<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.1//EN"
"http://www.w3.org/TR/xhtml11/DTD/xhtml11.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head><meta http-equiv="content-type" content="text/html; charset=utf-8" />
<title>[191688] trunk</title>
</head>
<body>
<style type="text/css"><!--
#msg dl.meta { border: 1px #006 solid; background: #369; padding: 6px; color: #fff; }
#msg dl.meta dt { float: left; width: 6em; font-weight: bold; }
#msg dt:after { content:':';}
#msg dl, #msg dt, #msg ul, #msg li, #header, #footer, #logmsg { font-family: verdana,arial,helvetica,sans-serif; font-size: 10pt; }
#msg dl a { font-weight: bold}
#msg dl a:link { color:#fc3; }
#msg dl a:active { color:#ff0; }
#msg dl a:visited { color:#cc6; }
h3 { font-family: verdana,arial,helvetica,sans-serif; font-size: 10pt; font-weight: bold; }
#msg pre { overflow: auto; background: #ffc; border: 1px #fa0 solid; padding: 6px; }
#logmsg { background: #ffc; border: 1px #fa0 solid; padding: 1em 1em 0 1em; }
#logmsg p, #logmsg pre, #logmsg blockquote { margin: 0 0 1em 0; }
#logmsg p, #logmsg li, #logmsg dt, #logmsg dd { line-height: 14pt; }
#logmsg h1, #logmsg h2, #logmsg h3, #logmsg h4, #logmsg h5, #logmsg h6 { margin: .5em 0; }
#logmsg h1:first-child, #logmsg h2:first-child, #logmsg h3:first-child, #logmsg h4:first-child, #logmsg h5:first-child, #logmsg h6:first-child { margin-top: 0; }
#logmsg ul, #logmsg ol { padding: 0; list-style-position: inside; margin: 0 0 0 1em; }
#logmsg ul { text-indent: -1em; padding-left: 1em; }#logmsg ol { text-indent: -1.5em; padding-left: 1.5em; }
#logmsg > ul, #logmsg > ol { margin: 0 0 1em 0; }
#logmsg pre { background: #eee; padding: 1em; }
#logmsg blockquote { border: 1px solid #fa0; border-left-width: 10px; padding: 1em 1em 0 1em; background: white;}
#logmsg dl { margin: 0; }
#logmsg dt { font-weight: bold; }
#logmsg dd { margin: 0; padding: 0 0 0.5em 0; }
#logmsg dd:before { content:'\00bb';}
#logmsg table { border-spacing: 0px; border-collapse: collapse; border-top: 4px solid #fa0; border-bottom: 1px solid #fa0; background: #fff; }
#logmsg table th { text-align: left; font-weight: normal; padding: 0.2em 0.5em; border-top: 1px dotted #fa0; }
#logmsg table td { text-align: right; border-top: 1px dotted #fa0; padding: 0.2em 0.5em; }
#logmsg table thead th { text-align: center; border-bottom: 1px solid #fa0; }
#logmsg table th.Corner { text-align: left; }
#logmsg hr { border: none 0; border-top: 2px dashed #fa0; height: 1px; }
#header, #footer { color: #fff; background: #636; border: 1px #300 solid; padding: 6px; }
#patch { width: 100%; }
#patch h4 {font-family: verdana,arial,helvetica,sans-serif;font-size:10pt;padding:8px;background:#369;color:#fff;margin:0;}
#patch .propset h4, #patch .binary h4 {margin:0;}
#patch pre {padding:0;line-height:1.2em;margin:0;}
#patch .diff {width:100%;background:#eee;padding: 0 0 10px 0;overflow:auto;}
#patch .propset .diff, #patch .binary .diff {padding:10px 0;}
#patch span {display:block;padding:0 10px;}
#patch .modfile, #patch .addfile, #patch .delfile, #patch .propset, #patch .binary, #patch .copfile {border:1px solid #ccc;margin:10px 0;}
#patch ins {background:#dfd;text-decoration:none;display:block;padding:0 10px;}
#patch del {background:#fdd;text-decoration:none;display:block;padding:0 10px;}
#patch .lines, .info {color:#888;background:#fff;}
--></style>
<div id="msg">
<dl class="meta">
<dt>Revision</dt> <dd><a href="http://trac.webkit.org/projects/webkit/changeset/191688">191688</a></dd>
<dt>Author</dt> <dd>cdumez@apple.com</dd>
<dt>Date</dt> <dd>2015-10-28 13:04:24 -0700 (Wed, 28 Oct 2015)</dd>
</dl>
<h3>Log Message</h3>
<pre>Assertion failure in WebCore::FrameLoader::stopLoading() running fast/events tests
https://bugs.webkit.org/show_bug.cgi?id=150624
Source/WebCore:
Reviewed by Darin Adler.
