Title: [95667] trunk
- Revision: 95667
- Author: commit-qu...@webkit.org
- Date: 2011-09-21 13:13:57 -0700 (Wed, 21 Sep 2011)
Log Message
[Chromium] Protect the Frame in V8HTMLDocument::openCallback
https://bugs.webkit.org/show_bug.cgi?id=68555
Patch by Sergey Glazunov <serg.glazu...@gmail.com> on 2011-09-21
Reviewed by Nate Chapin.
Source/WebCore:
Test: fast/dom/frame-deleted-in-document-open.html
* bindings/v8/custom/V8HTMLDocumentCustom.cpp:
(WebCore::V8HTMLDocument::openCallback):
LayoutTests:
* fast/dom/frame-deleted-in-document-open-expected.txt: Added.
* fast/dom/frame-deleted-in-document-open.html: Added.
Diff
Modified: trunk/LayoutTests/ChangeLog (95666 => 95667)
--- trunk/LayoutTests/ChangeLog 2011-09-21 19:59:39 UTC (rev 95666)
+++ trunk/LayoutTests/ChangeLog 2011-09-21 20:13:57 UTC (rev 95667)
@@ -1,3 +1,13 @@
+2011-09-21 Sergey Glazunov <serg.glazu...@gmail.com>
+
+ [Chromium] Protect the Frame in V8HTMLDocument::openCallback
+ https://bugs.webkit.org/show_bug.cgi?id=68555
+
+ Reviewed by Nate Chapin.
+
+ * fast/dom/frame-deleted-in-document-open-expected.txt: Added.
+ * fast/dom/frame-deleted-in-document-open.html: Added.
+
2011-09-21 Adam Klein <ad...@chromium.org>
Clean up CSS Counter code
Added: trunk/LayoutTests/fast/dom/frame-deleted-in-document-open-expected.txt (0 => 95667)
--- trunk/LayoutTests/fast/dom/frame-deleted-in-document-open-expected.txt (rev 0)
+++ trunk/LayoutTests/fast/dom/frame-deleted-in-document-open-expected.txt 2011-09-21 20:13:57 UTC (rev 95667)
@@ -0,0 +1 @@
+This test passes if it doesn't crash.
Added: trunk/LayoutTests/fast/dom/frame-deleted-in-document-open.html (0 => 95667)
--- trunk/LayoutTests/fast/dom/frame-deleted-in-document-open.html (rev 0)
+++ trunk/LayoutTests/fast/dom/frame-deleted-in-document-open.html 2011-09-21 20:13:57 UTC (rev 95667)
@@ -0,0 +1,23 @@
+<html>
+<head>
+<script>
+if (window.layoutTestController)
+ layoutTestController.dumpAsText();
+
+window._onload_ = function()
+{
+ frame = document.body.appendChild(document.createElement("iframe"));
+
+ frame.contentWindow.open = null;
+ frame.contentWindow.__defineGetter__("open", function() {
+ document.body.removeChild(frame);
+ return function() { };
+ });
+ frame.contentDocument.open(1, 1, 1, 1, 1);
+}
+</script>
+</head>
+<body>
+This test passes if it doesn't crash.
+</body>
+</html>
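Review bot: `window._onload_ = function()` does not assign the `onload` event handler, so as written the function body never runs and the test passes without exercising the fix; this should be `window.onload` unless the underscores are an artifact of how the archive renders the patch. A smaller point: `frame` is assigned without `var` and becomes an implicit global; since the getter on `contentWindow.open` needs to reach it, declaring it with `var frame;` at script scope would make that intent explicit.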
Modified: trunk/Source/WebCore/ChangeLog (95666 => 95667)
--- trunk/Source/WebCore/ChangeLog 2011-09-21 19:59:39 UTC (rev 95666)
+++ trunk/Source/WebCore/ChangeLog 2011-09-21 20:13:57 UTC (rev 95667)
@@ -1,3 +1,15 @@
+2011-09-21 Sergey Glazunov <serg.glazu...@gmail.com>
+
+ [Chromium] Protect the Frame in V8HTMLDocument::openCallback
+ https://bugs.webkit.org/show_bug.cgi?id=68555
+
+ Reviewed by Nate Chapin.
+
+ Test: fast/dom/frame-deleted-in-document-open.html
+
+ * bindings/v8/custom/V8HTMLDocumentCustom.cpp:
+ (WebCore::V8HTMLDocument::openCallback):
+
2011-09-21 Adam Klein <ad...@chromium.org>
Clean up CSS Counter code
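Review bot: the ChangeLog entry only repeats the title and gives no description of the failure being fixed; a sentence stating that script run from inside `openCallback` (the test removes the iframe from a getter on `open`) can detach and destroy the Frame while the raw pointer is still in use, and that the fix holds a reference and tolerates a missing `V8Proxy`, would let a later reader understand the change without reading the bug.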
Modified: trunk/Source/WebCore/bindings/v8/custom/V8HTMLDocumentCustom.cpp (95666 => 95667)
--- trunk/Source/WebCore/bindings/v8/custom/V8HTMLDocumentCustom.cpp 2011-09-21 19:59:39 UTC (rev 95666)
+++ trunk/Source/WebCore/bindings/v8/custom/V8HTMLDocumentCustom.cpp 2011-09-21 20:13:57 UTC (rev 95667)
@@ -132,9 +132,9 @@
HTMLDocument* htmlDocument = V8HTMLDocument::toNative(args.Holder());
if (args.Length() > 2) {
- if (Frame* frame = htmlDocument->frame()) {
+ if (RefPtr<Frame> frame = htmlDocument->frame()) {
// Fetch the global object for the frame.
- v8::Local<v8::Context> context = V8Proxy::context(frame);
+ v8::Local<v8::Context> context = V8Proxy::context(frame.get());
// Bail out if we cannot get the context.
if (context.IsEmpty())
return v8::Undefined();
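Review bot: holding the Frame in a `RefPtr<Frame>` keeps the object alive across any script that runs later in this function, but it does not keep the frame attached; after `frame->...` has been detached its proxy and context can be gone, so every use of `frame.get()` that follows a point where script may run still needs its own null check rather than relying on the non-null `RefPtr`. The context fetch here happens before any script runs, so this part is fine; please confirm the later uses are covered (the second hunk adds the `proxy` check).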
@@ -151,8 +151,9 @@
for (int i = 0; i < args.Length(); i++)
params[i] = args[i];
- V8Proxy* proxy = V8Proxy::retrieve(frame);
- ASSERT(proxy);
+ V8Proxy* proxy = V8Proxy::retrieve(frame.get());
+ if (!proxy)
+ return v8::Undefined();
v8::Local<v8::Value> result = proxy->callFunction(v8::Local<v8::Function>::Cast(function), global, args.Length(), params);
delete[] params;
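Review bot: the new early return on `!proxy` leaks `params`: the array is filled in the `for` loop above and only released by `delete[] params;` on the normal path, which the `return v8::Undefined();` skips. Either move the `V8Proxy::retrieve(frame.get())` check above the allocation of `params`, or release the array before returning, e.g. `if (!proxy) { delete[] params; return v8::Undefined(); }` (or hold it in an `OwnArrayPtr` so both paths free it).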