Title: [95667] trunk
Revision: 95667
Author: commit-qu...@webkit.org
Date: 2011-09-21 13:13:57 -0700 (Wed, 21 Sep 2011)

Log Message

[Chromium] Protect the Frame in V8HTMLDocument::openCallback
https://bugs.webkit.org/show_bug.cgi?id=68555

Patch by Sergey Glazunov <serg.glazu...@gmail.com> on 2011-09-21
Reviewed by Nate Chapin.

Source/WebCore:

Test: fast/dom/frame-deleted-in-document-open.html

* bindings/v8/custom/V8HTMLDocumentCustom.cpp:
(WebCore::V8HTMLDocument::openCallback):

LayoutTests:

* fast/dom/frame-deleted-in-document-open-expected.txt: Added.
* fast/dom/frame-deleted-in-document-open.html: Added.

Modified Paths

trunk/LayoutTests/ChangeLog
trunk/Source/WebCore/ChangeLog
trunk/Source/WebCore/bindings/v8/custom/V8HTMLDocumentCustom.cpp

Added Paths

trunk/LayoutTests/fast/dom/frame-deleted-in-document-open-expected.txt
trunk/LayoutTests/fast/dom/frame-deleted-in-document-open.html
Diff

Modified: trunk/LayoutTests/ChangeLog (95666 => 95667)


--- trunk/LayoutTests/ChangeLog	2011-09-21 19:59:39 UTC (rev 95666)
+++ trunk/LayoutTests/ChangeLog	2011-09-21 20:13:57 UTC (rev 95667)
@@ -1,3 +1,13 @@
+2011-09-21  Sergey Glazunov  <serg.glazu...@gmail.com>
+
+        [Chromium] Protect the Frame in V8HTMLDocument::openCallback
+        https://bugs.webkit.org/show_bug.cgi?id=68555
+
+        Reviewed by Nate Chapin.
+
+        * fast/dom/frame-deleted-in-document-open-expected.txt: Added.
+        * fast/dom/frame-deleted-in-document-open.html: Added.
+
 2011-09-21  Adam Klein  <ad...@chromium.org>
 
         Clean up CSS Counter code

Added: trunk/LayoutTests/fast/dom/frame-deleted-in-document-open-expected.txt (0 => 95667)


--- trunk/LayoutTests/fast/dom/frame-deleted-in-document-open-expected.txt	                        (rev 0)
+++ trunk/LayoutTests/fast/dom/frame-deleted-in-document-open-expected.txt	2011-09-21 20:13:57 UTC (rev 95667)
@@ -0,0 +1 @@
+This test passes if it doesn't crash.

Added: trunk/LayoutTests/fast/dom/frame-deleted-in-document-open.html (0 => 95667)


--- trunk/LayoutTests/fast/dom/frame-deleted-in-document-open.html	                        (rev 0)
+++ trunk/LayoutTests/fast/dom/frame-deleted-in-document-open.html	2011-09-21 20:13:57 UTC (rev 95667)
@@ -0,0 +1,23 @@
+<html>
+<head>
+<script>
+if (window.layoutTestController)
+    layoutTestController.dumpAsText();
+
+window._onload_ = function()
+{
+    frame = document.body.appendChild(document.createElement("iframe"));
+
+    frame.contentWindow.open = null;
+    frame.contentWindow.__defineGetter__("open", function() {
+        document.body.removeChild(frame);
+        return function() { };
+    });
+    frame.contentDocument.open(1, 1, 1, 1, 1);
+}
+</script>
+</head>
+<body>
+This test passes if it doesn't crash.
+</body>
+</html>
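Review bot: `window._onload_ = function()` near the top of the test assigns to a property no event dispatcher reads, so as written the handler never runs and the test passes vacuously without ever reaching `frame.contentDocument.open(...)`; if the file was committed this way it should be `window.onload`, and if the underscores are only an artifact of how this page was rendered, no change is needed. Worth stating in the test (or the ChangeLog) that the five arguments to `open` are what steer the binding into the `args.Length() > 2` branch that looks `open` up on the frame's global, since that is the only path the getter which calls `document.body.removeChild(frame)` exercises.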

Modified: trunk/Source/WebCore/ChangeLog (95666 => 95667)


--- trunk/Source/WebCore/ChangeLog	2011-09-21 19:59:39 UTC (rev 95666)
+++ trunk/Source/WebCore/ChangeLog	2011-09-21 20:13:57 UTC (rev 95667)
@@ -1,3 +1,15 @@
+2011-09-21  Sergey Glazunov  <serg.glazu...@gmail.com>
+
+        [Chromium] Protect the Frame in V8HTMLDocument::openCallback
+        https://bugs.webkit.org/show_bug.cgi?id=68555
+
+        Reviewed by Nate Chapin.
+
+        Test: fast/dom/frame-deleted-in-document-open.html
+
+        * bindings/v8/custom/V8HTMLDocumentCustom.cpp:
+        (WebCore::V8HTMLDocument::openCallback):
+
 2011-09-21  Adam Klein  <ad...@chromium.org>
 
         Clean up CSS Counter code

Modified: trunk/Source/WebCore/bindings/v8/custom/V8HTMLDocumentCustom.cpp (95666 => 95667)


--- trunk/Source/WebCore/bindings/v8/custom/V8HTMLDocumentCustom.cpp	2011-09-21 19:59:39 UTC (rev 95666)
+++ trunk/Source/WebCore/bindings/v8/custom/V8HTMLDocumentCustom.cpp	2011-09-21 20:13:57 UTC (rev 95667)
@@ -132,9 +132,9 @@
     HTMLDocument* htmlDocument = V8HTMLDocument::toNative(args.Holder());
 
     if (args.Length() > 2) {
-        if (Frame* frame = htmlDocument->frame()) {
+        if (RefPtr<Frame> frame = htmlDocument->frame()) {
             // Fetch the global object for the frame.
-            v8::Local<v8::Context> context = V8Proxy::context(frame);
+            v8::Local<v8::Context> context = V8Proxy::context(frame.get());
             // Bail out if we cannot get the context.
             if (context.IsEmpty())
                 return v8::Undefined();
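Review bot: the `RefPtr<Frame>` in the `if` condition on the first changed line is the right fix for the case the new test exercises (a getter on `contentWindow.open` removes the iframe while `document.open` is running, which previously left the raw `frame` pointer dangling), but the line deserves a comment saying the strong reference is deliberate, since a raw `Frame*` will look like the obvious cleanup to a later reader. Note also that the ref keeps the Frame object alive but not attached: after the script callout `htmlDocument->frame()` can legitimately be null, so anything further down that reaches back through `htmlDocument` rather than the held `frame` still needs to tolerate a detached frame.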
@@ -151,8 +151,9 @@
             for (int i = 0; i < args.Length(); i++)
                 params[i] = args[i];
 
-            V8Proxy* proxy = V8Proxy::retrieve(frame);
-            ASSERT(proxy);
+            V8Proxy* proxy = V8Proxy::retrieve(frame.get());
+            if (!proxy)
+                return v8::Undefined();
 
             v8::Local<v8::Value> result = proxy->callFunction(v8::Local<v8::Function>::Cast(function), global, args.Length(), params);
             delete[] params;
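Review bot: the early `return v8::Undefined()` on the new `if (!proxy)` line leaks `params`: the array is already populated by the `for` loop just above it and is only freed by the `delete[] params` after `callFunction`, so the bail-out skips the free. Either hoist the `V8Proxy::retrieve(frame.get())` check above the point where `params` is allocated, or add `delete[] params;` before the return. Replacing `ASSERT(proxy)` with a null check is otherwise right, since a frame detached during the `open` lookup legitimately has no proxy anymore and an assertion would only turn the use-after-free into a release-build null dereference.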
_______________________________________________
webkit-changes mailing list
webkit-changes@lists.webkit.org
http://lists.webkit.org/mailman/listinfo.cgi/webkit-changes
