Changeset 87959 in webkit

Timestamp:

Jun 2, 2011, 3:03:49 PM (14 years ago)

Author:

beidson@apple.com

Message:

<rdar://problem/9539920> and ​https://bugs.webkit.org/show_bug.cgi?id=61950
Repro crash loading certain webarchives after r87566.

Reviewed by Oliver Hunt.

Source/WebCore:

Test: webarchive/loading/javascript-url-iframe-crash.html

• bindings/ScriptControllerBase.cpp:

(WebCore::ScriptController::executeIfJavaScriptURL): DocumentWriter::replaceDocument can

cause the DocumentLoader to be destroyed, so protect it with a Ref here.

LayoutTests:

• webarchive/loading/javascript-url-iframe-crash-expected.txt: Added.
• webarchive/loading/javascript-url-iframe-crash.html: Added.
• webarchive/loading/resources/javascript-url-iframe-crash.webarchive: Added.

Location:

trunk

Files:

• LayoutTests/ChangeLog (modified) (1 diff)
• LayoutTests/webarchive/loading/javascript-url-iframe-crash-expected.txt (added)
• LayoutTests/webarchive/loading/javascript-url-iframe-crash.html (added)
• LayoutTests/webarchive/loading/resources/javascript-url-iframe-crash.webarchive (added)
• Source/WebCore/ChangeLog (modified) (1 diff)
• Source/WebCore/bindings/ScriptControllerBase.cpp (modified) (1 diff)

trunk/LayoutTests/ChangeLog

@@ +1 @@
+2011-06-02  Brady Eidson  <beidson@apple.com>
+
+        Reviewed by Oliver Hunt.
+
+        <rdar://problem/9539920> and https://bugs.webkit.org/show_bug.cgi?id=61950
+        Repro crash loading certain webarchives after r87566.
+
+        * webarchive/loading/javascript-url-iframe-crash-expected.txt: Added.
+        * webarchive/loading/javascript-url-iframe-crash.html: Added.
+        * webarchive/loading/resources/javascript-url-iframe-crash.webarchive: Added.
+
 2011-06-02  Tony Chang  <tony@chromium.org>
 

trunk/Source/WebCore/ChangeLog

@@ +1 @@
+2011-06-02  Brady Eidson  <beidson@apple.com>
+
+        Reviewed by Oliver Hunt.
+
+        <rdar://problem/9539920> and https://bugs.webkit.org/show_bug.cgi?id=61950
+        Repro crash loading certain webarchives after r87566.
+
+        Test: webarchive/loading/javascript-url-iframe-crash.html
+
+        * bindings/ScriptControllerBase.cpp:
+        (WebCore::ScriptController::executeIfJavaScriptURL): DocumentWriter::replaceDocument can
+          cause the DocumentLoader to be destroyed, so protect it with a Ref here.
+
 2011-06-02  Jay Civelli  <jcivelli@chromium.org>
 

trunk/Source/WebCore/bindings/ScriptControllerBase.cpp

@@ -118 +118 @@
         // We're still in a frame, so there should be a DocumentLoader.
         ASSERT(m_frame->document()->loader());
-        if (DocumentLoader* loader = m_frame->document()->loader())
+        
+        // DocumentWriter::replaceDocument can cause the DocumentLoader to get deref'ed and possible destroyed,
+        // so protect it with a RefPtr.
+        if (RefPtr<DocumentLoader> loader = m_frame->document()->loader())
             loader->writer()->replaceDocument(scriptResult);
     }