[webkit-changes] [99452] branches/chromium/874/Source/WebCore/bindings/v8

[japhet]

Title: [99452] branches/chromium/874/Source/WebCore/bindings/v8

Revision

99452

Author

jap...@chromium.org

Date

2011-11-07 11:46:54 -0800 (Mon, 07 Nov 2011)

Log Message

Merge 99311 - [V8] Null out V8NPObject::rootObject when the owning
Frame goes away.
https://bugs.webkit.org/show_bug.cgi?id=71569

Reviewed by Adam Barth.

No new tests, this has only been successfully triggered
using ppapi flash.

* bindings/v8/V8Helpers.cpp:
(WebCore::toV8Context):
* bindings/v8/npruntime.cpp:


TBR=jap...@chromium.org
Review URL: http://codereview.chromium.org/8493015

Modified Paths

• branches/chromium/874/Source/WebCore/bindings/v8/V8Helpers.cpp
• branches/chromium/874/Source/WebCore/bindings/v8/npruntime.cpp

Diff

Modified: branches/chromium/874/Source/WebCore/bindings/v8/V8Helpers.cpp (99451 => 99452)

--- branches/chromium/874/Source/WebCore/bindings/v8/V8Helpers.cpp	2011-11-07 19:32:04 UTC (rev 99451)
+++ branches/chromium/874/Source/WebCore/bindings/v8/V8Helpers.cpp	2011-11-07 19:46:54 UTC (rev 99452)
@@ -32,6 +32,7 @@
 #include "V8Helpers.h"
 
 #include "DOMWindow.h"
+#include "Frame.h"
 #include "NPV8Object.h"
 #include "V8Proxy.h"
 
@@ -40,6 +41,9 @@
 v8::Local<v8::Context> toV8Context(NPP npp, NPObject* npObject)
 {
     V8NPObject* object = reinterpret_cast<V8NPObject*>(npObject);
+    DOMWindow* domWindow = object->rootObject;
+    if (!domWindow || domWindow != domWindow->frame()->domWindow())
+        return v8::Local<v8::Context>();
     return V8Proxy::mainWorldContext(object->rootObject->frame());
 }
 

Modified: branches/chromium/874/Source/WebCore/bindings/v8/npruntime.cpp (99451 => 99452)

--- branches/chromium/874/Source/WebCore/bindings/v8/npruntime.cpp	2011-11-07 19:32:04 UTC (rev 99451)
+++ branches/chromium/874/Source/WebCore/bindings/v8/npruntime.cpp	2011-11-07 19:46:54 UTC (rev 99452)
@@ -418,6 +418,13 @@
             set->remove(sub_object);
             liveObjectMap.remove(sub_object);
 
+            // Script objects hold a refernce to their DOMWindow*, which is going away if
+            // we're unregistering the associated owner NPObject. Clear it out.
+            if (sub_object->_class == npScriptObjectClass) {
+                V8NPObject* v8npObject = reinterpret_cast<V8NPObject*>(sub_object);
+                v8npObject->rootObject = 0;
+            }
+
             // Remove the JS references to the object.
             forgetV8ObjectForNPObject(sub_object);
 

_______________________________________________
webkit-changes mailing list
webkit-changes@lists.webkit.org
http://lists.webkit.org/mailman/listinfo.cgi/webkit-changes