Ensure that removing an iframe from the DOM tree disconnects its Frame.
author akling@apple.com <akling@apple.com@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
Mon, 17 Feb 2014 03:52:02 +0000 (03:52 +0000)
committer akling@apple.com <akling@apple.com@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
Mon, 17 Feb 2014 03:52:02 +0000 (03:52 +0000)
<https://webkit.org/b/128889>
<rdar://problem/15671221>

Merged from Blink (patch by Adam Klein):
https://src.chromium.org/viewvc/blink?revision=156174&view=revision

Source/WebCore:

SubframeLoadingDisabler wasn't catching the case when an <iframe> was,
in its unload handler, removed and re-added to the same parent.
Fix this by using a count of SubframeLoadingDisablers that are on the
stack for a given root, rather than a simple boolean.

Test: fast/frames/reattach-in-unload.html

* html/HTMLFrameOwnerElement.h:
(WebCore::SubframeLoadingDisabler::disabledSubtreeRoots):

LayoutTests:

* fast/frames/reattach-in-unload-expected.txt: Added.
* fast/frames/reattach-in-unload.html: Added.

git-svn-id: https://svn.webkit.org/repository/webkit/trunk@164204 268f45cc-cd09-0410-ab3c-d52691b4dbfc

LayoutTests/ChangeLog
LayoutTests/fast/frames/reattach-in-unload-expected.txt [new file with mode: 0644]
LayoutTests/fast/frames/reattach-in-unload.html [new file with mode: 0644]
Source/WebCore/ChangeLog
Source/WebCore/html/HTMLFrameOwnerElement.h

index b2cc3f3ce6ded35233aa522c19db62d9a2bcbad7..b1d31a7d470b871ee8683a32b99902477961a561 100644 (file)
@@ -1,3 +1,15 @@
+2014-02-16  Andreas Kling  <akling@apple.com>
+
+        Ensure that removing an iframe from the DOM tree disconnects its Frame.
+        <https://webkit.org/b/128889>
+        <rdar://problem/15671221>
+
+        Merged from Blink (patch by Adam Klein):
+        https://src.chromium.org/viewvc/blink?revision=156174&view=revision
+
+        * fast/frames/reattach-in-unload-expected.txt: Added.
+        * fast/frames/reattach-in-unload.html: Added.
+
 2014-02-16  Benjamin Poulain  <benjamin@webkit.org>
 
         When applying style, attribute value matching should be case sensitive for SVG
diff --git a/LayoutTests/fast/frames/reattach-in-unload-expected.txt b/LayoutTests/fast/frames/reattach-in-unload-expected.txt
new file mode 100644 (file)
index 0000000..7a04163
--- /dev/null
@@ -0,0 +1,12 @@
+Ensure that removing an iframe from the tree results in frame destruction
+
+On success, you will see a series of "PASS" messages, followed by "TEST COMPLETE".
+
+
+PASS frame.contentWindow is null
+PASS frame.contentWindow is null
+Did not crash
+PASS successfullyParsed is true
+
+TEST COMPLETE
+
diff --git a/LayoutTests/fast/frames/reattach-in-unload.html b/LayoutTests/fast/frames/reattach-in-unload.html
new file mode 100644 (file)
index 0000000..151ef19
--- /dev/null
@@ -0,0 +1,25 @@
+<!DOCTYPE html>
+<body>
+<script src="../../resources/js-test.js"></script>
+<script>
+description('Ensure that removing an iframe from the tree results in frame destruction');
+
+var frame = document.createElement('iframe');
+function handler() {
+    var p = frame.parentNode;
+    p.removeChild(frame);
+    p.appendChild(frame);
+}
+
+document.body.appendChild(frame);
+frame.contentWindow.onunload = handler;
+frame.parentNode.removeChild(frame)
+shouldBeNull("frame.contentWindow");
+
+var div = document.body.appendChild(document.createElement('div'));
+div.appendChild(frame);
+div.removeChild(frame);
+shouldBeNull("frame.contentWindow");
+debug('Did not crash');
+</script>
+</body>
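Review bot: Nothing in this script confirms that `handler` actually ran, so if the unload event never fires, the first `shouldBeNull("frame.contentWindow")` still passes without exercising the remove-and-re-add path the ChangeLog describes. Consider setting a flag inside `handler` and asserting on it before the first check, so the test fails loudly when the handler is skipped. Minor style point: `frame.parentNode.removeChild(frame)` is missing the trailing semicolon that every other statement in the script has.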
index edbb3a82aef73415aa7301721ea73589e71045c4..4ca9e14099d0c3e160592cead0615df15e45919f 100644 (file)
@@ -1,3 +1,22 @@
+2014-02-16  Andreas Kling  <akling@apple.com>
+
+        Ensure that removing an iframe from the DOM tree disconnects its Frame.
+        <https://webkit.org/b/128889>
+        <rdar://problem/15671221>
+
+        Merged from Blink (patch by Adam Klein):
+        https://src.chromium.org/viewvc/blink?revision=156174&view=revision
+
+        SubframeLoadingDisabler wasn't catching the case when an <iframe> was,
+        in its unload handler, removed and re-added to the same parent.
+        Fix this by using a count of SubframeLoadingDisablers that are on the
+        stack for a given root, rather than a simple boolean.
+
+        Test: fast/frames/reattach-in-unload.html
+
+        * html/HTMLFrameOwnerElement.h:
+        (WebCore::SubframeLoadingDisabler::disabledSubtreeRoots):
+
 2014-02-16  Benjamin Poulain  <benjamin@webkit.org>
 
         When applying style, attribute value matching should be case sensitive for SVG
index 7c0fc0651d886502748088c940c5c1e6c78b7ba9..85c84834a1269a8c1f140c6b4d4e58a05bace983 100644 (file)
@@ -22,6 +22,7 @@
 #define HTMLFrameOwnerElement_h
 
 #include "HTMLElement.h"
+#include <wtf/HashCountedSet.h>
 
 namespace WebCore {
 
@@ -88,9 +89,9 @@ public:
     static bool canLoadFrame(HTMLFrameOwnerElement&);
 
 private:
-    static HashSet<ContainerNode*>& disabledSubtreeRoots()
+    static HashCountedSet<ContainerNode*>& disabledSubtreeRoots()
     {
-        DEFINE_STATIC_LOCAL(HashSet<ContainerNode*>, nodes, ());
+        DEFINE_STATIC_LOCAL(HashCountedSet<ContainerNode*>, nodes, ());
         return nodes;
     }
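Review bot: `disabledSubtreeRoots()` changes its container type here, but the code that adds and removes roots is not part of this diff, so the counting behaviour the ChangeLog relies on cannot be checked from these lines. Please confirm that each SubframeLoadingDisabler adds its root exactly once and removes it exactly once, and that `canLoadFrame` treats any non-zero count as disabled. A short comment on the accessor saying why a counted set is needed (more than one disabler can be on the stack for the same root) would keep a later cleanup from simplifying it back to `HashSet<ContainerNode*>`.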