Source/WebCore: Patch by Abhishek Arya <inferno@chromium.org> on 2011-07-13
author Abhishek Arya <inferno@chromium.org>
Wed, 13 Jul 2011 18:51:44 +0000 (18:51 +0000)
committer Ademar de Souza Reis Jr <ademar.reis@openbossa.org>
Thu, 14 Jul 2011 17:03:48 +0000 (14:03 -0300)
commit 540415c552973a90a93de96fb068fca643e59d1d
tree 0172cf2c506088b0ad20842dacfc66cdbbeb2774
parent 5866e6f14059a1891cbb4520f61c2f7a808d34a8
Source/WebCore: Patch by Abhishek Arya <inferno@chromium.org> on 2011-07-13
Reviewed by Adam Barth.

Issue with Frame lifetime due to deletion in beforeload event.
https://bugs.webkit.org/show_bug.cgi?id=64457

Copy the Frame protector higher in the stack from loadWithDocumentLoader
to loadFrameRequest since either loadPostRequest or loadURL can call
loadWithDocumentLoader, thereby dispatching the beforeload event and
blowing away the frame. This deleted frame will be later accessed in
the loadFrameRequest function, causing a crash.

Test: fast/events/form-iframe-target-before-load-crash2.html

* loader/FrameLoader.cpp:
(WebCore::FrameLoader::loadFrameRequest):
(WebCore::FrameLoader::loadWithDocumentLoader):

LayoutTests: Tests that we do not crash when the frame is blown away in a
beforeload event.
https://bugs.webkit.org/show_bug.cgi?id=64457

Reviewed by Adam Barth.

* fast/events/form-iframe-target-before-load-crash.html:
* fast/events/form-iframe-target-before-load-crash2-expected.txt: Added.
* fast/events/form-iframe-target-before-load-crash2.html: Added.

git-svn-id: http://svn.webkit.org/repository/webkit/trunk@90936 268f45cc-cd09-0410-ab3c-d52691b4dbfc
LayoutTests/ChangeLog
LayoutTests/fast/events/form-iframe-target-before-load-crash.html
LayoutTests/fast/events/form-iframe-target-before-load-crash2-expected.txt [new file with mode: 0644]
LayoutTests/fast/events/form-iframe-target-before-load-crash2.html [new file with mode: 0644]
Source/WebCore/ChangeLog
Source/WebCore/loader/FrameLoader.cpp
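The lifetime problem the commit message describes, as an added illustration that is not WebKit's code: a stand-in Frame owned by a Page, a beforeload handler that detaches it during dispatch, and a caller that either does or does not hold a protector across the dispatch (std::shared_ptr here plays the role of RefPtr<Frame>; the class and function names are constructed for the example).

```cpp
#include <functional>
#include <memory>

// Constructed stand-ins, not WebKit's classes: Frame is the object whose
// lifetime is at stake; Page is its sole owner, standing in for the FrameTree
// that drops the frame when script removes the <iframe>.
struct Frame {
    int loadsStarted = 0;
};

struct Page {
    std::shared_ptr<Frame> frame = std::make_shared<Frame>();
    // Script run for the beforeload event; it may detach the frame.
    std::function<void(Page&)> onBeforeLoad;
};

// Models loadWithDocumentLoader: dispatching beforeload re-enters script,
// and that script may destroy the frame the caller is still working with.
static void loadWithDocumentLoader(Page& page) {
    if (page.onBeforeLoad)
        page.onBeforeLoad(page);
}

// Models loadFrameRequest. 'holdProtector' stands for the RefPtr<Frame>
// protector the patch moved up into this function. Returns whether the
// frame was still alive when the function went on to use it.
static bool loadFrameRequest(Page& page, bool holdProtector) {
    std::weak_ptr<Frame> watcher = page.frame;   // observes destruction only
    std::shared_ptr<Frame> protector;
    if (holdProtector)
        protector = page.frame;                  // extra ref, like RefPtr<Frame>
    loadWithDocumentLoader(page);                // may run page.frame.reset()
    // The original code touched the frame here unconditionally; the
    // use-after-free happened when it had already been destroyed.
    std::shared_ptr<Frame> frame = watcher.lock();
    if (!frame)
        return false;                            // this is where it crashed
    frame->loadsStarted++;
    return true;
}

// Runs one scenario: whether the event detaches the frame, and whether the
// caller holds the protector across the dispatch.
static bool frameSurvives(bool detachInEvent, bool holdProtector) {
    Page page;
    if (detachInEvent)
        page.onBeforeLoad = [](Page& p) { p.frame.reset(); };
    return loadFrameRequest(page, holdProtector);
}
```

Holding the protector at the top of the stack means every nested path that can dispatch beforeload is covered, which is why the patch moves it out of loadWithDocumentLoader rather than adding protectors to each caller.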