[SCM] WebKit Debian packaging branch, webkit-1.3, updated. upstream/1.3.7-4207-g178b198

inferno at chromium.org inferno at chromium.org
Sun Feb 20 23:51:37 UTC 2011 

The following commit has been merged in the webkit-1.3 branch:
commit 49aa540cf72cfdd5c40e4d2141276a4ad0d5f83c
Author: inferno at chromium.org <inferno at chromium.org@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
Date:   Wed Jan 26 00:10:34 2011 +0000

    2011-01-25  Cris Neckar  <cdn at chromium.org>
    
            Reviewed by Adam Barth.
    
            Test for crash when a window's location changes before creating an object URL.
            https://bugs.webkit.org/show_bug.cgi?id=53038
    
            * fast/dom/window-domurl-crash-expected.txt: Added.
            * fast/dom/window-domurl-crash.html: Added.
    2011-01-25  Cris Neckar  <cdn at chromium.org>
    
            Reviewed by Adam Barth.
    
            Add a hashset of DOMURLs to ScriptExecutionContext to track back references.
            https://bugs.webkit.org/show_bug.cgi?id=53038
    
            Test: fast/dom/window-domurl-crash.html
    
            * dom/ScriptExecutionContext.cpp:
            (WebCore::ScriptExecutionContext::~ScriptExecutionContext):
            (WebCore::ScriptExecutionContext::createdDomUrl):
            (WebCore::ScriptExecutionContext::destroyedDomUrl):
            * dom/ScriptExecutionContext.h:
            (WebCore::ScriptExecutionContext::domUrls):
            * html/DOMURL.cpp:
            (WebCore::DOMURL::DOMURL):
            (WebCore::DOMURL::~DOMURL):
            (WebCore::DOMURL::contextDestroyed):
            * html/DOMURL.h:
            (WebCore::DOMURL::scriptExecutionContext):
    
    
    git-svn-id: http://svn.webkit.org/repository/webkit/trunk@76652 268f45cc-cd09-0410-ab3c-d52691b4dbfc

diff --git a/LayoutTests/ChangeLog b/LayoutTests/ChangeLog
index c8cfe18..7c23672 100644
--- a/LayoutTests/ChangeLog
+++ b/LayoutTests/ChangeLog
@@ -1,3 +1,13 @@
+2011-01-25  Cris Neckar  <cdn at chromium.org>
+
+        Reviewed by Adam Barth.
+
+        Test for crash when a window's location changes before creating an object URL.
+        https://bugs.webkit.org/show_bug.cgi?id=53038
+
+        * fast/dom/window-domurl-crash-expected.txt: Added.
+        * fast/dom/window-domurl-crash.html: Added.
+
 2011-01-25  James Simonsen  <simonjam at chromium.org>
 
