Title: [95976] branches/chromium/835
Revision
95976
Author
infe...@chromium.org
Date
2011-09-26 12:48:17 -0700 (Mon, 26 Sep 2011)

Log Message

Merge 95667 - [Chromium] Protect the Frame in V8HTMLDocument::openCallback
BUG=97451
Review URL: http://codereview.chromium.org/8028034

Modified Paths

Added Paths

Diff

Copied: branches/chromium/835/LayoutTests/fast/dom/frame-deleted-in-document-open-expected.txt (from rev 95667, trunk/LayoutTests/fast/dom/frame-deleted-in-document-open-expected.txt) (0 => 95976)


--- branches/chromium/835/LayoutTests/fast/dom/frame-deleted-in-document-open-expected.txt	                        (rev 0)
+++ branches/chromium/835/LayoutTests/fast/dom/frame-deleted-in-document-open-expected.txt	2011-09-26 19:48:17 UTC (rev 95976)
@@ -0,0 +1 @@
+This test passes if it doesn't crash.

Copied: branches/chromium/835/LayoutTests/fast/dom/frame-deleted-in-document-open.html (from rev 95667, trunk/LayoutTests/fast/dom/frame-deleted-in-document-open.html) (0 => 95976)


--- branches/chromium/835/LayoutTests/fast/dom/frame-deleted-in-document-open.html	                        (rev 0)
+++ branches/chromium/835/LayoutTests/fast/dom/frame-deleted-in-document-open.html	2011-09-26 19:48:17 UTC (rev 95976)
@@ -0,0 +1,23 @@
+<html>
+<head>
+<script>
+if (window.layoutTestController)
+    layoutTestController.dumpAsText();
+
+window._onload_ = function()
+{
+    frame = document.body.appendChild(document.createElement("iframe"));
+
+    frame.contentWindow.open = null;
+    frame.contentWindow.__defineGetter__("open", function() {
+        document.body.removeChild(frame);
+        return function() { };
+    });
+    frame.contentDocument.open(1, 1, 1, 1, 1);
+}
+</script>
+</head>
+<body>
+This test passes if it doesn't crash.
+</body>
+</html>
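Review bot: `frame` is assigned without `var` at `frame = document.body.appendChild(...)`, so it becomes an implicit global; `var frame = document.body.appendChild(document.createElement("iframe"));` keeps the test self-contained and the getter below still closes over it. The handler name `window._onload_` reads like a transport mangling of `onload` in this rendering; presumably the checked-in file says `window.onload`, which is worth confirming because the test exercises nothing if the handler never fires.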

Modified: branches/chromium/835/Source/WebCore/bindings/v8/custom/V8HTMLDocumentCustom.cpp (95975 => 95976)


--- branches/chromium/835/Source/WebCore/bindings/v8/custom/V8HTMLDocumentCustom.cpp	2011-09-26 19:46:09 UTC (rev 95975)
+++ branches/chromium/835/Source/WebCore/bindings/v8/custom/V8HTMLDocumentCustom.cpp	2011-09-26 19:48:17 UTC (rev 95976)
@@ -132,9 +132,9 @@
     HTMLDocument* htmlDocument = V8HTMLDocument::toNative(args.Holder());
 
     if (args.Length() > 2) {
-        if (Frame* frame = htmlDocument->frame()) {
+        if (RefPtr<Frame> frame = htmlDocument->frame()) {
             // Fetch the global object for the frame.
-            v8::Local<v8::Context> context = V8Proxy::context(frame);
+            v8::Local<v8::Context> context = V8Proxy::context(frame.get());
             // Bail out if we cannot get the context.
             if (context.IsEmpty())
                 return v8::Undefined();
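Review bot: The switch to `RefPtr<Frame> frame` carries no comment saying why the reference is needed, and the reason is not visible in these lines: the later lookup of the `open` property can run author script (the accompanying layout test installs a getter that removes the iframe), so a raw `Frame*` could dangle before it is used again. Add above the `if`: `// Keep the frame alive: looking up "open" below can run script that detaches it.` The RefPtr keeps the Frame object alive but not attached, which is presumably why the second hunk has to tolerate a null proxy after that script has run. Note that `htmlDocument` stays a raw pointer across the same script execution; its wrapper in `args.Holder()` is presumably what keeps the document alive, but that is worth confirming. openCallback begins before this hunk and continues into the next one.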
@@ -151,8 +151,9 @@
             for (int i = 0; i < args.Length(); i++)
                 params[i] = args[i];
 
-            V8Proxy* proxy = V8Proxy::retrieve(frame);
-            ASSERT(proxy);
+            V8Proxy* proxy = V8Proxy::retrieve(frame.get());
+            if (!proxy)
+                return v8::Undefined();
 
             v8::Local<v8::Value> result = proxy->callFunction(v8::Local<v8::Function>::Cast(function), global, args.Length(), params);
             delete[] params;
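Review bot: The new early return at `if (!proxy) return v8::Undefined();` leaks `params`: the array is filled at `params[i] = args[i]` and released only by `delete[] params;` after the call, so bailing out between the two skips the release. Change it to `if (!proxy) { delete[] params; return v8::Undefined(); }`, or hold the array in an owning wrapper so every exit path frees it. The allocation of `params` is in the lines elided between the two hunks, so I am inferring it is a `new[]` array from the matching `delete[]`; openCallback also continues past this hunk. Since this bail-out is only reached after page script has already run (the `open` getter in the accompanying test removes the frame), the leak is reachable by page content.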