[SCM] WebKit Debian packaging branch, webkit-1.1, updated. upstream/1.1.21-584-g1e41756

Fri Feb 26 22:24:40 UTC 2010

The following commit has been merged in the webkit-1.1 branch:
commit 941edb931db21a4f4cea49e557bcb477d3e17d9d
Author: japhet at chromium.org <japhet at chromium.org@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
Date:   Thu Feb 18 17:04:37 2010 +0000

    2010-02-18  Nate Chapin  <japhet at chromium.org>
    
            Reviewed by Eric Seidel.
    
            [V8] Correctly handle the case where the event field on the
            global object is a v8::Object, but not a DOM wrapper.
    
            https://bugs.webkit.org/show_bug.cgi?id=34899
    
            Test: fast/dom/Window/window-event-override-no-crash.html
    
            * bindings/v8/ScriptController.cpp:
            (WebCore::ScriptController::processingUserGesture):
            * bindings/v8/V8DOMWrapper.cpp:
            (WebCore::V8DOMWrapper::isValidDOMObject):
            (WebCore::V8DOMWrapper::isWrapperOfType):
            * bindings/v8/V8DOMWrapper.h:
    
    
    git-svn-id: http://svn.webkit.org/repository/webkit/trunk@54964 268f45cc-cd09-0410-ab3c-d52691b4dbfc

diff --git a/LayoutTests/ChangeLog b/LayoutTests/ChangeLog
index a763979..62c466d 100644
--- a/LayoutTests/ChangeLog
+++ b/LayoutTests/ChangeLog
@@ -1,3 +1,12 @@
+2010-02-18  Nate Chapin  <japhet at chromium.org>
+
+        Reviewed by Eric Seidel.
+
+        Test for https://bugs.webkit.org/show_bug.cgi?id=34899
+
+        * fast/dom/Window/window-event-override-no-crash-expected.txt: Added.
+        * fast/dom/Window/window-event-override-no-crash.html: Added.
+
 2010-02-18  Andras Becsi  <abecsi at webkit.org>
 
         Rubber-stamped by Kenneth Rohde Christiansen.
diff --git a/WebCore/ChangeLog b/WebCore/ChangeLog
index 5d68ff1..b28a255 100644
--- a/WebCore/ChangeLog
+++ b/WebCore/ChangeLog
@@ -1,3 +1,21 @@
+2010-02-18  Nate Chapin  <japhet at chromium.org>
+
+        Reviewed by Eric Seidel.
+
+        [V8] Correctly handle the case where the event field on the
+        global object is a v8::Object, but not a DOM wrapper.
+
+        https://bugs.webkit.org/show_bug.cgi?id=34899
+
+        Test: fast/dom/Window/window-event-override-no-crash.html
+
+        * bindings/v8/ScriptController.cpp:
+        (WebCore::ScriptController::processingUserGesture):
+        * bindings/v8/V8DOMWrapper.cpp:
+        (WebCore::V8DOMWrapper::isValidDOMObject):
+        (WebCore::V8DOMWrapper::isWrapperOfType):
+        * bindings/v8/V8DOMWrapper.h:
+
 2010-02-18  Pavel Feldman  <pfeldman at chromium.org>
 
         Not reviewed, Qt build fix.
diff --git a/WebCore/bindings/v8/ScriptController.cpp b/WebCore/bindings/v8/ScriptController.cpp
index e2b886d..838668a 100644
--- a/WebCore/bindings/v8/ScriptController.cpp
+++ b/WebCore/bindings/v8/ScriptController.cpp
@@ -171,7 +171,7 @@ bool ScriptController::processingUserGesture(DOMWrapperWorld*) const
 
     v8::Handle<v8::Object> global = v8Context->Global();
     v8::Handle<v8::Value> jsEvent = global->Get(v8::String::NewSymbol("event"));
-    Event* event = (!jsEvent.IsEmpty() && jsEvent->IsObject()) ? V8Event::toNative(v8::Handle<v8::Object>::Cast(jsEvent)) : 0;
+    Event* event = V8DOMWrapper::isValidDOMObject(jsEvent) ? V8Event::toNative(v8::Handle<v8::Object>::Cast(jsEvent)) : 0;
 
     // Based on code from kjs_bindings.cpp.
     // Note: This is more liberal than Firefox's implementation.
diff --git a/WebCore/bindings/v8/V8DOMWrapper.cpp b/WebCore/bindings/v8/V8DOMWrapper.cpp
index 1605417..30775fa 100644
--- a/WebCore/bindings/v8/V8DOMWrapper.cpp
+++ b/WebCore/bindings/v8/V8DOMWrapper.cpp
@@ -327,15 +327,19 @@ bool V8DOMWrapper::maybeDOMWrapper(v8::Handle<v8::Value> value)
 }
 #endif
 
-bool V8DOMWrapper::isWrapperOfType(v8::Handle<v8::Value> value, V8ClassIndex::V8WrapperType classType)
+bool V8DOMWrapper::isValidDOMObject(v8::Handle<v8::Value> value)
 {
     if (value.IsEmpty() || !value->IsObject())
         return false;
+    return v8::Handle<v8::Object>::Cast(value)->InternalFieldCount();
+}
 
-    v8::Handle<v8::Object> object = v8::Handle<v8::Object>::Cast(value);
-    if (!object->InternalFieldCount())
+bool V8DOMWrapper::isWrapperOfType(v8::Handle<v8::Value> value, V8ClassIndex::V8WrapperType classType)
+{
+    if (!isValidDOMObject(value))
         return false;
 
+    v8::Handle<v8::Object> object = v8::Handle<v8::Object>::Cast(value);
     ASSERT(object->InternalFieldCount() >= v8DefaultWrapperInternalFieldCount);
 
     v8::Handle<v8::Value> wrapper = object->GetInternalField(v8DOMWrapperObjectIndex);
diff --git a/WebCore/bindings/v8/V8DOMWrapper.h b/WebCore/bindings/v8/V8DOMWrapper.h
index 78e9ae2..d900466 100644
--- a/WebCore/bindings/v8/V8DOMWrapper.h
+++ b/WebCore/bindings/v8/V8DOMWrapper.h
@@ -179,6 +179,8 @@ namespace WebCore {
         static void setJSWrapperForActiveDOMObject(void*, v8::Persistent<v8::Object>);
         static void setJSWrapperForDOMNode(Node*, v8::Persistent<v8::Object>);
 
+        static bool isValidDOMObject(v8::Handle<v8::Value>);
+
         // Check whether a V8 value is a wrapper of type |classType|.
         static bool isWrapperOfType(v8::Handle<v8::Value>, V8ClassIndex::V8WrapperType);
 

-- 
WebKit Debian packaging

