2009-04-13 Darin Fisher <darin@chromium.org>

Reviewed by Darin Adler. https://bugs.webkit.org/show_bug.cgi?id=25136 CRASH in DocumentLoader::removeSubresourceLoader due to null m_frame Test: fast/frames/frame-unload-crash.html * loader/DocumentLoader.cpp: (WebCore::DocumentLoader::updateLoading): Added null check of m_frame. git-svn-id: svn://svn.chromium.org/blink/trunk@42442 bbb929c8-8fbe-4397-9dbb-9b2b20218538

2009-04-13 Darin Fisher <darin@chromium.org>
Reviewed by Darin Adler. https://bugs.webkit.org/show_bug.cgi?id=25136 CRASH in DocumentLoader::removeSubresourceLoader due to null m_frame Test: fast/frames/frame-unload-crash.html * loader/DocumentLoader.cpp: (WebCore::DocumentLoader::updateLoading): Added null check of m_frame. git-svn-id: svn://svn.chromium.org/blink/trunk@42442 bbb929c8-8fbe-4397-9dbb-9b2b20218538
4623ee51 · darin@chromium.org · 714a4726 · 4623ee51 · 4623ee51 · 4623ee51
Commit 4623ee51 authored Apr 13, 2009 by darin@chromium.org
8 changed files
--- a/third_party/WebKit/LayoutTests/ChangeLog
+++ b/third_party/WebKit/LayoutTests/ChangeLog
+2009-04-13  Darin Fisher  <darin@chromium.org>
+
+        Reviewed by Darin Adler.
+
+        https://bugs.webkit.org/show_bug.cgi?id=25136
+        CRASH in DocumentLoader::removeSubresourceLoader due to null m_frame
+
+        * fast/frames/frame-unload-crash-expected.txt: Added.
+        * fast/frames/frame-unload-crash.html: Added.
+        * fast/frames/resources/frame-unload-crash-1.html: Added.
+        * fast/frames/resources/frame-unload-crash-2.html: Added.
+        * fast/frames/resources/frame-unload-crash-3.html: Added.
+
 2009-04-13  Sam Weinig  <sam@webkit.org>

        Reviewed by Tim Hatcher.

--- a/third_party/WebKit/LayoutTests/fast/frames/frame-unload-crash-expected.txt
+++ b/third_party/WebKit/LayoutTests/fast/frames/frame-unload-crash-expected.txt
+frame "<!--framePath //<!--frame0-->/<!--frame0-->-->" - has 1 onunload handler(s)
+This is a test for bug 25136: CRASH in DocumentLoader::removeSubresourceLoader due to null m_frame. If success ful, PASS should be printed below.
+
+PASS
+
+
--- a/third_party/WebKit/LayoutTests/fast/frames/frame-unload-crash.html
+++ b/third_party/WebKit/LayoutTests/fast/frames/frame-unload-crash.html
+<html>
+<head>
+<link rel="stylesheet" href="../js/resources/js-test-style.css">
+<script>
+
+if (window.layoutTestController) {
+    layoutTestController.waitUntilDone();
+    layoutTestController.dumpAsText();
+}
+
+function done()
+{
+    document.getElementById("results").appendChild(document.createTextNode("PASS"));
+    layoutTestController.notifyDone();
+}
+
+</script>
+</head>
+<body>
+<p>
+  This is a test for <a href="https://bugs.webkit.org/show_bug.cgi?id=25136">bug 25136</a>: <i>CRASH in DocumentLoader::removeSubresourceLoader
+  due to null m_frame.</i> If successful, PASS should be printed below.
+</p>
+<p id="results" class="pass"></p>
+<iframe style="border: 0" src="resources/frame-unload-crash-1.html">
+</body>
+</html>
--- a/third_party/WebKit/LayoutTests/fast/frames/resources/frame-unload-crash-1.html
+++ b/third_party/WebKit/LayoutTests/fast/frames/resources/frame-unload-crash-1.html
+<html>
+<body onload="location='frame-unload-crash-3.html'">
+  <iframe src="frame-unload-crash-2.html">
+</body>
+</html>
--- a/third_party/WebKit/LayoutTests/fast/frames/resources/frame-unload-crash-2.html
+++ b/third_party/WebKit/LayoutTests/fast/frames/resources/frame-unload-crash-2.html
+<html>
+<head>
+<script>
+// When we create an XHR from onunload, we expect it to be cancelled almost
+// immediately afterwards.  When that happens the XHR's onabort handler is
+// called.  The XHR created from there is cancelled again, but at a later point
+// after this FRAME has already been detached from its parent.
+var requests = [];
+function startRequest() {
+  var x = new XMLHttpRequest();
+  x.open("GET", location, true);
+  x.onabort = startRequest;
+  x.send(null);
+  requests.push(x);
+}
+</script>
+</head>
+<body onunload="startRequest()"></body>
+</html>
--- a/third_party/WebKit/LayoutTests/fast/frames/resources/frame-unload-crash-3.html
+++ b/third_party/WebKit/LayoutTests/fast/frames/resources/frame-unload-crash-3.html
+<html>
+<body onload="parent.done()"></body>
+</html>
--- a/third_party/WebKit/WebCore/ChangeLog
+++ b/third_party/WebKit/WebCore/ChangeLog
+2009-04-13  Darin Fisher  <darin@chromium.org>
+
+        Reviewed by Darin Adler.
+
+        https://bugs.webkit.org/show_bug.cgi?id=25136
+        CRASH in DocumentLoader::removeSubresourceLoader due to null m_frame
+
+        Test: fast/frames/frame-unload-crash.html
+
+        * loader/DocumentLoader.cpp:
+        (WebCore::DocumentLoader::updateLoading): Added null check of m_frame.
+
 2009-04-13  Sam Weinig  <sam@webkit.org>

        Reviewed by Tim Hatcher.
--- a/third_party/WebKit/WebCore/loader/DocumentLoader.cpp
+++ b/third_party/WebKit/WebCore/loader/DocumentLoader.cpp
@@ -405,6 +405,10 @@ void DocumentLoader::setupForReplaceByMIMEType(const String& newMIMEType)

 void DocumentLoader::updateLoading()
 {
+    if (!m_frame) {
+        setLoading(false);
+        return;
+    }
    ASSERT(this == frameLoader()->activeDocumentLoader());
    setLoading(frameLoader()->isLoading());
 }