Title: [111952] releases/WebKitGTK/webkit-1.8

Diff

Modified: releases/WebKitGTK/webkit-1.8/LayoutTests/ChangeLog (111951 => 111952)


--- releases/WebKitGTK/webkit-1.8/LayoutTests/ChangeLog	2012-03-24 00:58:40 UTC (rev 111951)
+++ releases/WebKitGTK/webkit-1.8/LayoutTests/ChangeLog	2012-03-24 01:03:22 UTC (rev 111952)
@@ -1,3 +1,15 @@
+2012-03-23  Maciej Stachowiak  <[email protected]>
+
+        REGRESSION(r97353): Crash when accessing location or history properties inside a navigated window
+        https://bugs.webkit.org/show_bug.cgi?id=80133
+
+        Reviewed by Antti Koivisto.
+
+        * fast/dom/Window/navigated-window-properties-expected.txt: Added.
+        * fast/dom/Window/navigated-window-properties.html: Added.
+        * fast/dom/Window/resources/navigated-window-prop-subframe1.html: Added.
+        * fast/dom/Window/resources/navigated-window-prop-subframe2.html: Added.
+
 2012-03-23  Ryosuke Niwa  <[email protected]>
 
         REGRESSION(r74971): Can't select a line of RTL text on Facebook

Added: releases/WebKitGTK/webkit-1.8/LayoutTests/fast/dom/Window/navigated-window-properties-expected.txt (0 => 111952)


--- releases/WebKitGTK/webkit-1.8/LayoutTests/fast/dom/Window/navigated-window-properties-expected.txt	                        (rev 0)
+++ releases/WebKitGTK/webkit-1.8/LayoutTests/fast/dom/Window/navigated-window-properties-expected.txt	2012-03-24 01:03:22 UTC (rev 111952)
@@ -0,0 +1,3 @@
+Accessing properties of a navigated window shouldn't crash
+
+
Property changes on: releases/WebKitGTK/webkit-1.8/LayoutTests/fast/dom/Window/navigated-window-properties-expected.txt
___________________________________________________________________

Added: svn:eol-style

Added: releases/WebKitGTK/webkit-1.8/LayoutTests/fast/dom/Window/navigated-window-properties.html (0 => 111952)


--- releases/WebKitGTK/webkit-1.8/LayoutTests/fast/dom/Window/navigated-window-properties.html	                        (rev 0)
+++ releases/WebKitGTK/webkit-1.8/LayoutTests/fast/dom/Window/navigated-window-properties.html	2012-03-24 01:03:22 UTC (rev 111952)
@@ -0,0 +1,26 @@
+<!DOCTYPE html>
+<title>Properties of a navigated window shouldn't crash</title>
+
+<p>Accessing properties of a navigated window shouldn't crash</p>
+
+<script>
+if (window.layoutTestController) {
+    layoutTestController.waitUntilDone();
+    layoutTestController.dumpAsText();
+}
+
+
+var func;
+function testPhase1() {
+    var subframe = document.getElementById("subframe");
+    func = subframe.contentWindow.testFunction;
+    subframe.src = ""
+}
+
+function testPhase2() {
+    func();
+    if (window.layoutTestController)
+        layoutTestController.notifyDone();
+}
+</script>
+<iframe id="subframe" src=""
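
Review bot: testPhase2 calls func() and goes straight to notifyDone() without checking any outcome, so this test can only fail by crashing or timing out, and the expected file holds nothing but the paragraph text. If the intended behaviour after navigation is defined (values returned or an exception thrown), printing a PASS/FAIL line from testPhase2 would pin it down. Separately, `subframe.src = ""` in testPhase1 is missing its terminating semicolon.
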
Property changes on: releases/WebKitGTK/webkit-1.8/LayoutTests/fast/dom/Window/navigated-window-properties.html
___________________________________________________________________

Added: svn:eol-style

Added: releases/WebKitGTK/webkit-1.8/LayoutTests/fast/dom/Window/resources/navigated-window-prop-subframe1.html (0 => 111952)


--- releases/WebKitGTK/webkit-1.8/LayoutTests/fast/dom/Window/resources/navigated-window-prop-subframe1.html	                        (rev 0)
+++ releases/WebKitGTK/webkit-1.8/LayoutTests/fast/dom/Window/resources/navigated-window-prop-subframe1.html	2012-03-24 01:03:22 UTC (rev 111952)
@@ -0,0 +1,9 @@
+<script>
+function testFunction() {
+    try {
+         var s = location.href + history.length;
+    } catch (e) {
+    }
+}
+parent.testPhase1();
+</script>
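
Review bot: the empty `catch (e) { }` in testFunction hides whether reading location.href and history.length on the stale window threw or returned, and `s` is never used. A one-line comment in the catch saying that both outcomes are acceptable and only a crash is a failure would make the intent clear to the next reader. The `var s` line is also indented one space deeper than the rest of the block.
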
Property changes on: releases/WebKitGTK/webkit-1.8/LayoutTests/fast/dom/Window/resources/navigated-window-prop-subframe1.html
___________________________________________________________________

Added: svn:eol-style

Added: releases/WebKitGTK/webkit-1.8/LayoutTests/fast/dom/Window/resources/navigated-window-prop-subframe2.html (0 => 111952)


--- releases/WebKitGTK/webkit-1.8/LayoutTests/fast/dom/Window/resources/navigated-window-prop-subframe2.html	                        (rev 0)
+++ releases/WebKitGTK/webkit-1.8/LayoutTests/fast/dom/Window/resources/navigated-window-prop-subframe2.html	2012-03-24 01:03:22 UTC (rev 111952)
@@ -0,0 +1,3 @@
+<script>
+parent.testPhase2();
+</script>
Property changes on: releases/WebKitGTK/webkit-1.8/LayoutTests/fast/dom/Window/resources/navigated-window-prop-subframe2.html
___________________________________________________________________

Added: svn:eol-style

Modified: releases/WebKitGTK/webkit-1.8/Source/WebCore/ChangeLog (111951 => 111952)


--- releases/WebKitGTK/webkit-1.8/Source/WebCore/ChangeLog	2012-03-24 00:58:40 UTC (rev 111951)
+++ releases/WebKitGTK/webkit-1.8/Source/WebCore/ChangeLog	2012-03-24 01:03:22 UTC (rev 111952)
@@ -1,3 +1,22 @@
+2012-03-23  Maciej Stachowiak  <[email protected]>
+
+        REGRESSION(r97353): Crash when accessing location or history properties inside a navigated window
+        https://bugs.webkit.org/show_bug.cgi?id=80133
+        <rdar://problem/10432233>
+        
+        Reviewed by Antti Koivisto.
+
+        Test: fast/dom/Window/navigated-window-properties.html
+
+        * bindings/js/JSDOMWindowCustom.cpp:
+        (WebCore): Remove custom getters for window.location and window.history; they
+        were unnecessary and did the wrong thing when DOMWindow returned null values 
+        for these.
+        * page/DOMWindow.idl: ditto
+        * bindings/js/JSDOMBinding.cpp:
+        (WebCore::reportException): Remove assert about null values and update comment,
+        since this is now an expected state for navigated inner windows.
+
 2012-03-23  Ryosuke Niwa  <[email protected]>
 
         REGRESSION(r74971): Can't select a line of RTL text on Facebook
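
Review bot: this entry lists JSDOMWindowCustom.cpp, DOMWindow.idl and JSDOMBinding.cpp, but the same revision also modifies platform/sql/SQLiteStatement.cpp and that file is not mentioned. Either add a line explaining that change or drop it from this merge. The blank line after the rdar reference and the line ending in "null values" also carry trailing whitespace.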

Modified: releases/WebKitGTK/webkit-1.8/Source/WebCore/bindings/js/JSDOMBinding.cpp (111951 => 111952)


--- releases/WebKitGTK/webkit-1.8/Source/WebCore/bindings/js/JSDOMBinding.cpp	2012-03-24 00:58:40 UTC (rev 111951)
+++ releases/WebKitGTK/webkit-1.8/Source/WebCore/bindings/js/JSDOMBinding.cpp	2012-03-24 01:03:22 UTC (rev 111952)
@@ -161,9 +161,8 @@
         errorMessage = stringToUString(exceptionBase->message() + ": "  + exceptionBase->description());
 
     ScriptExecutionContext* scriptExecutionContext = static_cast<JSDOMGlobalObject*>(exec->lexicalGlobalObject())->scriptExecutionContext();
-    ASSERT(scriptExecutionContext);
 
-    // Crash data indicates null-dereference crashes at this point in the Safari 4 Public Beta.
+    // scriptExecutionContext can be null when the relevant global object is a stale inner window object.
     // It's harmless to return here without reporting the exception to the log and the debugger in this case.
     if (!scriptExecutionContext)
         return;
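
Review bot: with ASSERT(scriptExecutionContext) removed, a null context from any cause other than a stale inner window now returns silently in debug builds as well, and the exception is never reported. The retained sentence "It's harmless to return here..." states that without giving the reason; consider saying why it is harmless for the stale-window case, or emitting a debug-level log before `return;` so that unexpected nulls stay visible.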

Modified: releases/WebKitGTK/webkit-1.8/Source/WebCore/bindings/js/JSDOMWindowCustom.cpp (111951 => 111952)


--- releases/WebKitGTK/webkit-1.8/Source/WebCore/bindings/js/JSDOMWindowCustom.cpp	2012-03-24 00:58:40 UTC (rev 111951)
+++ releases/WebKitGTK/webkit-1.8/Source/WebCore/bindings/js/JSDOMWindowCustom.cpp	2012-03-24 01:03:22 UTC (rev 111952)
@@ -404,30 +404,6 @@
 
 // Custom Attributes
 
-JSValue JSDOMWindow::history(ExecState* exec) const
-{
-    History* history = impl()->history();
-    if (JSDOMWrapper* wrapper = getCachedWrapper(currentWorld(exec), history))
-        return wrapper;
-
-    JSDOMWindow* window = const_cast<JSDOMWindow*>(this);
-    JSHistory* jsHistory = JSHistory::create(getDOMStructure<JSHistory>(exec, window), window, history);
-    cacheWrapper(currentWorld(exec), history, jsHistory);
-    return jsHistory;
-}
-
-JSValue JSDOMWindow::location(ExecState* exec) const
-{
-    Location* location = impl()->location();
-    if (JSDOMWrapper* wrapper = getCachedWrapper(currentWorld(exec), location))
-        return wrapper;
-
-    JSDOMWindow* window = const_cast<JSDOMWindow*>(this);
-    JSLocation* jsLocation = JSLocation::create(getDOMStructure<JSLocation>(exec, window), window, location);
-    cacheWrapper(currentWorld(exec), location, jsLocation);
-    return jsLocation;
-}
-
 void JSDOMWindow::setLocation(ExecState* exec, JSValue value)
 {
 #if ENABLE(DASHBOARD_SUPPORT)
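
Review bot: nothing visible in this hunk establishes what script receives once these getters are gone and impl()->history() or impl()->location() is null. The removed code passed those pointers to getCachedWrapper and JSHistory::create / JSLocation::create without a null check, which fits the crash in the ChangeLog, but the replacement path is generated code that is not part of this diff. Please state the expected result for a navigated window (null, undefined or an exception) in the ChangeLog and have the layout test check it.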

Modified: releases/WebKitGTK/webkit-1.8/Source/WebCore/page/DOMWindow.idl (111951 => 111952)


--- releases/WebKitGTK/webkit-1.8/Source/WebCore/page/DOMWindow.idl	2012-03-24 00:58:40 UTC (rev 111951)
+++ releases/WebKitGTK/webkit-1.8/Source/WebCore/page/DOMWindow.idl	2012-03-24 01:03:22 UTC (rev 111952)
@@ -44,7 +44,7 @@
     ] DOMWindow {
         // DOM Level 0
         attribute [Replaceable] Screen screen;
-        attribute [Replaceable, DoNotCheckDomainSecurityOnGetter, JSCustomGetter] History history;
+        attribute [Replaceable, DoNotCheckDomainSecurityOnGetter] History history;
         attribute [Replaceable] BarInfo locationbar;
         attribute [Replaceable] BarInfo menubar;
         attribute [Replaceable] BarInfo personalbar;
@@ -55,7 +55,7 @@
         attribute [Replaceable] Navigator clientInformation;
         readonly attribute Crypto crypto;
 #if !defined(LANGUAGE_CPP) || !LANGUAGE_CPP
-        attribute [DoNotCheckDomainSecurity, JSCustom, V8CustomSetter, V8Unforgeable] Location location;
+        attribute [DoNotCheckDomainSecurity, CustomSetter, V8CustomSetter, V8Unforgeable] Location location;
 #endif
         attribute [Replaceable, CustomGetter, V8CustomSetter] Event event;
 
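
Review bot: on the location attribute, `JSCustom` is replaced by `CustomSetter` rather than `JSCustomSetter`, while `V8CustomSetter` stays in the same list. The history line above used the JS-prefixed form (`JSCustomGetter`), so the naming is now inconsistent; if `CustomSetter` already covers every bindings generator then `V8CustomSetter` is redundant here, and if it does not, `JSCustomSetter` would match the scope of what was removed. A short note in the ChangeLog on which was intended would help.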

Modified: releases/WebKitGTK/webkit-1.8/Source/WebCore/platform/sql/SQLiteStatement.cpp (111951 => 111952)


--- releases/WebKitGTK/webkit-1.8/Source/WebCore/platform/sql/SQLiteStatement.cpp	2012-03-24 00:58:40 UTC (rev 111951)
+++ releases/WebKitGTK/webkit-1.8/Source/WebCore/platform/sql/SQLiteStatement.cpp	2012-03-24 01:03:22 UTC (rev 111952)
@@ -97,7 +97,7 @@
     MutexLocker databaseLock(m_database.databaseMutex());
     if (m_database.isInterrupted())
         return SQLITE_INTERRUPT;
-    ASSERT(m_isPrepared);
+    //ASSERT(m_isPrepared);
 
     if (!m_statement)
         return SQLITE_OK;
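
Review bot: `//ASSERT(m_isPrepared);` disables a precondition check by commenting it out, with no explanation here and no mention in the WebCore ChangeLog entry for this revision, which is otherwise about window.location and window.history. If the assertion is wrong for this branch, delete it and record the reason; if it was disabled to get a build or test past a failure, it should be restored or tracked in a bug, since the `if (!m_statement) return SQLITE_OK;` path below now runs on an unprepared statement without any debug-build signal.
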
_______________________________________________
webkit-changes mailing list
[email protected]
http://lists.webkit.org/mailman/listinfo.cgi/webkit-changes
