Merge webkit.org at r54731 : Initial merge by git

Change-Id: Ia79977b6cf3b0b00c06ef39419989b28e57e4f4a

5 files changed, 63 insertions, 21 deletions

diff --git a/WebCore/loader/FrameLoader.cpp b/WebCore/loader/FrameLoader.cpp
index 9e264b5..be782f1 100644
--- a/WebCore/loader/FrameLoader.cpp
+++ b/WebCore/loader/FrameLoader.cpp
@@ -464,7 +464,7 @@ void FrameLoader::submitForm(const char* action, const String& url, PassRefPtr<F
     if (u.isEmpty())
         return;
 
-    if (isSandboxed(SandboxForms))
+    if (isDocumentSandboxed(SandboxForms))
         return;
 
     if (protocolIsJavaScript(u)) {
@@ -1308,7 +1308,7 @@ bool FrameLoader::requestObject(RenderPart* renderer, const String& url, const A
         if (!m_client->allowPlugins(settings && settings->arePluginsEnabled())
             || (!settings->isJavaEnabled() && MIMETypeRegistry::isJavaAppletMIMEType(mimeType)))
             return false;
-        if (isSandboxed(SandboxPlugins))
+        if (isDocumentSandboxed(SandboxPlugins))
             return false;
         return loadPlugin(renderer, completedURL, mimeType, paramNames, paramValues, useFallback);
     }
@@ -2302,7 +2302,7 @@ bool FrameLoader::shouldAllowNavigation(Frame* targetFrame) const
         return true;
 
     // A sandboxed frame can only navigate itself and its descendants.
-    if (isSandboxed(SandboxNavigation) && !targetFrame->tree()->isDescendantOf(m_frame))
+    if (isDocumentSandboxed(SandboxNavigation) && !targetFrame->tree()->isDescendantOf(m_frame))
         return false;
 
     // Let a frame navigate the top-level window that contains it.  This is
@@ -4032,12 +4032,15 @@ void FrameLoader::updateSandboxFlags()
 
     m_sandboxFlags = flags;
 
-    m_frame->document()->updateSandboxFlags();
-
     for (Frame* child = m_frame->tree()->firstChild(); child; child = child->tree()->nextSibling())
         child->loader()->updateSandboxFlags();
 }
 
+bool FrameLoader::isDocumentSandboxed(SandboxFlags mask) const
+{
+    return m_frame->document() && m_frame->document()->securityOrigin()->isSandboxed(mask);
+}
+
 PassRefPtr<Widget> FrameLoader::createJavaAppletWidget(const IntSize& size, HTMLAppletElement* element, const HashMap<String, String>& args)
 {
     String baseURLString;
diff --git a/WebCore/loader/FrameLoader.h b/WebCore/loader/FrameLoader.h
index aa1913c..abe3b3a 100644
--- a/WebCore/loader/FrameLoader.h
+++ b/WebCore/loader/FrameLoader.h
@@ -456,7 +456,9 @@ private:
     bool shouldTreatURLAsSameAsCurrent(const KURL&) const;
 
     void updateSandboxFlags();
-    
+    // FIXME: isDocumentSandboxed should eventually replace isSandboxed.
+    bool isDocumentSandboxed(SandboxFlags) const;
+
     Frame* m_frame;
     FrameLoaderClient* m_client;
 
diff --git a/WebCore/loader/ImageLoader.cpp b/WebCore/loader/ImageLoader.cpp
index 9c237cd..c61d133 100644
--- a/WebCore/loader/ImageLoader.cpp
+++ b/WebCore/loader/ImageLoader.cpp
@@ -29,6 +29,24 @@
 #include "Element.h"
 #include "RenderImage.h"
 
+#if !ASSERT_DISABLED
+// ImageLoader objects are allocated as members of other objects, so generic pointer check would always fail.
+namespace WTF {
+
+template<> struct ValueCheck<WebCore::ImageLoader*> {
+    typedef WebCore::ImageLoader* TraitType;
+    static void checkConsistency(const WebCore::ImageLoader* p)
+    {
+        if (!p)
+            return;
+        ASSERT(p->element());
+        ValueCheck<WebCore::Element*>::checkConsistency(p->element());
+    }
+};
+
+}
+#endif
+
 namespace WebCore {
 
 class ImageEventSender : public Noncopyable {
@@ -40,6 +58,10 @@ public:
 
     void dispatchPendingEvents();
 
+#if !ASSERT_DISABLED
+    bool hasPendingEvents(ImageLoader* loader) { return m_dispatchSoonList.find(loader) != notFound; }
+#endif
+
 private:
     void timerFired(Timer<ImageEventSender>*);
 