         Reviewed by Tony Chang.
diff --git a/LayoutTests/compositing/overflow/get-transform-from-non-box-container-expected.txt b/LayoutTests/fast/dom/window-domurl-crash-expected.txt
similarity index 100%
copy from LayoutTests/compositing/overflow/get-transform-from-non-box-container-expected.txt
copy to LayoutTests/fast/dom/window-domurl-crash-expected.txt
diff --git a/LayoutTests/fast/dom/window-domurl-crash.html b/LayoutTests/fast/dom/window-domurl-crash.html
new file mode 100644
index 0000000..6348632
--- /dev/null
+++ b/LayoutTests/fast/dom/window-domurl-crash.html
@@ -0,0 +1,60 @@
+<html>
+<head>
+<script>
+var blob = (new BlobBuilder).getBlob();
+var url = null;
+var count = 0;
+
+if (!window.gc)
+{
+    window.gc = function()
+    {
+        if (window.GCController)
+            return GCController.collect();
+        for (var i = 0; i < 10000; i++)
+            var s = new String("abc");
+    }
+}
+
+function load()
+{
+    if (window.layoutTestController)
+    {
+        layoutTestController.dumpAsText();
+        layoutTestController.setCanOpenWindows();
+        layoutTestController.setCloseRemainingWindowsWhenComplete(true);
+        layoutTestController.waitUntilDone();
+    }
+    win = window.open();
+    if (win.webkitURL)
+    {
+        url = win.webkitURL;
+        win.location = "nothing";
+        setTimeout(crash, 0);
+        return;
+    }
+    document.body.innerHTML = "PASS";
+    if (window.layoutTestController)
+        layoutTestController.notifyDone();
+}
+
+function crash()
+{
+    gc();
+    url.createObjectURL(blob);
+    if (count++ < 5)
+    {
+        setTimeout(crash, 0);
+        return;
+    }
+    document.body.innerHTML = "PASS";
+    if (window.layoutTestController)
+        layoutTestController.notifyDone();
+}
+</script>
+</head>
+<body onload="load()">
+RUNNING...
+</body>
+</html>
+
diff --git a/Source/WebCore/ChangeLog b/Source/WebCore/ChangeLog
index f3c1248..a73534e 100644
--- a/Source/WebCore/ChangeLog
+++ b/Source/WebCore/ChangeLog
@@ -1,3 +1,25 @@
+2011-01-25  Cris Neckar  <cdn at chromium.org>
+
+        Reviewed by Adam Barth.
+
+        Add a hashset of DOMURLs to ScriptExecutionContext to track back references.
+        https://bugs.webkit.org/show_bug.cgi?id=53038
+
+        Test: fast/dom/window-domurl-crash.html
+
+        * dom/ScriptExecutionContext.cpp:
+        (WebCore::ScriptExecutionContext::~ScriptExecutionContext):
+        (WebCore::ScriptExecutionContext::createdDomUrl):
+        (WebCore::ScriptExecutionContext::destroyedDomUrl):
+        * dom/ScriptExecutionContext.h:
+        (WebCore::ScriptExecutionContext::domUrls):
+        * html/DOMURL.cpp:
+        (WebCore::DOMURL::DOMURL):
+        (WebCore::DOMURL::~DOMURL):
+        (WebCore::DOMURL::contextDestroyed):
+        * html/DOMURL.h:
+        (WebCore::DOMURL::scriptExecutionContext):
+
 2011-01-23  Antti Koivisto  <antti at apple.com>
 
         Reviewed by Darin Adler.
diff --git a/Source/WebCore/dom/ScriptExecutionContext.cpp b/Source/WebCore/dom/ScriptExecutionContext.cpp
index 8f4ca07..f1ba95c 100644
--- a/Source/WebCore/dom/ScriptExecutionContext.cpp
+++ b/Source/WebCore/dom/ScriptExecutionContext.cpp
@@ -30,6 +30,7 @@
 #include "ActiveDOMObject.h"
 #include "Blob.h"
 #include "BlobURL.h"
+#include "DOMURL.h"
 #include "Database.h"
 #include "DatabaseTask.h"
 #include "DatabaseThread.h"
@@ -120,6 +121,12 @@ ScriptExecutionContext::~ScriptExecutionContext()
     HashSet<String>::iterator publicBlobURLsEnd = m_publicBlobURLs.end();
     for (HashSet<String>::iterator iter = m_publicBlobURLs.begin(); iter != publicBlobURLsEnd; ++iter)
         ThreadableBlobRegistry::unregisterBlobURL(KURL(ParsedURLString, *iter));
+
+    HashSet<DOMURL*>::iterator domUrlsEnd = m_domUrls.end();
+    for (HashSet<DOMURL*>::iterator iter = m_domUrls.begin(); iter != domUrlsEnd; ++iter) {
+        ASSERT((*iter)->scriptExecutionContext() == this);
+        (*iter)->contextDestroyed();
+    }
 #endif
 }
 
@@ -194,6 +201,20 @@ void ScriptExecutionContext::destroyedMessagePort(MessagePort* port)
     m_messagePorts.remove(port);
 }
 
