Title: [116191] trunk
Revision
116191
Author
[email protected]
Date
2012-05-04 16:42:56 -0700 (Fri, 04 May 2012)

Log Message

Prevent early EventListener deletion
https://bugs.webkit.org/show_bug.cgi?id=73970

Reviewed by Oliver Hunt.

Source/WebCore:

Test: fast/events/attribute-listener-deletion-crash.html

* bindings/js/JSEventListener.h:
(WebCore::JSEventListener::jsFunction):

LayoutTests:

* fast/events/attribute-listener-deletion-crash-expected.txt: Added.
* fast/events/attribute-listener-deletion-crash.html: Added.

Diff

Modified: trunk/LayoutTests/ChangeLog (116190 => 116191)


--- trunk/LayoutTests/ChangeLog	2012-05-04 23:42:33 UTC (rev 116190)
+++ trunk/LayoutTests/ChangeLog	2012-05-04 23:42:56 UTC (rev 116191)
@@ -1,3 +1,13 @@
+2012-05-04  Jeffrey Pfau  <[email protected]>
+
+        Prevent early EventListener deletion
+        https://bugs.webkit.org/show_bug.cgi?id=73970
+
+        Reviewed by Oliver Hunt.
+
+        * fast/events/attribute-listener-deletion-crash-expected.txt: Added.
+        * fast/events/attribute-listener-deletion-crash.html: Added.
+
 2012-05-04  Filip Pizlo  <[email protected]>
 
         Unreviewed, updating expectations.

Added: trunk/LayoutTests/fast/events/attribute-listener-deletion-crash-expected.txt (0 => 116191)


--- trunk/LayoutTests/fast/events/attribute-listener-deletion-crash-expected.txt	                        (rev 0)
+++ trunk/LayoutTests/fast/events/attribute-listener-deletion-crash-expected.txt	2012-05-04 23:42:56 UTC (rev 116191)
@@ -0,0 +1,21 @@
+CONSOLE MESSAGE: line 1: SyntaxError: Unexpected token '|'
+CONSOLE MESSAGE: line 1: SyntaxError: Unexpected token '|'
+CONSOLE MESSAGE: line 1: SyntaxError: Unexpected token '|'
+CONSOLE MESSAGE: line 1: SyntaxError: Unexpected token '|'
+CONSOLE MESSAGE: line 1: SyntaxError: Unexpected token '|'
+CONSOLE MESSAGE: line 1: SyntaxError: Unexpected token '|'
+CONSOLE MESSAGE: line 1: SyntaxError: Unexpected token '|'
+CONSOLE MESSAGE: line 1: SyntaxError: Unexpected token '|'
+CONSOLE MESSAGE: line 1: SyntaxError: Unexpected token '|'
+CONSOLE MESSAGE: line 1: SyntaxError: Unexpected token '|'
+CONSOLE MESSAGE: line 1: SyntaxError: Unexpected token '|'
+CONSOLE MESSAGE: line 1: SyntaxError: Unexpected token '|'
+CONSOLE MESSAGE: line 1: SyntaxError: Unexpected token '|'
+CONSOLE MESSAGE: line 1: SyntaxError: Unexpected token '|'
+CONSOLE MESSAGE: line 1: SyntaxError: Unexpected token '|'
+CONSOLE MESSAGE: line 1: SyntaxError: Unexpected token '|'
+CONSOLE MESSAGE: line 1: SyntaxError: Unexpected token '|'
+CONSOLE MESSAGE: line 1: SyntaxError: Unexpected token '|'
+CONSOLE MESSAGE: line 1: SyntaxError: Unexpected token '|'
+CONSOLE MESSAGE: line 1: SyntaxError: Unexpected token '|'
+PASS
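Review bot: the expectation is twenty identical `CONSOLE MESSAGE: line 1: SyntaxError: Unexpected token '|'` lines followed by `PASS`, so it is coupled to the exact iteration count of the test's click loop and to the console-message format; any change to either forces a rebaseline. Since the syntax errors are the point of the test (the invalid `onclick` body is what makes listener initialization fail), that is acceptable, but a short comment in the test explaining that the errors are expected would stop a future reader from treating them as a regression.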

Added: trunk/LayoutTests/fast/events/attribute-listener-deletion-crash.html (0 => 116191)


--- trunk/LayoutTests/fast/events/attribute-listener-deletion-crash.html	                        (rev 0)
+++ trunk/LayoutTests/fast/events/attribute-listener-deletion-crash.html	2012-05-04 23:42:56 UTC (rev 116191)
@@ -0,0 +1,45 @@
+<html>
+<head>
+<script>
+function runTest() {
+  if (!window.layoutTestController)
+    return;
+
+  window.layoutTestController.dumpAsText();
+
+  var span = document.getElementById("root");
+  eventSender.mouseMoveTo(span.offsetLeft + 10, span.offsetTop + span.offsetHeight / 2);
+  for (var i = 0; i < 20; ++i) {
+    eventSender.mouseDown();
+    eventSender.mouseUp();
+  }
+}
+window.addEventListener("DOMNodeRemoved", function(e) {
+  document.body.setAttribute("onclick", "|");
+}, false);
+window.addEventListener("error", function(e) {
+  document.body.removeChild(document.body.firstChild);
+
+  span = document.createElement("span");
+  span.innerHTML = "PASS";
+  span.setAttribute("onclick", "dispatchError()");
+  var child;
+  while (child = document.body.firstChild)
+    document.body.removeChild(child);
+
+  document.body.appendChild(span);
+}, false);
+
+var dispatchError = function() {
+  var evt = document.createEvent("Event");
+  evt.initEvent("error", false, false);
+  window.dispatchEvent(evt);
+}
+
+window._onload_ = function() { runTest() };
+</script>
+</head>
+<body>
+  <span _onclick_="dispatchError()" id="root">This test passes if it doesn't crash</span>
+</body>
+</html>
\ No newline at end of file
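Review bot: in the `error` handler, the first `document.body.removeChild(document.body.firstChild)` is redundant with the `while (child = document.body.firstChild)` loop that follows, and unlike the loop it throws if the body is already empty; drop it and let the loop do the work. The same handler assigns `span = document.createElement("span")` without `var`, so it leaks a global that shadows nothing in `runTest` but is easy to misread; declare it locally. Separately, the attributes appear here as `window._onload_` and `_onclick_`, which would not bind handlers as written; if that is archive mangling of `onload`/`onclick` the committed file is fine, otherwise `runTest` never runs. The file also lacks a trailing newline.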

Modified: trunk/Source/WebCore/ChangeLog (116190 => 116191)


--- trunk/Source/WebCore/ChangeLog	2012-05-04 23:42:33 UTC (rev 116190)
+++ trunk/Source/WebCore/ChangeLog	2012-05-04 23:42:56 UTC (rev 116191)
@@ -1,3 +1,15 @@
+2012-05-04  Jeffrey Pfau  <[email protected]>
+
+        Prevent early EventListener deletion
+        https://bugs.webkit.org/show_bug.cgi?id=73970
+
+        Reviewed by Oliver Hunt.
+
+        Test: fast/events/attribute-listener-deletion-crash.html
+
+        * bindings/js/JSEventListener.h:
+        (WebCore::JSEventListener::jsFunction):
+
 2012-05-04  Yongjun Zhang  <[email protected]>
 
         Add "combining short stroke overlay character (u0335)" to lookalike characters blacklist.
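Review bot: the WebCore ChangeLog entry names the touched function but says nothing about what changed or why; a reader of the log cannot tell how "Prevent early EventListener deletion" was achieved. Add a line under `(WebCore::JSEventListener::jsFunction):` stating that the listener and its wrapper are now kept alive for the duration of `initializeJSFunction`, which can run code that deletes the listener.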

Modified: trunk/Source/WebCore/bindings/js/JSEventListener.h (116190 => 116191)


--- trunk/Source/WebCore/bindings/js/JSEventListener.h	2012-05-04 23:42:33 UTC (rev 116190)
+++ trunk/Source/WebCore/bindings/js/JSEventListener.h	2012-05-04 23:42:56 UTC (rev 116191)
@@ -74,6 +74,11 @@
 
     inline JSC::JSObject* JSEventListener::jsFunction(ScriptExecutionContext* scriptExecutionContext) const
     {
+        // initializeJSFunction can trigger code that deletes this event listener
+        // before we're done. It should always return 0 in this case.
+        RefPtr<JSEventListener> protect(const_cast<JSEventListener*>(this));
+        JSC::Strong<JSC::JSObject> wrapper(*m_isolatedWorld->globalData(), m_wrapper.get());
+
         if (!m_jsFunction) {
             JSC::JSObject* function = initializeJSFunction(scriptExecutionContext);
             m_jsFunction.setMayBeNull(*scriptExecutionContext->globalData(), m_wrapper.get(), function);
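Review bot: the `JSC::Strong<JSC::JSObject> wrapper` guard is never referenced in the visible lines and the comment above it only explains `protect`; add a sentence saying it keeps `m_wrapper` alive across `initializeJSFunction`, otherwise the next reader will take it for dead code. The comment's "It should always return 0 in this case" does not say which function returns 0, and the hunk shows no check for the deleted-listener case after `initializeJSFunction` returns; either name the function (`initializeJSFunction` or `jsFunction`) or show the path that yields 0. Finally, the `const_cast` on `this` to build a `RefPtr` inside a `const` inline accessor adds a ref/deref on every call and quietly mutates the refcount of a const object; that is defensible here but deserves a comment of its own.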
_______________________________________________
webkit-changes mailing list
[email protected]
http://lists.webkit.org/mailman/listinfo.cgi/webkit-changes
