Title: [99311] trunk/Source/WebCore
- Revision
- 99311
- Author
- [email protected]
- Date
- 2011-11-04 13:24:38 -0700 (Fri, 04 Nov 2011)
Log Message
[V8] Null out V8NPObject::rootObject when the owning
Frame goes away.
https://bugs.webkit.org/show_bug.cgi?id=71569
Reviewed by Adam Barth.
No new tests, this has only been successfully triggered
using ppapi flash.
* bindings/v8/V8Helpers.cpp:
(WebCore::toV8Context):
* bindings/v8/npruntime.cpp:
Modified Paths
Diff
Modified: trunk/Source/WebCore/ChangeLog (99310 => 99311)
--- trunk/Source/WebCore/ChangeLog 2011-11-04 19:53:21 UTC (rev 99310)
+++ trunk/Source/WebCore/ChangeLog 2011-11-04 20:24:38 UTC (rev 99311)
@@ -1,3 +1,18 @@
+2011-11-04 Nate Chapin <[email protected]>
+
+ [V8] Null out V8NPObject::rootObject when the owning
+ Frame goes away.
+ https://bugs.webkit.org/show_bug.cgi?id=71569
+
+ Reviewed by Adam Barth.
+
+ No new tests, this has only been successfully triggered
+ using ppapi flash.
+
+ * bindings/v8/V8Helpers.cpp:
+ (WebCore::toV8Context):
+ * bindings/v8/npruntime.cpp:
+
2011-11-04 Vineet Chaudhary <[email protected]>
Send the submissions character encoding in hidden _charset_ field.
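Review bot: the `* bindings/v8/npruntime.cpp:` entry in this ChangeLog hunk names no function beneath it, while the V8Helpers.cpp entry lists `(WebCore::toV8Context):`; following the same per-function convention, add the name of the npruntime.cpp function that now clears `rootObject`, and consider a sentence noting that `toV8Context` can now return an empty handle so callers know to check it.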
Modified: trunk/Source/WebCore/bindings/v8/V8Helpers.cpp (99310 => 99311)
--- trunk/Source/WebCore/bindings/v8/V8Helpers.cpp 2011-11-04 19:53:21 UTC (rev 99310)
+++ trunk/Source/WebCore/bindings/v8/V8Helpers.cpp 2011-11-04 20:24:38 UTC (rev 99311)
@@ -32,6 +32,7 @@
#include "V8Helpers.h"
#include "DOMWindow.h"
+#include "Frame.h"
#include "NPV8Object.h"
#include "V8Proxy.h"
@@ -40,6 +41,9 @@
v8::Local<v8::Context> toV8Context(NPP npp, NPObject* npObject)
{
V8NPObject* object = reinterpret_cast<V8NPObject*>(npObject);
+ DOMWindow* domWindow = object->rootObject;
+ if (!domWindow || domWindow != domWindow->frame()->domWindow())
+ return v8::Local<v8::Context>();
return V8Proxy::mainWorldContext(object->rootObject->frame());
}
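Review bot: the new check `if (!domWindow || domWindow != domWindow->frame()->domWindow())` dereferences `domWindow->frame()` without testing it for null, so a DOMWindow whose frame pointer has already been cleared would crash here rather than take the early return; the last line also still reads `object->rootObject->frame()` instead of reusing the local that was just checked. Suggest:
    Frame* frame = domWindow->frame();
    if (!frame || domWindow != frame->domWindow())
        return v8::Local<v8::Context>();
    return V8Proxy::mainWorldContext(frame);
Since the function now returns an empty `v8::Local<v8::Context>()`, every caller of `toV8Context` must test the handle before entering the context; none of those callers appear in this patch, so please confirm they handle it.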
Modified: trunk/Source/WebCore/bindings/v8/npruntime.cpp (99310 => 99311)
--- trunk/Source/WebCore/bindings/v8/npruntime.cpp 2011-11-04 19:53:21 UTC (rev 99310)
+++ trunk/Source/WebCore/bindings/v8/npruntime.cpp 2011-11-04 20:24:38 UTC (rev 99311)
@@ -418,6 +418,13 @@
set->remove(sub_object);
liveObjectMap.remove(sub_object);
+ // Script objects hold a refernce to their DOMWindow*, which is going away if
+ // we're unregistering the associated owner NPObject. Clear it out.
+ if (sub_object->_class == npScriptObjectClass) {
+ V8NPObject* v8npObject = reinterpret_cast<V8NPObject*>(sub_object);
+ v8npObject->rootObject = 0;
+ }
+
// Remove the JS references to the object.
forgetV8ObjectForNPObject(sub_object);
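Review bot: the comment at `+ // Script objects hold a refernce to their DOMWindow*` has a typo (refernce should be reference), and it would help readers to state why storing 0 is safe, namely that `toV8Context` treats a null `rootObject` as "no context". The visible lines clear `rootObject` only for each `sub_object` in the owner's set; if the owner NPObject being unregistered is itself an `npScriptObjectClass` instance it holds the same DOMWindow* and needs the same treatment, unless that is already done elsewhere in this function.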
webkit-changes mailing list
[email protected]
http://lists.webkit.org/mailman/listinfo.cgi/webkit-changes