Crash in Safari opening new tabs to "same page"

<rdar://problem/7593857> and https://bugs.webkit.org/show_bug.cgi?id=34444

Reviewed by Adele Peterson.

WebCore: 

Test: fast/loader/crash-copying-backforwardlist.html

* loader/FrameLoader.cpp:
(WebCore::FrameLoader::loadItem): Null check currentItem().

* page/Page.cpp:
(WebCore::Page::goToItem): Ditto.

WebKitTools: 

Add a mode (Mac-only for now) that exercises the WebView SPI _loadBackForwardListFromOtherView:

* DumpRenderTree/LayoutTestController.cpp:
(LayoutTestController::LayoutTestController):
(setNewWindowsCopyBackForwardListCallback):
(LayoutTestController::staticFunctions):

* DumpRenderTree/LayoutTestController.h:
(LayoutTestController::newWindowsCopyBackForwardList):
(LayoutTestController::setNewWindowsCopyBackForwardList):

* DumpRenderTree/mac/UIDelegate.mm:
(-[UIDelegate webView:createWebViewWithRequest:]):

LayoutTests: 

* fast/loader/crash-copying-backforwardlist-expected.txt: Added.
* fast/loader/crash-copying-backforwardlist.html: Added.
* platform/gtk/Skipped:
* platform/qt/Skipped:
* platform/win/Skipped:



git-svn-id: svn://svn.chromium.org/blink/trunk@54145 bbb929c8-8fbe-4397-9dbb-9b2b20218538

third_party/WebKit/LayoutTests/ChangeLog

+2010-02-01  Brady Eidson  <beidson@apple.com>
+
+        Reviewed by Adele Peterson.
+
+        Crash in Safari opening new tabs to "same page"
+        <rdar://problem/7593857> and https://bugs.webkit.org/show_bug.cgi?id=34444
+
+        * fast/loader/crash-copying-backforwardlist-expected.txt: Added.
+        * fast/loader/crash-copying-backforwardlist.html: Added.
+        * platform/gtk/Skipped:
+        * platform/qt/Skipped:
+        * platform/win/Skipped:
+
 2010-02-01  Eric Carlson  <eric.carlson@apple.com>
 
         Reviewed by Adele Peterson.

third_party/WebKit/LayoutTests/fast/loader/crash-copying-backforwardlist-expected.txt

+This test only works in DRT by tickling the [WebView _loadBackForwardListFromOtherView:] method.
+If it doesn't crash, then the test passes.
+

third_party/WebKit/LayoutTests/fast/loader/crash-copying-backforwardlist.html

+<html>
+<head>
+<script>
+
+if (window.layoutTestController) {
+    layoutTestController.dumpAsText();
+    layoutTestController.waitUntilDone();
+    layoutTestController.setCanOpenWindows(true);
+    layoutTestController.setNewWindowsCopyBackForwardList(true);
+}
+
+</script>
+</head>
+<body onload="window.open('data:text/html,<script>if (window.layoutTestController) layoutTestController.notifyDone();</script>');">
+<pre>
+This test only works in DRT by tickling the [WebView _loadBackForwardListFromOtherView:] method.
+If it doesn't crash, then the test passes.
+</pre>
+</body>
+</html>

third_party/WebKit/LayoutTests/platform/gtk/Skipped

@@ -5785,3 +5785,7 @@ scrollbars/scrollbar-middleclick-nopaste.html
 
 # https://bugs.webkit.org/show_bug.cgi?id=34246
 fast/dom/Window/window-postmessage-clone-frames.html
+
+# Relies on WebKit API [WebView _loadBackForwardListFromOtherView:]
+fast/loader/crash-copying-backforwardlist.html
+

third_party/WebKit/LayoutTests/platform/qt/Skipped

@@ -5109,3 +5109,6 @@ http/tests/history/redirect-307.pl
 # small caps vs. normal text
 # https://bugs.webkit.org/show_bug.cgi?id=34286
 css2.1/t1505-c524-font-var-00-b.html
+
+# Relies on WebKit API [WebView _loadBackForwardListFromOtherView:]
+fast/loader/crash-copying-backforwardlist.html

third_party/WebKit/LayoutTests/platform/win/Skipped

@@ -739,3 +739,7 @@ fast/dom/Window/window-properties-geolocation.html
 # Needs to pass cookies to the media player
 # See http://bugs.webkit.org/show_bug.cgi?id=33954
 http/tests/media/video-cookie.html
+
+# Relies on WebKit API [WebView _loadBackForwardListFromOtherView:]
+fast/loader/crash-copying-backforwardlist.html
+

third_party/WebKit/WebCore/ChangeLog

+2010-02-01  Brady Eidson  <beidson@apple.com>
+
+        Reviewed by Adele Peterson.
+
+        Crash in Safari opening new tabs to "same page"
+        <rdar://problem/7593857> and https://bugs.webkit.org/show_bug.cgi?id=34444
+
+        Test: fast/loader/crash-copying-backforwardlist.html
+
+        * loader/FrameLoader.cpp:
+        (WebCore::FrameLoader::loadItem): Null check currentItem().
+
+        * page/Page.cpp:
+        (WebCore::Page::goToItem): Ditto.
+
 2010-02-01  Kevin Watters  <kevinwatters@gmail.com>
 
