[SCM] WebKit Debian packaging branch, webkit-1.2, updated. upstream/1.1.90-6072-g9a69373

eric at webkit.org eric at webkit.org
Wed Apr 7 23:30:13 UTC 2010


The following commit has been merged in the webkit-1.2 branch:
commit 5624b931d5c2e7e0c518da4a83ce3794903bd2a3
Author: eric at webkit.org <eric at webkit.org@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
Date:   Wed Nov 11 02:15:19 2009 +0000

    2009-11-10  Vitaly Repeshko  <vitalyr at chromium.org>
    
            Reviewed by Dimitri Glazkov.
    
            [V8] Fix crash in V8CustomXPathNSResolver (http://crbug.com/26726).
            https://bugs.webkit.org/show_bug.cgi?id=31301
    
            * fast/xpath/xpath-detached-iframe-resolver-crash-expected.txt: Added.
            * fast/xpath/xpath-detached-iframe-resolver-crash.html: Added.
    2009-11-10  Vitaly Repeshko  <vitalyr at chromium.org>
    
            Reviewed by Dimitri Glazkov.
    
            [V8] Fix crash in V8CustomXPathNSResolver (http://crbug.com/26726).
            https://bugs.webkit.org/show_bug.cgi?id=31301
    
            Tested by new fast/xpath/xpath-detached-iframe-resolver-crash.html.
    
            Allowed passing V8Proxy for the calling JS context:
            * bindings/v8/V8DOMWrapper.h:
            (WebCore::V8DOMWrapper::getXPathNSResolver):
            * bindings/v8/custom/V8CustomXPathNSResolver.cpp:
            (WebCore::V8CustomXPathNSResolver::create):
            (WebCore::V8CustomXPathNSResolver::V8CustomXPathNSResolver):
            (WebCore::V8CustomXPathNSResolver::lookupNamespaceURI):
            * bindings/v8/custom/V8CustomXPathNSResolver.h:
            * bindings/v8/custom/V8DocumentCustom.cpp:
            (WebCore::CALLBACK_FUNC_DECL):
    
    git-svn-id: http://svn.webkit.org/repository/webkit/trunk@50785 268f45cc-cd09-0410-ab3c-d52691b4dbfc

diff --git a/LayoutTests/ChangeLog b/LayoutTests/ChangeLog
index 36c6693..48c4b72 100644
--- a/LayoutTests/ChangeLog
+++ b/LayoutTests/ChangeLog
@@ -1,3 +1,13 @@
+2009-11-10  Vitaly Repeshko  <vitalyr at chromium.org>
+
+        Reviewed by Dimitri Glazkov.
+
+        [V8] Fix crash in V8CustomXPathNSResolver (http://crbug.com/26726).
+        https://bugs.webkit.org/show_bug.cgi?id=31301
+
+        * fast/xpath/xpath-detached-iframe-resolver-crash-expected.txt: Added.
+        * fast/xpath/xpath-detached-iframe-resolver-crash.html: Added.
+
 2009-11-10  Yael Aharon  <yael.aharon at nokia.com>
 
         Reviewed by Timothy Hatcher.
diff --git a/LayoutTests/fast/xpath/xpath-detached-iframe-resolver-crash-expected.txt b/LayoutTests/fast/xpath/xpath-detached-iframe-resolver-crash-expected.txt
new file mode 100644
index 0000000..ca8b136
--- /dev/null
+++ b/LayoutTests/fast/xpath/xpath-detached-iframe-resolver-crash-expected.txt
@@ -0,0 +1,6 @@
+Ensure that using XPath namespace resolver with a detached iframe doesn't crash.
+
+PASS Did not crash.
+PASS dummyResolverCalled is true
+PASS foundNode.toString() is "[object HTMLDivElement]"
+
diff --git a/LayoutTests/fast/xpath/xpath-detached-iframe-resolver-crash.html b/LayoutTests/fast/xpath/xpath-detached-iframe-resolver-crash.html
new file mode 100644
index 0000000..c3e81a3
--- /dev/null
+++ b/LayoutTests/fast/xpath/xpath-detached-iframe-resolver-crash.html
@@ -0,0 +1,41 @@
+<html>
+<head>
+<link rel="stylesheet" href="../js/resources/js-test-style.css">
+<script src="../js/resources/js-test-pre.js"></script>
+<script>
+    if (window.layoutTestController) {
+        layoutTestController.waitUntilDone();
+        layoutTestController.dumpAsText();
+    }
+
+    var dummyResolverCalled = false;
+    var foundNode;
+    function dummyResolver() {
+        dummyResolverCalled = true;
+        return "http://www.w3.org/1999/xhtml";
+    }
+
+    function test() {
+        var iframe = document.createElement("iframe");
+        document.body.appendChild(iframe);
+        var doc = iframe.contentWindow.document;
+        doc.open();
+        doc.write("<html><body><div></div></body></html>");
+        doc.close();
+        document.body.removeChild(iframe);
+        foundNode = doc.evaluate("//dummyns:div", doc, dummyResolver, XPathResult.FIRST_ORDERED_NODE_TYPE, null).singleNodeValue;
+
+        testPassed("Did not crash.");
+        shouldBeTrue("dummyResolverCalled");
+        shouldBe("foundNode.toString()", "\"[object HTMLDivElement]\"");
+
+        if (window.layoutTestController)
+            layoutTestController.notifyDone();
+    }
+</script>
+</head>
+<body onload="test()">
+<p>Ensure that using XPath namespace resolver with a detached iframe doesn't crash.</p>
+<div id="console"></div>
+</body>
+</html>
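Review bot: `test()` runs synchronously from `onload`, yet the script pairs `layoutTestController.waitUntilDone()` with a `notifyDone()` at the very end of `test()`; if `doc.evaluate` throws instead of crashing, `notifyDone()` is never reached and the test presumably times out rather than reporting a failure through the `shouldBe` output. Since nothing here is asynchronous, the simplest form is to keep only `layoutTestController.dumpAsText();` in the head block and drop the trailing `if (window.layoutTestController) layoutTestController.notifyDone();`, so the harness completes when the page finishes loading regardless of how `test()` exits. If the wait/notify pair is deliberate, a short comment saying why would stop the next reader from removing it.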
diff --git a/WebCore/ChangeLog b/WebCore/ChangeLog
index 9da85cd..82466be 100644
--- a/WebCore/ChangeLog
+++ b/WebCore/ChangeLog
@@ -1,3 +1,23 @@
+2009-11-10  Vitaly Repeshko  <vitalyr at chromium.org>
+
+        Reviewed by Dimitri Glazkov.
+
+        [V8] Fix crash in V8CustomXPathNSResolver (http://crbug.com/26726).
+        https://bugs.webkit.org/show_bug.cgi?id=31301
+
+        Tested by new fast/xpath/xpath-detached-iframe-resolver-crash.html.
+
+        Allowed passing V8Proxy for the calling JS context:
+        * bindings/v8/V8DOMWrapper.h:
+        (WebCore::V8DOMWrapper::getXPathNSResolver):
+        * bindings/v8/custom/V8CustomXPathNSResolver.cpp:
+        (WebCore::V8CustomXPathNSResolver::create):
+        (WebCore::V8CustomXPathNSResolver::V8CustomXPathNSResolver):
+        (WebCore::V8CustomXPathNSResolver::lookupNamespaceURI):
+        * bindings/v8/custom/V8CustomXPathNSResolver.h:
+        * bindings/v8/custom/V8DocumentCustom.cpp:
+        (WebCore::CALLBACK_FUNC_DECL):
+
 2009-11-10  Yael Aharon  <yael.aharon at nokia.com>
 
         Reviewed by Timothy Hatcher.
diff --git a/WebCore/bindings/v8/V8DOMWrapper.h b/WebCore/bindings/v8/V8DOMWrapper.h
index 1bffc11..9ba888f 100644
--- a/WebCore/bindings/v8/V8DOMWrapper.h
+++ b/WebCore/bindings/v8/V8DOMWrapper.h
@@ -253,13 +253,13 @@ namespace WebCore {
 
 
         // XPath-related utilities
-        static RefPtr<XPathNSResolver> getXPathNSResolver(v8::Handle<v8::Value> value)
+        static RefPtr<XPathNSResolver> getXPathNSResolver(v8::Handle<v8::Value> value, V8Proxy* proxy = 0)
         {
             RefPtr<XPathNSResolver> resolver;
             if (V8XPathNSResolver::HasInstance(value))
                 resolver = convertToNativeObject<XPathNSResolver>(V8ClassIndex::XPATHNSRESOLVER, v8::Handle<v8::Object>::Cast(value));
             else if (value->IsObject())
-                resolver = V8CustomXPathNSResolver::create(value->ToObject());
+                resolver = V8CustomXPathNSResolver::create(proxy, value->ToObject());
             return resolver;
         }
 
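Review bot: The new default `V8Proxy* proxy = 0` on `getXPathNSResolver` means any call site that does not pass the argument keeps the previous behaviour, where V8CustomXPathNSResolver::lookupNamespaceURI falls back to `V8Proxy::retrieve()` at lookup time, and nothing at the declaration says so. Only the DocumentEvaluate call site in this commit passes a proxy, so a reader cannot tell from this header whether omitting it is safe or a leftover. I would add above the declaration: `// proxy: the V8Proxy of the calling JS context, or 0 to have the custom resolver fall back to V8Proxy::retrieve() when lookupNamespaceURI() runs.` The enclosing V8DOMWrapper class starts and ends outside this hunk.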
diff --git a/WebCore/bindings/v8/custom/V8CustomXPathNSResolver.cpp b/WebCore/bindings/v8/custom/V8CustomXPathNSResolver.cpp
index 3341924..e45cba0 100644
--- a/WebCore/bindings/v8/custom/V8CustomXPathNSResolver.cpp
+++ b/WebCore/bindings/v8/custom/V8CustomXPathNSResolver.cpp
@@ -38,13 +38,14 @@
 
 namespace WebCore {
 
-PassRefPtr<V8CustomXPathNSResolver> V8CustomXPathNSResolver::create(v8::Handle<v8::Object> resolver)
+PassRefPtr<V8CustomXPathNSResolver> V8CustomXPathNSResolver::create(V8Proxy* proxy, v8::Handle<v8::Object> resolver)
 {
-    return adoptRef(new V8CustomXPathNSResolver(resolver));
+    return adoptRef(new V8CustomXPathNSResolver(proxy, resolver));
 }
 
-V8CustomXPathNSResolver::V8CustomXPathNSResolver(v8::Handle<v8::Object> resolver)
-    : m_resolver(resolver)
+V8CustomXPathNSResolver::V8CustomXPathNSResolver(V8Proxy* proxy, v8::Handle<v8::Object> resolver)
+        : m_proxy(proxy)
+        , m_resolver(resolver)
 {
 }
 
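Review bot: The constructor at the end of this hunk stores `proxy` into `m_proxy` without documenting that the pointer is non-owning and may be 0, while the lifetime comment this commit adds in V8CustomXPathNSResolver.h covers only `m_resolver`. The null case is real: V8DOMWrapper::getXPathNSResolver defaults the argument to 0, and lookupNamespaceURI in the next hunk calls `V8Proxy::retrieve()` only for that case. I would put `// proxy may be 0; lookupNamespaceURI() then falls back to V8Proxy::retrieve().` above the constructor, and in the header hunk extend the existing comment to state that `m_proxy` is not owned and that the resolver must not outlive the V8Proxy it was given. Whether that V8Proxy can be destroyed before the resolver in the detached-frame scenario this commit targets is not visible here and is worth confirming.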
@@ -54,6 +55,14 @@ V8CustomXPathNSResolver::~V8CustomXPathNSResolver()
 
 String V8CustomXPathNSResolver::lookupNamespaceURI(const String& prefix)
 {
+    V8Proxy* proxy = m_proxy;
+
+    if (!proxy) {
+        proxy = V8Proxy::retrieve();
+        if (!proxy)
+            return String();
+    }
+
     v8::Handle<v8::Function> lookupNamespaceURIFunc;
     v8::Handle<v8::String> lookupNamespaceURIName = v8::String::New("lookupNamespaceURI");
 
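Review bot: The new early return at `if (!proxy) return String();` silently yields an empty namespace URI, whereas the existing missing-method branch further down logs through `logInfo` before returning the same value, so the asymmetry reads as an oversight rather than a choice. Given there is no frame to log against when no proxy can be found, a one-line comment would settle it: `// No JS context to call the resolver in; an empty URI will most likely cause NAMESPACE_ERR, as with swallowed resolver exceptions below.` The body of lookupNamespaceURI continues past this hunk.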
@@ -65,7 +74,7 @@ String V8CustomXPathNSResolver::lookupNamespaceURI(const String& prefix)
     }
 
     if (lookupNamespaceURIFunc.IsEmpty() && !m_resolver->IsFunction()) {
-        Frame* frame = V8Proxy::retrieveFrameForEnteredContext();
+        Frame* frame = proxy->frame();
         logInfo(frame, "XPathNSResolver does not have a lookupNamespaceURI method.", String());
         return String();
     }
@@ -78,7 +87,6 @@ String V8CustomXPathNSResolver::lookupNamespaceURI(const String& prefix)
     v8::Handle<v8::Value> argv[argc] = { v8String(prefix) };
     v8::Handle<v8::Function> function = lookupNamespaceURIFunc.IsEmpty() ? v8::Handle<v8::Function>::Cast(m_resolver) : lookupNamespaceURIFunc;
 
-    V8Proxy* proxy = V8Proxy::retrieve();
     v8::Handle<v8::Value> retval = proxy->callFunction(function, m_resolver, argc, argv);
 
     // Eat exceptions from namespace resolver and return an empty string. This will most likely cause NAMESPACE_ERR.
diff --git a/WebCore/bindings/v8/custom/V8CustomXPathNSResolver.h b/WebCore/bindings/v8/custom/V8CustomXPathNSResolver.h
index f1dc65c..15ac27d 100644
--- a/WebCore/bindings/v8/custom/V8CustomXPathNSResolver.h
+++ b/WebCore/bindings/v8/custom/V8CustomXPathNSResolver.h
@@ -42,17 +42,22 @@
 namespace WebCore {
 
 class String;
+class V8Proxy;
 
+// V8CustomXPathNSResolver does not create a persistent handle to the
+// given resolver object.  So the lifetime of V8CustomXPathNSResolver
+// must not exceed the lifetime of the passed handle.
 class V8CustomXPathNSResolver : public XPathNSResolver {
 public:
-    static PassRefPtr<V8CustomXPathNSResolver> create(v8::Handle<v8::Object> resolver);
+    static PassRefPtr<V8CustomXPathNSResolver> create(V8Proxy* proxy, v8::Handle<v8::Object> resolver);
 
     virtual ~V8CustomXPathNSResolver();
     virtual String lookupNamespaceURI(const String& prefix);
 
 private:
-    V8CustomXPathNSResolver(v8::Handle<v8::Object> resolver);
+    V8CustomXPathNSResolver(V8Proxy* proxy, v8::Handle<v8::Object> resolver);
 
+    V8Proxy* m_proxy;
     v8::Handle<v8::Object> m_resolver;  // Handle to resolver object.
 };
 
diff --git a/WebCore/bindings/v8/custom/V8DocumentCustom.cpp b/WebCore/bindings/v8/custom/V8DocumentCustom.cpp
index 2330778..b43dfe2 100644
--- a/WebCore/bindings/v8/custom/V8DocumentCustom.cpp
+++ b/WebCore/bindings/v8/custom/V8DocumentCustom.cpp
@@ -61,7 +61,7 @@ CALLBACK_FUNC_DECL(DocumentEvaluate)
     if (V8Node::HasInstance(args[1]))
         contextNode = V8DOMWrapper::convertDOMWrapperToNode<Node>(v8::Handle<v8::Object>::Cast(args[1]));
 
-    RefPtr<XPathNSResolver> resolver = V8DOMWrapper::getXPathNSResolver(args[2]);
+    RefPtr<XPathNSResolver> resolver = V8DOMWrapper::getXPathNSResolver(args[2], V8Proxy::retrieve(V8Proxy::retrieveFrameForCallingContext()));
     if (!resolver && !args[2]->IsNull() && !args[2]->IsUndefined())
         return throwError(TYPE_MISMATCH_ERR);
 
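Review bot: The proxy passed at `V8DOMWrapper::getXPathNSResolver(args[2], V8Proxy::retrieve(V8Proxy::retrieveFrameForCallingContext()))` is not checked for null here, and nothing at this call site explains why the calling context's proxy, rather than the entered one, is the right choice. Because getXPathNSResolver defaults its proxy to 0 and the custom resolver then falls back to `V8Proxy::retrieve()` at lookup time, a null result is presumably tolerated, but that is inferred from the other hunks rather than stated. A comment would carry the intent: `// Use the calling context's proxy: the document's own frame may already be detached when the resolver is invoked (crbug.com/26726).` The enclosing DocumentEvaluate callback starts and ends outside this hunk.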
