Source/WebCore: Crash in WebCore::FrameLoader::checkCompleted()
author: japhet@chromium.org <japhet@chromium.org@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
Wed, 20 Feb 2013 23:13:53 +0000 (23:13 +0000)
committer: japhet@chromium.org <japhet@chromium.org@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
Wed, 20 Feb 2013 23:13:53 +0000 (23:13 +0000)
https://bugs.webkit.org/show_bug.cgi?id=110237

Reviewed by Abhishek Arya.

Test: http/tests/misc/delete-frame-during-readystatechange.html

* loader/FrameLoader.cpp:
(WebCore::FrameLoader::checkCompleted): Protect before setReadyState() is called.

LayoutTests: Test for https://bugs.webkit.org/show_bug.cgi?id=110237

Reviewed by Abhishek Arya.

* http/tests/misc/delete-frame-during-readystatechange-expected.txt: Added.
* http/tests/misc/delete-frame-during-readystatechange.html: Added.
* http/tests/misc/resources/delete-frame-during-readystatechange-frame.html: Added.
* http/tests/misc/resources/empty.ogv: Added.

git-svn-id: https://svn.webkit.org/repository/webkit/trunk@143514 268f45cc-cd09-0410-ab3c-d52691b4dbfc

LayoutTests/ChangeLog
LayoutTests/http/tests/misc/delete-frame-during-readystatechange-expected.txt [new file with mode: 0644]
LayoutTests/http/tests/misc/delete-frame-during-readystatechange.html [new file with mode: 0644]
LayoutTests/http/tests/misc/resources/delete-frame-during-readystatechange-frame.html [new file with mode: 0644]
LayoutTests/http/tests/misc/resources/empty.ogv [new file with mode: 0644]
Source/WebCore/ChangeLog
Source/WebCore/loader/FrameLoader.cpp

index 79493f5..fde6edf 100644 (file)
@@ -1,3 +1,14 @@
+2013-02-20  Nate Chapin  <japhet@chromium.org>
+
+        Test for https://bugs.webkit.org/show_bug.cgi?id=110237
+
+        Reviewed by Abhishek Arya.
+
+        * http/tests/misc/delete-frame-during-readystatechange-expected.txt: Added.
+        * http/tests/misc/delete-frame-during-readystatechange.html: Added.
+        * http/tests/misc/resources/delete-frame-during-readystatechange-frame.html: Added.
+        * http/tests/misc/resources/empty.ogv: Added.
+
 2013-02-20  David Hyatt  <hyatt@apple.com>
 
         [New Multicolumn] Resize RenderMultiColumnSets around their columns.
diff --git a/LayoutTests/http/tests/misc/delete-frame-during-readystatechange-expected.txt b/LayoutTests/http/tests/misc/delete-frame-during-readystatechange-expected.txt
new file mode 100644 (file)
index 0000000..4bfc0c2
--- /dev/null
@@ -0,0 +1 @@
+Test deleting a subframe from within its readystatechange event. We pass if we don't crash.
diff --git a/LayoutTests/http/tests/misc/delete-frame-during-readystatechange.html b/LayoutTests/http/tests/misc/delete-frame-during-readystatechange.html
new file mode 100644 (file)
index 0000000..902c1fb
--- /dev/null
@@ -0,0 +1,14 @@
+<script>
+if (window.testRunner) {
+    testRunner.dumpAsText();
+    testRunner.waitUntilDone();
+}
+
+function r()
+{
+    document.body.removeChild(document.getElementById("f"));
+    setTimeout(function() { testRunner.notifyDone();}, 0);
+}
+</script>
+Test deleting a subframe from within its readystatechange event. We pass if we don't crash.
+<iframe id="f" src="resources/delete-frame-during-readystatechange-frame.html"></iframe>
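Review bot: the `setTimeout(function() { testRunner.notifyDone();}, 0);` inside `r()` is not guarded by `window.testRunner`, unlike the calls at the top of the file, so opening this test in a plain browser throws a ReferenceError from the timer callback after the crash-prone path has already run. Either wrap it (`if (window.testRunner) testRunner.notifyDone();`) or drop the guards at the top for consistency. A short comment that `r()` is called from the subframe's readystatechange handler would also make the parent/child interaction obvious without reading the resource file.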
diff --git a/LayoutTests/http/tests/misc/resources/delete-frame-during-readystatechange-frame.html b/LayoutTests/http/tests/misc/resources/delete-frame-during-readystatechange-frame.html
new file mode 100644 (file)
index 0000000..518e8c9
--- /dev/null
@@ -0,0 +1,21 @@
+<html>
+<head>
+<script>
+i = 0;
+document.addEventListener('readystatechange', function() {
+    if (i == 1)
+        parent.r();
+    i++;
+});
+
+window.addEventListener('DOMContentLoaded', function() {
+    document.getElementById("v").load(); 
+    document.body.removeChild(document.getElementById("v"));
+});
+
+</script>
+</head>
+<body>
+<video id=v src=empty.ogv></video>
+</body>
+</html>
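Review bot: `i = 0;` on the first line of the script creates an implicit global; `var i = 0;` is the usual form in these tests. More importantly, the `if (i == 1)` check encodes that the frame must be removed on the second readystatechange (the transition to "complete", which is what checkCompleted() triggers), but nothing says so; a one-line comment such as `// Second readystatechange is 'complete'; delete the frame from inside that dispatch.` would document the exact path being exercised. Likewise a comment on why the video is loaded and then immediately removed in the DOMContentLoaded handler would help the next person who has to maintain this file.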
diff --git a/LayoutTests/http/tests/misc/resources/empty.ogv b/LayoutTests/http/tests/misc/resources/empty.ogv
new file mode 100644 (file)
index 0000000..8d1c8b6
--- /dev/null
@@ -0,0 +1 @@
index 66e3960..d0a53f3 100644 (file)
@@ -1,3 +1,15 @@
+2013-02-20  Nate Chapin  <japhet@chromium.org>
+
+        Crash in WebCore::FrameLoader::checkCompleted()
+        https://bugs.webkit.org/show_bug.cgi?id=110237
+
+        Reviewed by Abhishek Arya.
+
+        Test: http/tests/misc/delete-frame-during-readystatechange.html
+
+        * loader/FrameLoader.cpp:
+        (WebCore::FrameLoader::checkCompleted): Protect before setReadyState() is called.
+
 2013-02-20  David Grogan  <dgrogan@chromium.org>
 
         IndexedDB: Limit LevelDB's max open files
index c6dd12e..976b7ae 100644 (file)
@@ -744,6 +744,7 @@ bool FrameLoader::allAncestorsAreComplete() const
 
 void FrameLoader::checkCompleted()
 {
+    RefPtr<Frame> protect(m_frame);
     m_shouldCallCheckCompleted = false;
 
     if (m_frame->view())
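Review bot: the protector now sits at the top of checkCompleted(), but the hunk gives no hint of why it has to come this early; a one-line comment such as `// setReadyState(Complete) below runs script that may remove this frame.` would save the next reader a trip to bug 110237 and would discourage someone from moving it back down later as an "optimization".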
@@ -774,7 +775,6 @@ void FrameLoader::checkCompleted()
     m_requestedHistoryItem = 0;
     m_frame->document()->setReadyState(Document::Complete);
 
-    RefPtr<Frame> protect(m_frame);
     checkCallImplicitClose(); // if we didn't do it before
 
     m_frame->navigationScheduler()->startTimer();
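Review bot: keeping the Frame alive fixes the use-after-free, but the code after `m_frame->document()->setReadyState(Document::Complete);` still calls `checkCallImplicitClose()` and `m_frame->navigationScheduler()->startTimer()` on a frame that, per the new test, may already have been removed from the tree by the readystatechange handler. It is worth confirming that these paths tolerate a detached frame (null page, detached document), or adding an early return after the dispatch when the frame is no longer in a page, rather than relying on the RefPtr alone. The removal of the later `RefPtr<Frame> protect(m_frame);` itself is correct; it was too late, since the dispatch that could delete the frame happened on the line above it.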