         Reviewed by Kevin Ollivier.

third_party/WebKit/WebCore/loader/FrameLoader.cpp

@@ -3818,7 +3818,9 @@ void FrameLoader::loadItem(HistoryItem* item, FrameLoadType loadType)
     // - The HistoryItem has a history state object
     // - Navigating to an anchor within the page, with no form data stored on the target item or the current history entry,
     //   and the URLs in the frame tree match the history item for fragment scrolling.
-    bool sameDocumentNavigation = (!item->formData() && !(history()->currentItem() && history()->currentItem()->formData()) && history()->urlsMatchItem(item)) || item->documentSequenceNumber() == history()->currentItem()->documentSequenceNumber();
+    HistoryItem* currentItem = history()->currentItem();
+    bool sameDocumentNavigation = (!item->formData() && !(currentItem && currentItem->formData()) && history()->urlsMatchItem(item))
+                                  || (currentItem && item->documentSequenceNumber() == currentItem->documentSequenceNumber());
 
 #if ENABLE(WML)
     // All WML decks should go through the real load mechanism, not the scroll-to-anchor code

third_party/WebKit/WebCore/page/Page.cpp

@@ -290,7 +290,8 @@ void Page::goBackOrForward(int distance)
 void Page::goToItem(HistoryItem* item, FrameLoadType type)
 {
     // Abort any current load unless we're navigating the current document to a new state object
-    if (!item->stateObject() || item->documentSequenceNumber() != m_mainFrame->loader()->history()->currentItem()->documentSequenceNumber()) {
+    HistoryItem* currentItem = m_mainFrame->loader()->history()->currentItem();
+    if (!item->stateObject() || !currentItem || item->documentSequenceNumber() != currentItem->documentSequenceNumber()) {
         // Define what to do with any open database connections. By default we stop them and terminate the database thread.
         DatabasePolicy databasePolicy = DatabasePolicyStop;
 

third_party/WebKit/WebKitTools/ChangeLog

+2010-02-01  Brady Eidson  <beidson@apple.com>
+
+        Reviewed by Adele Peterson.
+
+        Crash in Safari opening new tabs to "same page"
+        <rdar://problem/7593857> and https://bugs.webkit.org/show_bug.cgi?id=34444
+
+        Add a mode (Mac-only for now) that exercises the WebView SPI _loadBackForwardListFromOtherView:
+
+        * DumpRenderTree/LayoutTestController.cpp:
+        (LayoutTestController::LayoutTestController):
+        (setNewWindowsCopyBackForwardListCallback):
+        (LayoutTestController::staticFunctions):
+
+        * DumpRenderTree/LayoutTestController.h:
+        (LayoutTestController::newWindowsCopyBackForwardList):
+        (LayoutTestController::setNewWindowsCopyBackForwardList):
+
+        * DumpRenderTree/mac/UIDelegate.mm:
+        (-[UIDelegate webView:createWebViewWithRequest:]):
+
 2010-02-01  Carol Szabo  <carol.szabo@nokia.com>
 
         Unreviewed.

third_party/WebKit/WebKitTools/DumpRenderTree/LayoutTestController.cpp

@@ -61,6 +61,7 @@ LayoutTestController::LayoutTestController(const std::string& testPathOrURL, con
     , m_callCloseOnWebViews(true)
     , m_canOpenWindows(false)
     , m_closeRemainingWindowsWhenComplete(true)
+    , m_newWindowsCopyBackForwardList(false)
     , m_stopProvisionalFrameLoads(false)
     , m_testOnscreen(false)
     , m_testRepaint(false)
@@ -743,6 +744,18 @@ static JSValueRef setMockGeolocationErrorCallback(JSContextRef context, JSObject
     return JSValueMakeUndefined(context);
 }
 
+static JSValueRef setNewWindowsCopyBackForwardListCallback(JSContextRef context, JSObjectRef function, JSObjectRef thisObject, size_t argumentCount, const JSValueRef arguments[], JSValueRef* exception)
+{
+    // Has mac implementation
+    if (argumentCount < 1)
+        return JSValueMakeUndefined(context);
+    
+    LayoutTestController* controller = static_cast<LayoutTestController*>(JSObjectGetPrivate(thisObject));
+    controller->setNewWindowsCopyBackForwardList(JSValueToBoolean(context, arguments[0]));
+
+    return JSValueMakeUndefined(context);
+}
+
 static JSValueRef setGeolocationPermissionCallback(JSContextRef context, JSObjectRef function, JSObjectRef thisObject, size_t argumentCount, const JSValueRef arguments[], JSValueRef* exception)
 {
     // Has mac implementation
@@ -1324,6 +1337,7 @@ JSStaticFunction* LayoutTestController::staticFunctions()
         { "setMainFrameIsFirstResponder", setMainFrameIsFirstResponderCallback, kJSPropertyAttributeReadOnly | kJSPropertyAttributeDontDelete },
         { "setMockGeolocationPosition", setMockGeolocationPositionCallback, kJSPropertyAttributeReadOnly | kJSPropertyAttributeDontDelete },
         { "setMockGeolocationError", setMockGeolocationErrorCallback, kJSPropertyAttributeReadOnly | kJSPropertyAttributeDontDelete },
+        { "setNewWindowsCopyBackForwardList", setNewWindowsCopyBackForwardListCallback, kJSPropertyAttributeReadOnly | kJSPropertyAttributeDontDelete },
         { "setPersistentUserStyleSheetLocation", setPersistentUserStyleSheetLocationCallback, kJSPropertyAttributeReadOnly | kJSPropertyAttributeDontDelete },
         { "setPopupBlockingEnabled", setPopupBlockingEnabledCallback, kJSPropertyAttributeReadOnly | kJSPropertyAttributeDontDelete },
         { "setPrivateBrowsingEnabled", setPrivateBrowsingEnabledCallback, kJSPropertyAttributeReadOnly | kJSPropertyAttributeDontDelete },

