Title: [105351] branches/chromium/912
Revision
105351
Author
infe...@chromium.org
Date
2012-01-18 16:39:17 -0800 (Wed, 18 Jan 2012)

Log Message

Merge 103979 - v8 binding: npCreateV8ScriptObject() should not return an existing V8NPObject if the rootObject doesn't match
BUG=107616
Review URL: https://chromiumcodereview.appspot.com/9260002

Modified Paths

Added Paths

Diff

Copied: branches/chromium/912/LayoutTests/http/tests/plugins/create-v8-script-objects-expected.txt (from rev 103979, trunk/LayoutTests/http/tests/plugins/create-v8-script-objects-expected.txt) (0 => 105351)


--- branches/chromium/912/LayoutTests/http/tests/plugins/create-v8-script-objects-expected.txt	                        (rev 0)
+++ branches/chromium/912/LayoutTests/http/tests/plugins/create-v8-script-objects-expected.txt	2012-01-19 00:39:17 UTC (rev 105351)
@@ -0,0 +1,5 @@
+Test for bug 74515: npCreateV8ScriptObject() should not return an existing V8NPObject if the rootObject doesn't match.
+The subframe causes an entry corresponding to window.top to be added to staticV8NPObjectMap with the subframe as rootObject. When the plugin in the main frame executes script "outputResult()", the existing entry in staticV8NPObjectMap should not be used. Otherwise the wrong outputResult(), which is in the subframe, will be called.
+
+
+SUCCESS

Copied: branches/chromium/912/LayoutTests/http/tests/plugins/create-v8-script-objects.html (from rev 103979, trunk/LayoutTests/http/tests/plugins/create-v8-script-objects.html) (0 => 105351)


--- branches/chromium/912/LayoutTests/http/tests/plugins/create-v8-script-objects.html	                        (rev 0)
+++ branches/chromium/912/LayoutTests/http/tests/plugins/create-v8-script-objects.html	2012-01-19 00:39:17 UTC (rev 105351)
@@ -0,0 +1,31 @@
+<html>
+<head>
+<script type="text/_javascript_">
+if (window.layoutTestController) {
+    layoutTestController.dumpAsText();
+    layoutTestController.waitUntilDone();
+}
+
+function onSubframeLoaded() {
+    document.getElementById('pluginContainer').innerHTML =
+        '<embed name="plugin" type="application/x-webkit-test-netscape"></embed>';
+    document.plugin.testEvaluate('outputResult()');
+
+    if (window.layoutTestController)
+        layoutTestController.notifyDone();
+}
+
+function outputResult() {
+    document.getElementById('result').innerHTML = 'SUCCESS';
+}
+</script>
+</head>
+<body>
+<div>Test for <a href="" 74515</a>: npCreateV8ScriptObject() should not return an existing V8NPObject if the rootObject doesn't match.</div>
+<div>The subframe causes an entry corresponding to window.top to be added to staticV8NPObjectMap with the subframe as rootObject. When the plugin in the main frame executes script "outputResult()", the existing entry in staticV8NPObjectMap should not be used. Otherwise the wrong outputResult(), which is in the subframe, will be called.
+</div>
+<iframe name="childFrame" src=""
+<div id="pluginContainer"></div>
+<div id="result">Running...</div>
+</body>
+</html>
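Review bot: The two markup lines `<a href="" 74515</a>` and `<iframe name="childFrame" src=""` are unterminated and have empty URLs as shown, which would mean the subframe never loads, `onSubframeLoaded()` never fires, and the test hangs in `waitUntilDone()`. The `text/_javascript_` and `_onload_` tokens suggest this is the mailing-list archiver munging attributes rather than the committed file, so this is likely a display artifact; worth confirming against the repository copy. If the file really is missing the `src`, it should point at `resources/create-v8-script-objects-iframe.html`, which is the companion file this commit adds, and both tags need their closing `>`.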

Copied: branches/chromium/912/LayoutTests/http/tests/plugins/resources/create-v8-script-objects-iframe.html (from rev 103979, trunk/LayoutTests/http/tests/plugins/resources/create-v8-script-objects-iframe.html) (0 => 105351)


--- branches/chromium/912/LayoutTests/http/tests/plugins/resources/create-v8-script-objects-iframe.html	                        (rev 0)
+++ branches/chromium/912/LayoutTests/http/tests/plugins/resources/create-v8-script-objects-iframe.html	2012-01-19 00:39:17 UTC (rev 105351)
@@ -0,0 +1,17 @@
+<html>
+<head>
+<script type="text/_javascript_">
+function runTest() {
+    document.plugin.remember(window.top);
+    window.top.onSubframeLoaded();
+}
+
+function outputResult() {
+    window.top.document.getElementById('result').innerHTML = 'FAILURE';
+}
+</script>
+</head>
+<body _onload_="runTest();">
+<embed name="plugin" type="application/x-webkit-test-netscape"></embed>
+</body>
+</html>

Modified: branches/chromium/912/Source/WebCore/bindings/v8/NPV8Object.cpp (105350 => 105351)


--- branches/chromium/912/Source/WebCore/bindings/v8/NPV8Object.cpp	2012-01-19 00:34:44 UTC (rev 105350)
+++ branches/chromium/912/Source/WebCore/bindings/v8/NPV8Object.cpp	2012-01-19 00:39:17 UTC (rev 105351)
@@ -57,7 +57,8 @@
     return &typeInfo;
 }
 
-typedef HashMap<int, V8NPObject*> V8NPObjectMap;
+typedef Vector<V8NPObject*> V8NPObjectVector;
+typedef HashMap<int, V8NPObjectVector> V8NPObjectMap;
 
 static V8NPObjectMap* staticV8NPObjectMap()
 {
@@ -75,8 +76,19 @@
 {
     V8NPObject* v8NpObject = reinterpret_cast<V8NPObject*>(npObject);
     if (int v8ObjectHash = v8NpObject->v8Object->GetIdentityHash()) {
-        ASSERT(staticV8NPObjectMap()->contains(v8ObjectHash));
-        staticV8NPObjectMap()->remove(v8ObjectHash);
+        V8NPObjectMap::iterator iter = staticV8NPObjectMap()->find(v8ObjectHash);
+        if (iter != staticV8NPObjectMap()->end()) {
+            V8NPObjectVector& objects = iter->second;
+            for (size_t index = 0; index < objects.size(); ++index) {
+                if (objects.at(index) == v8NpObject) {
+                    objects.remove(index);
+                    break;
+                }
+            }
+            if (objects.isEmpty())
+                staticV8NPObjectMap()->remove(v8ObjectHash);
+        } else
+            ASSERT_NOT_REACHED();
     } else {
         ASSERT(!v8::Context::InContext());
         staticV8NPObjectMap()->clear();
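Review bot: The hand-written index loop that locates `v8NpObject` in `objects` reads as a search-and-remove, which is clearer as `size_t index = objects.find(v8NpObject); if (index != notFound) objects.remove(index);` — assuming this WTF revision's `Vector` has `find()`, which I believe it does. Note that in release builds the `else ASSERT_NOT_REACHED();` branch silently does nothing, so an object whose hash is not in the map is freed without any bookkeeping; that matches the old behaviour but a one-line comment saying so would help the next reader. The enclosing function's signature is above this hunk and its body continues past it.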
@@ -139,11 +151,19 @@
 
     int v8ObjectHash = object->GetIdentityHash();
     ASSERT(v8ObjectHash);
-    if (staticV8NPObjectMap()->contains(v8ObjectHash)) {
-        V8NPObject* v8npObject = staticV8NPObjectMap()->get(v8ObjectHash);
-        ASSERT(v8npObject->v8Object == object);
-        _NPN_RetainObject(&v8npObject->object);
-        return reinterpret_cast<NPObject*>(v8npObject);
+    V8NPObjectMap::iterator iter = staticV8NPObjectMap()->find(v8ObjectHash);
+    if (iter != staticV8NPObjectMap()->end()) {
+        V8NPObjectVector& objects = iter->second;
+        for (size_t index = 0; index < objects.size(); ++index) {
+            V8NPObject* v8npObject = objects.at(index);
+            if (v8npObject->rootObject == root) {
+                ASSERT(v8npObject->v8Object == object);
+                _NPN_RetainObject(&v8npObject->object);
+                return reinterpret_cast<NPObject*>(v8npObject);
+            }
+        }
+    } else {
+        iter = staticV8NPObjectMap()->set(v8ObjectHash, V8NPObjectVector()).first; 
     }
 
     V8NPObject* v8npObject = reinterpret_cast<V8NPObject*>(_NPN_CreateObject(npp, &V8NPObjectClass));
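Review bot: The lookup now selects an entry on `rootObject == root` alone and only ASSERTs `v8npObject->v8Object == object`; `GetIdentityHash()` is an `int` hash rather than a unique id, so if two distinct V8 objects with the same root ever share a hash, a release build would hand the caller the wrong wrapper, which is exactly the kind of object confusion this commit is fixing. Since the vector is being scanned anyway, the match should check both, `if (v8npObject->rootObject == root && v8npObject->v8Object == object)`, and the ASSERT can go. Two smaller points: the `set(v8ObjectHash, V8NPObjectVector()).first;` line carries trailing whitespace, and `add()` expresses insert-if-absent more directly than `set()` here. The enclosing function begins above this hunk.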
@@ -153,7 +173,7 @@
 #endif
     v8npObject->rootObject = root;
 
-    staticV8NPObjectMap()->set(v8ObjectHash, v8npObject);
+    iter->second.append(v8npObject);
 
     return reinterpret_cast<NPObject*>(v8npObject);
 }
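Review bot: `iter->second.append(v8npObject)` uses a HashMap iterator obtained before the `_NPN_CreateObject()` call in the previous hunk; WTF::HashMap iterators are invalidated by any insertion that triggers a rehash, so if object allocation can re-enter `npCreateV8ScriptObject` (I cannot tell from here whether `V8NPObjectClass`'s allocate hook can), this append would write through a dangling iterator. Re-resolving the bucket at the point of use avoids the question: `staticV8NPObjectMap()->find(v8ObjectHash)->second.append(v8npObject);`, which is cheap relative to the allocation that just happened. The enclosing function begins above this hunk.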