Changeset 95667 in webkit

Timestamp:

Sep 21, 2011 1:13:57 PM (13 years ago)

Author:

commit-queue@webkit.org

Message:

[Chromium] Protect the Frame in V8HTMLDocument::openCallback
​https://bugs.webkit.org/show_bug.cgi?id=68555

Patch by Sergey Glazunov <​serg.glazunov@gmail.com> on 2011-09-21
Reviewed by Nate Chapin.

Source/WebCore:

Test: fast/dom/frame-deleted-in-document-open.html

• bindings/v8/custom/V8HTMLDocumentCustom.cpp:

(WebCore::V8HTMLDocument::openCallback):

LayoutTests:

• fast/dom/frame-deleted-in-document-open-expected.txt: Added.
• fast/dom/frame-deleted-in-document-open.html: Added.

Location:

trunk

Files:

• LayoutTests/ChangeLog (modified) (1 diff)
• LayoutTests/fast/dom/frame-deleted-in-document-open-expected.txt (added)
• LayoutTests/fast/dom/frame-deleted-in-document-open.html (added)
• Source/WebCore/ChangeLog (modified) (1 diff)
• Source/WebCore/bindings/v8/custom/V8HTMLDocumentCustom.cpp (modified) (2 diffs)

trunk/LayoutTests/ChangeLog

@@ +1 @@
+2011-09-21  Sergey Glazunov  <serg.glazunov@gmail.com>
+
+        [Chromium] Protect the Frame in V8HTMLDocument::openCallback
+        https://bugs.webkit.org/show_bug.cgi?id=68555
+
+        Reviewed by Nate Chapin.
+
+        * fast/dom/frame-deleted-in-document-open-expected.txt: Added.
+        * fast/dom/frame-deleted-in-document-open.html: Added.
+
 2011-09-21  Adam Klein  <adamk@chromium.org>
 

trunk/Source/WebCore/ChangeLog

@@ +1 @@
+2011-09-21  Sergey Glazunov  <serg.glazunov@gmail.com>
+
+        [Chromium] Protect the Frame in V8HTMLDocument::openCallback
+        https://bugs.webkit.org/show_bug.cgi?id=68555
+
+        Reviewed by Nate Chapin.
+
+        Test: fast/dom/frame-deleted-in-document-open.html
+
+        * bindings/v8/custom/V8HTMLDocumentCustom.cpp:
+        (WebCore::V8HTMLDocument::openCallback):
+
 2011-09-21  Adam Klein  <adamk@chromium.org>
 

trunk/Source/WebCore/bindings/v8/custom/V8HTMLDocumentCustom.cpp

@@ -133 +133 @@
 
     if (args.Length() > 2) {
-        if (Frame* frame = htmlDocument->frame()) {
+        if (RefPtr<Frame> frame = htmlDocument->frame()) {
             // Fetch the global object for the frame.
-            v8::Local<v8::Context> context = V8Proxy::context(frame);
+            v8::Local<v8::Context> context = V8Proxy::context(frame.get());
             // Bail out if we cannot get the context.
             if (context.IsEmpty())
@@ -152 +152 @@
                 params[i] = args[i];
 
-            V8Proxy* proxy = V8Proxy::retrieve(frame);
-            ASSERT(proxy);
+            V8Proxy* proxy = V8Proxy::retrieve(frame.get());
+            if (!proxy)
+                return v8::Undefined();
 
             v8::Local<v8::Value> result = proxy->callFunction(v8::Local<v8::Function>::Cast(function), global, args.Length(), params);