third_party/WebKit/WebKitTools/DumpRenderTree/LayoutTestController.h

@@ -66,28 +66,29 @@ public:
     void queueReload();
     void removeAllVisitedLinks();
     void setAcceptsEditing(bool acceptsEditing);
-    void setAppCacheMaximumSize(unsigned long long quota);
     void setAllowUniversalAccessFromFileURLs(bool);
+    void setAppCacheMaximumSize(unsigned long long quota);
     void setAuthorAndUserStylesEnabled(bool);
     void setCacheModel(int);
     void setCustomPolicyDelegate(bool setDelegate, bool permissive);
     void setDatabaseQuota(unsigned long long quota);
     void setDomainRelaxationForbiddenForURLScheme(bool forbidden, JSStringRef scheme);
-    void setMockGeolocationPosition(double latitude, double longitude, double accuracy);
-    void setMockGeolocationError(int code, JSStringRef message);
     void setIconDatabaseEnabled(bool iconDatabaseEnabled);
     void setJavaScriptProfilingEnabled(bool profilingEnabled);
     void setMainFrameIsFirstResponder(bool flag);
+    void setMockGeolocationError(int code, JSStringRef message);
+    void setMockGeolocationPosition(double latitude, double longitude, double accuracy);
     void setPersistentUserStyleSheetLocation(JSStringRef path);
     void setPopupBlockingEnabled(bool flag);
     void setPrivateBrowsingEnabled(bool flag);
-    void setXSSAuditorEnabled(bool flag);
     void setSelectTrailingWhitespaceEnabled(bool flag);
     void setSmartInsertDeleteEnabled(bool flag);
     void setTabKeyCyclesThroughElements(bool cycles);
     void setUseDashboardCompatibilityMode(bool flag);
     void setUserStyleSheetEnabled(bool flag);
     void setUserStyleSheetLocation(JSStringRef path);
+    void setXSSAuditorEnabled(bool flag);
+
     void waitForPolicyDelegate();
     size_t webHistoryItemCount();
     unsigned workerThreadCount() const;
@@ -161,6 +162,9 @@ public:
     bool closeRemainingWindowsWhenComplete() const { return m_closeRemainingWindowsWhenComplete; }
     void setCloseRemainingWindowsWhenComplete(bool closeRemainingWindowsWhenComplete) { m_closeRemainingWindowsWhenComplete = closeRemainingWindowsWhenComplete; }
     
+    bool newWindowsCopyBackForwardList() const { return m_newWindowsCopyBackForwardList; }
+    void setNewWindowsCopyBackForwardList(bool newWindowsCopyBackForwardList) { m_newWindowsCopyBackForwardList = newWindowsCopyBackForwardList; }
+    
     bool stopProvisionalFrameLoads() const { return m_stopProvisionalFrameLoads; }
     void setStopProvisionalFrameLoads(bool stopProvisionalFrameLoads) { m_stopProvisionalFrameLoads = stopProvisionalFrameLoads; }
 
@@ -248,6 +252,7 @@ private:
     bool m_callCloseOnWebViews;
     bool m_canOpenWindows;
     bool m_closeRemainingWindowsWhenComplete;
+    bool m_newWindowsCopyBackForwardList;
     bool m_stopProvisionalFrameLoads;
     bool m_testOnscreen;
     bool m_testRepaint;

third_party/WebKit/WebKitTools/DumpRenderTree/mac/UIDelegate.mm

@@ -38,6 +38,7 @@
 #import <WebKit/WebSecurityOriginPrivate.h>
 #import <WebKit/WebUIDelegatePrivate.h>
 #import <WebKit/WebView.h>
+#import <WebKit/WebViewPrivate.h>
 #import <wtf/Assertions.h>
 
 DumpRenderTreeDraggingInfo *draggingInfo = nil;
@@ -122,6 +123,9 @@ DumpRenderTreeDraggingInfo *draggingInfo = nil;
 
     WebView *webView = createWebViewAndOffscreenWindow();
     
+    if (gLayoutTestController->newWindowsCopyBackForwardList())
+        [webView _loadBackForwardListFromOtherView:sender];
+    
     return [webView autorelease];
 }