Changeset 20090 in webkit


Timestamp: Mar 9, 2007 8:05:37 AM (17 years ago)
Author: weinig
Message:

LayoutTests:

Reviewed by Darin.

  • http/tests/misc/onload-remove-iframe-crash-2-expected.txt: Added.
  • http/tests/misc/onload-remove-iframe-crash-2.html: Added.
  • http/tests/misc/resources/onload-remove-iframe-crash-2.html: Added.
  • http/tests/misc/resources/onload-remove-iframe.html: Added.

WebCore:

Reviewed by Darin.

Test: http/tests/misc/onload-remove-iframe-crash-2.html

The resulted from an iframe's load event handler removing the iframe
from the document.

  • dom/Document.cpp: (WebCore::Document::implicitClose): Bail out early if an event handler removed the frame.
  • loader/FrameLoader.cpp: (WebCore::FrameLoader::FrameLoader): (WebCore::FrameLoader::clear): (WebCore::FrameLoader::checkCompleted): Protect the frame from deletion by event handlers. (WebCore::FrameLoader::checkCompletedTimerFired): (WebCore::FrameLoader::scheduleCheckCompleted): (WebCore::FrameLoader::detachFromParent): Schedule a completion check on the parent (in case the child is what has been keeping it from completing).
  • loader/FrameLoader.h:
Location: trunk
Files: 4 added, 5 edited

  • trunk/LayoutTests/ChangeLog

    r20088 r20090  
     12007-03-09  Mitz Pettel  <mitz@webkit.org>
     2
     3        Reviewed by Darin.
     4
     5        - test for http://bugs.webkit.org/show_bug.cgi?id=9929
     6          REGRESSION: crash on logging in on mijnpostbank.nl
     7
     8        * http/tests/misc/onload-remove-iframe-crash-2-expected.txt: Added.
     9        * http/tests/misc/onload-remove-iframe-crash-2.html: Added.
     10        * http/tests/misc/resources/onload-remove-iframe-crash-2.html: Added.
     11        * http/tests/misc/resources/onload-remove-iframe.html: Added.
     12
    1132007-03-08  Justin Garcia  <justin.garcia@apple.com>
    214
  • trunk/WebCore/ChangeLog

    r20089 r20090  
     12007-03-09  Mitz Pettel  <mitz@webkit.org>
     2
     3        Reviewed by Darin.
     4
     5        - fix http://bugs.webkit.org/show_bug.cgi?id=9929
     6          REGRESSION: crash on logging in on mijnpostbank.nl
     7
     8        Test: http/tests/misc/onload-remove-iframe-crash-2.html
     9
     10        The resulted from an iframe's load event handler removing the iframe
     11        from the document.
     12
     13        * dom/Document.cpp:
     14        (WebCore::Document::implicitClose): Bail out early if an event handler
     15        removed the frame.
     16        * loader/FrameLoader.cpp:
     17        (WebCore::FrameLoader::FrameLoader):
     18        (WebCore::FrameLoader::clear):
     19        (WebCore::FrameLoader::checkCompleted): Protect the frame from deletion
     20        by event handlers.
     21        (WebCore::FrameLoader::checkCompletedTimerFired):
     22        (WebCore::FrameLoader::scheduleCheckCompleted):
     23        (WebCore::FrameLoader::detachFromParent): Schedule a completion check
     24        on the parent (in case the child is what has been keeping it from completing).
     25        * loader/FrameLoader.h:
     26
    1272007-03-08  David Kilzer  <ddkilzer@webkit.org>
    228
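Review bot: ChangeLog line 10 is missing its subject ("The resulted from an iframe's load event handler removing the iframe"). It presumably should read "The crash resulted from ...", matching the bug title on line 6.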
  • trunk/WebCore/dom/Document.cpp

    r20028 r20090  
    13901390    m_processingLoadEvent = false;
    13911391
     1392    // An event handler may have removed the frame
     1393    if (!frame())
     1394        return;
     1395
    13921396    // Make sure both the initial layout and reflow happen after the onload
    13931397    // fires. This will improve onload scores, and other browsers do it.
    13941398    // If they wanna cheat, we can too. -dwh
    13951399
    1396     if (frame() && frame()->loader()->isScheduledLocationChangePending() && elapsedTime() < cLayoutScheduleThreshold) {
     1400    if (frame()->loader()->isScheduledLocationChangePending() && elapsedTime() < cLayoutScheduleThreshold) {
    13971401        // Just bail out. Before or during the onload we were shifted to another page.
    13981402        // The old i-Bench suite does this. When this happens don't bother painting or laying out.       
     
    14011405    }
    14021406
    1403     if (frame())
    1404         frame()->loader()->checkEmitLoadEvent();
     1407    frame()->loader()->checkEmitLoadEvent();
    14051408
    14061409    // Now do our painting/layout, but only if we aren't in a subframe or if we're in a subframe
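Review bot: With the guards at old lines 1396 and 1403 dropped, the early return at 1393 is the only frame() check left in this stretch, yet checkEmitLoadEvent() at 1407 is the same call that FrameLoader::checkCompleted now wraps in RefPtr<Frame> protect(m_frame) to guard against deletion by event handlers. If the painting/layout code after 1409 dereferences frame(), it needs a re-check after 1407, or a comment saying why the frame cannot go away there.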
  • trunk/WebCore/loader/FrameLoader.cpp

    r20046 r20090  
    224224    , m_containsPlugIns(false)
    225225    , m_redirectionTimer(this, &FrameLoader::redirectionTimerFired)
     226    , m_checkCompletedTimer(this, &FrameLoader::checkCompletedTimerFired)
    226227    , m_opener(0)
    227228    , m_openedByJavaScript(false)
     
    743744    m_scheduledRedirection.clear();
    744745
     746    m_checkCompletedTimer.stop();
     747
    745748    m_receivedData = false;
    746749
     
    10831086    m_isComplete = true;
    10841087
     1088    RefPtr<Frame> protect(m_frame);
    10851089    checkEmitLoadEvent(); // if we didn't do it before
    10861090
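Review bot: The local "protect" at 1088 is never read, so the line looks removable to anyone tidying this function later. Add a comment saying it keeps m_frame alive across checkEmitLoadEvent() and the code down to completed(), and state there whether holding the Frame is also enough to keep this FrameLoader alive, since the function goes on calling members after 1089.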
     
    10911095
    10921096    completed();
     1097}
     1098
     1099void FrameLoader::checkCompletedTimerFired(Timer<FrameLoader>*)
     1100{
     1101    checkCompleted();
     1102}
     1103
     1104void FrameLoader::scheduleCheckCompleted()
     1105{
     1106    if (!m_checkCompletedTimer.isActive())
     1107        m_checkCompletedTimer.startOneShot(0);
    10931108}
    10941109
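Review bot: Nothing visible in this patch stops m_checkCompletedTimer except clear() at 746, so unless clear() always runs on detach, a zero-delay check scheduled by scheduleCheckCompleted() can still fire after the loader's own frame has been removed. Either stop the timer in detachFromParent() as well, or have checkCompletedTimerFired() return early when the frame is no longer attached.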
     
    28422857    setDocumentLoader(0);
    28432858    m_client->detachedFromParent3();
    2844     if (Frame* parent = m_frame->tree()->parent())
     2859    if (Frame* parent = m_frame->tree()->parent()) {
    28452860        parent->tree()->removeChild(m_frame);
    2846     else {
     2861        parent->loader()->scheduleCheckCompleted();
     2862    } else {
    28472863        m_frame->setView(0);
    28482864        m_frame->pageDestroyed();
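Review bot: The call at 2861 defers the parent's completion check through a timer instead of calling checkCompleted() directly, and the code does not say why. A one-line comment there would help (the ChangeLog gives the motivation: the child may be what kept the parent from completing). The added layout tests are all named for the crash, so confirm that one of them also asserts that the parent's load completes after the iframe is removed.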
  • trunk/WebCore/loader/FrameLoader.h

    r20027 r20090  
    8383    struct WindowFeatures;
    8484
    85     template <typename T> class Timer;
    86 
    8785    bool isBackForwardLoadType(FrameLoadType);
    8886
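Review bot: Removing the forward declaration "template <typename T> class Timer;" at old lines 85-86 looks like separate cleanup and is not mentioned in the ChangeLog, whose loader/FrameLoader.h entry is empty. Note it there, along with the new scheduleCheckCompleted(), checkCompletedTimerFired() and m_checkCompletedTimer.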
     
    363361        void finishedParsing();
    364362        void checkCompleted();
     363        void scheduleCheckCompleted();
    365364
    366365        void clearRecordedFormValues();
     
    436435   
    437436        void redirectionTimerFired(Timer<FrameLoader>*);
     437        void checkCompletedTimerFired(Timer<FrameLoader>*);
    438438
    439439        void cancelRedirection(bool newLoadInProgress = false);
     
    587587   
    588588        Timer<FrameLoader> m_redirectionTimer;
     589        Timer<FrameLoader> m_checkCompletedTimer;
    589590
    590591        Frame* m_opener;