<rdar://problem/9539920> and https://bugs.webkit.org/show_bug.cgi?id=61950
author: beidson@apple.com <beidson@apple.com@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
Thu, 2 Jun 2011 22:03:49 +0000 (22:03 +0000)
committer: beidson@apple.com <beidson@apple.com@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
Thu, 2 Jun 2011 22:03:49 +0000 (22:03 +0000)
Repro crash loading certain webarchives after r87566.

Reviewed by Oliver Hunt.

Source/WebCore:

Test: webarchive/loading/javascript-url-iframe-crash.html

* bindings/ScriptControllerBase.cpp:
(WebCore::ScriptController::executeIfJavaScriptURL): DocumentWriter::replaceDocument can
  cause the DocumentLoader to be destroyed, so protect it with a Ref here.

LayoutTests:

* webarchive/loading/javascript-url-iframe-crash-expected.txt: Added.
* webarchive/loading/javascript-url-iframe-crash.html: Added.
* webarchive/loading/resources/javascript-url-iframe-crash.webarchive: Added.

git-svn-id: https://svn.webkit.org/repository/webkit/trunk@87959 268f45cc-cd09-0410-ab3c-d52691b4dbfc
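The lifetime hazard the commit message describes, as an added stand-alone illustration (not WebKit code): a raw pointer to a ref-counted loader is used across a call that drops the owner's reference, versus holding a local owning reference for the duration of the call. `std::shared_ptr` stands in for WebKit's `RefPtr`, and `Loader`, `Document`, `g_live` and `isLive` are constructed names for the example.

```cpp
#include <memory>
#include <set>
#include <string>

// Live-object registry: lets the test observe destruction without touching freed memory.
static std::set<const void*> g_live;
static bool isLive(const void* p) { return g_live.count(p) != 0; }

struct Document;

// Stand-in for DocumentLoader: ref-counted, and owned by the Document.
struct Loader {
    Document* doc;
    explicit Loader(Document* d) : doc(d) { g_live.insert(this); }
    ~Loader() { g_live.erase(this); }
    // Stand-in for DocumentWriter::replaceDocument: installing the new document drops the owning ref.
    void replaceDocument(const std::string& html);
};

struct Document {
    std::shared_ptr<Loader> loader;  // the only owning reference, like document()->loader()
    std::string content;
    Document() : loader(std::make_shared<Loader>(this)) {}
};

void Loader::replaceDocument(const std::string& html) {
    doc->content = html;
    doc->loader.reset();  // last reference dropped: *this may now be gone
}

// Before the fix: raw pointer, as in the removed line of the hunk.
// Returns true if the loader is still alive after the call.
bool executeRawPointer(Document& doc) {
    if (Loader* loader = doc.loader.get()) {
        loader->replaceDocument("<p>new</p>");
        return isLive(loader);  // false: the object was destroyed mid-call
    }
    return false;
}

// After the fix: a local owning reference (RefPtr in WebKit, shared_ptr here)
// keeps the loader alive until the end of the if-block.
bool executeProtected(Document& doc) {
    if (std::shared_ptr<Loader> loader = doc.loader) {
        loader->replaceDocument("<p>new</p>");
        return isLive(loader.get());  // true: we still hold a reference
    }
    return false;
}
```

The detection trick here is only for the demonstration; in the real code the dangling `loader` would be a use-after-free that ASan, not a registry, is the right tool to catch.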

LayoutTests/ChangeLog
LayoutTests/webarchive/loading/javascript-url-iframe-crash-expected.txt [new file with mode: 0644]
LayoutTests/webarchive/loading/javascript-url-iframe-crash.html [new file with mode: 0644]
LayoutTests/webarchive/loading/resources/javascript-url-iframe-crash.webarchive [new file with mode: 0644]
Source/WebCore/ChangeLog
Source/WebCore/bindings/ScriptControllerBase.cpp

index 1e5312d..42bb7b3 100644 (file)
@@ -1,3 +1,14 @@
+2011-06-02  Brady Eidson  <beidson@apple.com>
+
+        Reviewed by Oliver Hunt.
+
+        <rdar://problem/9539920> and https://bugs.webkit.org/show_bug.cgi?id=61950
+        Repro crash loading certain webarchives after r87566.
+
+        * webarchive/loading/javascript-url-iframe-crash-expected.txt: Added.
+        * webarchive/loading/javascript-url-iframe-crash.html: Added.
+        * webarchive/loading/resources/javascript-url-iframe-crash.webarchive: Added.
+
 2011-06-02  Tony Chang  <tony@chromium.org>
 
         [chromium] mark media/audio-delete-while-slider-thumb-clicked.html as passing
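Review bot: the LayoutTests ChangeLog entry lists the new .webarchive fixture but does not say what it contains. Since the archive is binary and cannot be reviewed in the diff, a one-line description in the entry (an iframe with a non-empty javascript: URL, per the expected-output text "non-empty javascript URL iframe") would help anyone who later needs to regenerate or audit it.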
diff --git a/LayoutTests/webarchive/loading/javascript-url-iframe-crash-expected.txt b/LayoutTests/webarchive/loading/javascript-url-iframe-crash-expected.txt
new file mode 100644 (file)
index 0000000..ed96976
--- /dev/null
@@ -0,0 +1,17 @@
+main frame - didStartProvisionalLoadForFrame
+main frame - didCommitLoadForFrame
+main frame - willPerformClientRedirectToURL: resources/javascript-url-iframe-crash.webarchive 
+main frame - didFinishDocumentLoadForFrame
+main frame - didFinishLoadForFrame
+main frame - didStartProvisionalLoadForFrame
+main frame - didCancelClientRedirectForFrame
+main frame - didCommitLoadForFrame
+frame "<!--framePath //<!--frame0-->-->" - didStartProvisionalLoadForFrame
+frame "<!--framePath //<!--frame0-->-->" - didFailProvisionalLoadWithError
+frame "<!--framePath //<!--frame0-->-->" - didFinishDocumentLoadForFrame
+frame "<!--framePath //<!--frame0-->-->" - didHandleOnloadEventsForFrame
+main frame - didFinishDocumentLoadForFrame
+main frame - didHandleOnloadEventsForFrame
+main frame - didFinishLoadForFrame
+Loading this webarchive with a "non-empty javascript URL iframe" should not crash.
+
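Review bot: the willPerformClientRedirectToURL line near the top of the hunk ends in trailing whitespace and the file ends with an extra empty line. If that is the verbatim DumpRenderTree output it has to stay byte-for-byte, so make sure nothing in the editor or commit hooks strips trailing whitespace from expected files, or the test will fail with a diff that looks empty.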
diff --git a/LayoutTests/webarchive/loading/javascript-url-iframe-crash.html b/LayoutTests/webarchive/loading/javascript-url-iframe-crash.html
new file mode 100644 (file)
index 0000000..47fd0ca
--- /dev/null
@@ -0,0 +1,10 @@
+<html>
+<script>
+    if (window.layoutTestController) {
+        layoutTestController.dumpAsText();
+        layoutTestController.waitUntilDone();
+    }
+    
+    window.location="resources/javascript-url-iframe-crash.webarchive";
+</script>
+</html>
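Review bot: the test calls layoutTestController.waitUntilDone() but nothing in this file calls notifyDone(); the page immediately navigates away to the webarchive, so completion must come from the archived document, which is binary and not visible here. A short comment saying that the webarchive is responsible for notifyDone() would save a reader from assuming the test relies on a timeout.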
diff --git a/LayoutTests/webarchive/loading/resources/javascript-url-iframe-crash.webarchive b/LayoutTests/webarchive/loading/resources/javascript-url-iframe-crash.webarchive
new file mode 100644 (file)
index 0000000..07c478d
Binary files /dev/null and b/LayoutTests/webarchive/loading/resources/javascript-url-iframe-crash.webarchive differ
index a3ede10..1ac3a0a 100755 (executable)
@@ -1,3 +1,16 @@
+2011-06-02  Brady Eidson  <beidson@apple.com>
+
+        Reviewed by Oliver Hunt.
+
+        <rdar://problem/9539920> and https://bugs.webkit.org/show_bug.cgi?id=61950
+        Repro crash loading certain webarchives after r87566.
+
+        Test: webarchive/loading/javascript-url-iframe-crash.html
+
+        * bindings/ScriptControllerBase.cpp:
+        (WebCore::ScriptController::executeIfJavaScriptURL): DocumentWriter::replaceDocument can
+          cause the DocumentLoader to be destroyed, so protect it with a Ref here.
+
 2011-06-02  Jay Civelli  <jcivelli@chromium.org>
 
         Reviewed by Adam Barth.
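Review bot: the entry says "protect it with a Ref here" while the code change uses RefPtr<DocumentLoader>; the two should agree, so "RefPtr" is the accurate term. Separately, the index line shows Source/WebCore/ChangeLog with mode 100755 (executable); that is pre-existing rather than introduced by this change, but it is wrong for a text file and worth clearing in a follow-up.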
index d769651..8bc8509 100644 (file)
@@ -117,7 +117,10 @@ bool ScriptController::executeIfJavaScriptURL(const KURL& url, ShouldReplaceDocu
     if (shouldReplaceDocumentIfJavaScriptURL == ReplaceDocumentIfJavaScriptURL) {
         // We're still in a frame, so there should be a DocumentLoader.
         ASSERT(m_frame->document()->loader());
-        if (DocumentLoader* loader = m_frame->document()->loader())
+        
+        // DocumentWriter::replaceDocument can cause the DocumentLoader to get deref'ed and possible destroyed,
+        // so protect it with a RefPtr.
+        if (RefPtr<DocumentLoader> loader = m_frame->document()->loader())
             loader->writer()->replaceDocument(scriptResult);
     }
     return true;
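Review bot: the new comment reads "possible destroyed" where "possibly destroyed" is meant, and the added blank line after the ASSERT carries trailing whitespace. The fix itself is sound as far as this hunk shows: holding the DocumentLoader in a RefPtr keeps it alive across DocumentWriter::replaceDocument, the only use of loader after that call is the end of the if-block, and nothing else in the hunk dereferences m_frame afterwards.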