Title: [95811] branches/chromium/874
Revision
95811
Author
[email protected]
Date
2011-09-23 09:14:44 -0700 (Fri, 23 Sep 2011)

Log Message

Merge 95667 - [Chromium] Protect the Frame in V8HTMLDocument::openCallback
BUG=97451
Review URL: http://codereview.chromium.org/8015007

Modified Paths

Added Paths

Diff

Copied: branches/chromium/874/LayoutTests/fast/dom/frame-deleted-in-document-open-expected.txt (from rev 95667, trunk/LayoutTests/fast/dom/frame-deleted-in-document-open-expected.txt) (0 => 95811)


--- branches/chromium/874/LayoutTests/fast/dom/frame-deleted-in-document-open-expected.txt	                        (rev 0)
+++ branches/chromium/874/LayoutTests/fast/dom/frame-deleted-in-document-open-expected.txt	2011-09-23 16:14:44 UTC (rev 95811)
@@ -0,0 +1 @@
+This test passes if it doesn't crash.

Copied: branches/chromium/874/LayoutTests/fast/dom/frame-deleted-in-document-open.html (from rev 95667, trunk/LayoutTests/fast/dom/frame-deleted-in-document-open.html) (0 => 95811)


--- branches/chromium/874/LayoutTests/fast/dom/frame-deleted-in-document-open.html	                        (rev 0)
+++ branches/chromium/874/LayoutTests/fast/dom/frame-deleted-in-document-open.html	2011-09-23 16:14:44 UTC (rev 95811)
@@ -0,0 +1,23 @@
+<html>
+<head>
+<script>
+if (window.layoutTestController)
+    layoutTestController.dumpAsText();
+
+window._onload_ = function()
+{
+    frame = document.body.appendChild(document.createElement("iframe"));
+
+    frame.contentWindow.open = null;
+    frame.contentWindow.__defineGetter__("open", function() {
+        document.body.removeChild(frame);
+        return function() { };
+    });
+    frame.contentDocument.open(1, 1, 1, 1, 1);
+}
+</script>
+</head>
+<body>
+This test passes if it doesn't crash.
+</body>
+</html>
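Review bot: `frame` is assigned without `var` inside the load handler, so the test creates an implicit global; `var frame = document.body.appendChild(document.createElement("iframe"));` keeps it local and the getter closure below still captures it. `window._onload_` looks like the mailing-list rendering's mangling of `onload` rather than what was checked in, but that is worth confirming against the repository copy.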

Modified: branches/chromium/874/Source/WebCore/bindings/v8/custom/V8HTMLDocumentCustom.cpp (95810 => 95811)


--- branches/chromium/874/Source/WebCore/bindings/v8/custom/V8HTMLDocumentCustom.cpp	2011-09-23 16:13:18 UTC (rev 95810)
+++ branches/chromium/874/Source/WebCore/bindings/v8/custom/V8HTMLDocumentCustom.cpp	2011-09-23 16:14:44 UTC (rev 95811)
@@ -132,9 +132,9 @@
     HTMLDocument* htmlDocument = V8HTMLDocument::toNative(args.Holder());
 
     if (args.Length() > 2) {
-        if (Frame* frame = htmlDocument->frame()) {
+        if (RefPtr<Frame> frame = htmlDocument->frame()) {
             // Fetch the global object for the frame.
-            v8::Local<v8::Context> context = V8Proxy::context(frame);
+            v8::Local<v8::Context> context = V8Proxy::context(frame.get());
             // Bail out if we cannot get the context.
             if (context.IsEmpty())
                 return v8::Undefined();
@@ -151,8 +151,9 @@
             for (int i = 0; i < args.Length(); i++)
                 params[i] = args[i];
 
-            V8Proxy* proxy = V8Proxy::retrieve(frame);
-            ASSERT(proxy);
+            V8Proxy* proxy = V8Proxy::retrieve(frame.get());
+            if (!proxy)
+                return v8::Undefined();
 
             v8::Local<v8::Value> result = proxy->callFunction(v8::Local<v8::Function>::Cast(function), global, args.Length(), params);
             delete[] params;
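Review bot: The new early return `if (!proxy) return v8::Undefined();` leaks `params`: the array is filled on the lines just above it and released only by `delete[] params;` after the callFunction call, so a frame detached by the `open` getter now turns the old assertion into a leak on every call rather than a crash. The allocation of `params` and the rest of openCallback lie outside the hunk, so the heap ownership is inferred from the `delete[]`. The minimal fix is `if (!proxy) { delete[] params; return v8::Undefined(); }`; cleaner is to move the `V8Proxy::retrieve(frame.get())` lookup and its null check above the point where `params` is allocated, or to hold `params` in an owning wrapper (OwnArrayPtr or a Vector) so every exit path frees it. The RefPtr<Frame> change in the first hunk is the right protection for the lifetime issue; this note is only about the new bail-out path.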