Commit f12783fe authored by abarth@webkit.org

Crash when calling document.open during unload

https://bugs.webkit.org/show_bug.cgi?id=98287

Reviewed by Nate Chapin.

Source/WebCore:

Calling document.open results in us nulling out m_documentLoader. This
code doesn't properly handle that case and crashes.

Test: fast/parser/document-open-in-unload.html

* loader/FrameLoader.cpp:
(WebCore::FrameLoader::commitProvisionalLoad):

LayoutTests:

Test that we don't crash when calling document.open during the unload event.

* fast/parser/document-open-in-unload-expected.txt: Added.
* fast/parser/document-open-in-unload.html: Added.


git-svn-id: http://svn.webkit.org/repository/webkit/trunk@130313 268f45cc-cd09-0410-ab3c-d52691b4dbfc
parent 8297cd1b
2012-10-03 Adam Barth <abarth@webkit.org>
Crash when calling document.open during unload
https://bugs.webkit.org/show_bug.cgi?id=98287
Reviewed by Nate Chapin.
Test that we don't crash when calling document.open during the unload event.
* fast/parser/document-open-in-unload-expected.txt: Added.
* fast/parser/document-open-in-unload.html: Added.
2012-10-03 Hans Wennborg <hans@chromium.org>
Speech JavaScript API: Add SpeechRecognition.interimResults attribute
......
This test passes if it doesn't crash.
<iframe src="data:text/plain,Hi"></iframe>
<script>
if (window.testRunner)
testRunner.dumpAsText();
frames[0].onunload = function () {
document.open();
};
</script>
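Review bot: The test does not say what fires the unload event on frames[0], and nothing in it holds the run open until the handler has executed: the only testRunner call is dumpAsText(). If the handler never runs before the dump, the test still reports a pass without reaching the document.open() path it is meant to cover. Consider a short comment naming the navigation that unloads the iframe's document, and, if that ordering is not guaranteed, a way to confirm the handler ran before the test finishes.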
2012-10-03 Adam Barth <abarth@webkit.org>
Crash when calling document.open during unload
https://bugs.webkit.org/show_bug.cgi?id=98287
Reviewed by Nate Chapin.
Calling document.open results in us nulling out m_documentLoader. This
code doesn't properly handle that case and crashes.
Test: fast/parser/document-open-in-unload.html
* loader/FrameLoader.cpp:
(WebCore::FrameLoader::commitProvisionalLoad):
2012-10-03 Benjamin Poulain <bpoulain@apple.com>
Element::computeInheritedLanguage: evaluate the while() condition after fetching the string
......
......@@ -1715,7 +1715,7 @@ void FrameLoader::commitProvisionalLoad()
transitionToCommitted(cachedPage);
if (pdl) {
if (pdl && m_documentLoader) {
// Check if the destination page is allowed to access the previous page's timing information.
RefPtr<SecurityOrigin> securityOrigin = SecurityOrigin::create(pdl->request().url());
m_documentLoader->timing()->setHasSameOriginAsPreviousDocument(securityOrigin->canRequest(m_previousUrl));
......
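Review bot: The added m_documentLoader check in `if (pdl && m_documentLoader) {` has no comment explaining why the loader can be null immediately after `transitionToCommitted(cachedPage);`. A later reader is likely to treat the check as redundant and remove it. A one-line comment would help, for example "// document.open() from an unload handler can clear m_documentLoader.". The guard also covers only this timing block, so any dereference of m_documentLoader further down in commitProvisionalLoad(), outside the visible context, should be checked for the same condition.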