After <a href="http://trac.webkit.org/projects/webkit/changeset/191652">r191652</a>, a form's target attribute can no longer refer to a frame's id,
only its name. This is because the frame's id no longer sets the Window name
when the frame's name attribute is missing. This caused a change in behavior
for the fast/events/form-iframe-target-before-load-crash*.html tests, which
exposed a pre-existing bug.
This patch updates the fast/events/form-iframe-target-before-load-crash*.html
tests so they keep testing the same thing as before <a href="http://trac.webkit.org/projects/webkit/changeset/191652">r191652</a>. It also adds a
variant to keep covering the newly exposed bug.
The issue was that the frame was no longer navigated when submitting the form
(due to the form's target not matching the frame name). Therefore, when
removing the iframe from the document, its navigation has not started yet and
DocumentLoadTiming::navigationStart() is not initialized yet when
FrameLoader::stopLoading() is called and we hit an assertion. This patch
replaces the assertion with an if check as we now know it can happen and we
have test coverage for it.
Test: fast/events/form-iframe-target-before-load-crash.html
* loader/FrameLoader.cpp:
(WebCore::FrameLoader::stopLoading):
LayoutTests:
<rdar://problem/23294110>
Reviewed by Darin Adler.
* fast/events/form-iframe-target-before-load-crash2.html:
Set the frame name so that the test still tests the same thing as it was
originally testing before <a href="http://trac.webkit.org/projects/webkit/changeset/191652">r191652</a>. This is needed because the frame id
no longer sets the window name and therefore no longer matches the form's
target.
* fast/events/form-iframe-target-before-load-crash3-expected.txt: Added.
* fast/events/form-iframe-target-before-load-crash3.html: Added.
This is a version on fast/events/form-iframe-target-before-load-crash.html
with the frame name set so that it tests the same thing it was originally
testing before <a href="http://trac.webkit.org/projects/webkit/changeset/191652">r191652</a>. form-iframe-target-before-load-crash.html is kept
as is (without frame name) as it exposed a new crash.</pre>
<h3>Modified Paths</h3>
<ul>
<li><a href="#trunkLayoutTestsChangeLog">trunk/LayoutTests/ChangeLog</a></li>
<li><a href="#trunkLayoutTestsfasteventsformiframetargetbeforeloadcrash2html">trunk/LayoutTests/fast/events/form-iframe-target-before-load-crash2.html</a></li>
<li><a href="#trunkSourceWebCoreChangeLog">trunk/Source/WebCore/ChangeLog</a></li>
<li><a href="#trunkSourceWebCoreloaderFrameLoadercpp">trunk/Source/WebCore/loader/FrameLoader.cpp</a></li>
</ul>
<h3>Added Paths</h3>
<ul>
<li><a href="#trunkLayoutTestsfasteventsformiframetargetbeforeloadcrash3expectedtxt">trunk/LayoutTests/fast/events/form-iframe-target-before-load-crash3-expected.txt</a></li>
<li><a href="#trunkLayoutTestsfasteventsformiframetargetbeforeloadcrash3html">trunk/LayoutTests/fast/events/form-iframe-target-before-load-crash3.html</a></li>
</ul>
</div>
<div id="patch">
<h3>Diff</h3>
<a id="trunkLayoutTestsChangeLog"></a>
<div class="modfile"><h4>Modified: trunk/LayoutTests/ChangeLog (191687 => 191688)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/LayoutTests/ChangeLog 2015-10-28 20:00:36 UTC (rev 191687)
+++ trunk/LayoutTests/ChangeLog 2015-10-28 20:04:24 UTC (rev 191688)
</span><span class="lines">@@ -1,3 +1,24 @@
</span><ins>+2015-10-28 Chris Dumez <cdumez@apple.com>
+
+ Assertion failure in WebCore::FrameLoader::stopLoading() running fast/events tests
+ https://bugs.webkit.org/show_bug.cgi?id=150624
+ <rdar://problem/23294110>
+
+ Reviewed by Darin Adler.
