Changeset 29362 in webkit
- Timestamp:
- Jan 10, 2008 9:39:03 AM (16 years ago)
- Location:
- trunk
- Files:
-
- 5 edited
- 1 moved
-
JavaScriptCore/ChangeLog (modified) (1 diff)
-
JavaScriptCore/bindings/runtime_method.cpp (modified) (1 diff)
-
JavaScriptCore/bindings/runtime_object.cpp (modified) (6 diffs)
-
LayoutTests/ChangeLog (modified) (1 diff)
-
LayoutTests/fast/replaced/image-map-expected.txt (modified) (1 diff)
-
LayoutTests/fast/replaced/image-map.html (moved) (moved from trunk/LayoutTests/fast/replaced/image-map.html-disabled)
Legend:
- Unmodified
- Added
- Removed
-
trunk/JavaScriptCore/ChangeLog
r29293 r29362 1 2008-01-10 Dan Bernstein <mitz@apple.com> 2 3 Reviewed by Darin Adler. 4 5 - fix http://bugs.webkit.org/show_bug.cgi?id=16782 6 <rdar://problem/5675331> REGRESSION(r29266): Reproducible crash in fast/replaced/image-map.html 7 8 The crash resulted from a native object (DumpRenderTree's 9 EventSender) causing its wrapper to be invalidated (by clicking a 10 link that replaced the document in the window) and consequently 11 deallocated. The fix is to use RefPtrs to protect the native object 12 from deletion by self-invalidation. 13 14 * bindings/runtime_method.cpp: 15 (RuntimeMethod::callAsFunction): 16 * bindings/runtime_object.cpp: 17 (RuntimeObjectImp::fallbackObjectGetter): 18 (RuntimeObjectImp::fieldGetter): 19 (RuntimeObjectImp::methodGetter): 20 (RuntimeObjectImp::put): 21 (RuntimeObjectImp::defaultValue): 22 (RuntimeObjectImp::callAsFunction): 23 1 24 2008-01-07 Mark Rowe <mrowe@apple.com> 2 25 -
trunk/JavaScriptCore/bindings/runtime_method.cpp
r28907 r29362 84 84 return throwError(exec, TypeError); 85 85 86 Instance *instance = imp->getInternalInstance();86 RefPtr<Instance> instance = imp->getInternalInstance(); 87 87 if (!instance) 88 88 return RuntimeObjectImp::throwInvalidAccessError(exec); -
trunk/JavaScriptCore/bindings/runtime_object.cpp
r27413 r29362 58 58 { 59 59 RuntimeObjectImp *thisObj = static_cast<RuntimeObjectImp *>(slot.slotBase()); 60 Bindings::Instance *instance = thisObj->instance.get();61 62 if (!instance) 63 return throwInvalidAccessError(exec); 64 65 instance->begin(); 66 67 Class *aClass = instance->getClass(); 68 JSValue *result = aClass->fallbackObject(exec, instance, propertyName);60 RefPtr<Bindings::Instance> instance = thisObj->instance; 61 62 if (!instance) 63 return throwInvalidAccessError(exec); 64 65 instance->begin(); 66 67 Class *aClass = instance->getClass(); 68 JSValue* result = aClass->fallbackObject(exec, instance.get(), propertyName); 69 69 70 70 instance->end(); … … 76 76 { 77 77 RuntimeObjectImp *thisObj = static_cast<RuntimeObjectImp *>(slot.slotBase()); 78 Bindings::Instance *instance = thisObj->instance.get();79 80 if (!instance) 81 return throwInvalidAccessError(exec); 82 83 instance->begin(); 84 85 Class *aClass = instance->getClass(); 86 Field *aField = aClass->fieldNamed(propertyName, instance);78 RefPtr<Bindings::Instance> instance = thisObj->instance; 79 80 if (!instance) 81 return throwInvalidAccessError(exec); 82 83 instance->begin(); 84 85 Class *aClass = instance->getClass(); 86 Field* aField = aClass->fieldNamed(propertyName, instance.get()); 87 87 JSValue *result = instance->getValueOfField(exec, aField); 88 88 … … 95 95 { 96 96 RuntimeObjectImp *thisObj = static_cast<RuntimeObjectImp *>(slot.slotBase()); 97 Bindings::Instance *instance = thisObj->instance.get();98 99 if (!instance) 100 return throwInvalidAccessError(exec); 101 102 instance->begin(); 103 104 Class *aClass = instance->getClass(); 105 MethodList methodList = aClass->methodsNamed(propertyName, instance );97 RefPtr<Bindings::Instance> instance = thisObj->instance; 98 99 if (!instance) 100 return throwInvalidAccessError(exec); 101 102 instance->begin(); 103 104 Class *aClass = instance->getClass(); 105 MethodList methodList = aClass->methodsNamed(propertyName, instance.get()); 106 106 JSValue *result = new RuntimeMethod(exec, propertyName, methodList); 107 107 … … 162 162 } 163 163 164 RefPtr<Bindings::Instance> protector(instance); 164 165 instance->begin(); 165 166 … … 203 204 JSValue *result; 204 205 206 RefPtr<Bindings::Instance> protector(instance); 205 207 instance->begin(); 206 208 … … 225 227 return throwInvalidAccessError(exec); 226 228 229 RefPtr<Bindings::Instance> protector(instance); 227 230 instance->begin(); 228 231 -
trunk/LayoutTests/ChangeLog
r29351 r29362 1 2008-01-10 Dan Bernstein <mitz@apple.com> 2 3 Reviewed by Darin Adler. 4 5 - re-enable crashing test after fixing http://bugs.webkit.org/show_bug.cgi?id=16782 6 <rdar://problem/5675331> REGRESSION(r29266): Reproducible crash in fast/replaced/image-map.html 7 8 * fast/replaced/image-map-expected.txt: Updated results for the new 9 behavior, which is to replace the document with the success message. 10 * fast/replaced/image-map.html: Copied from LayoutTests/fast/replaced/image-map.html-disabled. 11 * fast/replaced/image-map.html-disabled: Removed. 12 1 13 2008-01-10 Dan Bernstein <mitz@apple.com> 2 14 -
trunk/LayoutTests/fast/replaced/image-map-expected.txt
r21687 r29362 1 2 1 area clicked
Note: See TracChangeset
for help on using the changeset viewer.
