Diff
Copied: branches/chromium/1364/LayoutTests/fast/history/replacestate-nocrash-expected.txt (from rev 140748, trunk/LayoutTests/fast/history/replacestate-nocrash-expected.txt) (0 => 141138)
--- branches/chromium/1364/LayoutTests/fast/history/replacestate-nocrash-expected.txt (rev 0)
+++ branches/chromium/1364/LayoutTests/fast/history/replacestate-nocrash-expected.txt 2013-01-29 20:10:04 UTC (rev 141138)
@@ -0,0 +1 @@
+Test passes if it does not crash.
Copied: branches/chromium/1364/LayoutTests/fast/history/replacestate-nocrash.html (from rev 140748, trunk/LayoutTests/fast/history/replacestate-nocrash.html) (0 => 141138)
--- branches/chromium/1364/LayoutTests/fast/history/replacestate-nocrash.html (rev 0)
+++ branches/chromium/1364/LayoutTests/fast/history/replacestate-nocrash.html 2013-01-29 20:10:04 UTC (rev 141138)
@@ -0,0 +1,12 @@
+<!DOCTYPE html>
+<html>
+Test passes if it does not crash.
+<script>
+if (window.testRunner)
+ testRunner.dumpAsText();
+
+Object.prototype.__defineSetter__("foo",function(){history.replaceState("")});
+history.replaceState({foo:1,zzz:Array(1<<22).join("a")});
+history.state.length;
+</script>
+</html>
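Review bot: The test gives no hint of what it guards, so the next person to touch the history bindings cannot tell which re-entrancy it covers; a comment above the script would help, e.g. `<!-- The "foo" setter on Object.prototype fires while history.state is being deserialized and calls replaceState() re-entrantly; the state object being read must not be freed. -->`. The large `zzz` property presumably exists so that deserialization still has data to read after the setter runs, but that intent is also undocumented and worth a word. The test only verifies "does not crash"; an additional assertion on what `history.state` holds afterwards would pin the intended post-condition, if that behaviour is specified.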
Modified: branches/chromium/1364/Source/WebCore/bindings/v8/custom/V8HistoryCustom.cpp (141137 => 141138)
--- branches/chromium/1364/Source/WebCore/bindings/v8/custom/V8HistoryCustom.cpp 2013-01-29 20:07:46 UTC (rev 141137)
+++ branches/chromium/1364/Source/WebCore/bindings/v8/custom/V8HistoryCustom.cpp 2013-01-29 20:10:04 UTC (rev 141138)
@@ -51,7 +51,7 @@
if (!value.IsEmpty() && !history->stateChanged())
return value;
- SerializedScriptValue* serialized = history->state();
+ RefPtr<SerializedScriptValue> serialized = history->state();
value = serialized ? serialized->deserialize(0, info.GetIsolate()) : v8::Handle<v8::Value>(v8Null(info.GetIsolate()));
info.Holder()->SetHiddenValue(V8HiddenPropertyName::state(), value);
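Review bot: The switch from a raw pointer to `RefPtr<SerializedScriptValue>` is the whole fix, but nothing in the code says why the reference must be held, and a future cleanup could easily revert it. A one-line comment above the new line would protect it: `// Hold a ref: deserialize() can run script (e.g. a setter) that calls replaceState() and drops the HistoryItem's reference while we are still reading this object.` The enclosing accessor starts before this hunk, so whether `value` can be empty after a throwing deserialize() and what SetHiddenValue does with that is not visible here.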
Modified: branches/chromium/1364/Source/WebCore/history/HistoryItem.h (141137 => 141138)
--- branches/chromium/1364/Source/WebCore/history/HistoryItem.h 2013-01-29 20:07:46 UTC (rev 141137)
+++ branches/chromium/1364/Source/WebCore/history/HistoryItem.h 2013-01-29 20:10:04 UTC (rev 141138)
@@ -28,6 +28,7 @@
#define HistoryItem_h
#include "IntPoint.h"
+#include "SerializedScriptValue.h"
#include <wtf/HashMap.h>
#include <wtf/OwnPtr.h>
#include <wtf/PassOwnPtr.h>
@@ -58,7 +59,6 @@
class Image;
class KURL;
class ResourceRequest;
-class SerializedScriptValue;
typedef Vector<RefPtr<HistoryItem> > HistoryItemVector;
@@ -145,7 +145,7 @@
void setIsTargetItem(bool);
void setStateObject(PassRefPtr<SerializedScriptValue> object);
- SerializedScriptValue* stateObject() const { return m_stateObject.get(); }
+ PassRefPtr<SerializedScriptValue> stateObject() const { return m_stateObject; }
void setItemSequenceNumber(long long number) { m_itemSequenceNumber = number; }
long long itemSequenceNumber() const { return m_itemSequenceNumber; }
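Review bot: `stateObject()` now returns a reference-holding `PassRefPtr` from a const getter, which is atypical for accessors in this codebase and is easy to mistake for an accident; a comment should record the reason, e.g. `// Deliberately returns a ref-holding handle rather than a raw pointer: a caller may run script that replaces m_stateObject while still using the old value.` The callers visible in this change (History, FrameLoader, the V8 binding) were updated to hold the reference; any other caller that still stores the result as a raw `SerializedScriptValue*` would lose that protection and should be checked, though none is visible from this diff.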
Modified: branches/chromium/1364/Source/WebCore/loader/FrameLoader.cpp (141137 => 141138)
--- branches/chromium/1364/Source/WebCore/loader/FrameLoader.cpp 2013-01-29 20:07:46 UTC (rev 141137)
+++ branches/chromium/1364/Source/WebCore/loader/FrameLoader.cpp 2013-01-29 20:10:04 UTC (rev 141138)
@@ -1001,7 +1001,7 @@
// This does the same kind of work that didOpenURL does, except it relies on the fact
// that a higher level already checked that the URLs match and the scrolling is the right thing to do.
-void FrameLoader::loadInSameDocument(const KURL& url, SerializedScriptValue* stateObject, bool isNewNavigation)
+void FrameLoader::loadInSameDocument(const KURL& url, PassRefPtr<SerializedScriptValue> stateObject, bool isNewNavigation)
{
// If we have a state object, we cannot also be a new navigation.
ASSERT(!stateObject || (stateObject && !isNewNavigation));
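Review bot: A `PassRefPtr` parameter is a transfer handle, not a borrow: copying it (for example passing `stateObject` on to another function that takes `PassRefPtr`) leaks the reference out of the parameter and leaves it null for the rest of the function, so the lifetime guarantee this change is after holds only until the first such hand-off. Converting it once at the top of the body, `RefPtr<SerializedScriptValue> state = stateObject;`, and using `state` afterwards keeps the object alive for the whole of loadInSameDocument regardless of how it is passed along. The function body continues outside this hunk, so whether the parameter is in fact passed on more than once cannot be confirmed here. Separately, the ASSERT's `(stateObject && !isNewNavigation)` clause is redundant given the `!stateObject ||` before it; `ASSERT(!stateObject || !isNewNavigation)` says the same thing.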
Modified: branches/chromium/1364/Source/WebCore/loader/FrameLoader.h (141137 => 141138)
--- branches/chromium/1364/Source/WebCore/loader/FrameLoader.h 2013-01-29 20:07:46 UTC (rev 141137)
+++ branches/chromium/1364/Source/WebCore/loader/FrameLoader.h 2013-01-29 20:10:04 UTC (rev 141138)
@@ -352,7 +352,7 @@
void detachChildren();
void closeAndRemoveChild(Frame*);
- void loadInSameDocument(const KURL&, SerializedScriptValue* stateObject, bool isNewNavigation);
+ void loadInSameDocument(const KURL&, PassRefPtr<SerializedScriptValue> stateObject, bool isNewNavigation);
void prepareForLoadStart();
void provisionalLoadStarted();
Modified: branches/chromium/1364/Source/WebCore/page/History.cpp (141137 => 141138)
--- branches/chromium/1364/Source/WebCore/page/History.cpp 2013-01-29 20:07:46 UTC (rev 141137)
+++ branches/chromium/1364/Source/WebCore/page/History.cpp 2013-01-29 20:10:04 UTC (rev 141138)
@@ -55,13 +55,13 @@
return m_frame->page()->backForward()->count();
}
-SerializedScriptValue* History::state()
+PassRefPtr<SerializedScriptValue> History::state()
{
m_lastStateObjectRequested = stateInternal();
return m_lastStateObjectRequested;
}
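Review bot: `m_lastStateObjectRequested` becoming a `RefPtr` means History now pins the previously requested state object until the next state() call, which is what makes a pointer-identity comparison in stateChanged() (not visible here) safe: with a raw pointer, a state object freed by replaceState() and reallocated at the same address could presumably compare equal and return a stale cached value. That reasoning deserves a comment on the member in History.h, e.g. `// Holds a ref so the identity check in stateChanged() cannot be fooled by a freed-and-reused address.` The cost is that a large replaced state (the regression test uses a multi-megabyte string) stays resident until state() is next called, which is worth noting as an accepted trade-off.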
-SerializedScriptValue* History::stateInternal() const
+PassRefPtr<SerializedScriptValue> History::stateInternal() const
{
if (!m_frame)
return 0;
Modified: branches/chromium/1364/Source/WebCore/page/History.h (141137 => 141138)
--- branches/chromium/1364/Source/WebCore/page/History.h 2013-01-29 20:07:46 UTC (rev 141137)
+++ branches/chromium/1364/Source/WebCore/page/History.h 2013-01-29 20:10:04 UTC (rev 141138)
@@ -45,7 +45,7 @@
static PassRefPtr<History> create(Frame* frame) { return adoptRef(new History(frame)); }
unsigned length() const;
- SerializedScriptValue* state();
+ PassRefPtr<SerializedScriptValue> state();
void back();
void forward();
void go(int distance);
@@ -68,9 +68,9 @@
KURL urlForState(const String& url);
- SerializedScriptValue* stateInternal() const;
+ PassRefPtr<SerializedScriptValue> stateInternal() const;
- SerializedScriptValue* m_lastStateObjectRequested;
+ RefPtr<SerializedScriptValue> m_lastStateObjectRequested;
};
} // namespace WebCore