2011-06-29 Darin Adler <darin@apple.com>

Reviewed by Anders Carlsson.

[WebKit2] Crash loading page that adds/removes frame in DOMContentLoaded/loaded
https://bugs.webkit.org/show_bug.cgi?id=63483

* fast/loader/create-frame-in-DOMContentLoaded-expected.txt: Added.
* fast/loader/create-frame-in-DOMContentLoaded.html: Added.

2011-06-29 Darin Adler <darin@apple.com>

Reviewed by Anders Carlsson.

[WebKit2] Crash loading page that adds/removes frame in DOMContentLoaded/loaded
https://bugs.webkit.org/show_bug.cgi?id=63483

Test: fast/loader/create-frame-in-DOMContentLoaded.html

* loader/FrameLoader.cpp:
(WebCore::FrameLoader::init): Added an assertion.
(WebCore::FrameLoader::finishedLoadingDocument): Removed a non-helpful #if
statement. The rule that we do not call the client when creating the initial
empty document was nominally specific to Windows and Chromium but is needed
for all platforms.

2011-06-29 Darin Adler <darin@apple.com>

Reviewed by Anders Carlsson.

[WebKit2] Crash loading page that adds/removes frame in DOMContentLoaded/loaded
https://bugs.webkit.org/show_bug.cgi?id=63483

* WebProcess/WebCoreSupport/WebFrameLoaderClient.cpp:
(WebKit::WebFrameLoaderClient::createFrame): Added a check for null when creating
a frame. Also added a check that was in the WebKit1 code, but not here. Strangely,
the comment from the second check was still here, but not the code.
git-svn-id: http://svn.webkit.org/repository/webkit/trunk@90038 268f45cc-cd09-0410-ab3c-d52691b4dbfc
diff --git a/LayoutTests/ChangeLog b/LayoutTests/ChangeLog
index e2599fc..f2fe1fb 100644
--- a/LayoutTests/ChangeLog
+++ b/LayoutTests/ChangeLog
@@ -1,3 +1,13 @@
+2011-06-29 Darin Adler <darin@apple.com>
+
+ Reviewed by Anders Carlsson.
+
+ [WebKit2] Crash loading page that adds/removes frame in DOMContentLoaded/loaded
+ https://bugs.webkit.org/show_bug.cgi?id=63483
+
+ * fast/loader/create-frame-in-DOMContentLoaded-expected.txt: Added.
+ * fast/loader/create-frame-in-DOMContentLoaded.html: Added.
+
2011-06-29 Nat Duca <nduca@chromium.org>
[chromium] Unreviewed, mark fast/canvas/webgl/context-lost-restored failing
diff --git a/LayoutTests/fast/loader/create-frame-in-DOMContentLoaded-expected.txt b/LayoutTests/fast/loader/create-frame-in-DOMContentLoaded-expected.txt
new file mode 100644
index 0000000..c2f8922
--- /dev/null
+++ b/LayoutTests/fast/loader/create-frame-in-DOMContentLoaded-expected.txt
@@ -0,0 +1,5 @@
+A) Entered DOMContentLoaded event handler function.
+C) Entered load event handler function.
+D) Exiting load event handler function.
+Test passed if messages A, B, C, D were all in order and there was no crash.
+B) Exiting DOMContentLoaded event handler function.
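Review bot: the recorded order is A, C, D, the "Test passed" line, then B, so the whole load event handler ran inside the DOMContentLoaded handler (between A and B), yet the final message claims the test passes only if A, B, C, D were all in order. Either reword that line in the test to describe the order actually expected (the load event fires re-entrantly while the iframe is being appended, before the DOMContentLoaded handler returns), or, if A, B, C, D really is the intended order, this expected file is baking in the symptom rather than the desired behaviour. Making the wording match the recorded order keeps a future change in re-entrancy from silently passing or failing for the wrong reason.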
diff --git a/LayoutTests/fast/loader/create-frame-in-DOMContentLoaded.html b/LayoutTests/fast/loader/create-frame-in-DOMContentLoaded.html
new file mode 100644
index 0000000..3f0988c
--- /dev/null
+++ b/LayoutTests/fast/loader/create-frame-in-DOMContentLoaded.html
@@ -0,0 +1,31 @@
+<head>
+<script>
+var frame;
+function print(message)
+{
+ var line = document.createElement("div");
+ line.appendChild(document.createTextNode(message));
+ document.body.appendChild(line);
+}
+function handleDOMContentLoadedEvent()
+{
+ document.body.removeChild(document.body.firstChild);
+ print("A) Entered DOMContentLoaded event handler function.");
+ frame = document.createElement("iframe");
+ document.body.appendChild(frame);
+ print("B) Exiting DOMContentLoaded event handler function.");
+}
+function handleLoadEvent()
+{
+ print("C) Entered load event handler function.");
+ document.body.removeChild(frame);
+ print("D) Exiting load event handler function.");
+ print("Test passed if messages A, B, C, D were all in order and there was no crash.");
+}
+if (window.layoutTestController)
+ layoutTestController.dumpAsText();
+addEventListener("load", handleLoadEvent);
+addEventListener("DOMContentLoaded", handleDOMContentLoadedEvent);
+</script>
+</head>
+<body>TEST DID NOT RUN YET</body>
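Review bot: handleLoadEvent calls document.body.removeChild(frame), and the expected output shows it runs before handleDOMContentLoadedEvent has printed message B, i.e. synchronously from within document.body.appendChild(frame); that only works because `frame` is assigned before appendChild, and nothing in the test says so. A one-line comment above `document.body.appendChild(frame);` noting that appending the iframe can fire the window's load event re-entrantly would make the intended sequence clear to whoever next edits the test. Likewise `document.body.removeChild(document.body.firstChild)` silently removes the "TEST DID NOT RUN YET" text node; a comment saying so would help.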
diff --git a/Source/WebCore/ChangeLog b/Source/WebCore/ChangeLog
index 12f797a..b2fe020 100644
--- a/Source/WebCore/ChangeLog
+++ b/Source/WebCore/ChangeLog
@@ -1,3 +1,19 @@
+2011-06-29 Darin Adler <darin@apple.com>
+
+ Reviewed by Anders Carlsson.
+
+ [WebKit2] Crash loading page that adds/removes frame in DOMContentLoaded/loaded
+ https://bugs.webkit.org/show_bug.cgi?id=63483
+
+ Test: fast/loader/create-frame-in-DOMContentLoaded.html
+
+ * loader/FrameLoader.cpp:
+ (WebCore::FrameLoader::init): Added an assertion.
+ (WebCore::FrameLoader::finishedLoadingDocument): Removed a non-helpful #if
+ statement. The rule that we do not call the client when creating the initial
+ empty document was nominally specific to Windows and Chromium but is needed
+ for all platforms.
+
2011-06-29 Emil A Eklund <eae@chromium.org>
Reviewed by Darin Adler.
diff --git a/Source/WebCore/loader/FrameLoader.cpp b/Source/WebCore/loader/FrameLoader.cpp
index 7c0943b..0a62b06 100644
--- a/Source/WebCore/loader/FrameLoader.cpp
+++ b/Source/WebCore/loader/FrameLoader.cpp
@@ -220,13 +220,15 @@
// This needs to be done early, so that an initial document gets correct sandbox flags in its SecurityOrigin.
updateSandboxFlags();
- // this somewhat odd set of steps is needed to give the frame an initial empty document
+ // This somewhat odd set of steps gives the frame an initial empty document.
+ // It would be better if this could be done with even fewer steps.
m_stateMachine.advanceTo(FrameLoaderStateMachine::CreatingInitialEmptyDocument);
setPolicyDocumentLoader(m_client->createDocumentLoader(ResourceRequest(KURL(ParsedURLString, "")), SubstituteData()).get());
setProvisionalDocumentLoader(m_policyDocumentLoader.get());
setState(FrameStateProvisional);
m_provisionalDocumentLoader->setResponse(ResourceResponse(KURL(), "text/html", 0, String(), String()));
m_provisionalDocumentLoader->finishedLoading();
+ ASSERT(!m_frame->document());
m_documentLoader->writer()->begin(KURL(), false);
m_documentLoader->writer()->end();
m_frame->document()->cancelParsing();
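Review bot: the new ASSERT(!m_frame->document()) sits between m_provisionalDocumentLoader->finishedLoading() and writer()->begin(), so it checks that finishing the provisional load of the initial empty document did not already create a Document; that is the same invariant the finishedLoadingDocument hunk below now enforces for all platforms, but since ASSERT compiles out in release builds it documents the invariant rather than guarding against a violation. A short comment naming what could break it (a client callback creating a document during finishedLoading) would tie the two hunks together for the next reader. Also, the added wish "It would be better if this could be done with even fewer steps." would be easier to find later if written as a FIXME in the usual WebKit style.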
@@ -2050,11 +2052,8 @@
void FrameLoader::finishedLoadingDocument(DocumentLoader* loader)
{
- // FIXME: Platforms shouldn't differ here!
-#if PLATFORM(WIN) || PLATFORM(CHROMIUM)
if (m_stateMachine.creatingInitialEmptyDocument())
return;
-#endif
#if !ENABLE(WEB_ARCHIVE) && !ENABLE(MHTML)
m_client->finishedLoading(loader);
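Review bot: dropping the `#if PLATFORM(WIN) || PLATFORM(CHROMIUM)` guard makes the early return for creatingInitialEmptyDocument() apply on every port, so m_client->finishedLoading(loader), and whatever follows it beyond the visible context, is now skipped for the initial empty document on Mac and the other ports too. The ChangeLog explains why the client must not be called here, but it would be worth confirming that nothing later in this function was relied on by the non-Windows/Chromium ports during initial-empty-document creation, and saying so in the ChangeLog. Removing the "FIXME: Platforms shouldn't differ here!" is correct, since this change is what resolves it.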
diff --git a/Source/WebKit2/ChangeLog b/Source/WebKit2/ChangeLog
index ce08ff2..450cf8d 100644
--- a/Source/WebKit2/ChangeLog
+++ b/Source/WebKit2/ChangeLog
@@ -1,3 +1,15 @@
+2011-06-29 Darin Adler <darin@apple.com>
+
+ Reviewed by Anders Carlsson.
+
+ [WebKit2] Crash loading page that adds/removes frame in DOMContentLoaded/loaded
+ https://bugs.webkit.org/show_bug.cgi?id=63483
+
+ * WebProcess/WebCoreSupport/WebFrameLoaderClient.cpp:
+ (WebKit::WebFrameLoaderClient::createFrame): Added a check for null when creating
+ a frame. Also added a check that was in the WebKit1 code, but not here. Strangely,
+ the comment from the second check was still here, but not the code.
+
2011-06-28 Chang Shu <cshu@webkit.org>
Reviewed by Andreas Kling.
diff --git a/Source/WebKit2/WebProcess/WebCoreSupport/WebFrameLoaderClient.cpp b/Source/WebKit2/WebProcess/WebCoreSupport/WebFrameLoaderClient.cpp
index 2cb4c1b..09392ca 100644
--- a/Source/WebKit2/WebProcess/WebCoreSupport/WebFrameLoaderClient.cpp
+++ b/Source/WebKit2/WebProcess/WebCoreSupport/WebFrameLoaderClient.cpp
@@ -1207,8 +1207,13 @@
RefPtr<WebFrame> subframe = WebFrame::createSubframe(webPage, name, ownerElement);
Frame* coreSubframe = subframe->coreFrame();
+ if (!coreSubframe)
+ return 0;
- // The creation of the frame may have run arbitrary JavaScript that removed it from the page already.
+ // The creation of the frame may have run arbitrary JavaScript that removed it from the page already.
+ if (!coreSubframe->page())
+ return 0;
+
m_frame->coreFrame()->loader()->loadURLIntoChildFrame(url, referrer, coreSubframe);
// The frame's onload handler may have removed it from the document.
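Review bot: the first new check, `if (!coreSubframe) return 0;`, has no comment saying when WebFrame::createSubframe can hand back a WebFrame whose coreFrame() is null, while the second check does explain its case; a one-line comment would keep the two checks symmetric and tell the reader whether null here means creation failed or the frame was already torn down. The comment line shows as removed and re-added with identical text, which looks like a whitespace-only change; that is fine, but easy to misread as a wording change. The ordering is right: the null check comes before coreSubframe->page() is dereferenced, and the page check matches what the ChangeLog says the WebKit1 client already does.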