+
+ * fast/events/form-iframe-target-before-load-crash2.html:
+ Set the frame name so that the test still tests the same thing as it was
+ originally testing before r191652. This is needed because the frame id
+ no longer sets the window name and therefore no longer matches the form's
+ target.
+
+ * fast/events/form-iframe-target-before-load-crash3-expected.txt: Added.
+ * fast/events/form-iframe-target-before-load-crash3.html: Added.
+ This is a version on fast/events/form-iframe-target-before-load-crash.html
+ with the frame name set so that it tests the same thing it was originally
+ testing before r191652. form-iframe-target-before-load-crash.html is kept
+ as is (without frame name) as it exposed a new crash.
+
</ins><span class="cx"> 2015-10-28 Mark Lam <mark.lam@apple.com>
</span><span class="cx">
</span><span class="cx"> Update FTL to support UntypedUse operands for op_sub.
</span></span></pre></div>
<a id="trunkLayoutTestsfasteventsformiframetargetbeforeloadcrash2html"></a>
<div class="modfile"><h4>Modified: trunk/LayoutTests/fast/events/form-iframe-target-before-load-crash2.html (191687 => 191688)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/LayoutTests/fast/events/form-iframe-target-before-load-crash2.html 2015-10-28 20:00:36 UTC (rev 191687)
+++ trunk/LayoutTests/fast/events/form-iframe-target-before-load-crash2.html 2015-10-28 20:04:24 UTC (rev 191688)
</span><span class="lines">@@ -31,7 +31,7 @@
</span><span class="cx"> }
</span><span class="cx"> }, true);
</span><span class="cx"> </script>
</span><del>- <iframe id="test" src="about:blank"></iframe>
</del><ins>+ <iframe id="test" name="test" src="about:blank"></iframe>
</ins><span class="cx"> </body>
</span><span class="cx"> </html>
</span><span class="cx">
</span></span></pre></div>
<a id="trunkLayoutTestsfasteventsformiframetargetbeforeloadcrash3expectedtxt"></a>
<div class="addfile"><h4>Added: trunk/LayoutTests/fast/events/form-iframe-target-before-load-crash3-expected.txt (0 => 191688)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/LayoutTests/fast/events/form-iframe-target-before-load-crash3-expected.txt (rev 0)
+++ trunk/LayoutTests/fast/events/form-iframe-target-before-load-crash3-expected.txt 2015-10-28 20:04:24 UTC (rev 191688)
</span><span class="lines">@@ -0,0 +1,2 @@
</span><ins>+PASS
+
</ins></span></pre></div>
<a id="trunkLayoutTestsfasteventsformiframetargetbeforeloadcrash3htmlfromrev191687trunkLayoutTestsfasteventsformiframetargetbeforeloadcrash2html"></a>
<div class="copfile"><h4>Copied: trunk/LayoutTests/fast/events/form-iframe-target-before-load-crash3.html (from rev 191687, trunk/LayoutTests/fast/events/form-iframe-target-before-load-crash2.html) (0 => 191688)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/LayoutTests/fast/events/form-iframe-target-before-load-crash3.html (rev 0)
+++ trunk/LayoutTests/fast/events/form-iframe-target-before-load-crash3.html 2015-10-28 20:04:24 UTC (rev 191688)
</span><span class="lines">@@ -0,0 +1,37 @@
</span><ins>+<html>
+ <script src="../../resources/js-test-pre.js"></script>
+ <body onload="runTest()">
+ <div id="console"></div>
+ <form id="form1" style="display:none" method="post" target="test" action="http://anything.com"></form>
+ <script>
+ if (window.testRunner)
+ {
+ testRunner.dumpAsText();
+ testRunner.waitUntilDone();
+ }
+
+ function runTest()
+ {
+ document.getElementById('form1').submit();
+
+ if (window.testRunner)
+ testRunner.notifyDone();
+ document.getElementById('console').innerHTML = 'PASS';
+ }
+
+ count = 0;
+ document.addEventListener("beforeload", function(event) {
+ event.preventDefault();