+#if ENABLE(BLOB)
+void ScriptExecutionContext::createdDomUrl(DOMURL* url)
+{
+    ASSERT(url);
+    m_domUrls.add(url);
+}
+
+void ScriptExecutionContext::destroyedDomUrl(DOMURL* url)
+{
+    ASSERT(url);
+    m_domUrls.remove(url);
+}
+#endif
+
 bool ScriptExecutionContext::canSuspendActiveDOMObjects()
 {
     // No protection against m_activeDOMObjects changing during iteration: canSuspend() shouldn't execute arbitrary JS.
diff --git a/Source/WebCore/dom/ScriptExecutionContext.h b/Source/WebCore/dom/ScriptExecutionContext.h
index b57b75a..103561a 100644
--- a/Source/WebCore/dom/ScriptExecutionContext.h
+++ b/Source/WebCore/dom/ScriptExecutionContext.h
@@ -60,6 +60,7 @@ namespace WebCore {
     class FileThread;
 #endif
     class MessagePort;
+    class DOMURL;
     class SecurityOrigin;
     class ScriptCallStack;
 
@@ -112,6 +113,11 @@ namespace WebCore {
         void destroyedMessagePort(MessagePort*);
         const HashSet<MessagePort*>& messagePorts() const { return m_messagePorts; }
 
+#if ENABLE(BLOB)
+        void createdDomUrl(DOMURL*);
+        void destroyedDomUrl(DOMURL*);
+        const HashSet<DOMURL*>& domUrls() const { return m_domUrls; }
+#endif
         void ref() { refScriptExecutionContext(); }
         void deref() { derefScriptExecutionContext(); }
 
@@ -171,6 +177,7 @@ namespace WebCore {
 
 #if ENABLE(BLOB)
         HashSet<String> m_publicBlobURLs;
+        HashSet<DOMURL*> m_domUrls;
 #endif
 
         virtual void refScriptExecutionContext() = 0;
diff --git a/Source/WebCore/html/DOMURL.cpp b/Source/WebCore/html/DOMURL.cpp
index 87f9f45..c734f61 100644
--- a/Source/WebCore/html/DOMURL.cpp
+++ b/Source/WebCore/html/DOMURL.cpp
@@ -37,6 +37,19 @@ namespace WebCore {
 DOMURL::DOMURL(ScriptExecutionContext* scriptExecutionContext)
     : m_scriptExecutionContext(scriptExecutionContext)
 {
+    m_scriptExecutionContext->createdDomUrl(this);
+}
+
+DOMURL::~DOMURL()
+{
+    if (m_scriptExecutionContext)
+        m_scriptExecutionContext->destroyedDomUrl(this);
+}
+
+void DOMURL::contextDestroyed()
+{
+    ASSERT(m_scriptExecutionContext);
+    m_scriptExecutionContext = 0;
 }
 
 String DOMURL::createObjectURL(Blob* blob)
diff --git a/Source/WebCore/html/DOMURL.h b/Source/WebCore/html/DOMURL.h
index 57f3000..dff4dd8 100644
--- a/Source/WebCore/html/DOMURL.h
+++ b/Source/WebCore/html/DOMURL.h
@@ -40,10 +40,14 @@ class ScriptExecutionContext;
 class DOMURL : public RefCounted<DOMURL> {
 public:
     static PassRefPtr<DOMURL> create(ScriptExecutionContext* scriptExecutionContext) { return adoptRef(new DOMURL(scriptExecutionContext)); }
+    ~DOMURL();
 
     String createObjectURL(Blob*);
     void revokeObjectURL(const String&);
-    
+
+    void contextDestroyed();
+    ScriptExecutionContext* scriptExecutionContext() const { return m_scriptExecutionContext; }
+
 private:
     explicit DOMURL(ScriptExecutionContext*);
 

-- 
WebKit Debian packaging

More information about the Pkg-webkit-commits mailing list