[SCM] WebKit Debian packaging branch, debian/experimental, updated. upstream/1.3.3-9427-gc2be6fc

ager at chromium.org ager at chromium.org
Wed Dec 22 15:14:50 UTC 2010 

The following commit has been merged in the debian/experimental branch:
commit f31a106d16fa32e9704481bdacd03ee9c7555dab
Author: ager at chromium.org <ager at chromium.org@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
Date:   Fri Oct 29 11:50:59 2010 +0000

    2010-10-29  Mads Ager  <ager at chromium.org>
    
            Reviewed by Pavel Feldman.
    
            [V8] The DateExtension cannot handle overwritten Date
            https://bugs.webkit.org/show_bug.cgi?id=48621
    
            Check that the Date property is an object before attempting to get
            hidden properties from it.
    
            Test: fast/dom/Window/slow-unload-handler-overwritten-date.html
    
            * bindings/v8/DateExtension.cpp:
            (WebCore::DateExtension::setAllowSleep):
    2010-10-29  Mads Ager  <ager at chromium.org>
    
            Reviewed by Pavel Feldman.
    
            [V8] The DateExtension cannot handle overwritten Date
            https://bugs.webkit.org/show_bug.cgi?id=48621
    
            * fast/dom/Window/resources/slow-unload-handler-overwritten-date1.html: Added.
            * fast/dom/Window/slow-unload-handler-overwritten-date-expected.txt: Added.
            * fast/dom/Window/slow-unload-handler-overwritten-date.html: Added.
    
    
    git-svn-id: http://svn.webkit.org/repository/webkit/trunk@70862 268f45cc-cd09-0410-ab3c-d52691b4dbfc

diff --git a/LayoutTests/ChangeLog b/LayoutTests/ChangeLog
index 5a86a78..4364f0f 100644
--- a/LayoutTests/ChangeLog
+++ b/LayoutTests/ChangeLog
@@ -1,3 +1,14 @@
+2010-10-29  Mads Ager  <ager at chromium.org>
+
+        Reviewed by Pavel Feldman.
+
+        [V8] The DateExtension cannot handle overwritten Date
+        https://bugs.webkit.org/show_bug.cgi?id=48621
+
+        * fast/dom/Window/resources/slow-unload-handler-overwritten-date1.html: Added.
+        * fast/dom/Window/slow-unload-handler-overwritten-date-expected.txt: Added.
+        * fast/dom/Window/slow-unload-handler-overwritten-date.html: Added.
+
 2010-10-29  Nikolas Zimmermann  <nzimmermann at rim.com>
 
         Not reviewed.
diff --git a/LayoutTests/fast/dom/Window/resources/slow-unload-handler-overwritten-date1.html b/LayoutTests/fast/dom/Window/resources/slow-unload-handler-overwritten-date1.html
new file mode 100644
index 0000000..52a088d
--- /dev/null
+++ b/LayoutTests/fast/dom/Window/resources/slow-unload-handler-overwritten-date1.html
@@ -0,0 +1,10 @@
+<html>
+<head>
+<script>
+Date = 42;
+function f() { }
+window.addEventListener('unload', f, false);
+</script>
+</head>
+<body></body>
+</html>
diff --git a/LayoutTests/fast/dom/Window/slow-unload-handler-overwritten-date-expected.txt b/LayoutTests/fast/dom/Window/slow-unload-handler-overwritten-date-expected.txt
new file mode 100644
index 0000000..e1241d7
--- /dev/null
+++ b/LayoutTests/fast/dom/Window/slow-unload-handler-overwritten-date-expected.txt
@@ -0,0 +1,4 @@
+frame "theiframe" - has 1 onunload handler(s)
+This is a test for bug 48621: The V8 date extension cannot handle if Date is overwritten with non-Object. Succeeds if it does not crash.
+
+PASS
diff --git a/LayoutTests/fast/dom/Window/slow-unload-handler-overwritten-date.html b/LayoutTests/fast/dom/Window/slow-unload-handler-overwritten-date.html
new file mode 100644
index 0000000..74a6a0c
--- /dev/null
+++ b/LayoutTests/fast/dom/Window/slow-unload-handler-overwritten-date.html
@@ -0,0 +1,34 @@
+<html>
+<head>
+<link rel="stylesheet" href="../../js/resources/js-test-style.css">
+<script>
+
+if (layoutTestController) {
+    layoutTestController.waitUntilDone();
+    layoutTestController.dumpAsText();
+}
+
+function done()
+{
+    document.getElementById("results").appendChild(document.createTextNode("PASS"));
+    if (layoutTestController)
+        layoutTestController.notifyDone();
+}
+
+function loaded() {
+    setTimeout("done()", 0);
+    document.getElementById("theiframe").outerHTML='';
+} 
+
+</script>
+</head>
+<body onload="setTimeout('loaded();', 0)">
+<p>
+    This is a test for <a href="https://bugs.webkit.org/show_bug.cgi?id=48621">bug 48621</a>:
+    <i>The V8 date extension cannot handle if Date is overwritten with non-Object.</i>
+    Succeeds if it does not crash.
+</p>
+<p id="results" class="pass"></p>
+<iframe id="theiframe" style="border: 0" src="resources/slow-unload-handler-overwritten-date1.html">
+</body>
+</html>
diff --git a/WebCore/ChangeLog b/WebCore/ChangeLog
index d90122d..13a3a01 100644
--- a/WebCore/ChangeLog
+++ b/WebCore/ChangeLog
@@ -1,3 +1,18 @@
+2010-10-29  Mads Ager  <ager at chromium.org>
+
+        Reviewed by Pavel Feldman.
+
+        [V8] The DateExtension cannot handle overwritten Date
+        https://bugs.webkit.org/show_bug.cgi?id=48621
+
+        Check that the Date property is an object before attempting to get
+        hidden properties from it.
+
+        Test: fast/dom/Window/slow-unload-handler-overwritten-date.html
+
+        * bindings/v8/DateExtension.cpp:
+        (WebCore::DateExtension::setAllowSleep):
+
 2010-10-27  Nikolas Zimmermann  <nzimmermann at rim.com>
 
         Reviewed by Dirk Schulze.
diff --git a/WebCore/bindings/v8/DateExtension.cpp b/WebCore/bindings/v8/DateExtension.cpp
index f2b6242..332828b 100644
--- a/WebCore/bindings/v8/DateExtension.cpp
+++ b/WebCore/bindings/v8/DateExtension.cpp
@@ -76,7 +76,7 @@ DateExtension* DateExtension::get()
 void DateExtension::setAllowSleep(bool allow)
 {
     v8::Local<v8::Value> result = V8Proxy::currentContext()->Global()->Get(v8::String::New("Date"));
-    if (result.IsEmpty())
+    if (result.IsEmpty() || !result->IsObject())
         return;
 
     v8::Handle<v8::Object> dateObject = v8::Handle<v8::Object>::Cast(result);

-- 
WebKit Debian packaging

More information about the Pkg-webkit-commits mailing list