Reviewed by Dan Bernstein.
author ap@apple.com <ap@apple.com@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
Thu, 1 Jul 2010 22:25:01 +0000 (22:25 +0000)
committer ap@apple.com <ap@apple.com@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
Thu, 1 Jul 2010 22:25:01 +0000 (22:25 +0000)
        https://bugs.webkit.org/show_bug.cgi?id=41488
        <rdar://problem/7487420> Crash in SubresourceLoader::create when load is initiated from plug-in destructor

        Test: plugins/js-from-destroy.html

        * loader/SubresourceLoader.cpp: (WebCore::SubresourceLoader::create): Null check active
        document loader.

git-svn-id: https://svn.webkit.org/repository/webkit/trunk@62304 268f45cc-cd09-0410-ab3c-d52691b4dbfc

LayoutTests/ChangeLog
LayoutTests/plugins/js-from-destroy-expected.txt [moved from LayoutTests/plugins/write-xssauditor-from-destroy-expected.txt with 100% similarity]
LayoutTests/plugins/js-from-destroy.html [moved from LayoutTests/plugins/write-xssauditor-from-destroy.html with 86% similarity]
LayoutTests/plugins/resources/js-from-destroy-frame.html [moved from LayoutTests/plugins/resources/write-xssauditor-from-destroy-frame.html with 79% similarity]
WebCore/ChangeLog
WebCore/loader/SubresourceLoader.cpp

index fcb026c..31e349c 100644 (file)
@@ -1,3 +1,20 @@
+2010-07-01  Alexey Proskuryakov  <ap@apple.com>
+
+        Reviewed by Dan Bernstein.
+
+        https://bugs.webkit.org/show_bug.cgi?id=41488
+        <rdar://problem/7487420> Crash in SubresourceLoader::create when load is initiated from plug-in destructor
+
+        Renamed write-xssauditor-from-destroy.html test, as it covers multiple issues that can happen
+        in this situation.
+
+        * plugins/js-from-destroy-expected.txt: Copied from LayoutTests/plugins/write-xssauditor-from-destroy-expected.txt.
+        * plugins/js-from-destroy.html: Copied from LayoutTests/plugins/write-xssauditor-from-destroy.html.
+        * plugins/resources/js-from-destroy-frame.html: Copied from LayoutTests/plugins/resources/write-xssauditor-from-destroy-frame.html.
+        * plugins/resources/write-xssauditor-from-destroy-frame.html: Removed.
+        * plugins/write-xssauditor-from-destroy-expected.txt: Removed.
+        * plugins/write-xssauditor-from-destroy.html: Removed.
+
 2010-07-01  Andy Estes  <aestes@apple.com>
 
         Reviewed by Darin Adler.
@@ -20,6 +20,6 @@ function runtest()
 
 </script>
 <body onload="runtest()">
-<iframe id="frame" src="resources/write-xssauditor-from-destroy-frame.html"></iframe>
+<iframe id="frame" src="resources/js-from-destroy-frame.html"></iframe>
 </body>
 </html>
@@ -4,7 +4,12 @@
 function pluginDestroyed()
 {
     try {
+        var req = new XMLHttpRequest;
+        req.open("GET", "/", true);
+        req.send();
+
         document.referrer;
+
         document.getElementById("playground").innerHTML = "<div onclick='alert(0)'></div>"
     } catch (ex) {
         alert("Unexpected exception: " + ex);
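Review bot: The request added at the top of the try block in pluginDestroyed() (`req.open("GET", "/", true); req.send();`) has no load or error handler and its result is never inspected, so the test passes whenever the call neither throws nor crashes. If that is the intent, a one-line comment stating that the XHR exists only to start a subresource load while the plug-in is being destroyed would help, because the URL "/" and the otherwise unused `req` look accidental to a later reader. Since the file now exercises three separate operations in one try block, a thrown exception from the first hides whether the later two still work; reporting them separately would make a regression easier to attribute.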
index 86688ea..3d72a3d 100644 (file)
@@ -1,3 +1,15 @@
+2010-07-01  Alexey Proskuryakov  <ap@apple.com>
+
+        Reviewed by Dan Bernstein.
+
+        https://bugs.webkit.org/show_bug.cgi?id=41488
+        <rdar://problem/7487420> Crash in SubresourceLoader::create when load is initiated from plug-in destructor
+
+        Test: plugins/js-from-destroy.html
+
+        * loader/SubresourceLoader.cpp: (WebCore::SubresourceLoader::create): Null check active
+        document loader.
+
 2010-07-01  Andy Estes  <aestes@apple.com>
 
         Reviewed by Darin Adler.
index 1b61a91..5d6d3f1 100644 (file)
@@ -66,7 +66,7 @@ PassRefPtr<SubresourceLoader> SubresourceLoader::create(Frame* frame, Subresourc
         return 0;
 
     FrameLoader* fl = frame->loader();
-    if (securityCheck == DoSecurityCheck && (fl->state() == FrameStateProvisional || fl->activeDocumentLoader()->isStopping()))
+    if (securityCheck == DoSecurityCheck && (fl->state() == FrameStateProvisional || !fl->activeDocumentLoader() || fl->activeDocumentLoader()->isStopping()))
         return 0;
 
     ResourceRequest newRequest = request;
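Review bot: The new `!fl->activeDocumentLoader()` test on the changed line only takes effect when `securityCheck == DoSecurityCheck`, so a caller passing any other value still reaches `ResourceRequest newRequest = request;` with a possibly null active document loader. The rest of the function is not visible in this hunk, so it is worth confirming that nothing further down dereferences `fl->activeDocumentLoader()` on that path, or else moving the null check out of the security-check conjunction so it returns 0 unconditionally. Reading the loader once into a local variable before the `if` would also avoid calling the accessor twice and make the check-then-use order explicit.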