[SCM] WebKit Debian packaging branch, webkit-1.3, updated. upstream/1.3.7-4207-g178b198
inferno at chromium.org
inferno at chromium.org
Sun Feb 20 23:51:37 UTC 2011
The following commit has been merged in the webkit-1.3 branch:
commit 49aa540cf72cfdd5c40e4d2141276a4ad0d5f83c
Author: inferno at chromium.org <inferno at chromium.org@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
Date: Wed Jan 26 00:10:34 2011 +0000
2011-01-25 Cris Neckar <cdn at chromium.org>
Reviewed by Adam Barth.
Test for crash when a window's location changes before creating an object URL.
https://bugs.webkit.org/show_bug.cgi?id=53038
* fast/dom/window-domurl-crash-expected.txt: Added.
* fast/dom/window-domurl-crash.html: Added.
2011-01-25 Cris Neckar <cdn at chromium.org>
Reviewed by Adam Barth.
Add a hashset of DOMURLs to ScriptExecutionContext to track back references.
https://bugs.webkit.org/show_bug.cgi?id=53038
Test: fast/dom/window-domurl-crash.html
* dom/ScriptExecutionContext.cpp:
(WebCore::ScriptExecutionContext::~ScriptExecutionContext):
(WebCore::ScriptExecutionContext::createdDomUrl):
(WebCore::ScriptExecutionContext::destroyedDomUrl):
* dom/ScriptExecutionContext.h:
(WebCore::ScriptExecutionContext::domUrls):
* html/DOMURL.cpp:
(WebCore::DOMURL::DOMURL):
(WebCore::DOMURL::~DOMURL):
(WebCore::DOMURL::contextDestroyed):
* html/DOMURL.h:
(WebCore::DOMURL::scriptExecutionContext):
git-svn-id: http://svn.webkit.org/repository/webkit/trunk@76652 268f45cc-cd09-0410-ab3c-d52691b4dbfc
diff --git a/LayoutTests/ChangeLog b/LayoutTests/ChangeLog
index c8cfe18..7c23672 100644
--- a/LayoutTests/ChangeLog
+++ b/LayoutTests/ChangeLog
@@ -1,3 +1,13 @@
+2011-01-25 Cris Neckar <cdn at chromium.org>
+
+ Reviewed by Adam Barth.
+
+ Test for crash when a window's location changes before creating an object URL.
+ https://bugs.webkit.org/show_bug.cgi?id=53038
+
+ * fast/dom/window-domurl-crash-expected.txt: Added.
+ * fast/dom/window-domurl-crash.html: Added.
+
2011-01-25 James Simonsen <simonjam at chromium.org>
Reviewed by Tony Chang.
diff --git a/LayoutTests/compositing/overflow/get-transform-from-non-box-container-expected.txt b/LayoutTests/fast/dom/window-domurl-crash-expected.txt
similarity index 100%
copy from LayoutTests/compositing/overflow/get-transform-from-non-box-container-expected.txt
copy to LayoutTests/fast/dom/window-domurl-crash-expected.txt
diff --git a/LayoutTests/fast/dom/window-domurl-crash.html b/LayoutTests/fast/dom/window-domurl-crash.html
new file mode 100644
index 0000000..6348632
--- /dev/null
+++ b/LayoutTests/fast/dom/window-domurl-crash.html
@@ -0,0 +1,60 @@
+<html>
+<head>
+<script>
+var blob = (new BlobBuilder).getBlob();
+var url = null;
+var count = 0;
+
+if (!window.gc)
+{
+ window.gc = function()
+ {
+ if (window.GCController)
+ return GCController.collect();
+ for (var i = 0; i < 10000; i++)
+ var s = new String("abc");
+ }
+}
+
+function load()
+{
+ if (window.layoutTestController)
+ {
+ layoutTestController.dumpAsText();
+ layoutTestController.setCanOpenWindows();
+ layoutTestController.setCloseRemainingWindowsWhenComplete(true);
+ layoutTestController.waitUntilDone();
+ }
+ win = window.open();
+ if (win.webkitURL)
+ {
+ url = win.webkitURL;
+ win.location = "nothing";
+ setTimeout(crash, 0);
+ return;
+ }
+ document.body.innerHTML = "PASS";
+ if (window.layoutTestController)
+ layoutTestController.notifyDone();
+}
+
+function crash()
+{
+ gc();
+ url.createObjectURL(blob);
+ if (count++ < 5)
+ {
+ setTimeout(crash, 0);
+ return;
+ }
+ document.body.innerHTML = "PASS";
+ if (window.layoutTestController)
+ layoutTestController.notifyDone();
+}
+</script>
+</head>
+<body onload="load()">
+RUNNING...
+</body>
+</html>
+
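Review bot: Nothing in the test says what sequence it depends on, and outside the test harness the fallback `gc` in the `if (!window.gc)` block only allocates strings, so it may never collect the opened window's context and the page can print PASS without exercising the fixed path. I would add a short comment above `load()` such as `// Keeps win.webkitURL alive, navigates win away so its context is destroyed, then calls createObjectURL on the surviving DOMURL.` It is also worth a comment that the early PASS branch, taken when `win.webkitURL` is missing, means "not applicable" rather than "verified".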
diff --git a/Source/WebCore/ChangeLog b/Source/WebCore/ChangeLog
index f3c1248..a73534e 100644
--- a/Source/WebCore/ChangeLog
+++ b/Source/WebCore/ChangeLog
@@ -1,3 +1,25 @@
+2011-01-25 Cris Neckar <cdn at chromium.org>
+
+ Reviewed by Adam Barth.
+
+ Add a hashset of DOMURLs to ScriptExecutionContext to track back references.
+ https://bugs.webkit.org/show_bug.cgi?id=53038
+
+ Test: fast/dom/window-domurl-crash.html
+
+ * dom/ScriptExecutionContext.cpp:
+ (WebCore::ScriptExecutionContext::~ScriptExecutionContext):
+ (WebCore::ScriptExecutionContext::createdDomUrl):
+ (WebCore::ScriptExecutionContext::destroyedDomUrl):
+ * dom/ScriptExecutionContext.h:
+ (WebCore::ScriptExecutionContext::domUrls):
+ * html/DOMURL.cpp:
+ (WebCore::DOMURL::DOMURL):
+ (WebCore::DOMURL::~DOMURL):
+ (WebCore::DOMURL::contextDestroyed):
+ * html/DOMURL.h:
+ (WebCore::DOMURL::scriptExecutionContext):
+
2011-01-23 Antti Koivisto <antti at apple.com>
Reviewed by Darin Adler.
diff --git a/Source/WebCore/dom/ScriptExecutionContext.cpp b/Source/WebCore/dom/ScriptExecutionContext.cpp
index 8f4ca07..f1ba95c 100644
--- a/Source/WebCore/dom/ScriptExecutionContext.cpp
+++ b/Source/WebCore/dom/ScriptExecutionContext.cpp
@@ -30,6 +30,7 @@
#include "ActiveDOMObject.h"
#include "Blob.h"
#include "BlobURL.h"
+#include "DOMURL.h"
#include "Database.h"
#include "DatabaseTask.h"
#include "DatabaseThread.h"
@@ -120,6 +121,12 @@ ScriptExecutionContext::~ScriptExecutionContext()
HashSet<String>::iterator publicBlobURLsEnd = m_publicBlobURLs.end();
for (HashSet<String>::iterator iter = m_publicBlobURLs.begin(); iter != publicBlobURLsEnd; ++iter)
ThreadableBlobRegistry::unregisterBlobURL(KURL(ParsedURLString, *iter));
+
+ HashSet<DOMURL*>::iterator domUrlsEnd = m_domUrls.end();
+ for (HashSet<DOMURL*>::iterator iter = m_domUrls.begin(); iter != domUrlsEnd; ++iter) {
+ ASSERT((*iter)->scriptExecutionContext() == this);
+ (*iter)->contextDestroyed();
+ }
#endif
}
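Review bot: The new loop over `m_domUrls` is only safe while `DOMURL::contextDestroyed()` never calls back into `destroyedDomUrl()`, because removing an entry during iteration would invalidate `iter`; that invariant is not written down in the hunk. I would add a comment above the loop, for example `// contextDestroyed() only clears the DOMURL's back pointer and must not modify m_domUrls.` Note also that the `ASSERT` on the owning context is compiled out of release builds, so it documents the expectation but does not enforce it. The destructor starts outside this hunk.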
@@ -194,6 +201,20 @@ void ScriptExecutionContext::destroyedMessagePort(MessagePort* port)
m_messagePorts.remove(port);
}
+#if ENABLE(BLOB)
+void ScriptExecutionContext::createdDomUrl(DOMURL* url)
+{
+ ASSERT(url);
+ m_domUrls.add(url);
+}
+
+void ScriptExecutionContext::destroyedDomUrl(DOMURL* url)
+{
+ ASSERT(url);
+ m_domUrls.remove(url);
+}
+#endif
+
bool ScriptExecutionContext::canSuspendActiveDOMObjects()
{
// No protection against m_activeDOMObjects changing during iteration: canSuspend() shouldn't execute arbitrary JS.
diff --git a/Source/WebCore/dom/ScriptExecutionContext.h b/Source/WebCore/dom/ScriptExecutionContext.h
index b57b75a..103561a 100644
--- a/Source/WebCore/dom/ScriptExecutionContext.h
+++ b/Source/WebCore/dom/ScriptExecutionContext.h
@@ -60,6 +60,7 @@ namespace WebCore {
class FileThread;
#endif
class MessagePort;
+ class DOMURL;
class SecurityOrigin;
class ScriptCallStack;
@@ -112,6 +113,11 @@ namespace WebCore {
void destroyedMessagePort(MessagePort*);
const HashSet<MessagePort*>& messagePorts() const { return m_messagePorts; }
+#if ENABLE(BLOB)
+ void createdDomUrl(DOMURL*);
+ void destroyedDomUrl(DOMURL*);
+ const HashSet<DOMURL*>& domUrls() const { return m_domUrls; }
+#endif
void ref() { refScriptExecutionContext(); }
void deref() { derefScriptExecutionContext(); }
@@ -171,6 +177,7 @@ namespace WebCore {
#if ENABLE(BLOB)
HashSet<String> m_publicBlobURLs;
+ HashSet<DOMURL*> m_domUrls;
#endif
virtual void refScriptExecutionContext() = 0;
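Review bot: `HashSet<DOMURL*> m_domUrls;` stores raw, non-owning pointers, and nothing at the declaration states the lifetime rule that keeps them valid. A one-line comment would help the next maintainer, for example `// Non-owning back references; each DOMURL removes itself in ~DOMURL via destroyedDomUrl().` The class body continues outside this hunk.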
diff --git a/Source/WebCore/html/DOMURL.cpp b/Source/WebCore/html/DOMURL.cpp
index 87f9f45..c734f61 100644
--- a/Source/WebCore/html/DOMURL.cpp
+++ b/Source/WebCore/html/DOMURL.cpp
@@ -37,6 +37,19 @@ namespace WebCore {
DOMURL::DOMURL(ScriptExecutionContext* scriptExecutionContext)
: m_scriptExecutionContext(scriptExecutionContext)
{
+ m_scriptExecutionContext->createdDomUrl(this);
+}
+
+DOMURL::~DOMURL()
+{
+ if (m_scriptExecutionContext)
+ m_scriptExecutionContext->destroyedDomUrl(this);
+}
+
+void DOMURL::contextDestroyed()
+{
+ ASSERT(m_scriptExecutionContext);
+ m_scriptExecutionContext = 0;
}
String DOMURL::createObjectURL(Blob* blob)
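Review bot: After `contextDestroyed()` runs, `m_scriptExecutionContext` is null on a DOMURL that script can still hold, so every member that dereferences it has to handle that state. The bodies of `createObjectURL` and `revokeObjectURL` lie outside this hunk, so please confirm that each starts with a guard such as `if (!m_scriptExecutionContext) return String();`. Without one, the stale-pointer crash would presumably become a null dereference. The constructor also calls `m_scriptExecutionContext->createdDomUrl(this);` unconditionally while the destructor null-checks, so an `ASSERT(m_scriptExecutionContext);` before that call would make the non-null precondition explicit.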
diff --git a/Source/WebCore/html/DOMURL.h b/Source/WebCore/html/DOMURL.h
index 57f3000..dff4dd8 100644
--- a/Source/WebCore/html/DOMURL.h
+++ b/Source/WebCore/html/DOMURL.h
@@ -40,10 +40,14 @@ class ScriptExecutionContext;
class DOMURL : public RefCounted<DOMURL> {
public:
static PassRefPtr<DOMURL> create(ScriptExecutionContext* scriptExecutionContext) { return adoptRef(new DOMURL(scriptExecutionContext)); }
+ ~DOMURL();
String createObjectURL(Blob*);
void revokeObjectURL(const String&);
-
+
+ void contextDestroyed();
+ ScriptExecutionContext* scriptExecutionContext() const { return m_scriptExecutionContext; }
+
private:
explicit DOMURL(ScriptExecutionContext*);
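Review bot: `contextDestroyed()` is declared public, yet it is only correct when called from `~ScriptExecutionContext`. If anything else calls it, the back pointer is cleared, `~DOMURL` then skips `destroyedDomUrl(this)`, and the context's `m_domUrls` is left holding a pointer to a freed DOMURL. I would narrow the surface by moving the declaration under `private:` and adding `friend class ScriptExecutionContext;`. At minimum, document it with `// Called only by ~ScriptExecutionContext; clears the back pointer without unregistering.` The class body continues past the end of this hunk.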
--
WebKit Debian packaging