[SCM] WebKit Debian packaging branch, webkit-1.1, updated. upstream/1.1.17-1283-gcf603cf

eric at webkit.org eric at webkit.org
Tue Jan 5 23:43:44 UTC 2010 

The following commit has been merged in the webkit-1.1 branch:
commit b9e715021cddb928b5fbdceb54be8c8f7c2b18e1
Author: eric at webkit.org <eric at webkit.org@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
Date:   Mon Dec 7 19:36:34 2009 +0000

    2009-12-07  Kenneth Russell  <kbr at google.com>
    
            Reviewed by Dimitri Glazkov.
    
            [v8] WebCore::WebGLArrayBufferInternal::byteLengthAttrGetter NULL pointer
            https://bugs.webkit.org/show_bug.cgi?id=31889
    
            Fixed bug in handling of zero-argument constructor call.
    
            Test: fast/canvas/webgl/bug-31889.html
    
            * fast/canvas/webgl/bug-31889-expected.txt: Added.
            * fast/canvas/webgl/bug-31889.html: Added.
    2009-12-07  Kenneth Russell  <kbr at google.com>
    
            Reviewed by Dimitri Glazkov.
    
            [v8] WebCore::WebGLArrayBufferInternal::byteLengthAttrGetter NULL pointer
            https://bugs.webkit.org/show_bug.cgi?id=31889
    
            Fixed bug in handling of zero-argument constructor call.
    
            Test: fast/canvas/webgl/bug-31889.html
    
            * bindings/v8/custom/V8WebGLArrayBufferCustom.cpp:
            (WebCore::CALLBACK_FUNC_DECL):
    
    git-svn-id: http://svn.webkit.org/repository/webkit/trunk@51785 268f45cc-cd09-0410-ab3c-d52691b4dbfc

diff --git a/LayoutTests/ChangeLog b/LayoutTests/ChangeLog
index 1af1740..5ebc1fd 100644
--- a/LayoutTests/ChangeLog
+++ b/LayoutTests/ChangeLog
@@ -1,3 +1,17 @@
+2009-12-07  Kenneth Russell  <kbr at google.com>
+
+        Reviewed by Dimitri Glazkov.
+
+        [v8] WebCore::WebGLArrayBufferInternal::byteLengthAttrGetter NULL pointer
+        https://bugs.webkit.org/show_bug.cgi?id=31889
+
+        Fixed bug in handling of zero-argument constructor call.
+
+        Test: fast/canvas/webgl/bug-31889.html
+
+        * fast/canvas/webgl/bug-31889-expected.txt: Added.
+        * fast/canvas/webgl/bug-31889.html: Added.
+
 2009-12-07  Gustavo Noronha Silva  <gustavo.noronha at collabora.co.uk>
 
         Unreviewed. Landing files I forgot to add to my working copy
diff --git a/LayoutTests/fast/canvas/webgl/bug-31889-expected.txt b/LayoutTests/fast/canvas/webgl/bug-31889-expected.txt
new file mode 100644
index 0000000..2255193
--- /dev/null
+++ b/LayoutTests/fast/canvas/webgl/bug-31889-expected.txt
@@ -0,0 +1,9 @@
+Regression test for https://bugs.webkit.org/show_bug.cgi?id=31889 : [v8] WebCore::WebGLArrayBufferInternal::byteLengthAttrGetter NULL pointer
+
+On success, you will see a series of "PASS" messages, followed by "TEST COMPLETE".
+
+PASS new WebGLArrayBuffer().byteLength did not crash
+PASS successfullyParsed is true
+
+TEST COMPLETE
+
diff --git a/LayoutTests/fast/canvas/webgl/bug-31889.html b/LayoutTests/fast/canvas/webgl/bug-31889.html
new file mode 100644
index 0000000..eba1de7
--- /dev/null
+++ b/LayoutTests/fast/canvas/webgl/bug-31889.html
@@ -0,0 +1,28 @@
+<html>
+<head>
+<link rel="stylesheet" href="../../js/resources/js-test-style.css"/>
+<script src="../../js/resources/js-test-pre.js"></script>
+<script src="resources/webgl-test.js"></script>
+</head>
+<body>
+<div id="description"></div>
+<div id="console"></div>
+
+<script>
+
+description('Regression test for <a href="https://bugs.webkit.org/show_bug.cgi?id=31889">https://bugs.webkit.org/show_bug.cgi?id=31889</a> : <code>[v8] WebCore::WebGLArrayBufferInternal::byteLengthAttrGetter NULL pointer</code>');
+
+<!-- The following used to cause a crash in Chrome -->
+new WebGLArrayBuffer().byteLength;
+
+testPassed("new WebGLArrayBuffer().byteLength did not crash");
+successfullyParsed = true;
+
+</script>
+<script src="../../js/resources/js-test-post.js"></script>
+
+<script>
+</script>
+
+</body>
+</html>
diff --git a/WebCore/ChangeLog b/WebCore/ChangeLog
index f2cd7a1..f4178cf 100644
--- a/WebCore/ChangeLog
+++ b/WebCore/ChangeLog
@@ -1,3 +1,17 @@
+2009-12-07  Kenneth Russell  <kbr at google.com>
+
+        Reviewed by Dimitri Glazkov.
+
+        [v8] WebCore::WebGLArrayBufferInternal::byteLengthAttrGetter NULL pointer
+        https://bugs.webkit.org/show_bug.cgi?id=31889
+
+        Fixed bug in handling of zero-argument constructor call.
+
+        Test: fast/canvas/webgl/bug-31889.html
+
+        * bindings/v8/custom/V8WebGLArrayBufferCustom.cpp:
+        (WebCore::CALLBACK_FUNC_DECL):
+
 2009-12-07  Gyuyoung Kim  <gyuyoung at gmail.com>
 
