[SCM] WebKit Debian packaging branch, webkit-1.2, updated. upstream/1.1.90-6072-g9a69373
beidson at apple.com
beidson at apple.com
Thu Apr 8 00:24:25 UTC 2010
The following commit has been merged in the webkit-1.2 branch:
commit 085e6a67765293415ddf6f24e9f5c6fd2ad98ad4
Author: beidson at apple.com <beidson at apple.com@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
Date: Mon Dec 7 22:27:49 2009 +0000
<rdar://problem/7443417> - Closing a window opened with "New windows open with: Same Page" results in crash in ::~HistoryItem
Reviewed by Sam Weinig.
The HistoryItem copy constructor has one very specific use case - to support the feature of a WebView copying another WebView's
BackForwardList. That constructor wasn't initializing its m_document pointer, leading to this crash in the destructor.
* history/HistoryItem.cpp:
(WebCore::HistoryItem::~HistoryItem): Change the setDocument(0) to an ASSERT that the document is already 0. A HistoryItem cannot
outlive its Document and Documents will always clear the back-pointer in their ::detach() method.
(WebCore::HistoryItem::HistoryItem): Missed the m_document initializer in the copy constructor. Also remove an invalid assertion
about the original items m_cachedPage object (which is irrelevant to the copy).
git-svn-id: http://svn.webkit.org/repository/webkit/trunk@51796 268f45cc-cd09-0410-ab3c-d52691b4dbfc
diff --git a/WebCore/ChangeLog b/WebCore/ChangeLog
index 5eda5a2..b5cb2c9 100644
--- a/WebCore/ChangeLog
+++ b/WebCore/ChangeLog
@@ -1,3 +1,18 @@
+2009-12-07 Brady Eidson <beidson at apple.com>
+
+ Reviewed by Sam Weinig.
+
+ <rdar://problem/7443417> - Closing a window opened with "New windows open with: Same Page" results in crash in ::~HistoryItem
+
+ The HistoryItem copy constructor has one very specific use case - to support the feature of a WebView copying another WebView's
+ BackForwardList. That constructor wasn't initializing its m_document pointer, leading to this crash in the destructor.
+
+ * history/HistoryItem.cpp:
+ (WebCore::HistoryItem::~HistoryItem): Change the setDocument(0) to an ASSERT that the document is already 0. A HistoryItem cannot
+ outlive its Document and Documents will always clear the back-pointer in their ::detach() method.
+ (WebCore::HistoryItem::HistoryItem): Missed the m_document initializer in the copy constructor. Also remove an invalid assertion
+ about the original items m_cachedPage object (which is irrelevant to the copy).
+
2009-12-07 Dmitry Titov <dimich at chromium.org>
Reviewed by Darin Adler.
diff --git a/WebCore/history/HistoryItem.cpp b/WebCore/history/HistoryItem.cpp
index 47637d3..88e4c7b 100644
--- a/WebCore/history/HistoryItem.cpp
+++ b/WebCore/history/HistoryItem.cpp
@@ -100,8 +100,8 @@ HistoryItem::HistoryItem(const KURL& url, const String& target, const String& pa
HistoryItem::~HistoryItem()
{
ASSERT(!m_cachedPage);
+ ASSERT(!m_document);
iconDatabase()->releaseIconForPageURL(m_urlString);
- setDocument(0);
}
inline HistoryItem::HistoryItem(const HistoryItem& item)
@@ -121,10 +121,9 @@ inline HistoryItem::HistoryItem(const HistoryItem& item)
, m_visitCount(item.m_visitCount)
, m_dailyVisitCounts(item.m_dailyVisitCounts)
, m_weeklyVisitCounts(item.m_weeklyVisitCounts)
+ , m_document(0)
, m_formContentType(item.m_formContentType)
{
- ASSERT(!item.m_cachedPage);
-
if (item.m_formData)
m_formData = item.m_formData->copy();
--
WebKit Debian packaging
More information about the Pkg-webkit-commits
mailing list