[SCM] WebKit Debian packaging branch, webkit-1.1, updated. upstream/1.1.16-1409-g5afdf4d
eric at webkit.org
eric at webkit.org
Thu Dec 3 13:42:39 UTC 2009
The following commit has been merged in the webkit-1.1 branch:
commit 4fc5bb704a13adda5196a311307827f50b732d30
Author: eric at webkit.org <eric at webkit.org@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
Date: Mon Nov 23 12:58:30 2009 +0000
2009-11-23 Simon Hausmann <simon.hausmann at nokia.com>
Reviewed by Kenneth Rohde Christiansen.
[Qt] Wrong runtime instance objects of wrapped QObjects may be used if
the wrapped object died before the gc removed the instance.
https://bugs.webkit.org/show_bug.cgi?id=31681
Before using a cached instance, verify that its wrapped QObject is
still alive.
* bridge/qt/qt_instance.cpp:
(JSC::Bindings::QtInstance::getQtInstance):
* bridge/qt/qt_instance.h:
(JSC::Bindings::QtInstance::hashKey):
2009-11-23 Simon Hausmann <simon.hausmann at nokia.com>
Reviewed by Kenneth Rohde Christiansen.
[Qt] Wrong runtime instance objects of wrapped QObjects may be used if
the wrapped object died before the gc removed the instance.
https://bugs.webkit.org/show_bug.cgi?id=31681
Added a unit test to verify that wrapping a QObject with the
same identity as a previously wrapped but now dead object works.
* tests/qwebframe/tst_qwebframe.cpp:
git-svn-id: http://svn.webkit.org/repository/webkit/trunk@51306 268f45cc-cd09-0410-ab3c-d52691b4dbfc
diff --git a/WebCore/ChangeLog b/WebCore/ChangeLog
index 9acaadf..456078c 100644
--- a/WebCore/ChangeLog
+++ b/WebCore/ChangeLog
@@ -1,3 +1,20 @@
+2009-11-23 Simon Hausmann <simon.hausmann at nokia.com>
+
+ Reviewed by Kenneth Rohde Christiansen.
+
+ [Qt] Wrong runtime instance objects of wrapped QObjects may be used if
+ the wrapped object died before the gc removed the instance.
+
+ https://bugs.webkit.org/show_bug.cgi?id=31681
+
+ Before using a cached instance, verify that its wrapped QObject is
+ still alive.
+
+ * bridge/qt/qt_instance.cpp:
+ (JSC::Bindings::QtInstance::getQtInstance):
+ * bridge/qt/qt_instance.h:
+ (JSC::Bindings::QtInstance::hashKey):
+
2009-11-22 Chris Fleizach <cfleizach at apple.com>
Reviewed by Oliver Hunt.
diff --git a/WebCore/bridge/qt/qt_instance.cpp b/WebCore/bridge/qt/qt_instance.cpp
index 26fd701..c6185e9 100644
--- a/WebCore/bridge/qt/qt_instance.cpp
+++ b/WebCore/bridge/qt/qt_instance.cpp
@@ -119,10 +119,17 @@ PassRefPtr<QtInstance> QtInstance::getQtInstance(QObject* o, PassRefPtr<RootObje
{
JSLock lock(SilenceAssertionsOnly);
- foreach(QtInstance* instance, cachedInstances.values(o)) {
- if (instance->rootObject() == rootObject)
- return instance;
- }
+ foreach(QtInstance* instance, cachedInstances.values(o))
+ if (instance->rootObject() == rootObject) {
+ // The garbage collector removes instances, but it may happen that the wrapped
+ // QObject dies before the gc kicks in. To handle that case we have to do an additional
+ // check if to see if the instance's wrapped object is still alive. If it isn't, then
+ // we have to create a new wrapper.
+ if (!instance->getObject())
+ cachedInstances.remove(instance->hashKey());
+ else
+ return instance;
+ }
RefPtr<QtInstance> ret = QtInstance::create(o, rootObject, ownership);
cachedInstances.insert(o, ret.get());
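Review bot: The liveness check `if (!instance->getObject())` only does anything if `m_object` is a guarded pointer (QPointer or similar) that is reset when the wrapped QObject is destroyed; the header hunk shows `getObject()` returning `QObject*` but not the member's type, and if it is a plain raw pointer the check never fires and a stale wrapper is still handed back for a reused address. `cachedInstances.remove(instance->hashKey())` drops every entry under that key, i.e. the wrappers for all RootObjects of the same dead QObject, which is presumably intended but deserves a sentence in the comment; the loop itself is safe because `foreach` walks a detached copy of `values(o)`. The new comment also has a typo: `check if to see if the instance's wrapped object is still alive` should read `check to see whether the instance's wrapped object is still alive`. getQtInstance's body ends outside the hunk.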
diff --git a/WebCore/bridge/qt/qt_instance.h b/WebCore/bridge/qt/qt_instance.h
index 00aaa5b..0afc6c7 100644
--- a/WebCore/bridge/qt/qt_instance.h
+++ b/WebCore/bridge/qt/qt_instance.h
@@ -59,6 +59,7 @@ public:
JSValue booleanValue() const;
QObject* getObject() const { return m_object; }
+ QObject* hashKey() const { return m_hashkey; }
static PassRefPtr<QtInstance> getQtInstance(QObject*, PassRefPtr<RootObject>, QScriptEngine::ValueOwnership ownership);
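Review bot: `hashKey()` hands out a raw `QObject*` that serves only as the identity key for the instance cache, and in exactly the case the commit handles (the wrapped object has died) it is a dangling pointer; the declaration should say so, e.g. `// Cache identity key only: may point at an already destroyed QObject, never dereference.`. Since getQtInstance is a static member of the same class it could read `m_hashkey` directly, so the accessor could be private unless another caller is planned.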
diff --git a/WebKit/qt/ChangeLog b/WebKit/qt/ChangeLog
index 7ed361b..d28e9f9 100644
--- a/WebKit/qt/ChangeLog
+++ b/WebKit/qt/ChangeLog
@@ -1,3 +1,17 @@
+2009-11-23 Simon Hausmann <simon.hausmann at nokia.com>
+
+ Reviewed by Kenneth Rohde Christiansen.
+
+ [Qt] Wrong runtime instance objects of wrapped QObjects may be used if
+ the wrapped object died before the gc removed the instance.
+
+ https://bugs.webkit.org/show_bug.cgi?id=31681
+
+ Added a unit-test to verify that wrapping a QObject with the
+ same identity as a previously but now dead object works.
+
+ * tests/qwebframe/tst_qwebframe.cpp:
+
2009-11-19 Jocelyn Turcotte <jocelyn.turcotte at nokia.com>
Reviewed by Kenneth Rohde Christiansen.
diff --git a/WebKit/qt/tests/qwebframe/tst_qwebframe.cpp b/WebKit/qt/tests/qwebframe/tst_qwebframe.cpp
index f6f2302..cb35bc1 100644
--- a/WebKit/qt/tests/qwebframe/tst_qwebframe.cpp
+++ b/WebKit/qt/tests/qwebframe/tst_qwebframe.cpp
@@ -604,6 +604,7 @@ private slots:
void render();
void scrollPosition();
void evaluateWillCauseRepaint();
+ void qObjectWrapperWithSameIdentity();
private:
QString evalJS(const QString&s) {
@@ -2758,6 +2759,43 @@ void tst_QWebFrame::evaluateWillCauseRepaint()
QTest::qWait(2000);
}
+class TestFactory : public QObject
+{
+ Q_OBJECT
+public:
+ TestFactory()
+ : obj(0), counter(0)
+ {}
+
+ Q_INVOKABLE QObject* getNewObject()
+ {
+ delete obj;
+ obj = new QObject(this);
+ obj->setObjectName(QLatin1String("test") + QString::number(++counter));
+ return obj;
+
+ }
+
+ QObject* obj;
+ int counter;
+};
+
+void tst_QWebFrame::qObjectWrapperWithSameIdentity()
+{
+ m_view->setHtml("<script>function triggerBug() { document.getElementById('span1').innerText = test.getNewObject().objectName; }</script>"
+ "<body><span id='span1'>test</span></body>");
+
+ QWebFrame* mainFrame = m_view->page()->mainFrame();
+ QCOMPARE(mainFrame->toPlainText(), QString("test"));
+
+ mainFrame->addToJavaScriptWindowObject("test", new TestFactory, QScriptEngine::ScriptOwnership);
+
+ mainFrame->evaluateJavaScript("triggerBug();");
+ QCOMPARE(mainFrame->toPlainText(), QString("test1"));
+
+ mainFrame->evaluateJavaScript("triggerBug();");
+ QCOMPARE(mainFrame->toPlainText(), QString("test2"));
+}
QTEST_MAIN(tst_QWebFrame)
#include "tst_qwebframe.moc"
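Review bot: qObjectWrapperWithSameIdentity only reaches the fixed code path if the allocator returns the freed QObject's address for the new one in getNewObject; when it does not, the cache lookup simply misses and the test passes with or without the qt_instance.cpp change, so it can stay green while not covering the bug. A comment in the test body such as `// Depends on the allocator reusing the deleted QObject's address so the stale cached wrapper is hit; without reuse the test passes trivially.` would tell the next maintainer why a failure here may be intermittent. The blank line before the closing brace of getNewObject is stray.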