[WK1] Crash loading Blink layout test fast/dom/Window/property-access-on-cached-windo...
authorjiewen_tan@apple.com <jiewen_tan@apple.com@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
Thu, 19 Nov 2015 01:42:12 +0000 (01:42 +0000)
committerjiewen_tan@apple.com <jiewen_tan@apple.com@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
Thu, 19 Nov 2015 01:42:12 +0000 (01:42 +0000)
https://bugs.webkit.org/show_bug.cgi?id=150198
<rdar://problem/23136026>

Reviewed by Brent Fulgham.

Source/WebCore:

Test: fast/dom/Window/property-access-on-cached-window-after-frame-removed.html

Properties of a contentWindow can still be accessed after the frame that owns the window has been
detached. Therefore, check whether the document loader is still alive before using it.

* page/PerformanceTiming.cpp:
(WebCore::PerformanceTiming::monotonicTimeToIntegerMilliseconds):

Tools:

* WebKitTestRunner/InjectedBundle/mac/TestRunnerMac.mm:
(WTR::TestRunner::inspectorTestStubURL):
Since WebInspectorUI.framework is not available for iOS, the framework
and corresponding functions are disabled in iOS.

LayoutTests:

* fast/dom/Window/666869-expected.txt: Added.
* fast/dom/Window/666869.html: Added.
Test case is from Mozilla.
* fast/dom/Window/property-access-on-cached-window-after-frame-removed-expected.txt: Added.
* fast/dom/Window/property-access-on-cached-window-after-frame-removed.html: Added.
* fast/dom/Window/resources/window-property-collector.js: Added.
(collectProperties):
(emitExpectedResult):
(collectPropertiesHelper):
Test case is from Blink r168256:
https://codereview.chromium.org/131113003
* platform/mac-wk2/TestExpectations:

git-svn-id: https://svn.webkit.org/repository/webkit/trunk@192604 268f45cc-cd09-0410-ab3c-d52691b4dbfc

LayoutTests/ChangeLog
LayoutTests/fast/dom/Window/666869-expected.txt [new file with mode: 0644]
LayoutTests/fast/dom/Window/666869.html [new file with mode: 0644]
LayoutTests/fast/dom/Window/property-access-on-cached-window-after-frame-removed-expected.txt [new file with mode: 0644]
LayoutTests/fast/dom/Window/property-access-on-cached-window-after-frame-removed.html [new file with mode: 0644]
LayoutTests/fast/dom/Window/resources/window-property-collector.js [new file with mode: 0644]
LayoutTests/platform/mac-wk2/TestExpectations
Source/WebCore/ChangeLog
Source/WebCore/page/PerformanceTiming.cpp
Tools/ChangeLog
Tools/WebKitTestRunner/InjectedBundle/mac/TestRunnerMac.mm

index 968197e..acc5415 100644 (file)
@@ -1,3 +1,24 @@
+2015-11-18  Jiewen Tan  <jiewen_tan@apple.com>
+
+        [WK1] Crash loading Blink layout test fast/dom/Window/property-access-on-cached-window-after-frame-removed.html
+        https://bugs.webkit.org/show_bug.cgi?id=150198
+        <rdar://problem/23136026>
+
+        Reviewed by Brent Fulgham.
+
+        * fast/dom/Window/666869-expected.txt: Added.
+        * fast/dom/Window/666869.html: Added.
+        Test case is from Mozilla.
+        * fast/dom/Window/property-access-on-cached-window-after-frame-removed-expected.txt: Added.
+        * fast/dom/Window/property-access-on-cached-window-after-frame-removed.html: Added.
+        * fast/dom/Window/resources/window-property-collector.js: Added.
+        (collectProperties):
+        (emitExpectedResult):
+        (collectPropertiesHelper):
+        Test case is from Blink r168256:
+        https://codereview.chromium.org/131113003
+        * platform/mac-wk2/TestExpectations:
+
 2015-11-18  Eric Carlson  <eric.carlson@apple.com>
 
         MediaStream: Implement MediaDevices.getSupportedConstraints
diff --git a/LayoutTests/fast/dom/Window/666869-expected.txt b/LayoutTests/fast/dom/Window/666869-expected.txt
new file mode 100644 (file)
index 0000000..2afa0bf
--- /dev/null
@@ -0,0 +1 @@
+PASS. WebKit didn't crash.
diff --git a/LayoutTests/fast/dom/Window/666869.html b/LayoutTests/fast/dom/Window/666869.html
new file mode 100644 (file)
index 0000000..65102ce
--- /dev/null
@@ -0,0 +1,20 @@
+<!DOCTYPE html>
+<html>
+<head>
+<script>
+    if (window.testRunner)
+        testRunner.dumpAsText();
+
+    function boom()
+    {
+        var f = document.getElementById("f");
+        var frameWin = f.contentWindow;
+        document.body.removeChild(f);
+        frameWin.performance;
+
+        document.write("PASS. WebKit didn't crash.");
+    }
+</script>
+</head>
+<body onload="boom();"><iframe id="f" src="data:text/html,1"></iframe></body>
+</html>
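Review bot: `boom()` reads only `frameWin.performance` after the iframe is removed, so this test probably never reaches the function patched in this commit, `PerformanceTiming::monotonicTimeToIntegerMilliseconds`. That function looks reachable only through the timing attributes. Adding a read such as `frameWin.performance.timing.navigationStart;` after `removeChild` would make the regression test cover the null `DocumentLoadTiming` path directly. A short comment above `frameWin.performance;` saying the access must not crash on a detached frame would also help the next reader.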
diff --git a/LayoutTests/fast/dom/Window/property-access-on-cached-window-after-frame-removed-expected.txt b/LayoutTests/fast/dom/Window/property-access-on-cached-window-after-frame-removed-expected.txt
new file mode 100644 (file)
index 0000000..9cc8405
--- /dev/null
@@ -0,0 +1 @@
+Pass. WebKit didn't crash.
diff --git a/LayoutTests/fast/dom/Window/property-access-on-cached-window-after-frame-removed.html b/LayoutTests/fast/dom/Window/property-access-on-cached-window-after-frame-removed.html
new file mode 100644 (file)
index 0000000..fc2402f
--- /dev/null
@@ -0,0 +1,31 @@
+<html>
+<head>
+<script src="../../../resources/js-test.js"></script>
+<script src="resources/window-property-collector.js"></script>
+<script>
+var childWindow;
+var propertiesToVerify = [];
+
+function insertExpectedResult(path, expected)
+{
+    var propertyPath = path.join('.');
+    propertiesToVerify.push({'property': "childWindow." + propertyPath, 'expected': expected});
+}
+
+function runTest()
+{
+    var frame = document.getElementById("frame");
+    childWindow = frame.contentWindow;
+    // Have expected results assume that the frame has been closed (=> window.closed = true.)
+    collectProperties(true);
+    frame.parentNode.removeChild(frame);
+    for (var i = 0; i < propertiesToVerify.length; ++i)
+        shouldBe(propertiesToVerify[i].property, propertiesToVerify[i].expected);
+    document.write("Pass. WebKit didn't crash.");
+}
+</script>
+</head>
+<body>
+<iframe id="frame" src="about:blank" onload="runTest()"></iframe>
+</body>
+</html>
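Review bot: The `shouldBe` checks in `runTest` do not appear to influence the result. The final `document.write` runs from the iframe's `onload` handler, and the expected file holds only the "Pass" line, which suggests the write replaces the document along with any js-test output. A wrong value on the detached window would then go unnoticed and only a crash would fail the test. Consider reporting through js-test instead, e.g. `testPassed("WebKit didn't crash.");`, and regenerating the expectation so the per-property results are recorded. The same commit skips this test on mac-wk2 with only "Test for WK1 only" as the reason, although the fix is in WebCore; a bug link or a sentence on why WK2 cannot run it would be worth adding.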
diff --git a/LayoutTests/fast/dom/Window/resources/window-property-collector.js b/LayoutTests/fast/dom/Window/resources/window-property-collector.js
new file mode 100644 (file)
index 0000000..5cbd316
--- /dev/null
@@ -0,0 +1,121 @@
+function collectProperties(windowHasBeenGCed)
+{
+    // Collect properties of the top-level window, since touching the properties
+    // of a DOMWindow affects its internal C++ state.
+    collectPropertiesHelper(window, windowHasBeenGCed, []);
+
+    propertiesToVerify.sort(function (a, b)
+    {
+        if (a.property < b.property)
+            return -1
+        if (a.property > b.property)
+            return 1;
+        return 0;
+    });
+}
+
+function emitExpectedResult(path, expected)
+{
+    // Skip internals properties, since they aren't web accessible.
+    if (path[0] == 'internals'
+        || path[0] == 'propertiesToVerify' // Skip the list we're building...
+        || path[0] == 'clientInformation' // Just an alias for navigator.
+        || path[0] == 'testRunner' // Skip testRunner since they are only for testing.
+        || path[0] == 'layoutTestController' // Just an alias for testRunner.
+        || path[0] == 'eventSender') { // Skip eventSender since they are only for testing.
+        return;
+    }
+
+    // Skip the properties which are hard to expect a stable result.
+    if (path[0] == 'accessibilityController' // we can hardly estimate the states of the cached WebAXObjects.
+        || path[0] == 'localStorage') { // local storage is not reliably cleared between tests.
+        return;
+    }
+
+    // FIXME: Skip MemoryInfo for now, since it's not implemented as a DOMWindowProperty, and has
+    // no way of knowing when it's detached. Eventually this should have the same behavior.
+    if (path.length >= 2 && (path[0] == 'console' || path[0] == 'performance') && path[1] == 'memory')
+        return;
+
+    // Skip things that are assumed to be constants.
+    if (path[path.length - 1].toUpperCase() == path[path.length - 1])
+        return;
+
+    // Various special cases for legacy reasons. Please do not add entries to this list.
+    var propertyPath = path.join('.');
+
+    // Connection type depends on the host, skip.
+    if (propertyPath == 'navigator.connection.type')
+      return;
+    if (propertyPath == 'navigator.connection.downlinkMax')
+      return;
+
+    switch (propertyPath) {
+    case "location.href":
+        expected = "'about:blank'";
+        break;
+    case "location.origin":
+        expected = "'null'";
+        break;
+    case "location.pathname":
+        expected = "'blank'";
+        break;
+    case "location.protocol":
+        expected = "'about:'";
+        break;
+    case "navigator.appCodeName":
+    case "navigator.appName":
+    case "navigator.hardwareConcurrency":
+    case "navigator.language":
+    case "navigator.onLine":
+    case "navigator.platform":
+    case "navigator.product":
+    case "navigator.productSub":
+    case "navigator.vendor":
+        expected = "window." + propertyPath;
+        break;
+    case "screen.orientation":
+        expected = "'portrait-primary'";
+        break;
+    case "history.scrollRestoration":
+        expected = "'auto'";
+        break;
+    }
+
+    insertExpectedResult(path, expected);
+}
+
+function collectPropertiesHelper(object, windowHasBeenGCed, path)
+{
+    if (path.length > 20)
+        throw 'Error: probably looping';
+
+    for (var property in object) {
+        // Skip internals properties, since they aren't web accessible.
+        if (property === 'internals')
+            continue;
+        path.push(property);
+        var type = typeof(object[property]);
+        if (type == "object") {
+            if (object[property] === null) {
+                emitExpectedResult(path, "null");
+            } else if (!object[property].Window
+                && !(object[property] instanceof Node)
+                && !(object[property] instanceof MimeTypeArray)
+                && !(object[property] instanceof PluginArray)) {
+                // Skip some traversing through types that will end up in cycles...
+                collectPropertiesHelper(object[property], windowHasBeenGCed, path);
+            }
+        } else if (type == "string") {
+            emitExpectedResult(path, "''");
+        } else if (type == "number") {
+            emitExpectedResult(path, "0");
+        } else if (type == "boolean") {
+            expected = "false";
+            if (path == "closed" && windowHasBeenGCed )
+                expected = "true";
+            emitExpectedResult(path, expected);
+        }
+        path.pop();
+    }
+}
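Review bot: In `collectPropertiesHelper` the boolean branch assigns `expected = "false";` without `var`, which creates an implicit global on the very `window` object being enumerated. Depending on enumeration order, that global could itself be collected as a string property. Declare it locally with `var expected = "false";`. The check `path == "closed"` compares an array to a string and only works through array-to-string coercion when the path has one element; `path.length == 1 && path[0] == "closed"` states the intent. The `return -1` in the sort comparator is also missing its semicolon.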
index 0f219c2..1a0160b 100644 (file)
@@ -351,6 +351,9 @@ webkit.org/b/142726 [ Yosemite ] fast/images/animated-png.html [ Skip ]
 
 [ Debug ] editing/undo/remove-css-property-and-remove-style.html [ Pass Failure ]
 
+# Test for WK1 only
+fast/dom/Window/property-access-on-cached-window-after-frame-removed.html [ Skip ]
+
 ### END OF (3) Unclassified failures
 ########################################
 
index 752a899..ff04229 100644 (file)
@@ -1,3 +1,19 @@
+2015-11-18  Jiewen Tan  <jiewen_tan@apple.com>
+
+        [WK1] Crash loading Blink layout test fast/dom/Window/property-access-on-cached-window-after-frame-removed.html
+        https://bugs.webkit.org/show_bug.cgi?id=150198
+        <rdar://problem/23136026>
+
+        Reviewed by Brent Fulgham.
+
+        Test: fast/dom/Window/property-access-on-cached-window-after-frame-removed.html
+
+        Properties of a contentWindow could be accessed even if the frame who owns the window is
+        detached. Therefore, check whether the document loader is still alive before using it.
+
+        * page/PerformanceTiming.cpp:
+        (WebCore::PerformanceTiming::monotonicTimeToIntegerMilliseconds):
+
 2015-11-18  Eric Carlson  <eric.carlson@apple.com>
 
         MediaStream: Implement MediaDevices.getSupportedConstraints
index 160fadb..7d571b5 100644 (file)
@@ -340,9 +340,9 @@ unsigned long long PerformanceTiming::resourceLoadTimeRelativeToFetchStart(int r
 unsigned long long PerformanceTiming::monotonicTimeToIntegerMilliseconds(double monotonicSeconds) const
 {
     ASSERT(monotonicSeconds >= 0);
-    const DocumentLoadTiming* timing = documentLoadTiming();
-    ASSERT(timing);
-    return toIntegerMilliseconds(timing->monotonicTimeToPseudoWallTime(monotonicSeconds));
+    if (const DocumentLoadTiming* timing = documentLoadTiming())
+        return toIntegerMilliseconds(timing->monotonicTimeToPseudoWallTime(monotonicSeconds));
+    return 0;
 }
 
 } // namespace WebCore
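Review bot: The new `return 0;` fallback in `monotonicTimeToIntegerMilliseconds` has no comment explaining when `documentLoadTiming()` is null, and a caller cannot tell that 0 from a genuine zero timestamp. Add a comment above the `if`, for example `// documentLoadTiming() is null once the owning frame has been detached; report 0 rather than dereferencing it.` Since the removed `ASSERT(timing)` shows the non-null assumption was built into this file, other users of `documentLoadTiming()` outside this hunk may need the same guard. They are not visible here, so this is a suggestion to audit them, not a confirmed defect.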
index a8ff94c..a35e09e 100644 (file)
@@ -1,3 +1,16 @@
+2015-11-18  Jiewen Tan  <jiewen_tan@apple.com>
+
+        [WK1] Crash loading Blink layout test fast/dom/Window/property-access-on-cached-window-after-frame-removed.html
+        https://bugs.webkit.org/show_bug.cgi?id=150198
+        <rdar://problem/23136026>
+
+        Reviewed by Brent Fulgham.
+
+        * WebKitTestRunner/InjectedBundle/mac/TestRunnerMac.mm:
+        (WTR::TestRunner::inspectorTestStubURL):
+        Since WebInspectorUI.framework is not available for iOS, the framework
+        and corresponding functions are disabled in iOS.
+
 2015-11-18  Alexey Proskuryakov  <ap@apple.com>
 
         [Mac] Swipe tests depend on user preferences
index 62256de..90caec7 100644 (file)
 
 #import "InjectedBundle.h"
 #import <JavaScriptCore/JSStringRefCF.h>
+
+#if !PLATFORM(IOS)
 #import <WebCore/SoftLinking.h>
 
 SOFT_LINK_STAGED_FRAMEWORK(WebInspectorUI, PrivateFrameworks, A)
+#endif
 
 namespace WTR {
 
@@ -69,6 +72,9 @@ JSRetainPtr<JSStringRef> TestRunner::pathToLocalResource(JSStringRef url)
 
 JSRetainPtr<JSStringRef> TestRunner::inspectorTestStubURL()
 {
+#if PLATFORM(IOS)
+    return nullptr;
+#else
     // Call the soft link framework function to dlopen it, then CFBundleGetBundleWithIdentifier will work.
     WebInspectorUILibrary();
 
@@ -82,6 +88,7 @@ JSRetainPtr<JSStringRef> TestRunner::inspectorTestStubURL()
 
     CFStringRef urlString = CFURLGetString(url.get());
     return adopt(JSStringCreateWithCFString(urlString));
+#endif
 }
 
 } // namespace WTR
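Review bot: The conditional closed by this `#endif` makes `TestRunner::inspectorTestStubURL()` return `nullptr` on iOS (the `#if PLATFORM(IOS)` branch is added in the previous hunk), and nothing in the code says why. Callers are outside the visible hunks, so whether they tolerate a null `JSStringRef` on that platform should be confirmed. Add a comment on the early return, e.g. `// WebInspectorUI.framework is not available on iOS, so there is no stub URL to return.`, and label the closing directive as `#endif // PLATFORM(IOS)`, because the guarded region spans most of the function body. The middle of the function lies between the two hunks and is not shown.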