Changeset 71170 in webkit
- Timestamp: Nov 2, 2010 2:23:43 PM
- Location: trunk
- Files: 5 added, 4 edited
trunk/LayoutTests/ChangeLog
r71167 r71170
2010-11-02  Mihai Parparita  <mihaip@chromium.org>

        Reviewed by Adam Barth.

        [Chromium] Crash when encountering history.back() call during Page::goToItem execution
        https://bugs.webkit.org/show_bug.cgi?id=48477

        Add a reduced version of the page that was originally reported at
        http://crbug.com/59554.

        * http/tests/history/back-during-onload-triggered-by-back-expected.txt: Added.
        * http/tests/history/back-during-onload-triggered-by-back.html: Added.
        * http/tests/history/resources/back-during-onload-container.html: Added.
        * http/tests/history/resources/back-during-onload-hung-page.php: Added.
        * http/tests/history/resources/back-during-onload-middle.html: Added.

2010-11-02  Dmitry Titov  <dimich@chromium.org>
trunk/WebCore/ChangeLog
r71164 r71170
2010-11-02  Mihai Parparita  <mihaip@chromium.org>

        Reviewed by Adam Barth.

        [Chromium] Crash when encountering history.back() call during Page::goToItem execution
        https://bugs.webkit.org/show_bug.cgi?id=48477

        For the Chromium port, BackForwardList::itemAtIndex synthesizes a
        HistoryItem and saves a pointer to it in m_pendingItem. During
        Page::goToItem we call FrameLoader::stopAllLoaders, which can trigger
        onload handlers (if a subframe was not considered committed by the frame
        loader). If one of those handlers calls history.back() or another
        operation that ends up in NavigationScheduler::scheduleHistoryNavigation,
        we would call BackForwardList::itemAtIndex, which means that we would
        lose the m_pendingItem RefPtr that pointed to the item being navigated
        to, causing its ref count to go to 0*, and thus for the HistoryItem to
        be deleted before we were done navigating to it.

        This is fixed in two ways:
        - Add a protector RefPtr in Page::goToItem to make sure that the item is
          still around for when we pass it to HistoryController::goToItem.
        - Change NavigationScheduler::scheduleHistoryNavigation to not use
          BackForwardList::itemAtIndex and instead look at the
          forward/backListCount() (since it doesn't actually care about the
          returned HistoryItem).

        * Full annotated stack trace of this is at http://crbug.com/59554#c9.

        Test: http/tests/history/back-during-onload-triggered-by-back.html

        * loader/NavigationScheduler.cpp:
        (WebCore::NavigationScheduler::scheduleHistoryNavigation):
        * page/Page.cpp:
        (WebCore::Page::goToItem):

2010-10-28  Zhenyao Mo  <zmo@google.com>
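The ChangeLog above describes a re-entrancy use-after-free: the only owner of the HistoryItem being navigated to is m_pendingItem, and a callback that runs in the middle of Page::goToItem replaces m_pendingItem, dropping the last reference while a raw pointer to the item is still in use. The following is an added, self-contained illustration of that mechanism and of the protector fix; it is not WebKit code. The names mirror WebKit (HistoryItem, RefPtr, m_pendingItem, goToItem, stopAllLoaders) but every type here is a constructed stand-in, and destruction is observed through a counter so freed memory is never touched.

```cpp
#include <cassert>
#include <cstdio>
#include <functional>
#include <string>
#include <utility>

// Counts HistoryItem destructions so the simulation can observe a lost
// object without dereferencing a dangling pointer. (Constructed stand-in.)
static int g_destroyedItems = 0;

// Intrusive ref-counted stand-in for WebCore::HistoryItem.
struct HistoryItem {
    explicit HistoryItem(std::string url) : m_url(std::move(url)) {}
    ~HistoryItem() { ++g_destroyedItems; }
    void ref() { ++m_refCount; }
    void deref() { if (--m_refCount == 0) delete this; }
    std::string m_url;
    int m_refCount = 0;
};

// Minimal RefPtr in the spirit of WTF::RefPtr (assumption: the real class has more API).
template <typename T>
class RefPtr {
public:
    RefPtr() : m_ptr(nullptr) {}
    RefPtr(T* p) : m_ptr(p) { if (m_ptr) m_ptr->ref(); }
    RefPtr(const RefPtr& o) : m_ptr(o.m_ptr) { if (m_ptr) m_ptr->ref(); }
    ~RefPtr() { if (m_ptr) m_ptr->deref(); }
    RefPtr& operator=(const RefPtr& o) { RefPtr tmp(o); std::swap(m_ptr, tmp.m_ptr); return *this; }
    RefPtr& operator=(T* p) { RefPtr tmp(p); std::swap(m_ptr, tmp.m_ptr); return *this; }
    T* get() const { return m_ptr; }
private:
    T* m_ptr;
};

// Stand-in for the Chromium BackForwardList described in the ChangeLog: every
// itemAtIndex call synthesizes a fresh item and stores it in m_pendingItem,
// releasing whatever m_pendingItem held before.
class BackForwardListStub {
public:
    HistoryItem* itemAtIndex(int index) {
        m_pendingItem = new HistoryItem("synth://" + std::to_string(index));
        return m_pendingItem.get();
    }
private:
    RefPtr<HistoryItem> m_pendingItem;
};

class PageStub {
public:
    // The callback stands in for script (e.g. history.back()) run from an
    // onload handler that stopAllLoaders can trigger.
    explicit PageStub(std::function<void(PageStub&)> onload) : m_onload(std::move(onload)) {}
    BackForwardListStub& backForward() { return m_backForward; }
    void stopAllLoaders() { if (m_onload) m_onload(*this); }

    // Returns true if `item` was still alive at the point where the real code
    // would hand it to HistoryController::goToItem.
    bool goToItem(HistoryItem* item, bool useProtector) {
        int destroyedBefore = g_destroyedItems;
        // The fix from the patch: hold our own reference for the whole call.
        RefPtr<HistoryItem> protector(useProtector ? item : nullptr);
        stopAllLoaders(); // may re-enter history navigation via onload
        bool alive = g_destroyedItems == destroyedBefore;
        if (alive)
            (void)item->m_url.size(); // safe to use only because we know it survived
        return alive;
    }
private:
    std::function<void(PageStub&)> m_onload;
    BackForwardListStub m_backForward;
};

struct Outcome {
    bool itemAliveWhenUsed;     // survived stopAllLoaders?
    bool itemReleasedAfterwards; // protector did not leak it?
};

Outcome simulate(bool useProtector) {
    g_destroyedItems = 0;
    PageStub page([](PageStub& p) { p.backForward().itemAtIndex(-1); }); // history.back() during onload
    // The navigation target is owned solely by m_pendingItem, as in the bug report.
    HistoryItem* target = page.backForward().itemAtIndex(-1);
    bool aliveWhenUsed = page.goToItem(target, useProtector);
    // Exactly one item (the original target) should have been destroyed by now:
    // either prematurely (no protector) or when the protector went out of scope.
    return { aliveWhenUsed, g_destroyedItems == 1 };
}

int main() {
    std::printf("without protector: alive when used = %d\n", simulate(false).itemAliveWhenUsed);
    std::printf("with protector:    alive when used = %d\n", simulate(true).itemAliveWhenUsed);
    return 0;
}
```

Without the protector the callback's itemAtIndex drops the last reference and the item is gone before it is used; with the protector it survives the re-entrant call and is released only when goToItem returns, which is the behaviour the Page.cpp hunk below restores.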
trunk/WebCore/loader/NavigationScheduler.cpp
r70960 r71170 353 353 // Invalid history navigations (such as history.forward() during a new load) have the side effect of cancelling any scheduled 354 354 // redirects. We also avoid the possibility of cancelling the current load by avoiding the scheduled redirection altogether. 355 HistoryItem* specifiedEntry = m_frame->page()->backForward()->itemAtIndex(steps);356 if ( !specifiedEntry) {355 BackForwardController* backForward = m_frame->page()->backForward(); 356 if (steps > backForward->forwardCount() || -steps > backForward->backCount()) { 357 357 cancel(); 358 358 return; -
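Review bot: the count comparison now stands in for the old null check on `itemAtIndex(steps)`, but nothing in this file says why the lookup was removed; the reason (on Chromium `BackForwardList::itemAtIndex` synthesizes a HistoryItem and overwrites `m_pendingItem`, dropping the reference to the item currently being navigated to, per the ChangeLog) belongs in the comment at 353-354 so that a later reader does not reinstate the lookup. Two things to confirm: the removed local `specifiedEntry` is not referenced further down in `scheduleHistoryNavigation` (the context lines do not show the rest of the function), and `steps == 0` is meant to proceed, since it passes both `steps > forwardCount()` and `-steps > backCount()` and is therefore not cancelled; a one-line comment stating the intended handling of 0 would make that explicit.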
trunk/WebCore/page/Page.cpp
r70960 r71170 348 348 if (defersLoading()) 349 349 return; 350 351 // stopAllLoaders may end up running onload handlers, which could cause further history traversals that may lead to the passed in HistoryItem 352 // being deref()-ed. Make sure we can still use it with HistoryController::goToItem later. 353 RefPtr<HistoryItem> protector(item); 350 354 351 355 // Abort any current load unless we're navigating the current document to a new state object
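Review bot: the protector covers `Page::goToItem` only, while `item` arrives as a raw `HistoryItem*` and is passed on to `HistoryController::goToItem` (per the ChangeLog); any other path that reaches `stopAllLoaders` holding only an unprotected pointer has the same hazard, so the comment should state that callers of the lower layer are expected to keep a reference alive, or the callee should take a `PassRefPtr` / hold its own protector. Placing the `RefPtr` after the `defersLoading()` early return is fine, as that path does not touch `item`. Minor: "deref()-ed" in the comment reads oddly; "having its last reference dropped" is clearer.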