[SCM] WebKit Debian packaging branch, webkit-1.2, updated. 1.2.5-1500-gb65db3c

Huzaifa Sidhpurwala huzaifas at redhat.com
Tue Jan 11 11:41:50 UTC 2011


The following commit has been merged in the webkit-1.2 branch:
commit 3e8f261414a0bddd279fe639f8b947db59af556b
Author: Huzaifa Sidhpurwala <huzaifas at redhat.com>
Date:   Wed Dec 1 09:30:56 2010 +0530

    Backport crash fix by Huzaifa Sidhpurwala <huzaifas at redhat.com>
    
        2010-10-26  Abhishek Arya  <inferno at chromium.org>
    
                Reviewed by Adam Barth.
    
                Protect the frame from being blown away in loadWithDocumentLoader function call.
                dispatchBeforeLoadEvent can cause the frame to be freed, which gets later used in
                continueLoadAfterNavigationPolicy call.
                https://bugs.webkit.org/show_bug.cgi?id=48281
    
                Test: fast/events/form-iframe-target-before-load-crash.html
    
                * loader/FrameLoader.cpp:
                (WebCore::FrameLoader::loadWithDocumentLoader):
        2010-10-26  Abhishek Arya  <inferno at chromium.org>
    
                Reviewed by Adam Barth.
    
                Tests that submitting the form on a removed target iframe does not result in a crash.
                https://bugs.webkit.org/show_bug.cgi?id=48281
    
                * fast/events/form-iframe-target-before-load-crash-expected.txt: Added.
                * fast/events/form-iframe-target-before-load-crash.html: Added.
    
        git-svn-id: http://svn.webkit.org/repository/webkit/trunk@70517 268f45cc-cd09-0410-ab3c-d52691b4dbfc

diff --git a/LayoutTests/fast/dom/beforeload/video-before-load-expected.txt b/LayoutTests/fast/events/form-iframe-target-before-load-crash-expected.txt
similarity index 100%
copy from LayoutTests/fast/dom/beforeload/video-before-load-expected.txt
copy to LayoutTests/fast/events/form-iframe-target-before-load-crash-expected.txt
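Review bot: The expected result is recorded as a 100% copy of fast/dom/beforeload/video-before-load-expected.txt, so the patch never shows what the new test is expected to print. Please confirm that the copied file contains exactly the text this test dumps (the 'PASS' it writes into #console) and nothing specific to the video test. Adding the expectation as its own new file would make it reviewable in the diff.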
diff --git a/LayoutTests/fast/events/form-iframe-target-before-load-crash.html b/LayoutTests/fast/events/form-iframe-target-before-load-crash.html
new file mode 100644
index 0000000..609b154
--- /dev/null
+++ b/LayoutTests/fast/events/form-iframe-target-before-load-crash.html
@@ -0,0 +1,35 @@
+<html>
+    <body onload="runTest()">
+        <div id="console"></div>
+        <form id="form1" style="display:none" method="post" target="test" action="http://anything.com"></form>
+        <script>
+            if (window.layoutTestController)
+            {
+                layoutTestController.dumpAsText();
+                layoutTestController.waitUntilDone();
+            }
+        
+            function runTest()
+            {
+                document.getElementById('form1').submit();
+                
+                if (window.layoutTestController)
+                    layoutTestController.notifyDone();
+                document.getElementById('console').innerHTML = 'PASS';
+            }
+
+            count = 0;
+            document.addEventListener("beforeload", function(event) {
+                event.preventDefault();
+                count = count + 1;
+                if (count == 2)
+                {
+                    document.body.removeChild(document.getElementById('test'));
+                    document.body.offsetTop;
+                }
+            }, true);
+       </script>
+       <iframe id="test" src="about:blank"></iframe>
+   </body>
+</html>
+
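Review bot: In runTest(), layoutTestController.notifyDone() is called before 'PASS' is written into #console, so the dumped text depends on the harness not dumping at the moment of notification; assign innerHTML first and call notifyDone() last. The `count == 2` trigger in the beforeload listener needs a comment saying which two loads it counts (presumably the iframe's about:blank and the form submission), because the test silently stops exercising the frame removal if that order changes, and `count` should be declared with var rather than left as an implicit global. The form's action="http://anything.com" names a real external host; a local target would keep the test self-contained.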
diff --git a/WebCore/loader/FrameLoader.cpp b/WebCore/loader/FrameLoader.cpp
index c49771a..4d44631 100644
--- a/WebCore/loader/FrameLoader.cpp
+++ b/WebCore/loader/FrameLoader.cpp
@@ -2054,6 +2054,9 @@ void FrameLoader::load(DocumentLoader* newDocumentLoader)
 
 void FrameLoader::loadWithDocumentLoader(DocumentLoader* loader, FrameLoadType type, PassRefPtr<FormState> prpFormState)
 {
+    // Retain because dispatchBeforeLoadEvent may release the last reference to it.
+    RefPtr<Frame> protect(m_frame);
+
     ASSERT(m_client->hasWebView());
 
     // Unfortunately the view must be non-nil, this is ultimately due
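Review bot: The `RefPtr<Frame> protect(m_frame);` guard at the top of loadWithDocumentLoader keeps the Frame object allocated, but it does not stop a beforeload handler from detaching the frame, and the visible lines show no re-check after the dispatch. Please confirm that the path into continueLoadAfterNavigationPolicy tolerates a frame that is still alive but no longer attached, for example by returning early in that case; the new layout test only shows that the crash is gone. The comment would also be clearer if it named the object ("Retain the frame because ...") instead of "it".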

-- 
WebKit Debian packaging


