[SCM] WebKit Debian packaging branch, debian/experimental, updated. upstream/1.3.3-9427-gc2be6fc
aroben at apple.com
Wed Dec 22 16:25:56 UTC 2010
The following commit has been merged in the debian/experimental branch:
commit 431088e6d6dd049e8238f5f79e27050a78e7911f
Author: aroben at apple.com <aroben at apple.com@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
Date: Tue Nov 23 16:54:18 2010 +0000
Don't rely on DocumentLoader outliving the load/unload events
DocumentLoader::m_documentLoadTiming is used to record how long firing
the load event took. But the DocumentLoader was being destroyed while
the event was being dispatched (due to a call to document.open), which
meant that when we tried to record the time when the load event
finished, we were writing into freed memory. We now protect the
DocumentLoader using a RefPtr. (I initially made a change where we
would only access the DocumentLoader after the event has finished
firing, but it seemed possible that a different DocumentLoader could
have come into existence by then, which would cause us to record the
times on the wrong DocumentLoadTiming struct.)
I only saw a crash when firing the load event, but the code for timing
the unload event seemed like it was vulnerable to the same issue, so I
made the same fix for it.
Fixes <http://webkit.org/b/49972> REGRESSION (r72415?): Crash in
DOMWindow::dispatchTimedEvent when running fast/dom/onload-open.html
Reviewed by Darin Fisher.
* loader/FrameLoader.cpp:
(WebCore::FrameLoader::stopLoading):
* page/DOMWindow.cpp:
(WebCore::DOMWindow::dispatchLoadEvent):
Protect the DocumentLoader (and thus its DocumentLoadTiming) with a
RefPtr.
git-svn-id: http://svn.webkit.org/repository/webkit/trunk@72611 268f45cc-cd09-0410-ab3c-d52691b4dbfc
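The lifetime bug the commit message describes is a general pattern: a raw pointer into a ref-counted object is held across an event dispatch whose handlers can drop the last reference to that object, and the post-dispatch write then lands in freed memory. The following is an added, self-contained C++ sketch of that pattern and of the RefPtr fix; it is not WebKit's code. `DocumentLoader`, `DocumentLoadTiming`, `RefPtr` and `Frame` are reduced stand-ins for the WebKit classes of the same name, `Frame::documentOpen()` stands in for the `document.open` call that replaces the loader, and the `g_live` registry is instrumentation so the "before" path can report a dangling pointer instead of actually touching freed memory.

```cpp
#include <cassert>
#include <functional>
#include <set>
#include <utility>

// Instrumentation only: a registry of live objects so the unprotected path
// can detect (rather than commit) a use-after-free. Not part of the pattern.
static std::set<const void*> g_live;

struct DocumentLoadTiming {
    double loadEventStart = 0;
    double loadEventEnd = 0;
};

// Intrusively ref-counted object, like WebCore::DocumentLoader.
class DocumentLoader {
public:
    DocumentLoader() { g_live.insert(this); }
    ~DocumentLoader() { g_live.erase(this); }
    void ref() { ++m_refCount; }
    void deref() { if (--m_refCount == 0) delete this; }
    DocumentLoadTiming* timing() { return &m_timing; }
private:
    unsigned m_refCount = 0;
    DocumentLoadTiming m_timing;
};

// Minimal smart pointer in the spirit of WTF::RefPtr (assumed simplification).
template<typename T> class RefPtr {
public:
    RefPtr() = default;
    RefPtr(T* p) : m_ptr(p) { if (m_ptr) m_ptr->ref(); }
    RefPtr(const RefPtr& o) : RefPtr(o.m_ptr) {}
    ~RefPtr() { if (m_ptr) m_ptr->deref(); }
    RefPtr& operator=(T* p) { RefPtr tmp(p); std::swap(m_ptr, tmp.m_ptr); return *this; }
    RefPtr& operator=(const RefPtr& o) { return *this = o.m_ptr; }
    T* get() const { return m_ptr; }
    T* operator->() const { return m_ptr; }
    explicit operator bool() const { return m_ptr != nullptr; }
private:
    T* m_ptr = nullptr;
};

// The frame holds the current loader; replacing it drops the frame's reference.
struct Frame {
    RefPtr<DocumentLoader> loader = new DocumentLoader;
    // Stands in for document.open(): install a fresh loader. If nothing else
    // references the old one, it is destroyed right here, mid-dispatch.
    void documentOpen() { loader = new DocumentLoader; }
};

static double g_clock = 0;
static double now() { return ++g_clock; }   // monotonic stand-in for the real clock

using Handler = std::function<void(Frame&)>;

// Before the fix: a raw pointer into the loader survives the dispatch.
// Returns false when the loader was freed by the handler, which is where the
// real code would write loadEventEnd into freed memory.
bool dispatchLoadUnprotected(Frame& frame, const Handler& onload) {
    DocumentLoader* loader = frame.loader.get();
    DocumentLoadTiming* timing = loader->timing();
    timing->loadEventStart = now();
    onload(frame);                       // handler may call documentOpen()
    if (!g_live.count(loader))
        return false;                    // dangling: do not touch it
    timing->loadEventEnd = now();
    return true;
}

// After the fix: the RefPtr pins the loader for the whole dispatch. The end
// time is always written to a live object; if the handler replaced the loader,
// it lands on the detached one, which is the trade-off the commit accepts.
RefPtr<DocumentLoader> dispatchLoadProtected(Frame& frame, const Handler& onload) {
    RefPtr<DocumentLoader> loader = frame.loader;   // extra reference held here
    DocumentLoadTiming* timing = loader->timing();
    timing->loadEventStart = now();
    onload(frame);
    timing->loadEventEnd = now();        // safe: loader cannot have been freed
    return loader;
}

int main() {
    Frame frame;
    Handler reentrant = [](Frame& f) { f.documentOpen(); };
    bool wroteSafely = dispatchLoadUnprotected(frame, reentrant);   // false
    RefPtr<DocumentLoader> recorded = dispatchLoadProtected(frame, reentrant);
    return (!wroteSafely && recorded.get() != frame.loader.get()) ? 0 : 1;
}
```

The returned `RefPtr` from the protected path lets the caller see the second half of the commit message: the timing was recorded on the loader that was current when the event started, not on whatever loader `document.open` installed afterwards.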
diff --git a/WebCore/ChangeLog b/WebCore/ChangeLog
index 85e406c..07231c7 100644
--- a/WebCore/ChangeLog
+++ b/WebCore/ChangeLog
@@ -1,3 +1,34 @@
+2010-11-23 Adam Roben <aroben at apple.com>
+
+ Don't rely on DocumentLoader outliving the load/unload events
+
+ DocumentLoader::m_documentLoadTiming is used to record how long firing
+ the load event took. But the DocumentLoader was being destroyed while
+ the event was being dispatched (due to a call to document.open), which
+ meant that when we tried to record the time when the load event
+ finished, we were writing into freed memory. We now protect the
+ DocumentLoader using a RefPtr. (I initially made a change where we
+ would only access the DocumentLoader after the event has finished
+ firing, but it seemed possible that a different DocumentLoader could
+ have come into existence by then, which would cause us to record the
+ times on the wrong DocumentLoadTiming struct.)
+
+ I only saw a crash when firing the load event, but the code for timing
+ the unload event seemed like it was vulnerable to the same issue, so I
+ made the same fix for it.
+
+ Fixes <http://webkit.org/b/49972> REGRESSION (r72415?): Crash in
+ DOMWindow::dispatchTimedEvent when running fast/dom/onload-open.html
+
+ Reviewed by Darin Fisher.
+
+ * loader/FrameLoader.cpp:
+ (WebCore::FrameLoader::stopLoading):
+ * page/DOMWindow.cpp:
+ (WebCore::DOMWindow::dispatchLoadEvent):
+ Protect the DocumentLoader (and thus its DocumentLoadTiming) with a
+ RefPtr.
+
2010-11-17 Zhenyao Mo <zmo at google.com>
Reviewed by Kenneth Russell.
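Review bot: the entry records no LayoutTests change. fast/dom/onload-open.html (the crashing test named in the bug) covers the load path, but the unload-path fix in FrameLoader::stopLoading is described as speculative ("seemed like it was vulnerable"), so a test that calls document.open, or otherwise replaces the provisional loader, from an unload handler would be worth adding so that path is exercised as well.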
diff --git a/WebCore/loader/FrameLoader.cpp b/WebCore/loader/FrameLoader.cpp
index ee07615..35a492b 100644
--- a/WebCore/loader/FrameLoader.cpp
+++ b/WebCore/loader/FrameLoader.cpp
@@ -382,8 +382,11 @@ void FrameLoader::stopLoading(UnloadEventPolicy unloadEventPolicy, DatabasePolic
m_frame->domWindow()->dispatchEvent(PageTransitionEvent::create(eventNames().pagehideEvent, m_frame->document()->inPageCache()), m_frame->document());
if (!m_frame->document()->inPageCache()) {
RefPtr<Event> unloadEvent(Event::create(eventNames().unloadEvent, false, false));
- if (m_provisionalDocumentLoader) {
- DocumentLoadTiming* timing = m_provisionalDocumentLoader->timing();
+ // The DocumentLoader (and thus its DocumentLoadTiming) might get destroyed
+ // while dispatching the event, so protect it to prevent writing the end
+ // time into freed memory.
+ if (RefPtr<DocumentLoader> documentLoader = m_provisionalDocumentLoader) {
+ DocumentLoadTiming* timing = documentLoader->timing();
ASSERT(timing->navigationStart);
ASSERT(!timing->unloadEventStart);
ASSERT(!timing->unloadEventEnd);
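Review bot: the hunk stops before the dispatch and the unloadEventEnd write, so the protection only holds if the remainder of this block keeps using the local `documentLoader` / `timing` and does not re-read `m_provisionalDocumentLoader`, which an unload handler can clear or replace; please confirm that, and consider naming the local `provisionalDocumentLoader` so it is obvious which loader is being pinned. Note also that the RefPtr only stops the write from landing in freed memory: if the provisional loader is swapped during the event, the end time is recorded on the detached loader, as the commit message accepts.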
diff --git a/WebCore/page/DOMWindow.cpp b/WebCore/page/DOMWindow.cpp
index 27f40ec..ebb3db5 100644
--- a/WebCore/page/DOMWindow.cpp
+++ b/WebCore/page/DOMWindow.cpp
@@ -1508,7 +1508,9 @@ bool DOMWindow::removeEventListener(const AtomicString& eventType, EventListener
void DOMWindow::dispatchLoadEvent()
{
RefPtr<Event> loadEvent(Event::create(eventNames().loadEvent, false, false));
- if (DocumentLoader* documentLoader = m_frame ? m_frame->loader()->documentLoader() : 0) {
+ // The DocumentLoader (and thus its DocumentLoadTiming) might get destroyed while dispatching
+ // the event, so protect it to prevent writing the end time into freed memory.
+ if (RefPtr<DocumentLoader> documentLoader = m_frame ? m_frame->loader()->documentLoader() : 0) {
DocumentLoadTiming* timing = documentLoader->timing();
dispatchTimedEvent(loadEvent, document(), &timing->loadEventStart, &timing->loadEventEnd);
} else
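Review bot: `&timing->loadEventStart` and `&timing->loadEventEnd` are raw pointers into the protected object handed to dispatchTimedEvent, so the fix depends on `documentLoader` living until dispatchTimedEvent returns, which the RefPtr in the enclosing `if` guarantees; a one-line comment saying the dispatch must stay inside this `if` would keep a later refactor from reintroducing the bug. The `: 0` in the condition still yields a DocumentLoader*, so the conversion to RefPtr is fine.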