[SCM] WebKit Debian packaging branch, debian/experimental, updated. upstream/1.3.3-9427-gc2be6fc

japhet at chromium.org japhet at chromium.org
Wed Dec 22 15:26:51 UTC 2010 

The following commit has been merged in the debian/experimental branch:
commit 7d4347c676c5401e68500c191962488568bb9fc6
Author: japhet at chromium.org <japhet at chromium.org@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
Date:   Wed Nov 3 19:04:41 2010 +0000

    2010-11-03  Nate Chapin  <japhet at chromium.org>
    
            Reviewed by Alexey Proskuryakov.
    
            Wait to stop all loads for a frame being detached until after its
            chidlren have been detached. This ensures that any loads started
            by a child's unload event handler will be properly cancelled.
            https://bugs.webkit.org/show_bug.cgi?id=46579
    
            Tests: fast/loader/ping-error.html
                   http/tests/navigation/image-load-in-subframe-unload-handler.html
    
            * loader/FrameLoader.cpp:
            (WebCore::FrameLoader::detachFromParent):
    
    
    
    git-svn-id: http://svn.webkit.org/repository/webkit/trunk@71256 268f45cc-cd09-0410-ab3c-d52691b4dbfc

diff --git a/LayoutTests/ChangeLog b/LayoutTests/ChangeLog
index b111e42..24cd0ad 100644
--- a/LayoutTests/ChangeLog
+++ b/LayoutTests/ChangeLog
@@ -1,3 +1,18 @@
+2010-11-03  Nate Chapin  <japhet at chromium.org>
+
+        Reviewed by Alexey Proskuryakov.
+
+        Tests for https://bugs.webkit.org/show_bug.cgi?id=46579
+
+        * fast/loader/ping-error-expected.txt: Added.
+        * fast/loader/ping-error.html: Added.
+        * fast/loader/resources/ping-error-frame.html: Added.
+        * fast/loader/resources/ping-error-window.html: Added.
+        * http/tests/navigation/image-load-in-subframe-unload-handler-expected.txt: Added.
+        * http/tests/navigation/image-load-in-subframe-unload-handler.html: Added.
+        * http/tests/navigation/resources/image-load-in-subframe-unload-handler-helper.html: Added.
+        * http/tests/navigation/resources/subframe-with-unload-handler-in-parent.html: Added.
+
 2010-11-03  Tony Chang  <tony at chromium.org>
 
