Ensure that removing an iframe from the DOM tree disconnects its Frame.
<https://webkit.org/b/128889>
<rdar://problem/15671221>

Merged from Blink (patch by Adam Klein):
https://src.chromium.org/viewvc/blink?revision=156174&view=revision

Source/WebCore:

SubframeLoadingDisabler wasn't catching the case when an <iframe> was,
in its unload handler, removed and re-added to the same parent.
Fix this by using a count of SubframeLoadingDisablers that are on the
stack for a given root, rather than a simple boolean.

Test: fast/frames/reattach-in-unload.html

* html/HTMLFrameOwnerElement.h:
(WebCore::SubframeLoadingDisabler::disabledSubtreeRoots):

LayoutTests:

* fast/frames/reattach-in-unload-expected.txt: Added.
* fast/frames/reattach-in-unload.html: Added.

git-svn-id: http://svn.webkit.org/repository/webkit/trunk@164204 268f45cc-cd09-0410-ab3c-d52691b4dbfc
diff --git a/LayoutTests/ChangeLog b/LayoutTests/ChangeLog
index b2cc3f3..b1d31a7 100644
--- a/LayoutTests/ChangeLog
+++ b/LayoutTests/ChangeLog
@@ -1,3 +1,15 @@
+2014-02-16  Andreas Kling  <akling@apple.com>
+
+        Ensure that removing an iframe from the DOM tree disconnects its Frame.
+        <https://webkit.org/b/128889>
+        <rdar://problem/15671221>
+
+        Merged from Blink (patch by Adam Klein):
+        https://src.chromium.org/viewvc/blink?revision=156174&view=revision
+
+        * fast/frames/reattach-in-unload-expected.txt: Added.
+        * fast/frames/reattach-in-unload.html: Added.
+
 2014-02-16  Benjamin Poulain  <benjamin@webkit.org>
 
         When applying style, attribute value matching should be case sensitive for SVG
diff --git a/LayoutTests/fast/frames/reattach-in-unload-expected.txt b/LayoutTests/fast/frames/reattach-in-unload-expected.txt
new file mode 100644
index 0000000..7a04163
--- /dev/null
+++ b/LayoutTests/fast/frames/reattach-in-unload-expected.txt
@@ -0,0 +1,12 @@
+Ensure that removing an iframe from the tree results in frame destruction
+
+On success, you will see a series of "PASS" messages, followed by "TEST COMPLETE".
+
+
+PASS frame.contentWindow is null
+PASS frame.contentWindow is null
+Did not crash
+PASS successfullyParsed is true
+
+TEST COMPLETE
+
diff --git a/LayoutTests/fast/frames/reattach-in-unload.html b/LayoutTests/fast/frames/reattach-in-unload.html
new file mode 100644
index 0000000..151ef19
--- /dev/null
+++ b/LayoutTests/fast/frames/reattach-in-unload.html
@@ -0,0 +1,25 @@
+<!DOCTYPE html>
+<body>
+<script src="../../resources/js-test.js"></script>
+<script>
+description('Ensure that removing an iframe from the tree results in frame destruction');
+
+var frame = document.createElement('iframe');
+function handler() {
+    var p = frame.parentNode;
+    p.removeChild(frame);
+    p.appendChild(frame);
+}
+
+document.body.appendChild(frame);
+frame.contentWindow.onunload = handler;
+frame.parentNode.removeChild(frame)
+shouldBeNull("frame.contentWindow");
+
+var div = document.body.appendChild(document.createElement('div'));
+div.appendChild(frame);
+div.removeChild(frame);
+shouldBeNull("frame.contentWindow");
+debug('Did not crash');
+</script>
+</body>
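Review bot: Nothing in this test records whether `handler` actually ran, so the two `shouldBeNull("frame.contentWindow")` checks and the `debug('Did not crash')` line would pass identically if the unload handler never fired; consider bumping a counter inside `handler()` and asserting on it (e.g. `shouldBe("handlerCalls", "1")`) so the reattach-in-unload path is provably exercised. Minor style point: `frame.parentNode.removeChild(frame)` is missing its trailing semicolon, unlike every other statement in the script.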
diff --git a/Source/WebCore/ChangeLog b/Source/WebCore/ChangeLog
index edbb3a8..4ca9e14 100644
--- a/Source/WebCore/ChangeLog
+++ b/Source/WebCore/ChangeLog
@@ -1,3 +1,22 @@
+2014-02-16  Andreas Kling  <akling@apple.com>
+
+        Ensure that removing an iframe from the DOM tree disconnects its Frame.
+        <https://webkit.org/b/128889>
+        <rdar://problem/15671221>
+
+        Merged from Blink (patch by Adam Klein):
+        https://src.chromium.org/viewvc/blink?revision=156174&view=revision
+
+        SubframeLoadingDisabler wasn't catching the case when an <iframe> was,
+        in its unload handler, removed and re-added to the same parent.
+        Fix this by using a count of SubframeLoadingDisablers that are on the
+        stack for a given root, rather than a simple boolean.
+
+        Test: fast/frames/reattach-in-unload.html
+
+        * html/HTMLFrameOwnerElement.h:
+        (WebCore::SubframeLoadingDisabler::disabledSubtreeRoots):
+
 2014-02-16  Benjamin Poulain  <benjamin@webkit.org>
 
         When applying style, attribute value matching should be case sensitive for SVG
diff --git a/Source/WebCore/html/HTMLFrameOwnerElement.h b/Source/WebCore/html/HTMLFrameOwnerElement.h
index 7c0fc06..85c8483 100644
--- a/Source/WebCore/html/HTMLFrameOwnerElement.h
+++ b/Source/WebCore/html/HTMLFrameOwnerElement.h
@@ -22,6 +22,7 @@
 #define HTMLFrameOwnerElement_h
 
 #include "HTMLElement.h"
+#include <wtf/HashCountedSet.h>
 
 namespace WebCore {
 
@@ -88,9 +89,9 @@
     static bool canLoadFrame(HTMLFrameOwnerElement&);
 
 private:
-    static HashSet<ContainerNode*>& disabledSubtreeRoots()
+    static HashCountedSet<ContainerNode*>& disabledSubtreeRoots()
     {
-        DEFINE_STATIC_LOCAL(HashSet<ContainerNode*>, nodes, ());
+        DEFINE_STATIC_LOCAL(HashCountedSet<ContainerNode*>, nodes, ());
         return nodes;
     }
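Review bot: This hunk changes only the container type returned by `disabledSubtreeRoots()`, from `HashSet<ContainerNode*>` to `HashCountedSet<ContainerNode*>`; the `SubframeLoadingDisabler` constructor, destructor and `canLoadFrame()` call sites that add, remove and query entries are outside the diff, so the reviewer should confirm they compile unchanged against the counted set and, more importantly, that the nested case described in the ChangeLog (an inner disabler created while an outer one for the same root is still alive) now leaves the root present in the set until the outer disabler is destroyed rather than dropping it on the inner destructor's removal. A short comment on the member explaining why a count is needed would also help future readers, since the reason is only documented in the ChangeLog.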