Title: [128513] trunk
Revision
128513
Author
[email protected]
Date
2012-09-13 15:19:43 -0700 (Thu, 13 Sep 2012)

Log Message

REGRESSION(r125126): It made fast/events/keyevent-iframe-removed-crash.html assert
https://bugs.webkit.org/show_bug.cgi?id=93654

Reviewed by Eric Seidel.

Source/WebCore:

When wrapping a Document, we need to ensure that the global object for
the wrapper actually exists before trying to create the wrapper. In
other cases in the DOM, we always touch the global object before trying
to wrap a given DOM object. For Document, however,
HTMLFrameElement.contentDocument is a rare way to get at a DOM object
for a global object without first touching the Window object.

Rather than writing custom bindings for
HTMLFrameElement.contentDocument, this patch just makes toJS for
Document ensure that toJS for DOMWindow has been called first. The V8
bindings have some similar code.

Test: fast/dom/content-document-prototype.html

* bindings/js/JSDocumentCustom.cpp:
(WebCore::toJS):

LayoutTests:

* fast/dom/content-document-prototype-expected.txt: Added.
* fast/dom/content-document-prototype.html: Added.
    - Check that HTMLFrameElement.contentDocument ends up with the
      right prototype chain. This is a tricky case because not only is the
      prototype chain of the property different from the holder's, we
      never actually touch the DOMWindow in this test case so the
      prototype chain leads to a global object that doesn't even exist
      yet!
* fast/events/keyevent-iframe-removed-crash.html:
    - Add a call to gc() so that this test will ASSERT reliably if we
      cause a similar problem in the future.

Diff

Modified: trunk/LayoutTests/ChangeLog (128512 => 128513)


--- trunk/LayoutTests/ChangeLog	2012-09-13 22:13:07 UTC (rev 128512)
+++ trunk/LayoutTests/ChangeLog	2012-09-13 22:19:43 UTC (rev 128513)
@@ -1,3 +1,22 @@
+2012-09-13  Adam Barth  <[email protected]>
+
+        REGRESSION(r125126): It made fast/events/keyevent-iframe-removed-crash.html assert
+        https://bugs.webkit.org/show_bug.cgi?id=93654
+
+        Reviewed by Eric Seidel.
+
+        * fast/dom/content-document-prototype-expected.txt: Added.
+        * fast/dom/content-document-prototype.html: Added.
+            - Check that HTMLFrameElement.contentDocument ends up with the
+              right prototype chain. This is a tricky case because not only the
+              prototype chain of the property different from the holder, we
+              never actually touch the DOMWindow in this test case so the
+              prototype chain leads to a global object that doesn't even exist
+              yet!
+        * fast/events/keyevent-iframe-removed-crash.html:
+            - Add a call to gc() so that this test will ASSERT reliabily if we
+              cause a similar problem in the future.
+
 2012-09-13  James Robinson  <[email protected]>
 
         Unreviewed gardening - upstream some skia_test_expectations.txt entries.
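Review bot: two wording slips in the new LayoutTests/ChangeLog entry. "reliabily" in the keyevent-iframe-removed-crash.html bullet should be "reliably", and "not only the prototype chain of the property different from the holder" is missing a verb; "not only is the prototype chain of the property different from the holder's" reads as intended.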

Added: trunk/LayoutTests/fast/dom/content-document-prototype-expected.txt (0 => 128513)


--- trunk/LayoutTests/fast/dom/content-document-prototype-expected.txt	                        (rev 0)
+++ trunk/LayoutTests/fast/dom/content-document-prototype-expected.txt	2012-09-13 22:19:43 UTC (rev 128513)
@@ -0,0 +1 @@
+PASS

Added: trunk/LayoutTests/fast/dom/content-document-prototype.html (0 => 128513)


--- trunk/LayoutTests/fast/dom/content-document-prototype.html	                        (rev 0)
+++ trunk/LayoutTests/fast/dom/content-document-prototype.html	2012-09-13 22:19:43 UTC (rev 128513)
@@ -0,0 +1,16 @@
+<body>
+<script>
+if (window.testRunner)
+    testRunner.dumpAsText();
+
+var ifm = document.createElement('iframe');
+document.body.appendChild(ifm);
+
+var parentDocumentPrototype = document.__proto__;
+var childDocumentPrototype = ifm.contentDocument.__proto__;
+
+if (parentDocumentPrototype === childDocumentPrototype)
+    document.write("FAIL! The parent and child documents have the same prototype.");
+else
+    document.write("PASS");
+</script>
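Review bot: the check in content-document-prototype.html is weaker than what the ChangeLog claims ("ends up with the right prototype chain"). It only asserts that `ifm.contentDocument.__proto__` differs from `document.__proto__`, so a wrapper built against some other, wrong global object would still print PASS. Once contentDocument has been read it is safe to touch the child window without defeating the purpose of the test, so consider additionally asserting `childDocumentPrototype === ifm.contentWindow.HTMLDocument.prototype` (reading contentWindow only after contentDocument preserves the "window not yet touched" ordering the test exists to exercise).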

Modified: trunk/LayoutTests/fast/events/keyevent-iframe-removed-crash.html (128512 => 128513)


--- trunk/LayoutTests/fast/events/keyevent-iframe-removed-crash.html	2012-09-13 22:13:07 UTC (rev 128512)
+++ trunk/LayoutTests/fast/events/keyevent-iframe-removed-crash.html	2012-09-13 22:19:43 UTC (rev 128513)
@@ -1,6 +1,7 @@
 <!DOCTYPE html>
 <html>
 <head>
+<script src=""
 <script>
     function go() {
         var fr = document.createElement('iframe');
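Review bot: the added line `<script src=""` is not a complete element as shown in this hunk: the src attribute is empty and there is no closing `>` or `</script>`, so nothing would be loaded and the tag would run into the `<script>` on the following line. If the path was lost when the change was rendered, please confirm the committed line is a full `<script src="..."></script>` pointing at the helper that defines gc(); the `gc()` call added to nuke() in the next hunk depends on it.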
@@ -23,6 +24,7 @@
     }
 
     function nuke() {
+        gc();
         eventSender.keyDown("x")
         testRunner.notifyDone();
     }
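Review bot: `gc()` is called before `eventSender.keyDown("x")` but is not defined anywhere in this file, so it relies entirely on the helper script added in the head hunk. If that helper is absent or fails to load, the ReferenceError is thrown before `testRunner.notifyDone()` and the test times out rather than passing or asserting, which hides exactly the failure this change is meant to surface. Please make sure the helper is actually loaded (a full `<script src="..."></script>` in the head) rather than silently guarding the call, since a guarded `gc()` would make the regression check no-op.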

Modified: trunk/Source/WebCore/ChangeLog (128512 => 128513)


--- trunk/Source/WebCore/ChangeLog	2012-09-13 22:13:07 UTC (rev 128512)
+++ trunk/Source/WebCore/ChangeLog	2012-09-13 22:19:43 UTC (rev 128513)
@@ -1,3 +1,27 @@
+2012-09-13  Adam Barth  <[email protected]>
+
+        REGRESSION(r125126): It made fast/events/keyevent-iframe-removed-crash.html assert
+        https://bugs.webkit.org/show_bug.cgi?id=93654
+
+        Reviewed by Eric Seidel.
+
+        When wrapping a Document, we need to ensure that the global object for
+        the wrapper actually exists before trying to create the wrapper. In
+        other cases in the DOM, we always touch the global object before trying
+        to wrap a given DOM object. For Document, however,
+        HTMLFrameElement.contentDocument is a rare way to get at a DOM object
+        for a global object without first touching the Window object.
+
+        Rather than writing custom bindings for
+        HTMLFrameElement.contentDocument, this patch just makes toJS for
+        Document ensure that toJS for DOMWindow has been called first. The V8
+        bindings have some similar code.
+
+        Test: fast/dom/content-document-prototype.html
+
+        * bindings/js/JSDocumentCustom.cpp:
+        (WebCore::toJS):
+
 2012-09-13  Anders Carlsson  <[email protected]>
 
         Fix build.

Modified: trunk/Source/WebCore/bindings/js/JSDocumentCustom.cpp (128512 => 128513)


--- trunk/Source/WebCore/bindings/js/JSDocumentCustom.cpp	2012-09-13 22:13:07 UTC (rev 128512)
+++ trunk/Source/WebCore/bindings/js/JSDocumentCustom.cpp	2012-09-13 22:19:43 UTC (rev 128513)
@@ -86,6 +86,14 @@
     if (wrapper)
         return wrapper;
 
+    if (DOMWindow* domWindow = document->domWindow()) {
+        globalObject = toJSDOMWindow(toJS(exec, domWindow));
+        // Creating a wrapper for domWindow might have created a wrapper for document as well.
+        wrapper = getCachedWrapper(currentWorld(exec), document);
+        if (wrapper)
+            return wrapper;
+    }
+
     if (document->isHTMLDocument())
         wrapper = CREATE_DOM_WRAPPER(exec, globalObject, HTMLDocument, document);
 #if ENABLE(SVG)
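Review bot: in the new block, `globalObject` is replaced by the document's own window's global, which is the right fix for the prototype-chain problem, but `toJSDOMWindow()` returns 0 when the value it is handed is not a DOMWindow wrapper or shell, and `CREATE_DOM_WRAPPER` below dereferences `globalObject`. Add `ASSERT(globalObject);` after the assignment (or fall back to the caller-supplied value when the conversion yields null) so a bad conversion fails loudly instead of as a null dereference. The second `getCachedWrapper(currentWorld(exec), document)` lookup is the correct re-entrancy guard, since wrapping the window can create the document wrapper as a side effect; it just deserves the assert alongside it.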
_______________________________________________
webkit-changes mailing list
[email protected]
http://lists.webkit.org/mailman/listinfo/webkit-changes
