Title: [124626] trunk
Revision: 124626
Author: [email protected]
Date: 2012-08-03 10:32:35 -0700 (Fri, 03 Aug 2012)

Log Message

Crash in Notification when setting a non-object as an event listener (91881)
https://bugs.webkit.org/show_bug.cgi?id=91881
<rdar://problem/11923341>

Reviewed by Oliver Hunt.

Source/WebCore:

Check to make sure that the value being retrieved is an object. This is similar
to the isObject() check done in the bindings code.

Test: fast/notifications/notifications-event-listener-crash.html

* bindings/js/Dictionary.h:
(WebCore::Dictionary::getEventListener):

LayoutTests:

* fast/notifications/notifications-event-listener-crash-expected.txt: Added.
* fast/notifications/notifications-event-listener-crash.html: Added.

Diff

Modified: trunk/LayoutTests/ChangeLog (124625 => 124626)


--- trunk/LayoutTests/ChangeLog	2012-08-03 17:21:17 UTC (rev 124625)
+++ trunk/LayoutTests/ChangeLog	2012-08-03 17:32:35 UTC (rev 124626)
@@ -1,3 +1,14 @@
+2012-07-20  Jon Lee  <[email protected]>
+
+        Crash in Notification when setting a non-object as an event listener (91881)
+        https://bugs.webkit.org/show_bug.cgi?id=91881
+        <rdar://problem/11923341>
+
+        Reviewed by Oliver Hunt.
+
+        * fast/notifications/notifications-event-listener-crash-expected.txt: Added.
+        * fast/notifications/notifications-event-listener-crash.html: Added.
+
 2012-08-03  Keishi Hattori  <[email protected]>
 
         Add keyboard support for color suggestion popup
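Review bot: The new entry is dated 2012-07-20 but is inserted above the existing 2012-08-03 entry, and the file header shows it landing on 2012-08-03, so the ChangeLog is no longer in date order. Update the entry's date to the landing date. The Source/WebCore/ChangeLog entry in this revision carries the same 2012-07-20 date.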

Added: trunk/LayoutTests/fast/notifications/notifications-event-listener-crash-expected.txt (0 => 124626)


--- trunk/LayoutTests/fast/notifications/notifications-event-listener-crash-expected.txt	                        (rev 0)
+++ trunk/LayoutTests/fast/notifications/notifications-event-listener-crash-expected.txt	2012-08-03 17:32:35 UTC (rev 124626)
@@ -0,0 +1,5 @@
+PASS successfullyParsed is true
+
+TEST COMPLETE
+PASS No crash.
+

Added: trunk/LayoutTests/fast/notifications/notifications-event-listener-crash.html (0 => 124626)


--- trunk/LayoutTests/fast/notifications/notifications-event-listener-crash.html	                        (rev 0)
+++ trunk/LayoutTests/fast/notifications/notifications-event-listener-crash.html	2012-08-03 17:32:35 UTC (rev 124626)
@@ -0,0 +1,23 @@
+<!DOCTYPE html>
+<html>
+<head>
+<script src=""
+</head>
+<body>
+<p id="description"></p>
+<div id="console"></div>
+<script>
+if (window.layoutTestController) {
+	layoutTestController.waitUntilDone();
+	setTimeout(function() {
+		testPassed('No crash.');
+		layoutTestController.notifyDone();
+	}, 0);
+}
+
+new Notification("title", { onclick: null });
+successfullyParsed = true;
+</script>
+<script src=""
+</body>
+</html>
\ No newline at end of file
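Review bot: The test covers only one non-object value, `onclick: null` in the `new Notification(...)` call, while the fix rejects every value for which isObject() is false. Add cases for other non-object values (a number, a string, a boolean) so a regression in any of those paths is caught. "PASS No crash." is reported only inside the `window.layoutTestController` branch, so the page shows no result when opened outside the test harness. The file also ends without a trailing newline.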

Modified: trunk/Source/WebCore/ChangeLog (124625 => 124626)


--- trunk/Source/WebCore/ChangeLog	2012-08-03 17:21:17 UTC (rev 124625)
+++ trunk/Source/WebCore/ChangeLog	2012-08-03 17:32:35 UTC (rev 124626)
@@ -1,3 +1,19 @@
+2012-07-20  Jon Lee  <[email protected]>
+
+        Crash in Notification when setting a non-object as an event listener (91881)
+        https://bugs.webkit.org/show_bug.cgi?id=91881
+        <rdar://problem/11923341>
+
+        Reviewed by Oliver Hunt.
+
+        Check to make sure that the value being retrieved is an object. This is similar
+        to the isObject() check done in the bindings code.
+
+        Test: fast/notifications/notifications-event-listener-crash.html
+
+        * bindings/js/Dictionary.h:
+        (WebCore::Dictionary::getEventListener):
+
 2012-08-03  Kentaro Hara  <[email protected]>
 
         [V8] Remove v8StringToAtomicWebCoreString()

Modified: trunk/Source/WebCore/bindings/js/Dictionary.h (124625 => 124626)


--- trunk/Source/WebCore/bindings/js/Dictionary.h	2012-08-03 17:21:17 UTC (rev 124625)
+++ trunk/Source/WebCore/bindings/js/Dictionary.h	2012-08-03 17:32:35 UTC (rev 124626)
@@ -96,7 +96,9 @@
         return 0;
     if (eventListener.hasNoValue())
         return 0;
-    
+    if (!eventListener.isObject())
+        return 0;
+
     return JSEventListener::create(asObject(eventListener.jsValue()), asJSObject(target), true, currentWorld(m_dictionary.execState()));
 }
 
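Review bot: Missing documentation at the new `if (!eventListener.isObject())` guard: nothing says that it exists to protect the `asObject(eventListener.jsValue())` call on the return line, which per the log message is where a non-object value led to the crash. A one-line comment stating that non-object values are treated as "no listener" would keep a later cleanup from folding it into the `hasNoValue()` check above. It is also worth stating whether `hasNoValue()` is still needed now that the object check follows it directly.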
_______________________________________________
webkit-changes mailing list
[email protected]
http://lists.webkit.org/mailman/listinfo/webkit-changes