+ count = count + 1;
+ if (count == 2)
+ {
+ document.body.removeChild(document.getElementById('test'));
+ gc();
+ document.body.offsetTop;
+ }
+ }, true);
+ </script>
+ <iframe id="test" name="test" src="about:blank"></iframe>
+ </body>
+</html>
+
</ins></span></pre></div>
<a id="trunkSourceWebCoreChangeLog"></a>
<div class="modfile"><h4>Modified: trunk/Source/WebCore/ChangeLog (191687 => 191688)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/WebCore/ChangeLog 2015-10-28 20:00:36 UTC (rev 191687)
+++ trunk/Source/WebCore/ChangeLog 2015-10-28 20:04:24 UTC (rev 191688)
</span><span class="lines">@@ -1,3 +1,33 @@
</span><ins>+2015-10-28 Chris Dumez <cdumez@apple.com>
+
+ Assertion failure in WebCore::FrameLoader::stopLoading() running fast/events tests
+ https://bugs.webkit.org/show_bug.cgi?id=150624
+
+ Reviewed by Darin Adler.
+
+ After r191652, a form's target attribute can no longer refer to a frame's id,
+ only its name. This is because the frame's id no longer sets the Window name
+ when the frame's name attribute is missing. This caused a change in behavior
+ for the fast/events/form-iframe-target-before-load-crash*.html tests, which
+ exposed a pre-existing bug.
+
+ This patch updates the fast/events/form-iframe-target-before-load-crash*.html
+ tests so they keep testing the same thing as before r191652. It also adds a
+ variant to keep covering the newly exposed bug.
+
+ The issue was that the frame was no longer navigated when submitting the form
+ (due to the form's target not matching the frame name). Therefore, when
+ removing the iframe from the document, its navigation has not started yet and
+ DocumentLoadTiming::navigationStart() is not initialized yet when
+ FrameLoader::stopLoading() is called and we hit an assertion. This patch
+ replaces the assertion with an if check as we now know it can happen and we
+ have test coverage for it.
+
+ Test: fast/events/form-iframe-target-before-load-crash.html
+
+ * loader/FrameLoader.cpp:
+ (WebCore::FrameLoader::stopLoading):
+
</ins><span class="cx"> 2015-10-28 Brian Burg <bburg@apple.com>
</span><span class="cx">
</span><span class="cx"> Builtins generator should emit ENABLE(FEATURE) guards based on @conditional annotation
</span></span></pre></div>
<a id="trunkSourceWebCoreloaderFrameLoadercpp"></a>
<div class="modfile"><h4>Modified: trunk/Source/WebCore/loader/FrameLoader.cpp (191687 => 191688)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/WebCore/loader/FrameLoader.cpp 2015-10-28 20:00:36 UTC (rev 191687)
+++ trunk/Source/WebCore/loader/FrameLoader.cpp 2015-10-28 20:04:24 UTC (rev 191688)
</span><span class="lines">@@ -440,9 +440,8 @@
</span><span class="cx"> // time into freed memory.
</span><span class="cx"> RefPtr<DocumentLoader> documentLoader = m_provisionalDocumentLoader;
</span><span class="cx"> m_pageDismissalEventBeingDispatched = PageDismissalType::Unload;
</span><del>- if (documentLoader && !documentLoader->timing().unloadEventStart() && !documentLoader->timing().unloadEventEnd()) {
- DocumentLoadTiming& timing = documentLoader->timing();
- ASSERT(timing.navigationStart());
</del><ins>+ if (documentLoader && documentLoader->timing().navigationStart() && !documentLoader->timing().unloadEventStart() && !documentLoader->timing().unloadEventEnd()) {
+ auto& timing = documentLoader->timing();
</ins><span class="cx"> timing.markUnloadEventStart();
</span><span class="cx"> m_frame.document()->domWindow()->dispatchEvent(unloadEvent, m_frame.document());
</span><span class="cx"> timing.markUnloadEventEnd();
</span></span></pre>
</div>
</div>
</body>
</html>