Title: [95810] branches/chromium/874
Revision
95810
Author
[email protected]
Date
2011-09-23 09:13:18 -0700 (Fri, 23 Sep 2011)

Log Message

Merge 95689 - [Chromium] Protect message ports from being deleted in V8MessageEvent::portsAccessorGetter
BUG=97520
Review URL: http://codereview.chromium.org/8016003

Modified Paths

Added Paths

Diff

Copied: branches/chromium/874/LayoutTests/fast/dom/message-port-deleted-by-accessor-expected.txt (from rev 95689, trunk/LayoutTests/fast/dom/message-port-deleted-by-accessor-expected.txt) (0 => 95810)


--- branches/chromium/874/LayoutTests/fast/dom/message-port-deleted-by-accessor-expected.txt	                        (rev 0)
+++ branches/chromium/874/LayoutTests/fast/dom/message-port-deleted-by-accessor-expected.txt	2011-09-23 16:13:18 UTC (rev 95810)
@@ -0,0 +1 @@
+This test passes if it doesn't crash.

Copied: branches/chromium/874/LayoutTests/fast/dom/message-port-deleted-by-accessor.html (from rev 95689, trunk/LayoutTests/fast/dom/message-port-deleted-by-accessor.html) (0 => 95810)


--- branches/chromium/874/LayoutTests/fast/dom/message-port-deleted-by-accessor.html	                        (rev 0)
+++ branches/chromium/874/LayoutTests/fast/dom/message-port-deleted-by-accessor.html	2011-09-23 16:13:18 UTC (rev 95810)
@@ -0,0 +1,25 @@
+<html>
+<head>
+<script>
+if (window.layoutTestController)
+    layoutTestController.dumpAsText();
+
+window._onload_ = function()
+{
+    channel = new MessageChannel;
+    event = document.createEvent("MessageEvent");
+
+    event.initMessageEvent(0, 0, 0, 0, 0, 0, 0, [channel.port1, channel.port2]);
+
+    Array.prototype.__defineSetter__(0, function() {
+        event.initMessageEvent(0, 0, 0, 0, 0, 0, 0, [ ]);
+    });
+
+    event.ports;
+}
+</script>
+</head>
+<body>
+This test passes if it doesn't crash.
+</body>
+</html>
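Review bot: As printed, the handler on line 41 is assigned to `window._onload_`, which the browser never fires, so the body that builds the channel and reads `event.ports` would never run and the test would pass vacuously; this is most likely the mailing-list archive mangling `window.onload`, but it is worth confirming against the committed file, and `window.onload = function()` is the intended line. The setter installed on `Array.prototype` at line 48 is what forces the re-entrant `initMessageEvent` during the accessor, so a one-line comment such as `// Re-initializing the event from inside the array setter drops the original port array while the getter is still iterating it.` would tell a future reader why the test is shaped this way.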

Modified: branches/chromium/874/Source/WebCore/bindings/v8/custom/V8MessageEventCustom.cpp (95809 => 95810)


--- branches/chromium/874/Source/WebCore/bindings/v8/custom/V8MessageEventCustom.cpp	2011-09-23 16:10:58 UTC (rev 95809)
+++ branches/chromium/874/Source/WebCore/bindings/v8/custom/V8MessageEventCustom.cpp	2011-09-23 16:13:18 UTC (rev 95810)
@@ -88,10 +88,12 @@
     MessagePortArray* ports = event->ports();
     if (!ports)
         return v8::Array::New(0);
+    
+    MessagePortArray portsCopy(*ports);
 
-    v8::Local<v8::Array> portArray = v8::Array::New(ports->size());
-    for (size_t i = 0; i < ports->size(); ++i)
-        portArray->Set(v8::Integer::New(i), toV8((*ports)[i].get()));
+    v8::Local<v8::Array> portArray = v8::Array::New(portsCopy.size());
+    for (size_t i = 0; i < portsCopy.size(); ++i)
+        portArray->Set(v8::Integer::New(i), toV8(portsCopy[i].get()));
 
     return portArray;
 }
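Review bot: The copy on line 71 is the entire fix, yet nothing in the code says why it exists, so a later cleanup could remove it as a "needless copy" and silently reintroduce the crash; suggest a comment above it such as `// Copy the array so the ports stay alive while toV8() below runs script: a setter can call initMessageEvent() and replace the event's port array under us (see fast/dom/message-port-deleted-by-accessor.html).` The elements are presumably ref-counted (`.get()` on line 78), which is what makes the copy sufficient rather than merely a snapshot of raw pointers — worth stating in that comment once confirmed. Separately, the added blank line at line 70 carries trailing whitespace, which WebKit style rejects. The enclosing `portsAccessorGetter` starts before the hunk, so the source of `event` and whether its own lifetime is pinned for the duration of the loop is not visible here.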