[SCM] WebKit Debian packaging branch, debian/experimental, updated. upstream/1.3.3-9427-gc2be6fc

bweinstein at apple.com bweinstein at apple.com
Wed Dec 22 13:55:59 UTC 2010


The following commit has been merged in the debian/experimental branch:
commit 15e6c2d7d127da75edc05efdd22bbbe3dc33ab6c
Author: bweinstein at apple.com <bweinstein at apple.com@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
Date:   Wed Sep 29 22:59:49 2010 +0000

    REGRESSION (r66129): Loading full-frame .swf file crashes with flash blocker extension enabled
    <https://bugs.webkit.org/show_bug.cgi?id=46773>
    <rdar://problem/8390975>
    
    Reviewed by Brady Eidson.
    
    WebCore:
    
    After r66129, start scripts were run on plugin documents, and cancelling the load of a plugin
    document could cause Safari to crash.
    
    If a plugin load on an initial document is cancelled, we cancel the main resource load (where the
    main resource is the plugin), and if the load is restarted and allowed, we don't go through the manual
    loading path like we do on the initial load of a plugin in a plugin document.
    
    Tests: plugins/plugin-document-load-prevented-userscript.html
           plugins/plugin-document-willSendRequest-null.html
    
    * html/HTMLEmbedElement.cpp:
    (WebCore::HTMLEmbedElement::updateWidget): If the plugin load was cancelled, and this is in a
        plugin document, call a function on PluginDocument that cancels the main resource load, and
        sets a plugin document flag.
    * html/PluginDocument.cpp:
    (WebCore::PluginDocumentParser::appendBytes): Null check the widget's renderer, because it could be
        null if the load was cancelled.
    (WebCore::PluginDocument::PluginDocument): Initialize the new variable.
    (WebCore::PluginDocument::cancelManualPluginLoad): Cancel the main resource load of the plugin document
        (which is a plugin in the case of a plugin document).
    * html/PluginDocument.h:
    (WebCore::PluginDocument::shouldLoadPluginManually): Returns whether or not we should load the plugin
        manually.
    (WebCore::PluginDocument::setShouldLoadPluginManually): Set whether or not we should load the plugin
        manually.
    (WebCore::toPluginDocument):
    * loader/SubframeLoader.cpp:
    (WebCore::SubframeLoader::loadPlugin): Check if we should load the plugin manually according to the plugin
        document.
    
    LayoutTests:
    
    Add tests testing how plugin documents behave when the loading of their plugins is cancelled.
    
    * plugins/plugin-document-load-prevented-userscript-expected.txt: Added.
    * plugins/plugin-document-load-prevented-userscript.html: Added. Tests cancelling the load of a
        plugin in a plugin document using beforeload and preventDefault.
    * plugins/plugin-document-willSendRequest-null-expected.txt: Added.
    * plugins/plugin-document-willSendRequest-null.html: Added. Tests cancelling the load of a plugin
        in a plugin document by having willSendRequest return null.
    
    
    
    git-svn-id: http://svn.webkit.org/repository/webkit/trunk@68702 268f45cc-cd09-0410-ab3c-d52691b4dbfc

diff --git a/LayoutTests/ChangeLog b/LayoutTests/ChangeLog
index 6f99c12..b52900d 100644
--- a/LayoutTests/ChangeLog
+++ b/LayoutTests/ChangeLog
@@ -1,3 +1,20 @@
+2010-09-29  Brian Weinstein  <bweinstein at apple.com>
+
+        Reviewed by Brady Eidson.
+
+        REGRESSION (r66129): Loading full-frame .swf file crashes with flash blocker extension enabled
+        <https://bugs.webkit.org/show_bug.cgi?id=46773>
+        <rdar://problem/8390975>
+        
+        Add tests testing how plugin documents behave when the loading of their plugins are cancelled.
+
+        * plugins/plugin-document-load-prevented-userscript-expected.txt: Added.
+        * plugins/plugin-document-load-prevented-userscript.html: Added. Tests cancelling the load of a 
+            plugin in a plugin document using beforeload and preventDefault.
+        * plugins/plugin-document-willSendRequest-null-expected.txt: Added.
+        * plugins/plugin-document-willSendRequest-null.html: Added. Tests cancelling the load of a plugin
+            in a plugin document by having willSendRequest return null.
+
 2010-09-29  MORITA Hajime  <morrita at google.com>
 
         Reviewed by Eric Seidel.
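Review bot: grammar in the description line of this entry: "when the loading of their plugins are cancelled" should read "is cancelled" (the subject is "loading"); the same sentence appears in the WebCore/ChangeLog entry, so fix it there too. The wrapped "Added." line for plugin-document-load-prevented-userscript.html also carries trailing whitespace ("the load of a ").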
diff --git a/LayoutTests/plugins/plugin-document-load-prevented-userscript-expected.txt b/LayoutTests/plugins/plugin-document-load-prevented-userscript-expected.txt
new file mode 100644
index 0000000..8bd3054
--- /dev/null
+++ b/LayoutTests/plugins/plugin-document-load-prevented-userscript-expected.txt
@@ -0,0 +1 @@
+This tests https://bugs.webkit.org/show_bug.cgi?id=46773 by having the load of the plugin inside the plugin document be cancelled. If there is no crash, the test passed.  
diff --git a/LayoutTests/plugins/plugin-document-load-prevented-userscript.html b/LayoutTests/plugins/plugin-document-load-prevented-userscript.html
new file mode 100644
index 0000000..28f2914
--- /dev/null
+++ b/LayoutTests/plugins/plugin-document-load-prevented-userscript.html
@@ -0,0 +1,15 @@
+<html>
+<head>
+    <script>
+        if (window.layoutTestController) {
+            window.layoutTestController.dumpAsText();
+            window.layoutTestController.addUserScript("document.addEventListener('beforeload', function(event) { if (event.url.indexOf('swf') >= 0) event.preventDefault(); }, true);", true, true);
+        }
+    </script>
+</head>
+<body>
+    This tests https://bugs.webkit.org/show_bug.cgi?id=46773 by having the load of the plugin
+    inside the plugin document be cancelled. If there is no crash, the test passed.
+    <iframe src="resources/simple_blank.swf"></iframe>
+</body>
+</html>
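Review bot: the test only distinguishes "crash" from "no crash"; the expected output does not record that the plugin load was actually prevented, so a regression that silently ignored preventDefault() in plugin documents would still pass. Consider having the body additionally report whether the beforeload handler fired for the .swf URL, so the expectation covers the cancellation itself as well as the absence of a crash. The `event.url.indexOf('swf') >= 0` match is loose but adequate for a test with a single .swf resource.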
diff --git a/LayoutTests/plugins/plugin-document-willSendRequest-null-expected.txt b/LayoutTests/plugins/plugin-document-willSendRequest-null-expected.txt
new file mode 100644
index 0000000..0963662
--- /dev/null
+++ b/LayoutTests/plugins/plugin-document-willSendRequest-null-expected.txt
@@ -0,0 +1 @@
+This tests https://bugs.webkit.org/show_bug.cgi?id=46773 by having willSendRequest on the plugin document return null. If there is no crash, the test passed.  
diff --git a/LayoutTests/plugins/plugin-document-willSendRequest-null.html b/LayoutTests/plugins/plugin-document-willSendRequest-null.html
new file mode 100644
index 0000000..b5d376e
--- /dev/null
+++ b/LayoutTests/plugins/plugin-document-willSendRequest-null.html
@@ -0,0 +1,15 @@
+<html>
+<head>
+    <script>        
+        if (window.layoutTestController) {
+            layoutTestController.dumpAsText();
+            layoutTestController.setWillSendRequestReturnsNull(true);
+        }
+    </script>
+</head>
+<body>
+    This tests https://bugs.webkit.org/show_bug.cgi?id=46773 by having willSendRequest on the
+    plugin document return null. If there is no crash, the test passed.
+    <iframe src="resources/simple_blank.swf"></iframe>
+</body>
+</html>
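Review bot: trailing whitespace after `<script>` on the first script line. This file also calls `layoutTestController.dumpAsText()` without the `window.` prefix that its sibling test uses; pick one form for both tests. Same limitation as the sibling: passing on "no crash" alone, with nothing in the output showing that willSendRequest returning null took effect.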
diff --git a/WebCore/ChangeLog b/WebCore/ChangeLog
index 2a54f92..1f494ce 100644
--- a/WebCore/ChangeLog
+++ b/WebCore/ChangeLog
@@ -1,3 +1,41 @@
+2010-09-29  Brian Weinstein  <bweinstein at apple.com>
+
+        Reviewed by Brady Eidson.
+
+        REGRESSION (r66129): Loading full-frame .swf file crashes with flash blocker extension enabled
+        <https://bugs.webkit.org/show_bug.cgi?id=46773>
+        <rdar://problem/8390975>
+        
+        After r66129, start scripts were run on plugin documents, and cancelling the load of a plugin
+        document could cause Safari to crash.
+        
+        If a plugin load on an initial document is cancelled, we cancel the main resource load (where the
+        main resource is the plugin), and if the load is restarted and allowed, we don't go through the manual
+        loading path like we do on the initial load of a plugin in a plugin document.
+
+        Tests: plugins/plugin-document-load-prevented-userscript.html
+               plugins/plugin-document-willSendRequest-null.html
+
+        * html/HTMLEmbedElement.cpp:
+        (WebCore::HTMLEmbedElement::updateWidget): If the plugin load was cancelled, and this is in a
+            plugin document, call a function on PluginDocument that cancels the main resource load, and
+            sets a plugin document flag.
+        * html/PluginDocument.cpp:
+        (WebCore::PluginDocumentParser::appendBytes): Null check the widget's renderer, because it could be
+            null if the load was cancelled.
+        (WebCore::PluginDocument::PluginDocument): Initialize the new variable.
+        (WebCore::PluginDocument::cancelManualPluginLoad): Cancel the main resource load of the plugin document
+            (which is a plugin in the case of a plugin document).
+        * html/PluginDocument.h:
+        (WebCore::PluginDocument::shouldLoadPluginManually): Returns whether or not we should load the plugin
+            manually.
+        (WebCore::PluginDocument::setShouldLoadPluginManually): Set whether or not we should load the plugin
+            manually.
+        (WebCore::toPluginDocument):
+        * loader/SubframeLoader.cpp:
+        (WebCore::SubframeLoader::loadPlugin): Check if we should load the plugin manually according to the plugin
+            document.
+
 2010-09-29  David Hyatt  <hyatt at apple.com>
 
         Reviewed by Sam Weinig.
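Review bot: the `(WebCore::toPluginDocument):` entry has no description while every other entry says what changed; it should note that the casting helpers were added (non-const and const overloads, plus the deliberately unimplemented overload that catches unnecessary casts). Same grammar nit as the LayoutTests entry: "loading of their plugins are cancelled" should be "is cancelled".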
diff --git a/WebCore/html/HTMLEmbedElement.cpp b/WebCore/html/HTMLEmbedElement.cpp
index e88ee81..74df57d 100644
--- a/WebCore/html/HTMLEmbedElement.cpp
+++ b/WebCore/html/HTMLEmbedElement.cpp
@@ -27,11 +27,14 @@
 #include "Attribute.h"
 #include "CSSHelper.h"
 #include "CSSPropertyNames.h"
+#include "DocumentLoader.h"
 #include "Frame.h"
 #include "HTMLDocument.h"
 #include "HTMLImageLoader.h"
 #include "HTMLNames.h"
 #include "HTMLObjectElement.h"
+#include "MainResourceLoader.h"
+#include "PluginDocument.h"
 #include "RenderEmbeddedObject.h"
 #include "RenderImage.h"
 #include "RenderWidget.h"
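Review bot: `DocumentLoader.h` and `MainResourceLoader.h` look unused in this file after the change; the only new call is `toPluginDocument(document())->cancelManualPluginLoad()`, which needs just `PluginDocument.h` (the loader chain is dereferenced inside PluginDocument.cpp, not here). Drop the two includes unless something else in this file needs them.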
@@ -158,8 +161,15 @@ void HTMLEmbedElement::updateWidget(bool onlyCreateNonNetscapePlugins)
     Vector<String> paramValues;
     parametersForPlugin(paramNames, paramValues);
 
-    if (!dispatchBeforeLoadEvent(m_url))
+    if (!dispatchBeforeLoadEvent(m_url)) {
+        if (document()->isPluginDocument()) {
+            // Plugins inside plugin documents load differently than other plugins. By the time
+            // we are here in a plugin document, the load of the plugin (which is the plugin document's
+            // main resource) has already started. We need to explicitly cancel the main resource load here.
+            toPluginDocument(document())->cancelManualPluginLoad();
+        }
         return;
+    }
 
     SubframeLoader* loader = document()->frame()->loader()->subframeLoader();
     // FIXME: beforeLoad could have detached the renderer!  Just like in the <object> case above.
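Review bot: the new branch runs after `dispatchBeforeLoadEvent(m_url)` has executed arbitrary page script, and the FIXME on the next line already warns that the renderer may have been detached by then; the same script can also navigate or detach the frame, and `cancelManualPluginLoad()` dereferences `frame()` without a null check. Either test `document()->frame()` here before calling into the plugin document, or make `cancelManualPluginLoad()` tolerate a null frame.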
diff --git a/WebCore/html/PluginDocument.cpp b/WebCore/html/PluginDocument.cpp
index ad11dfb..ee51b23 100644
--- a/WebCore/html/PluginDocument.cpp
+++ b/WebCore/html/PluginDocument.cpp
@@ -125,8 +125,13 @@ void PluginDocumentParser::appendBytes(DocumentWriter*, const char*, int, bool)
     document()->updateLayout();
 
     if (RenderPart* renderer = m_embedElement->renderPart()) {
-        frame->loader()->client()->redirectDataToPlugin(renderer->widget());
-        frame->loader()->activeDocumentLoader()->mainResourceLoader()->setShouldBufferData(false);
+        if (Widget* widget = renderer->widget()) {
+            frame->loader()->client()->redirectDataToPlugin(widget);
+            // In a plugin document, the main resource is the plugin. If we have a null widget, that means
+            // the loading of the plugin was cancelled, which gives us a null mainResourceLoader(), so we
+            // need to have this call in a null check of the widget or of mainResourceLoader().
+            frame->loader()->activeDocumentLoader()->mainResourceLoader()->setShouldBufferData(false);
+        }
     }
 
     finish();
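Review bot: the comment says the `setShouldBufferData(false)` call must sit under a null check "of the widget or of mainResourceLoader()", but the code guards only on `widget`; a null widget and a null `mainResourceLoader()` are coupled only indirectly (both follow from a cancelled load), so checking `mainResourceLoader()` directly before dereferencing it would be more robust and self-documenting. The comment wording "we need to have this call in a null check" should read "this call must be guarded by a null check".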
@@ -134,11 +139,12 @@ void PluginDocumentParser::appendBytes(DocumentWriter*, const char*, int, bool)
 
 PluginDocument::PluginDocument(Frame* frame, const KURL& url)
     : HTMLDocument(frame, url)
+    , m_shouldLoadPluginManually(true)
 {
     setCompatibilityMode(QuirksMode);
     lockCompatibilityMode();
 }
-    
+
 PassRefPtr<DocumentParser> PluginDocument::createParser()
 {
     return PluginDocumentParser::create(this);
@@ -158,4 +164,15 @@ Node* PluginDocument::pluginNode()
     return 0;
 }
 
+void PluginDocument::cancelManualPluginLoad()
+{
+    // PluginDocument::cancelManualPluginLoad should only be called once, but there are issues
+    // with how many times we call beforeload on object elements. <rdar://problem/8441094>.
+    if (!shouldLoadPluginManually())
+        return;
+
+    frame()->loader()->activeDocumentLoader()->mainResourceLoader()->cancel();
+    setShouldLoadPluginManually(false);
+}
+
 }
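Review bot: `frame()->loader()->activeDocumentLoader()->mainResourceLoader()->cancel()` dereferences four pointers with no null checks; `frame()` is null once the document is detached, and the comment in `appendBytes()` in this same file states that `mainResourceLoader()` is null after a cancelled load, so this chain can crash in exactly the situations the patch is meant to handle. Guard it, and call `setShouldLoadPluginManually(false)` before `cancel()` rather than after: the early return is meant to make this idempotent, but if `cancel()` re-enters this function (the rdar comment above says beforeload can fire more than once) the flag is still true and the cancel runs twice.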
diff --git a/WebCore/html/PluginDocument.h b/WebCore/html/PluginDocument.h
index 3bb5d99..cb83fa7 100644
--- a/WebCore/html/PluginDocument.h
+++ b/WebCore/html/PluginDocument.h
@@ -43,11 +43,34 @@ public:
 
     virtual bool isPluginDocument() const { return true; }
 
+    void cancelManualPluginLoad();
+
+    bool shouldLoadPluginManually() { return m_shouldLoadPluginManually; }
+
 private:
     PluginDocument(Frame*, const KURL&);
 
     virtual PassRefPtr<DocumentParser> createParser();
+        
+    void setShouldLoadPluginManually(bool loadManually) { m_shouldLoadPluginManually = loadManually; }
+
+    bool m_shouldLoadPluginManually;
 };
+
+inline PluginDocument* toPluginDocument(Document* document)
+{
+    ASSERT(!document || document->isPluginDocument());
+    return static_cast<PluginDocument*>(document);
+}
+
+inline const PluginDocument* toPluginDocument(const Document* document)
+{
+    ASSERT(!document || document->isPluginDocument());
+    return static_cast<const PluginDocument*>(document);
+}
+
+// This will catch anyone doing an unnecessary cast.
+void toPluginDocument(const PluginDocument*);
     
 }
 
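Review bot: `shouldLoadPluginManually()` does not modify state and should be declared `const`, otherwise it cannot be called through the `const PluginDocument*` returned by the new const `toPluginDocument` overload; the blank line added after `createParser()` carries trailing whitespace. The unimplemented `void toPluginDocument(const PluginDocument*)` declaration is fine as the guard against unnecessary casts that the comment describes.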
diff --git a/WebCore/loader/SubframeLoader.cpp b/WebCore/loader/SubframeLoader.cpp
index e247e5b..6c59ab4 100644
--- a/WebCore/loader/SubframeLoader.cpp
+++ b/WebCore/loader/SubframeLoader.cpp
@@ -42,6 +42,7 @@
 #include "MIMETypeRegistry.h"
 #include "Page.h"
 #include "PluginData.h"
+#include "PluginDocument.h"
 #include "RenderEmbeddedObject.h"
 #include "RenderView.h"
 #include "Settings.h"
@@ -354,7 +355,7 @@ bool SubframeLoader::loadPlugin(HTMLPlugInImageElement* pluginElement, const KUR
     frameLoader->checkIfRunInsecureContent(document()->securityOrigin(), url);
 
     IntSize contentSize(renderer->contentWidth(), renderer->contentHeight());
-    bool loadManually = document()->isPluginDocument() && !m_containsPlugins;
+    bool loadManually = document()->isPluginDocument() && !m_containsPlugins && toPluginDocument(document())->shouldLoadPluginManually();
     RefPtr<Widget> widget = frameLoader->client()->createPlugin(contentSize,
         pluginElement, url, paramNames, paramValues, mimeType, loadManually);
 
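Review bot: the new `loadManually` line is roughly 135 columns; split it after `!m_containsPlugins &&` and add a short comment saying the flag is cleared by `PluginDocument::cancelManualPluginLoad()` once a beforeload handler has cancelled the plugin's main-resource load, so a reader sees why a plugin document would ever not load its plugin manually. Evaluation order is correct as written: `toPluginDocument(document())` is only reached when `isPluginDocument()` is true.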
