Source/WebCore: Patch by Abhishek Arya <inferno@chromium.org> on 2011-07-13
author: inferno@chromium.org <inferno@chromium.org@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
Wed, 13 Jul 2011 18:51:44 +0000 (18:51 +0000)
committer: inferno@chromium.org <inferno@chromium.org@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
Wed, 13 Jul 2011 18:51:44 +0000 (18:51 +0000)
Reviewed by Adam Barth.

Issue with Frame lifetime due to deletion in beforeload event.
https://bugs.webkit.org/show_bug.cgi?id=64457

Copy the Frame protector higher in the stack from loadWithDocumentLoader
to loadFrameRequest since any of loadPostRequest or loadURL can call
loadWithDocumentLoader, thereby dispatching the beforeload event and
blowing away the frame. This deleted frame will be later accessed in
the loadFrameRequest function causing a crash.

Test: fast/events/form-iframe-target-before-load-crash2.html

* loader/FrameLoader.cpp:
(WebCore::FrameLoader::loadFrameRequest):
(WebCore::FrameLoader::loadWithDocumentLoader):

LayoutTests: Tests that we do not crash when the frame is blown away in a beforeload
event.
https://bugs.webkit.org/show_bug.cgi?id=64457

Reviewed by Adam Barth.

* fast/events/form-iframe-target-before-load-crash.html:
* fast/events/form-iframe-target-before-load-crash2-expected.txt: Added.
* fast/events/form-iframe-target-before-load-crash2.html: Added.

git-svn-id: https://svn.webkit.org/repository/webkit/trunk@90936 268f45cc-cd09-0410-ab3c-d52691b4dbfc

LayoutTests/ChangeLog
LayoutTests/fast/events/form-iframe-target-before-load-crash.html
LayoutTests/fast/events/form-iframe-target-before-load-crash2-expected.txt [new file with mode: 0644]
LayoutTests/fast/events/form-iframe-target-before-load-crash2.html [new file with mode: 0644]
Source/WebCore/ChangeLog
Source/WebCore/loader/FrameLoader.cpp

index d862e5e..a83ccc7 100644 (file)
@@ -1,3 +1,15 @@
+2011-07-13  Abhishek Arya  <inferno@chromium.org>
+
+        Tests that we do not crash when frame is blown away in a beforeload
+        event.
+        https://bugs.webkit.org/show_bug.cgi?id=64457
+
+        Reviewed by Adam Barth.
+
+        * fast/events/form-iframe-target-before-load-crash.html:
+        * fast/events/form-iframe-target-before-load-crash2-expected.txt: Added.
+        * fast/events/form-iframe-target-before-load-crash2.html: Added.
+
 2011-07-13  Mihnea Ovidenie  <mihnea@adobe.com>
 
         [CSSRegions]content:-webkit-from-flow not applied correctly
index 609b154..87ff1f6 100644 (file)
@@ -1,4 +1,5 @@
 <html>\r
+    <script src="../js/resources/js-test-pre.js"></script>\r
     <body onload="runTest()">\r
         <div id="console"></div>\r
         <form id="form1" style="display:none" method="post" target="test" action="http://anything.com"></form>\r
@@ -25,6 +26,7 @@
                 if (count == 2)\r
                 {\r
                     document.body.removeChild(document.getElementById('test'));\r
+                    gc();\r
                     document.body.offsetTop;\r
                 }\r
             }, true);\r
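Review bot: the new `gc();` call only works because the first hunk of this file adds `<script src="../js/resources/js-test-pre.js"></script>`, which supplies the `gc()` helper; the two hunks must land together. The LayoutTests ChangeLog entry lists this file but gives no reason for the change; a short note that the forced collection is what makes the removed iframe's Frame actually go away (so the test exercises the lifetime bug rather than passing by luck) would help anyone reading the entry later.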
diff --git a/LayoutTests/fast/events/form-iframe-target-before-load-crash2-expected.txt b/LayoutTests/fast/events/form-iframe-target-before-load-crash2-expected.txt
new file mode 100644 (file)
index 0000000..69cfc5a
--- /dev/null
@@ -0,0 +1,2 @@
+PASS
+
diff --git a/LayoutTests/fast/events/form-iframe-target-before-load-crash2.html b/LayoutTests/fast/events/form-iframe-target-before-load-crash2.html
new file mode 100644 (file)
index 0000000..e5fa9da
--- /dev/null
@@ -0,0 +1,37 @@
+<html>\r
+    <script src="../js/resources/js-test-pre.js"></script>\r
+    <body onload="runTest()">\r
+        <div id="console"></div>\r
+        <form id="form1" style="display:none" target="test" action="about:blank"></form>\r
+        <script>\r
+            if (window.layoutTestController)\r
+            {\r
+                layoutTestController.dumpAsText();\r
+                layoutTestController.waitUntilDone();\r
+            }\r
+        \r
+            function runTest()\r
+            {\r
+                document.getElementById('form1').submit();\r
+                \r
+                if (window.layoutTestController)\r
+                    layoutTestController.notifyDone();\r
+                document.getElementById('console').innerHTML = 'PASS';\r
+            }\r
+\r
+            count = 0;\r
+            document.addEventListener("beforeload", function(event) {\r
+                event.preventDefault();\r
+                count = count + 1;\r
+                if (count == 2)\r
+                {\r
+                    document.body.removeChild(document.getElementById('test'));\r
+                    gc();\r
+                    document.body.offsetTop;\r
+                }\r
+            }, true);\r
+       </script>\r
+       <iframe id="test" src="about:blank"></iframe>\r
+   </body>\r
+</html>\r
+\r
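Review bot: in `runTest()`, `layoutTestController.notifyDone();` is called before `document.getElementById('console').innerHTML = 'PASS';`, so completion is signalled before the result text is in the DOM; swap the two statements so the dump reliably contains PASS. Also, `count = 0;` without `var` creates an implicit global, and a one-line comment stating that this variant (no `method="post"`, `action="about:blank"`) exercises the loadURL path while the original test covers loadPostRequest would document why both tests exist, since the ChangeLog only says "any of loadPostRequest or loadURL".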
index 4cce3ac..585c00d 100644 (file)
@@ -1,3 +1,22 @@
+2011-07-13  Abhishek Arya  <inferno@chromium.org>
+
+        Reviewed by Adam Barth.
+
+        Issue with Frame lifetime due to deletion in beforeload event.
+        https://bugs.webkit.org/show_bug.cgi?id=64457
+
+        Copy the Frame protector higher in the stack from loadWithDocumentLoader
+        to loadFrameRequest since any of loadPostRequest or loadURL can call
+        loadWithDocumentLoader, thereby dispatching the beforeload event and
+        blowing away the frame. This deleted frame will be later accessed in
+        the loadFrameRequest function causing a crash.       
+        Test: fast/events/form-iframe-target-before-load-crash2.html
+
+        * loader/FrameLoader.cpp:
+        (WebCore::FrameLoader::loadFrameRequest):
+        (WebCore::FrameLoader::loadWithDocumentLoader):
+
 2011-07-13  Mihnea Ovidenie  <mihnea@adobe.com>
 
         [CSSRegions]content:-webkit-from-flow not applied correctly
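Review bot: the added line `the loadFrameRequest function causing a crash.` carries trailing whitespace, and the `Test: fast/events/form-iframe-target-before-load-crash2.html` line that follows it is not separated from the description by a blank line, unlike the LayoutTests ChangeLog entry in the same patch; trim the whitespace and add the blank line so the entry matches the usual layout.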
index 960cafe..3545a16 100644 (file)
@@ -1114,6 +1114,9 @@ static bool isFeedWithNestedProtocolInHTTPFamily(const KURL& url)
 void FrameLoader::loadFrameRequest(const FrameLoadRequest& request, bool lockHistory, bool lockBackForwardList,
     PassRefPtr<Event> event, PassRefPtr<FormState> formState, ReferrerPolicy referrerPolicy)
 {    
+    // Protect frame from getting blown away inside dispatchBeforeLoadEvent in loadWithDocumentLoader.
+    RefPtr<Frame> protect(m_frame);
+
     KURL url = request.resourceRequest().url();
 
     ASSERT(m_frame->document());
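Review bot: `RefPtr<Frame> protect(m_frame);` keeps the Frame object alive across the beforeload dispatch in loadWithDocumentLoader, which closes the use-after-free the ChangeLog describes, but a frame that the event handler removed from the document is still reachable afterwards in a detached state. It is worth confirming that whatever loadFrameRequest does after loadPostRequest or loadURL returns tolerates a frame whose page has gone away, or returns early in that case, rather than relying on the protector alone. Since the entry says the protector is copied rather than moved, the existing one in loadWithDocumentLoader should stay, as that function has callers other than this one.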