Title: [115746] trunk/Source/WebCore
Revision: 115746
Author: [email protected]
Date: 2012-05-01 13:15:26 -0700 (Tue, 01 May 2012)

Log Message

Crash calling disconnectFrame on a DOMWindowExtension a second time.
https://bugs.webkit.org/show_bug.cgi?id=85301

Reviewed by Darin Adler.

DOMWindowExtension::disconnectFrame assumed it would only be called when there was a frame
to disconnect. However, DOMWindow's destructor invokes disconnectFrame on all its
DOMWindowProperties, even if it already did so when it entered the page cache.

* page/DOMWindowExtension.cpp:
(WebCore::DOMWindowExtension::disconnectFrame):
Don't do anything if the frame has already been disconnected.

Modified Paths

Diff

Modified: trunk/Source/WebCore/ChangeLog (115745 => 115746)


--- trunk/Source/WebCore/ChangeLog	2012-05-01 19:27:51 UTC (rev 115745)
+++ trunk/Source/WebCore/ChangeLog	2012-05-01 20:15:26 UTC (rev 115746)
@@ -1,3 +1,18 @@
+2012-05-01  Jessie Berlin  <[email protected]>
+
+        Crash calling disconnectFrame on a DOMWindowExtension a second time.
+        https://bugs.webkit.org/show_bug.cgi?id=85301
+
+        Reviewed by Darin Adler.
+
+        DOMWindowExtension::disconnectFrame assumed it would only be called when there was a frame
+        to disconnect. However, DOMWindow's destructor invokes disconnectFrame on all its
+        DOMWindowProperties, even if it already did so when it entered the page cache.
+
+        * page/DOMWindowExtension.cpp:
+        (WebCore::DOMWindowExtension::disconnectFrame):
+        Don't do anything if the frame has already been disconnected.
+
 2012-05-01  Aaron Colwell  <[email protected]>
 
         Temporarily remove webkitSourceAddId() & webkitSourceRemoveId() from DOM
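Review bot: The new ChangeLog entry names no test for the double-disconnect path. The crash needs a DOMWindow that entered the page cache and was later destroyed, so either list the regression test that exercises that sequence or state in the entry why none was added.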

Modified: trunk/Source/WebCore/page/DOMWindowExtension.cpp (115745 => 115746)


--- trunk/Source/WebCore/page/DOMWindowExtension.cpp	2012-05-01 19:27:51 UTC (rev 115745)
+++ trunk/Source/WebCore/page/DOMWindowExtension.cpp	2012-05-01 20:15:26 UTC (rev 115746)
@@ -54,6 +54,13 @@
 
 void DOMWindowExtension::disconnectFrame()
 {
+    // The DOMWindow destructor calls disconnectFrame on all its DOMWindowProperties, even if it
+    // did that already when entering the page cache.
+    if (m_disconnectedFrame) {
+        ASSERT(!frame());
+        return;
+    }
+
     // Calling out to the client might result in this DOMWindowExtension being destroyed
     // while there is still work to do.
     RefPtr<DOMWindowExtension> protector = this;
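Review bot: In the early return at the top of disconnectFrame(), the guard keys on m_disconnectedFrame while the only check that frame() is actually null is an ASSERT, which does nothing in release builds. The hunk does not show where m_disconnectedFrame is cleared, so please confirm it is reset whenever the extension is attached to a frame again; if it can stay set while frame() is non-null, a later legitimate disconnect returns here without reaching the client callout below. A one-line comment stating that invariant next to the ASSERT would make the assumption explicit.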
_______________________________________________
webkit-changes mailing list
[email protected]
http://lists.webkit.org/mailman/listinfo.cgi/webkit-changes