@@ -75,8 +97,12 @@ ImageLoader::~ImageLoader()
 {
     if (m_image)
         m_image->removeClient(this);
+
+    ASSERT(!m_firedBeforeLoad || !beforeLoadEventSender().hasPendingEvents(this));
     if (!m_firedBeforeLoad)
         beforeLoadEventSender().cancelEvent(this);
+
+    ASSERT(!m_firedLoad || !loadEventSender().hasPendingEvents(this));
     if (!m_firedLoad)
         loadEventSender().cancelEvent(this);
 }
@@ -86,9 +112,15 @@ void ImageLoader::setImage(CachedImage* newImage)
     ASSERT(m_failedLoadURL.isEmpty());
     CachedImage* oldImage = m_image.get();
     if (newImage != oldImage) {
-        setLoadingImage(newImage);
-        m_firedBeforeLoad = true;
-        m_firedLoad = true;
+        m_image = newImage;
+        if (!m_firedBeforeLoad) {
+            beforeLoadEventSender().cancelEvent(this);
+            m_firedBeforeLoad = true;
+        }
+        if (!m_firedLoad) {
+            loadEventSender().cancelEvent(this);
+            m_firedLoad = true;
+        }
         m_imageComplete = true;
         if (newImage)
             newImage->addClient(this);
@@ -103,14 +135,6 @@ void ImageLoader::setImage(CachedImage* newImage)
     }
 }
 
-void ImageLoader::setLoadingImage(CachedImage* loadingImage)
-{
-    m_image = loadingImage;
-    m_firedBeforeLoad = !loadingImage;
-    m_firedLoad = !loadingImage;
-    m_imageComplete = !loadingImage;
-}
-
 void ImageLoader::updateFromElement()
 {
     // If we're not making renderers for the page, then don't load images.  We don't want to slow
@@ -146,7 +170,16 @@ void ImageLoader::updateFromElement()
     
     CachedImage* oldImage = m_image.get();
     if (newImage != oldImage) {
-        setLoadingImage(newImage);
+        if (!m_firedBeforeLoad)
+            beforeLoadEventSender().cancelEvent(this);
+        if (!m_firedLoad)
+            loadEventSender().cancelEvent(this);
+
+        m_image = newImage;
+        m_firedBeforeLoad = !newImage;
+        m_firedLoad = !newImage;
+        m_imageComplete = !newImage;
+
         if (newImage) {
             newImage->addClient(this);
             if (!m_element->document()->hasListenerType(Document::BEFORELOAD_LISTENER))
@@ -180,6 +213,9 @@ void ImageLoader::notifyFinished(CachedResource*)
     if (haveFiredBeforeLoadEvent())
         updateRenderer();
 
+    if (m_firedLoad)
+        return;
+
     loadEventSender().dispatchEventSoon(this);
 }
 
@@ -282,6 +318,8 @@ void ImageEventSender::dispatchPendingEvents()
 
     m_timer.stop();
 
+    m_dispatchSoonList.checkConsistency();
+
     m_dispatchingList.swap(m_dispatchSoonList);
     size_t size = m_dispatchingList.size();
     for (size_t i = 0; i < size; ++i) {
diff --git a/WebCore/loader/ImageLoader.h b/WebCore/loader/ImageLoader.h
index e7463d5..44fe98e 100644
--- a/WebCore/loader/ImageLoader.h
+++ b/WebCore/loader/ImageLoader.h
@@ -49,7 +49,7 @@ public:
     bool imageComplete() const { return m_imageComplete; }
 
     CachedImage* image() const { return m_image.get(); }
-    void setImage(CachedImage*);
+    void setImage(CachedImage*); // Cancels pending beforeload and load events, and doesn't dispatch new ones.
 
     void setLoadManually(bool loadManually) { m_loadManually = loadManually; }
 
@@ -70,8 +70,6 @@ private:
     void dispatchPendingBeforeLoadEvent();
     void dispatchPendingLoadEvent();
 
-    void setLoadingImage(CachedImage*);
-
     void updateRenderer();
 
     Element* m_element;
diff --git a/WebCore/loader/loader.cpp b/WebCore/loader/loader.cpp
index d693341..4d2b474 100644
--- a/WebCore/loader/loader.cpp
+++ b/WebCore/loader/loader.cpp
@@ -322,6 +322,7 @@ void Loader::Host::servePendingRequests(RequestQueue& requestsPending, bool& ser
         bool shouldLimitRequests = !m_name.isNull() || docLoader->doc()->parsing() || !docLoader->doc()->haveStylesheetsLoaded();
         if (shouldLimitRequests && m_requestsLoading.size() + m_nonCachedRequestsInFlight >= m_maxRequestsInFlight) {
             serveLowerPriority = false;
+            cache()->loader()->scheduleServePendingRequests();
             return;
         }
         requestsPending.removeFirst();