         Reviewed by Eric Seidel.
diff --git a/WebCore/bindings/v8/custom/V8WebGLArrayBufferCustom.cpp b/WebCore/bindings/v8/custom/V8WebGLArrayBufferCustom.cpp
index 699667e..16a1f51 100644
--- a/WebCore/bindings/v8/custom/V8WebGLArrayBufferCustom.cpp
+++ b/WebCore/bindings/v8/custom/V8WebGLArrayBufferCustom.cpp
@@ -48,28 +48,31 @@ CALLBACK_FUNC_DECL(WebGLArrayBufferConstructor)
     if (!args.IsConstructCall())
         return throwError("DOM object constructor cannot be called as a function.");
 
-    int argLen = args.Length();
-    if (argLen == 0) {
-        // This happens when we return a previously constructed
-        // WebGLArrayBuffer, e.g. from the call to WebGLArray.buffer.
-        // The V8DOMWrapper will set the internal pointer in the
-        // created object. Unfortunately it doesn't look like it's
-        // possible to distinguish between this case and that where
-        // the user calls "new WebGLArrayBuffer()" from JavaScript.
-        return args.Holder();
-    }
+    // If we return a previously constructed WebGLArrayBuffer,
+    // e.g. from the call to WebGLArray.buffer, this code is called
+    // with a zero-length argument list. The V8DOMWrapper will then
+    // set the internal pointer in the newly-created object.
+    // Unfortunately it doesn't look like it's possible to distinguish
+    // between this case and that where the user calls "new
+    // WebGLArrayBuffer()" from JavaScript. To guard against problems,
+    // we always create at least a zero-length WebGLArrayBuffer, even
+    // if it is immediately overwritten by the V8DOMWrapper.
 
     // Supported constructors:
     // WebGLArrayBuffer(n) where n is an integer:
     //   -- create an empty buffer of n bytes
 
-    if (argLen != 1)
+    int argLen = args.Length();
+    if (argLen > 1)
         return throwError("Wrong number of arguments specified to constructor (requires 1)");
 
     int len = 0;
-    if (!args[0]->IsInt32())
-        return throwError("Argument to WebGLArrayBuffer constructor was not an integer");
-    len = toInt32(args[0]);
+    if (argLen > 0) {
+        if (!args[0]->IsInt32())
+            return throwError("Argument to WebGLArrayBuffer constructor was not an integer");
+        len = toInt32(args[0]);
+    }
+
     RefPtr<WebGLArrayBuffer> buffer = WebGLArrayBuffer::create(len);
     // Transform the holder into a wrapper object for the array.
     V8DOMWrapper::setDOMWrapper(args.Holder(), V8ClassIndex::ToInt(V8ClassIndex::WEBGLARRAYBUFFER), buffer.get());

-- 
WebKit Debian packaging

More information about the Pkg-webkit-commits mailing list