         Unreviewed, updated test expectation due to last change.
diff --git a/LayoutTests/fast/loader/ping-error-expected.txt b/LayoutTests/fast/loader/ping-error-expected.txt
new file mode 100644
index 0000000..5fc8dd0
--- /dev/null
+++ b/LayoutTests/fast/loader/ping-error-expected.txt
@@ -0,0 +1,2 @@
+frame "<!--framePath //<!--frame0-->-->" - has 1 onunload handler(s)
+Test for bug 46579: Reproducible crash in appcache code when closing pgatour.com
diff --git a/LayoutTests/fast/loader/ping-error.html b/LayoutTests/fast/loader/ping-error.html
new file mode 100644
index 0000000..334c3e8
--- /dev/null
+++ b/LayoutTests/fast/loader/ping-error.html
@@ -0,0 +1,18 @@
+<body>
+<p>Test for <a href="https://bugs.webkit.org/show_bug.cgi?id=46579">bug 46579</a>:
+Reproducible crash in appcache code when closing pgatour.com</p>
+<script>
+if (window.layoutTestController) {
+    layoutTestController.dumpAsText();
+    layoutTestController.waitUntilDone();
+    layoutTestController.setCanOpenWindows();
+}
+
+function done()
+{
+    if (window.layoutTestController) 
+        setTimeout('layoutTestController.notifyDone()', 0);
+}
+
+window.open("resources/ping-error-window.html");
+</script>
diff --git a/LayoutTests/fast/loader/resources/ping-error-frame.html b/LayoutTests/fast/loader/resources/ping-error-frame.html
new file mode 100644
index 0000000..430ca84
--- /dev/null
+++ b/LayoutTests/fast/loader/resources/ping-error-frame.html
@@ -0,0 +1,5 @@
+<script>
+addEventListener("unload", function() {
+    parent.frameUnloaded();
+}, true);
+</script>
diff --git a/LayoutTests/fast/loader/resources/ping-error-window.html b/LayoutTests/fast/loader/resources/ping-error-window.html
new file mode 100644
index 0000000..9e765a3
--- /dev/null
+++ b/LayoutTests/fast/loader/resources/ping-error-window.html
@@ -0,0 +1,11 @@
+<body onload="window.close()">
+<iframe src="ping-error-frame.html"></iframe>
+<script>
+function frameUnloaded()
+{
+    var img = document.createElement("img");
+    img.src = 'does-not-exist.jpg';
+    document.body.appendChild(img);
+    opener.done();
+}
+</script>
diff --git a/LayoutTests/http/tests/navigation/image-load-in-subframe-unload-handler-expected.txt b/LayoutTests/http/tests/navigation/image-load-in-subframe-unload-handler-expected.txt
new file mode 100644
index 0000000..afdc715
--- /dev/null
+++ b/LayoutTests/http/tests/navigation/image-load-in-subframe-unload-handler-expected.txt
@@ -0,0 +1,2 @@
+frame "<!--framePath //target/<!--frame0-->-->" - has 1 onunload handler(s)
+This test triggers an unload handler that starts an image load in a different frame (and deletes both frames), but ensures the main frame is not destroyed. We pass if we don't crash.
diff --git a/LayoutTests/http/tests/navigation/image-load-in-subframe-unload-handler.html b/LayoutTests/http/tests/navigation/image-load-in-subframe-unload-handler.html
new file mode 100644
index 0000000..8cdbf24
--- /dev/null
+++ b/LayoutTests/http/tests/navigation/image-load-in-subframe-unload-handler.html
@@ -0,0 +1,23 @@
+<html>
+<body>
+<script>
+    if (window.layoutTestController) {
+        layoutTestController.dumpAsText();
+        layoutTestController.waitUntilDone();
+    }
+    
+    function test() {
+        document.getElementsByTagName("body")[0].removeChild(document.getElementById("target"));
+    }
+    
+    function finish() {
+        setTimeout(function() {
+            if (window.layoutTestController)
+                layoutTestController.notifyDone();
+        }, 300);
+    }
+</script>
+<iframe id="target" src="resources/image-load-in-subframe-unload-handler-helper.html"></iframe>
+This test triggers an unload handler that starts an image load in a different frame (and deletes both frames), but ensures the main frame is not destroyed. We pass if we don't crash.
+</body>
+</html>
diff --git a/LayoutTests/http/tests/navigation/resources/image-load-in-subframe-unload-handler-helper.html b/LayoutTests/http/tests/navigation/resources/image-load-in-subframe-unload-handler-helper.html
new file mode 100644
index 0000000..f289000
--- /dev/null
+++ b/LayoutTests/http/tests/navigation/resources/image-load-in-subframe-unload-handler-helper.html
@@ -0,0 +1,16 @@
+<html>
+<body>
+<script>
+    function imageLoad() {
+        var img = new Image(1, 1);
+        // We're using a redirect here because it guarantees that if we're
+        // receiving callbacks in a detached Frame, we'll acceess members
+        // that are now invalid (e.g., DocumentLoaders).
+        img.src = "redirect302.pl";
+        document.getElementsByTagName("body")[0].appendChild(img);
+        window.top.finish();
+    }
+</script>
+<iframe src="subframe-with-unload-handler-in-parent.html">
+</body>
+</html>
diff --git a/LayoutTests/http/tests/navigation/resources/subframe-with-unload-handler-in-parent.html b/LayoutTests/http/tests/navigation/resources/subframe-with-unload-handler-in-parent.html
new file mode 100644
index 0000000..eec5d3e
--- /dev/null
+++ b/LayoutTests/http/tests/navigation/resources/subframe-with-unload-handler-in-parent.html
@@ -0,0 +1,16 @@
+<html>
+<head>
+<script>
+function unload() { 
+    window.parent.imageLoad();
+}
+
+function load() {
+    window.top.test();
+}
+</script>
+</head>
+<body onload="load();" onunload="unload();">
+This subframe has an unload handler.
+</body>
+</html>
diff --git a/WebCore/ChangeLog b/WebCore/ChangeLog
index 9b551ea..05e4999 100644
--- a/WebCore/ChangeLog
+++ b/WebCore/ChangeLog
@@ -1,3 +1,18 @@
+2010-11-03  Nate Chapin  <japhet at chromium.org>
+
+        Reviewed by Alexey Proskuryakov.
+
+        Wait to stop all loads for a frame being detached until after its
+        chidlren have been detached. This ensures that any loads started
+        by a child's unload event handler will be properly cancelled.
+        https://bugs.webkit.org/show_bug.cgi?id=46579
+
+        Tests: fast/loader/ping-error.html
+               http/tests/navigation/image-load-in-subframe-unload-handler.html
+
+        * loader/FrameLoader.cpp:
+        (WebCore::FrameLoader::detachFromParent):
+
 2010-11-03  Pavel Feldman  <pfeldman at chromium.org>
 
         Reviewed by Simon Fraser.
diff --git a/WebCore/loader/FrameLoader.cpp b/WebCore/loader/FrameLoader.cpp
index 3322069..052a85b 100644
--- a/WebCore/loader/FrameLoader.cpp
+++ b/WebCore/loader/FrameLoader.cpp
@@ -2583,9 +2583,12 @@ void FrameLoader::detachFromParent()
     RefPtr<Frame> protect(m_frame);
 
     closeURL();
-    stopAllLoaders();
     history()->saveScrollPositionAndViewStateToItem(history()->currentItem());
     detachChildren();
+    // stopAllLoaders() needs to be called after detachChildren(), because detachedChildren()
+    // will trigger the unload event handlers of any child frames, and those event
+    // handlers might start a new subresource load in this frame.
+    stopAllLoaders();
 
 #if ENABLE(INSPECTOR)
     if (Page* page = m_frame->page())

-- 
WebKit Debian packaging

More information about the Pkg-webkit-commits mailing list