Google Git
Sign in
webkit / WebKit / dbef5a5c1c295b288f597dfa98e161ba97dbde15
commitdbef5a5c1c295b288f597dfa98e161ba97dbde15[log] [tgz]
authorcommit-queue@webkit.org <commit-queue@webkit.org@268f45cc-cd09-0410-ab3c-d52691b4dbfc>Mon Sep 17 09:05:13 2012 +0000
committercommit-queue@webkit.org <commit-queue@webkit.org@268f45cc-cd09-0410-ab3c-d52691b4dbfc>Mon Sep 17 09:05:13 2012 +0000
tree33790efd482c34c8339ae250f38dad337316d6de
parent9725ba605bd7dede7ce07dd1d919295c37cbece9 [diff]
Don't GC img elements blocked by CSP until error events fire.
https://bugs.webkit.org/show_bug.cgi?id=94677

Patch by Mike West <mkwst@chromium.org> on 2012-09-17
Reviewed by Jochen Eisinger.

Source/WebCore:

Currently, the GC checks that no load events are pending for an image
element before reclaiming its memory. It's not, however, checking that
error events are taken care of. This leads to the potential of firing an
event on a DOM element that we've already collected. That's a Bad Thing.

This patch adjusts the check to catch error events as well as load
events, which should ensure that the element isn't collected until it's
really ready. As a drive-by, it also changes the name of the check to
'hasPendingActivity' from 'hasPendingLoadEvent' for clarity.

http/tests/security/contentSecurityPolicy/register-bypassing-scheme.html
should no longer crash, and the new
http/tests/security/contentSecurityPolicy/img-blocked-no-gc-crash.html
and fast/events/onerror-img-after-gc.html shouldn't crash either.

Tests: fast/events/onerror-img-after-gc.html
       http/tests/security/contentSecurityPolicy/img-blocked-no-gc-crash.html

* bindings/v8/V8GCController.cpp:
(WebCore::calculateGroupId):
    Switch to using ImageLoader::hasPendingActivity().
* html/HTMLImageElement.h:
(WebCore::HTMLImageElement::hasPendingActivity):
    Switch to using ImageLoader::hasPendingActivity().
* loader/ImageLoader.h:
(WebCore::ImageLoader::hasPendingActivity):
    Added a check against pending error events in order to ensure that
    elements aren't garbage collected prematurely. Aslo renamed from
    ImageLoader::hasPendingLoadEvent for clarity.
* svg/SVGImageElement.cpp:
(WebCore::SVGImageElement::haveLoadedRequiredResources):
    Switch to using ImageLoader::hasPendingActivity().

LayoutTests:

* fast/events/onerror-img-after-gc.html:
* fast/events/onerror-img-after-gc-expected.txt:
* http/tests/security/contentSecurityPolicy/img-blocked-no-gc-crash.html:
* http/tests/security/contentSecurityPolicy/img-blocked-no-gc-crash-expected.txt:
    Explicitly triggering GC before the error in the hopes of proving
    that we don't crash anymore.
* platform/gtk/TestExpectations:
* platform/qt/Skipped:
    Unskipping no-longer-crashing test.

git-svn-id: http://svn.webkit.org/repository/webkit/trunk@128730 268f45cc-cd09-0410-ab3c-d52691b4dbfc
12 files changed
tree: 33790efd482c34c8339ae250f38dad337316d6de
  1. Examples/
  2. LayoutTests/
  3. ManualTests/
  4. PerformanceTests/
  5. Source/
  6. Tools/
  7. WebKit.xcworkspace/
  8. WebKitLibraries/
  9. Websites/
  10. .dir-locals.el
  11. .gitattributes
  12. .gitignore
  13. .qmake.conf
  14. autogen.sh
  15. ChangeLog
  16. ChangeLog-2012-05-22
  17. CMakeLists.txt
  18. configure.ac
  19. GNUmakefile.am
  20. Makefile
  21. Makefile.shared
  22. WebKit.pro
  23. wscript