition(PassRefPtr<PositionCallback> successCallbac
 
 int Geolocation::watchPosition(PassRefPtr<PositionCallback> successCallback, PassRefPtr<PositionErrorCallback> errorCallback, PassRefPtr<PositionOptions> options)
 {
+    if (!m_frame)
+        return 0;
+
     RefPtr<GeoNotifier> notifier = startRequest(successCallback, errorCallback, options);
     ASSERT(notifier);
 
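Review bot: `return 0;` hands script a watch ID for a request that was never registered, and this hunk does not show whether 0 can collide with an ID issued to a real watcher. If IDs are allocated starting from 1, a comment should say so, e.g. `// 0 is never a valid watch ID, so a later clearWatch(0) matches nothing.` If 0 can be a real ID, the guard should return a value that `clearWatch` cannot match, so a stale object cannot cancel a live watcher. The rest of `watchPosition` lies outside the hunk.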

-- 
WebKit Debian packaging


