[SCM] WebKit Debian packaging branch, debian/unstable, updated. debian/1.1.18-1-697-g2f78b87
beidson at apple.com
beidson at apple.com
Wed Jan 20 22:29:17 UTC 2010
The following commit has been merged in the debian/unstable branch:
commit d287e764a8d41a3c184600a2aee6b329a6cab033
Author: beidson at apple.com <beidson at apple.com@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
Date: Tue Jan 19 18:17:50 2010 +0000
Crash in Page::backForwardList when using History object from a detached window
<rdar://problem/7556252> and https://bugs.webkit.org/show_bug.cgi?id=33828
Reviewed by Alexey Proskuryakov.
WebCore:
Test: fast/loader/stateobjects/state-api-on-detached-frame-crash.html
* page/History.cpp:
(WebCore::History::stateObjectAdded): Do an early return when detached. The spec
doesn't really cover expected behavior and we already do something similar in
other places, such as in History::length().
LayoutTests:
* fast/loader/stateobjects/state-api-on-detached-frame-crash-expected.txt: Added.
* fast/loader/stateobjects/state-api-on-detached-frame-crash.html: Added.
git-svn-id: http://svn.webkit.org/repository/webkit/trunk@53472 268f45cc-cd09-0410-ab3c-d52691b4dbfc
diff --git a/LayoutTests/ChangeLog b/LayoutTests/ChangeLog
index 5c74049..c5f6b2a 100644
--- a/LayoutTests/ChangeLog
+++ b/LayoutTests/ChangeLog
@@ -1,3 +1,13 @@
+2010-01-19 Brady Eidson <beidson at apple.com>
+
+ Reviewed by Alexey Proskuryakov.
+
+ Crash in Page::backForwardList when using History object from a detached window
+ <rdar://problem/7556252> and https://bugs.webkit.org/show_bug.cgi?id=33828
+
+ * fast/loader/stateobjects/state-api-on-detached-frame-crash-expected.txt: Added.
+ * fast/loader/stateobjects/state-api-on-detached-frame-crash.html: Added.
+
2010-01-19 Yury Semikhatsky <yurys at chromium.org>
Reviewed by NOBODY (build fix).
diff --git a/LayoutTests/fast/loader/stateobjects/state-api-on-detached-frame-crash-expected.txt b/LayoutTests/fast/loader/stateobjects/state-api-on-detached-frame-crash-expected.txt
new file mode 100644
index 0000000..3eaff39
--- /dev/null
+++ b/LayoutTests/fast/loader/stateobjects/state-api-on-detached-frame-crash-expected.txt
@@ -0,0 +1 @@
+If this test doesn't crash, it passed.
diff --git a/LayoutTests/fast/loader/stateobjects/state-api-on-detached-frame-crash.html b/LayoutTests/fast/loader/stateobjects/state-api-on-detached-frame-crash.html
new file mode 100644
index 0000000..8ecca69
--- /dev/null
+++ b/LayoutTests/fast/loader/stateobjects/state-api-on-detached-frame-crash.html
@@ -0,0 +1,29 @@
+<html>
+<script>
+
+if (window.layoutTestController)
+ layoutTestController.dumpAsText();
+
+function runTest()
+{
+ var ifr = frames[0];
+ document.body.removeChild(document.getElementsByTagName("iframe")[0])
+ try {
+ ifr.history.replaceState("foo", "bar");
+ } catch(e) {
+ alert(e);
+ }
+ try {
+ ifr.history.pushState("fu", "barred");
+ } catch(e) {
+ alert(e);
+ }
+}
+
+</script>
+<body onload="runTest();">
+If this test doesn't crash, it passed.
+<iframe src="about:blank">
+</iframe>
+</body>
+</html>
diff --git a/WebCore/ChangeLog b/WebCore/ChangeLog
index 6121d4f..4eb33fc 100644
--- a/WebCore/ChangeLog
+++ b/WebCore/ChangeLog
@@ -1,3 +1,17 @@
+2010-01-19 Brady Eidson <beidson at apple.com>
+
+ Reviewed by Alexey Proskuryakov.
+
+ Crash in Page::backForwardList when using History object from a detached window
+ <rdar://problem/7556252> and https://bugs.webkit.org/show_bug.cgi?id=33828
+
+ Test: fast/loader/stateobjects/state-api-on-detached-frame-crash.html
+
+ * page/History.cpp:
+ (WebCore::History::stateObjectAdded): Do an early return when detached. The spec
+ doesn't really cover expected behavior and we already do something similar in
+ other places, such as in History::length().
+
2010-01-19 Yury Semikhatsky <yurys at chromium.org>
Reviewed by NOBODY (build fix).
diff --git a/WebCore/page/History.cpp b/WebCore/page/History.cpp
index ea9819e..f352bc9 100644
--- a/WebCore/page/History.cpp
+++ b/WebCore/page/History.cpp
@@ -98,9 +98,8 @@ KURL History::urlForState(const String& urlString)
void History::stateObjectAdded(PassRefPtr<SerializedScriptValue> data, const String& title, const String& urlString, StateObjectType stateObjectType, ExceptionCode& ec)
{
- if (!m_frame)
+ if (!m_frame || !m_frame->page())
return;
- ASSERT(m_frame->page());
KURL fullURL = urlForState(urlString);
if (!fullURL.isValid()) {
--
WebKit Debian packaging
More information about the Pkg-webkit-commits
mailing list