[SCM] WebKit Debian packaging branch, debian/experimental, updated. upstream/1.3.3-9427-gc2be6fc

inferno at chromium.org
Wed Dec 22 14:57:34 UTC 2010


The following commit has been merged in the debian/experimental branch:
commit 6e8e347e6ae321d8f4e3dabae4ff4aef817fbf1c
Author: inferno at chromium.org <inferno at chromium.org@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
Date:   Tue Oct 26 13:29:04 2010 +0000

    2010-10-26  Abhishek Arya  <inferno at chromium.org>
    
            Reviewed by Adam Barth.
    
            Protect the frame from being blown away in loadWithDocumentLoader function call.
            dispatchBeforeLoadEvent can cause the frame to be freed, which gets later used in
            continueLoadAfterNavigationPolicy call.
            https://bugs.webkit.org/show_bug.cgi?id=48281
    
            Test: fast/events/form-iframe-target-before-load-crash.html
    
            * loader/FrameLoader.cpp:
            (WebCore::FrameLoader::loadWithDocumentLoader):
    2010-10-26  Abhishek Arya  <inferno at chromium.org>
    
            Reviewed by Adam Barth.
    
            Tests that submit the form on a removed target iframe does not result in crash.
            https://bugs.webkit.org/show_bug.cgi?id=48281
    
            * fast/events/form-iframe-target-before-load-crash-expected.txt: Added.
            * fast/events/form-iframe-target-before-load-crash.html: Added.
    
    
    git-svn-id: http://svn.webkit.org/repository/webkit/trunk@70517 268f45cc-cd09-0410-ab3c-d52691b4dbfc

diff --git a/LayoutTests/ChangeLog b/LayoutTests/ChangeLog
index 73edd7c..dcf60f2 100644
--- a/LayoutTests/ChangeLog
+++ b/LayoutTests/ChangeLog
@@ -1,3 +1,13 @@
+2010-10-26  Abhishek Arya  <inferno at chromium.org>
+
+        Reviewed by Adam Barth.
+
+        Tests that submit the form on a removed target iframe does not result in crash.
+        https://bugs.webkit.org/show_bug.cgi?id=48281
+
+        * fast/events/form-iframe-target-before-load-crash-expected.txt: Added.
+        * fast/events/form-iframe-target-before-load-crash.html: Added.
+
 2010-10-26  Sheriff Bot  <webkit.review.bot at gmail.com>
 
         Unreviewed, rolling out r70512.
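Review bot: The summary sentence in the new LayoutTests/ChangeLog entry is ungrammatical and leaves out the trigger: "Tests that submit the form on a removed target iframe does not result in crash." says nothing about the removal happening inside a beforeload handler, which is the condition the test actually sets up. Something like "Tests that submitting a form whose target iframe is removed from a beforeload handler does not crash." would let a reader match the entry to the WebCore change without opening the test.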
diff --git a/LayoutTests/fast/dom/beforeload/image-object-before-load-expected.txt b/LayoutTests/fast/events/form-iframe-target-before-load-crash-expected.txt
similarity index 100%
copy from LayoutTests/fast/dom/beforeload/image-object-before-load-expected.txt
copy to LayoutTests/fast/events/form-iframe-target-before-load-crash-expected.txt
diff --git a/LayoutTests/fast/events/form-iframe-target-before-load-crash.html b/LayoutTests/fast/events/form-iframe-target-before-load-crash.html
new file mode 100644
index 0000000..609b154
--- /dev/null
+++ b/LayoutTests/fast/events/form-iframe-target-before-load-crash.html
@@ -0,0 +1,35 @@
+<html>
+    <body onload="runTest()">
+        <div id="console"></div>
+        <form id="form1" style="display:none" method="post" target="test" action="http://anything.com"></form>
+        <script>
+            if (window.layoutTestController)
+            {
+                layoutTestController.dumpAsText();
+                layoutTestController.waitUntilDone();
+            }
+        
+            function runTest()
+            {
+                document.getElementById('form1').submit();
+                
+                if (window.layoutTestController)
+                    layoutTestController.notifyDone();
+                document.getElementById('console').innerHTML = 'PASS';
+            }
+
+            count = 0;
+            document.addEventListener("beforeload", function(event) {
+                event.preventDefault();
+                count = count + 1;
+                if (count == 2)
+                {
+                    document.body.removeChild(document.getElementById('test'));
+                    document.body.offsetTop;
+                }
+            }, true);
+       </script>
+       <iframe id="test" src="about:blank"></iframe>
+   </body>
+</html>
+
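Review bot: In runTest(), layoutTestController.notifyDone() is called before 'PASS' is written into the console div, so the text dump depends on the harness not capturing output at the moment notifyDone() runs; writing the PASS line first and calling notifyDone() last removes that ordering dependency. Two smaller points in the beforeload listener: count is created as an implicit global (no var), and the count == 2 condition is a magic number with no comment saying which two loads are expected to fire beforeload, so a change in event ordering would silently stop the iframe from being removed and the test would pass without exercising the freed-frame path. The form action also points at a real external host (http://anything.com); a local or obviously invalid URL would keep the test hermetic if the preventDefault() path ever stops cancelling the load.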
diff --git a/WebCore/ChangeLog b/WebCore/ChangeLog
index 1c9b232..e348d57 100644
--- a/WebCore/ChangeLog
+++ b/WebCore/ChangeLog
@@ -1,3 +1,17 @@
+2010-10-26  Abhishek Arya  <inferno at chromium.org>
+
+        Reviewed by Adam Barth.
+
+        Protect the frame from being blown away in loadWithDocumentLoader function call.
+        dispatchBeforeLoadEvent can cause the frame to be freed, which gets later used in
+        continueLoadAfterNavigationPolicy call.
+        https://bugs.webkit.org/show_bug.cgi?id=48281
+
+        Test: fast/events/form-iframe-target-before-load-crash.html
+
+        * loader/FrameLoader.cpp:
+        (WebCore::FrameLoader::loadWithDocumentLoader):
+
 2010-10-26  Xan Lopez  <xlopez at igalia.com>
 
         Restore another mix-up in copy&paste error. Use height for the
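Review bot: The WebCore/ChangeLog entry describes a use-after-free ("can cause the frame to be freed, which gets later used in continueLoadAfterNavigationPolicy call") but never calls it that, and "blown away" is vague about whether the frame is detached or destroyed. Stating plainly that script run from the beforeload event can drop the last reference to the Frame, and that the fix is a RefPtr protector held for the duration of loadWithDocumentLoader, would make the entry searchable for anyone auditing similar lifetime bugs later.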
diff --git a/WebCore/loader/FrameLoader.cpp b/WebCore/loader/FrameLoader.cpp
index 377e5f0..79d3883 100644
--- a/WebCore/loader/FrameLoader.cpp
+++ b/WebCore/loader/FrameLoader.cpp
@@ -1435,6 +1435,9 @@ void FrameLoader::load(DocumentLoader* newDocumentLoader)
 
 void FrameLoader::loadWithDocumentLoader(DocumentLoader* loader, FrameLoadType type, PassRefPtr<FormState> prpFormState)
 {
+    // Retain because dispatchBeforeLoadEvent may release the last reference to it.
+    RefPtr<Frame> protect(m_frame);
+
     ASSERT(m_client->hasWebView());
 
     // Unfortunately the view must be non-nil, this is ultimately due
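Review bot: The RefPtr<Frame> protect(m_frame) added at the top of loadWithDocumentLoader only keeps the Frame object's memory alive; nothing in this hunk checks, after the beforeload dispatch, whether the frame has been detached from the document. The regression test removes the iframe from a beforeload handler, so the rest of the function and the continueLoadAfterNavigationPolicy call named in the ChangeLog will run on a frame that is no longer in the tree. Please confirm that path tolerates a detached frame, or add an early return once the event has been dispatched and the frame is found to be detached. The comment would also be clearer if it named the object ("may release the last reference to m_frame") rather than "it".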

-- 
WebKit Debian packaging


