Reviewed by Beth Dakin.

        - fix <rdar://problem/5516272> Reproducible crash in RenderObject::setStyle involving going Back from a non-HTML document (Bookmarks view, PDF view)

        The root cause for the crash is that when a non-HTML view enters the
        frame, the frame's document pointer keeps pointing at the last HTML-type
        document it contained. This patch does not address the root cause, but
        makes changes to account for that condition.

        * loader/FrameLoader.cpp:
        (WebCore::FrameLoader::receivedMainResourceError): Do not change the
        frame's current document's page cache state here.
        (WebCore::FrameLoader::invalidateCurrentItemCachedPage): If the frame's
        current document is in fact the history item being invalidated, then
        set its page cache state here.

git-svn-id: https://svn.webkit.org/repository/webkit/trunk@27760 268f45cc-cd09-0410-ab3c-d52691b4dbfc

diff --git a/WebCore/ChangeLog b/WebCore/ChangeLog
index e1c9ea3cfd9ee0abc1d42be7aeb50665d68dc675..7d693a0da6bcfc49197458d3776c5af4879bd5e4 100644 (file)
--- a/WebCore/ChangeLog
+++ b/WebCore/ChangeLog
@@ -1,3 +1,21 @@
+2007-11-13  Dan Bernstein  <mitz@apple.com>
+
+        Reviewed by Beth Dakin.
+
+        - fix <rdar://problem/5516272> Reproducible crash in RenderObject::setStyle involving going Back from a non-HTML document (Bookmarks view, PDF view)
+
+        The root cause for the crash is that when a non-HTML view enters the
+        frame, the frame's document pointer keeps pointing at the last HTML-type
+        document it contained. This patch does not address the root cause, but
+        makes changes to account for that condition.
+
+        * loader/FrameLoader.cpp:
+        (WebCore::FrameLoader::receivedMainResourceError): Do not change the
+        frame's current document's page cache state here.
+        (WebCore::FrameLoader::invalidateCurrentItemCachedPage): If the frame's
+        current document is in fact the history item being invalidated, then
+        set its page cache state here.
+
 2007-11-12  Antti Koivisto  <antti@apple.com>
 
         Reviewed by Adele.

diff --git a/WebCore/loader/FrameLoader.cpp b/WebCore/loader/FrameLoader.cpp
index 0601e091585d47c1131bb383aabc55a78fba40aa..8f12e0ac2d93d168045ce7ee6eaeb92e69f6fb8d 100644 (file)
--- a/WebCore/loader/FrameLoader.cpp
+++ b/WebCore/loader/FrameLoader.cpp
@@ -3365,7 +3365,6 @@ void FrameLoader::receivedMainResourceError(const ResourceError& error, bool isC
         // We might have made a page cache item, but now we're bailing out due to an error before we ever
         // transitioned to the new page (before WebFrameState == commit).  The goal here is to restore any state
         // so that the existing view (that wenever got far enough to replace) can continue being used.
-        m_frame->document()->setInPageCache(false);
         invalidateCurrentItemCachedPage();
         
         // Call clientRedirectCancelledOrFinished here so that the frame load delegate is notified that the redirect's
@@ -3918,8 +3917,10 @@ void FrameLoader::invalidateCurrentItemCachedPage()
     // Both Xcode and FileMaker see this crash, Safari does not.
     
     ASSERT(!cachedPage || cachedPage->document() == m_frame->document());
-    if (cachedPage && cachedPage->document() == m_frame->document())
+    if (cachedPage && cachedPage->document() == m_frame->document()) {
+        cachedPage->document()->setInPageCache(false);
         cachedPage->clear();
+    }
     
     if (cachedPage)
         pageCache()->remove(m_currentHistoryItem.get());