Title: [133353] branches/safari-536.28-branch
- Revision
- 133353
- Author
- [email protected]
- Date
- 2012-11-02 14:45:04 -0700 (Fri, 02 Nov 2012)
Log Message
Merged r124626. <rdar://problem/12536373>
Modified Paths
Added Paths
Diff
Modified: branches/safari-536.28-branch/LayoutTests/ChangeLog (133352 => 133353)
--- branches/safari-536.28-branch/LayoutTests/ChangeLog 2012-11-02 21:38:10 UTC (rev 133352)
+++ branches/safari-536.28-branch/LayoutTests/ChangeLog 2012-11-02 21:45:04 UTC (rev 133353)
@@ -1,5 +1,20 @@
2012-11-02 Lucas Forschler <[email protected]>
+ Merge r124626
+
+ 2012-07-20 Jon Lee <[email protected]>
+
+ Crash in Notification when setting a non-object as an event listener (91881)
+ https://bugs.webkit.org/show_bug.cgi?id=91881
+ <rdar://problem/11923341>
+
+ Reviewed by Oliver Hunt.
+
+ * fast/notifications/notifications-event-listener-crash-expected.txt: Added.
+ * fast/notifications/notifications-event-listener-crash.html: Added.
+
+2012-11-02 Lucas Forschler <[email protected]>
+
Merge r124564
2012-08-02 Abhishek Arya <[email protected]>
@@ -10757,3 +10772,4 @@
.
.
.
+.
Copied: branches/safari-536.28-branch/LayoutTests/fast/notifications/notifications-event-listener-crash-expected.txt (from rev 124626, trunk/LayoutTests/fast/notifications/notifications-event-listener-crash-expected.txt) (0 => 133353)
--- branches/safari-536.28-branch/LayoutTests/fast/notifications/notifications-event-listener-crash-expected.txt (rev 0)
+++ branches/safari-536.28-branch/LayoutTests/fast/notifications/notifications-event-listener-crash-expected.txt 2012-11-02 21:45:04 UTC (rev 133353)
@@ -0,0 +1,5 @@
+PASS successfullyParsed is true
+
+TEST COMPLETE
+PASS No crash.
+
Copied: branches/safari-536.28-branch/LayoutTests/fast/notifications/notifications-event-listener-crash.html (from rev 124626, trunk/LayoutTests/fast/notifications/notifications-event-listener-crash.html) (0 => 133353)
--- branches/safari-536.28-branch/LayoutTests/fast/notifications/notifications-event-listener-crash.html (rev 0)
+++ branches/safari-536.28-branch/LayoutTests/fast/notifications/notifications-event-listener-crash.html 2012-11-02 21:45:04 UTC (rev 133353)
@@ -0,0 +1,23 @@
+<!DOCTYPE html>
+<html>
+<head>
+<script src=""
+</head>
+<body>
+<p id="description"></p>
+<div id="console"></div>
+<script>
+if (window.layoutTestController) {
+ layoutTestController.waitUntilDone();
+ setTimeout(function() {
+ testPassed('No crash.');
+ layoutTestController.notifyDone();
+ }, 0);
+}
+
+new Notification("title", { onclick: null });
+successfullyParsed = true;
+</script>
+<script src=""
+</body>
+</html>
\ No newline at end of file
Modified: branches/safari-536.28-branch/Source/WebCore/ChangeLog (133352 => 133353)
--- branches/safari-536.28-branch/Source/WebCore/ChangeLog 2012-11-02 21:38:10 UTC (rev 133352)
+++ branches/safari-536.28-branch/Source/WebCore/ChangeLog 2012-11-02 21:45:04 UTC (rev 133353)
@@ -1,5 +1,25 @@
2012-11-02 Lucas Forschler <[email protected]>
+ Merge r124626
+
+ 2012-07-20 Jon Lee <[email protected]>
+
+ Crash in Notification when setting a non-object as an event listener (91881)
+ https://bugs.webkit.org/show_bug.cgi?id=91881
+ <rdar://problem/11923341>
+
+ Reviewed by Oliver Hunt.
+
+ Check to make sure that the value being retrieved is an object. This is similar
+ to the isObject() check done in the bindings code.
+
+ Test: fast/notifications/notifications-event-listener-crash.html
+
+ * bindings/js/Dictionary.h:
+ (WebCore::Dictionary::getEventListener):
+
+2012-11-02 Lucas Forschler <[email protected]>
+
Merge r124588
2012-08-03 Adam Barth <[email protected]>
@@ -206085,3 +206105,4 @@
.
.
.
+.
Modified: branches/safari-536.28-branch/Source/WebCore/bindings/js/Dictionary.h (133352 => 133353)
--- branches/safari-536.28-branch/Source/WebCore/bindings/js/Dictionary.h 2012-11-02 21:38:10 UTC (rev 133352)
+++ branches/safari-536.28-branch/Source/WebCore/bindings/js/Dictionary.h 2012-11-02 21:45:04 UTC (rev 133353)
@@ -93,7 +93,9 @@
return 0;
if (eventListener.hasNoValue())
return 0;
-
+ if (!eventListener.isObject())
+ return 0;
+
return JSEventListener::create(asObject(eventListener.jsValue()), asJSObject(target), true, currentWorld(m_dictionary.execState()));
}
_______________________________________________
webkit-changes mailing list
[email protected]
http://lists.webkit.org/mailman/listinfo/webkit-changes
