Commit 0be72014 authored by levin@chromium.org's avatar levin@chromium.org

WebCore:

2009-05-13  David Levin  <levin@chromium.org>

        Reviewed by Darin Adler.

        Bug 25394: REGRESSION: crash in DocumentLoader::addResponse due to bad |this| pointer
        https://bugs.webkit.org/show_bug.cgi?id=25394

        Test: http/tests/xmlhttprequest/frame-unload-abort-crash.html

        * loader/SubresourceLoader.cpp:
        (WebCore::SubresourceLoader::create):
        Add another check to subresource loader to avoid doing any loads in frames
        when the loaders are being stopped.

LayoutTests:

2009-05-13  David Levin  <levin@chromium.org>

        Reviewed by Darin Adler.

        Bug 25394: REGRESSION: crash in DocumentLoader::addResponse due to bad |this| pointer
        https://bugs.webkit.org/show_bug.cgi?id=25394

        Request a subresource load for an IMG after 'unload' and before the next
        page load completes to expose the crash.

        * http/tests/xmlhttprequest/frame-unload-abort-crash-expected.txt: Added.
        * http/tests/xmlhttprequest/frame-unload-abort-crash.html: Added.
        * http/tests/xmlhttprequest/resources/xmlhttprequest-in-unload.html: Added.

git-svn-id: http://svn.webkit.org/repository/webkit/trunk@43650 268f45cc-cd09-0410-ab3c-d52691b4dbfc
parent 6c7d983a
2009-05-13 David Levin <levin@chromium.org>
Reviewed by Darin Adler.
Bug 25394: REGRESSION: crash in DocumentLoader::addResponse due to bad |this| pointer
https://bugs.webkit.org/show_bug.cgi?id=25394
Request a subresource load for an IMG after 'unload' and before the next
page load completes to expose the crash.
* http/tests/xmlhttprequest/frame-unload-abort-crash-expected.txt: Added.
* http/tests/xmlhttprequest/frame-unload-abort-crash.html: Added.
* http/tests/xmlhttprequest/resources/xmlhttprequest-in-unload.html: Added.
2009-05-13 Dan Bernstein <mitz@apple.com>
Reviewed by Dave Hyatt.
frame "<!--framePath //<!--frame0-->-->" - has 1 onunload handler(s)
Test for bug 25394: crash in DocumentLoader::addResponse due to bad |this| pointer
You should see a few messages followed by PASSED once.
Ready State: 1
Ready State: 4
PASSED
<html>
<body>
<p>Test for <a href="https://bugs.webkit.org/show_bug.cgi?id=25394">bug 25394</a>: crash in DocumentLoader::addResponse due to bad |this| pointer</p>
<p>You should see a few messages followed by PASSED once. </p>
<script>
var consoleMessages = document.createElement("ul");
document.body.appendChild(consoleMessages);
if (window.layoutTestController) {
layoutTestController.waitUntilDone();
layoutTestController.dumpAsText();
}
function subframeLoaded()
{
var frameDiv = document.getElementById('framediv');
frameDiv.innerHTML = 'PASSED';
if (window.layoutTestController)
layoutTestController.notifyDone();
}
function dumpRequestStatus(request)
{
try {
log("Ready State: " + request.readyState);
} catch (ex) {
log("Exception getting status: " + ex.message);
}
}
function log(message)
{
var item = document.createElement("li");
item.appendChild(document.createTextNode(message));
consoleMessages.appendChild(item);
}
</script>
<div id="framediv">
<iframe src="resources/xmlhttprequest-in-unload.html" width=50 height=10 border=0></iframe>
</div>
</body>
</html>
<html>
<head>
<script>
function loadXML()
{
url = 'endlessxml.php';
try {
xhr = new XMLHttpRequest();
xhr.overrideMimeType('text/xml');
xhr.onreadystatechange = readyStateChanged;
xhr.parent = window.parent;
xhr.open('GET', url);
xhr.onabort = loadImage;
xhr.send(null);
} catch (ex) {
window.parent.log("Exception doing XMLHttpRequest "+ ex.message);
}
}
function loadImage()
{
image = new Image();
image.src = "data:,foo";
document.body.appendChild(image);
}
function readyStateChanged(evt)
{
evt.target.parent.dumpRequestStatus(evt.target);
}
</script>
</head>
<body onload="window.parent.subframeLoaded()" onunload="loadXML()">
</body>
</html>
2009-05-13 David Levin <levin@chromium.org>
Reviewed by Darin Adler.
Bug 25394: REGRESSION: crash in DocumentLoader::addResponse due to bad |this| pointer
https://bugs.webkit.org/show_bug.cgi?id=25394
Test: http/tests/xmlhttprequest/frame-unload-abort-crash.html
* loader/SubresourceLoader.cpp:
(WebCore::SubresourceLoader::create):
Add another check to subresource loader to avoid doing any loads in frames
when the loaders are being stopped.
2009-05-13 Stephan Haller <nomad@froevel.de>
Reviewed by Gustavo Noronha.
......@@ -66,7 +66,7 @@ PassRefPtr<SubresourceLoader> SubresourceLoader::create(Frame* frame, Subresourc
return 0;
FrameLoader* fl = frame->loader();
if (!skipCanLoadCheck && fl->state() == FrameStateProvisional)
if (!skipCanLoadCheck && (fl->state() == FrameStateProvisional || fl->activeDocumentLoader()->isStopping()))
return 0;
ResourceRequest newRequest = request;
......
Markdown is supported
0% or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment