Title: [137964] trunk
- Revision: 137964
- Author: [email protected]
- Date: 2012-12-17 17:43:21 -0800 (Mon, 17 Dec 2012)
Log Message
Regression causing DOM objects to have unstable NPObject* references with v8 bindings
https://bugs.webkit.org/show_bug.cgi?id=104921
Source/WebCore:
Patch by Matthew Dempsky <[email protected]> on 2012-12-17
Reviewed by Kentaro Hara.
Fix regression introduced by changeset 135804 resulting in
unstable NPObject* references for v8 objects. In the iter !=
v8NPObjectMap->end() code path, objectVector was left unassigned
if the for loop terminated without returning.
Also, V8Object::GetIdentityHash() is documented as not being guaranteed
as unique. As such, don't ASSERT() that two objects with the same hash
must therefore be the same object.
Tests: plugins/npruntime/embed-property-iframe-equality.html
* bindings/v8/NPV8Object.cpp:
(WebCore::npCreateV8ScriptObject): Fix.
LayoutTests:
Patch by Matthew Dempsky <[email protected]> on 2012-12-17
Reviewed by Kentaro Hara.
Add variant of embed-property-equality test to verify that the
test still passes when the object being tested for equality
has already been remembered by a plugin from a different
JavaScript context.
* plugins/npruntime/embed-property-iframe-equality.html: Added.
* plugins/npruntime/embed-property-iframe-equality-expected.txt: Added.
Diff
Modified: trunk/LayoutTests/ChangeLog (137963 => 137964)
--- trunk/LayoutTests/ChangeLog 2012-12-18 01:35:13 UTC (rev 137963)
+++ trunk/LayoutTests/ChangeLog 2012-12-18 01:43:21 UTC (rev 137964)
@@ -1,3 +1,18 @@
+2012-12-17 Mathew Dempsky <[email protected]>
+
+ Regression causing DOM objects to have unstable NPObject* references with v8 bindings
+ https://bugs.webkit.org/show_bug.cgi?id=104921
+
+ Reviewed by Kentaro Hara.
+
+ Add variant of embed-property-equality test to verify that the
+ test still passes when the object being tested for equality
+ has already been remembered by a plugin from a different
+ _javascript_ context.
+
+ * plugins/npruntime/embed-property-iframe-equality.html: Added.
+ * plugins/npruntime/embed-property-iframe-equality-expected.txt: Added.
+
2012-12-17 Filip Pizlo <[email protected]>
DFG is too aggressive with eliding overflow checks in loops
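Review bot: The author name on the first added line is spelled "Mathew Dempsky", while the Source/WebCore ChangeLog entry added in this same revision spells it "Matthew Dempsky". The two entries should use the same spelling so that searches and blame by author name find both.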
Added: trunk/LayoutTests/plugins/npruntime/embed-property-iframe-equality-expected.txt (0 => 137964)
--- trunk/LayoutTests/plugins/npruntime/embed-property-iframe-equality-expected.txt (rev 0)
+++ trunk/LayoutTests/plugins/npruntime/embed-property-iframe-equality-expected.txt 2012-12-18 01:43:21 UTC (rev 137964)
@@ -0,0 +1,5 @@
+Test equality of plugin object properties.
+
+
+
+Send two references of a _javascript_ object to the plugin for identity comparison in C++ PASS
Added: trunk/LayoutTests/plugins/npruntime/embed-property-iframe-equality.html (0 => 137964)
--- trunk/LayoutTests/plugins/npruntime/embed-property-iframe-equality.html (rev 0)
+++ trunk/LayoutTests/plugins/npruntime/embed-property-iframe-equality.html 2012-12-18 01:43:21 UTC (rev 137964)
@@ -0,0 +1,17 @@
+<body>
+<p>Test equality of plugin object properties.</p>
+<embed id="plugin" type="application/x-webkit-test-netscape"><br>
+<iframe srcdoc="<script>parent.plugin.remember(parent.document)</script>"></iframe>
+<script>
+if (window.testRunner)
+ testRunner.dumpAsText();
+
+window._onload_ = function() {
+ var plugin = document.getElementById('plugin');
+ var div = document.createElement('div');
+ div.textContent = "Send two references of a _javascript_ object to the plugin for identity comparison in C++ "
+ + (plugin.objectsAreSame(document, document) ? "PASS" : "FAIL");
+ document.body.appendChild(div);
+}
+</script>
+</body>
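Review bot: The test can pass without exercising the regression, because nothing checks that the iframe's `parent.plugin.remember(parent.document)` call actually ran before `objectsAreSame(document, document)` is evaluated. If the srcdoc script throws (for example because `parent.plugin` does not resolve), the page still prints PASS through the same path the existing embed-property-equality test covers. Consider having the iframe script record success in a parent variable and printing FAIL when that flag is not set. Separately, the handler is assigned to `window._onload_` as shown here, a property the browser does not call on load; since the expected output requires the handler to run, this looks like the list archive's rendering of the identifier rather than the committed text.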
Modified: trunk/Source/WebCore/ChangeLog (137963 => 137964)
--- trunk/Source/WebCore/ChangeLog 2012-12-18 01:35:13 UTC (rev 137963)
+++ trunk/Source/WebCore/ChangeLog 2012-12-18 01:43:21 UTC (rev 137964)
@@ -1,3 +1,24 @@
+2012-12-17 Matthew Dempsky <[email protected]>
+
+ Regression causing DOM objects to have unstable NPObject* references with v8 bindings
+ https://bugs.webkit.org/show_bug.cgi?id=104921
+
+ Reviewed by Kentaro Hara.
+
+ Fix regression introduced by changeset 135804 resulting in
+ unstable NPObject* references for v8 objects. In the iter !=
+ v8NPObjectMap->end() code path, objectVector was left unassigned
+ if the for loop terminated without returning.
+
+ Also, V8Object::GetIdentityHash() is documented as not being guaranteed
+ as unique. As such, don't ASSERT() that two objects with the same hash
+ must therefor be the same object.
+
+ Tests: plugins/npruntime/embed-property-iframe-equality.html
+
+ * bindings/v8/NPV8Object.cpp:
+ (WebCore::npCreateV8ScriptObject): Fix.
+
2012-12-17 Chris Fleizach <[email protected]>
Seamless iframe should not announce a new browsing context
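Review bot: The per-function note "(WebCore::npCreateV8ScriptObject): Fix." says nothing about what changed in the function; it would be more useful to name both changes there, the objectVector assignment on the map-hit path and the replacement of the ASSERT with an object comparison. Also "therefor" in the second paragraph should read "therefore".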
Modified: trunk/Source/WebCore/bindings/v8/NPV8Object.cpp (137963 => 137964)
--- trunk/Source/WebCore/bindings/v8/NPV8Object.cpp 2012-12-18 01:35:13 UTC (rev 137963)
+++ trunk/Source/WebCore/bindings/v8/NPV8Object.cpp 2012-12-18 01:43:21 UTC (rev 137964)
@@ -155,16 +155,15 @@
V8NPObjectVector& objects = iter->value;
for (size_t index = 0; index < objects.size(); ++index) {
V8NPObject* v8npObject = objects.at(index);
- if (v8npObject->rootObject == root) {
- ASSERT(v8npObject->v8Object == object);
+ if (v8npObject->v8Object == object && v8npObject->rootObject == root) {
_NPN_RetainObject(&v8npObject->object);
return reinterpret_cast<NPObject*>(v8npObject);
}
}
} else {
iter = v8NPObjectMap->set(v8ObjectHash, V8NPObjectVector()).iterator;
- objectVector = &iter->value;
}
+ objectVector = &iter->value;
}
V8NPObject* v8npObject = reinterpret_cast<V8NPObject*>(_NPN_CreateObject(npp, &V8NPObjectClass));
v8npObject->v8Object = v8::Persistent<v8::Object>::New(object);
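Review bot: With the ASSERT removed, nothing at the new `if (v8npObject->v8Object == object && v8npObject->rootObject == root)` explains why the object comparison is required in addition to the root comparison. A one-line comment stating that identity hashes may collide, so one bucket can hold entries for different objects, would keep a later cleanup from dropping the check and handing a plugin an NPObject that wraps the wrong v8 object. On the hoisted `objectVector = &iter->value;`: both branches now have to leave `iter` valid for that line to be correct, and the declaration and later use of `objectVector` fall outside the visible context, so it is worth confirming that the path which skips this block entirely still sees an initialized pointer. Collapsing the find and set pair into a single find-or-insert would remove the two-branch shape that allowed the original omission.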