Changeset 128513 in webkit


Timestamp:
Sep 13, 2012 3:19:43 PM (12 years ago)
Author:
abarth@webkit.org
Message:

REGRESSION(r125126): It made fast/events/keyevent-iframe-removed-crash.html assert
https://bugs.webkit.org/show_bug.cgi?id=93654

Reviewed by Eric Seidel.

Source/WebCore:

When wrapping a Document, we need to ensure that the global object for
the wrapper actually exists before trying to create the wrapper. In
other cases in the DOM, we always touch the global object before trying
to wrap a given DOM object. For Document, however,
HTMLFrameElement.contentDocument is a rare way to get at a DOM object
for a global object without first touching the Window object.

Rather than writing custom bindings for
HTMLFrameElement.contentDocument, this patch just makes toJS for
Document ensure that toJS for DOMWindow has been called first. The V8
bindings have some similar code.

Test: fast/dom/content-document-prototype.html

  • bindings/js/JSDocumentCustom.cpp:

(WebCore::toJS):

LayoutTests:

  • fast/dom/content-document-prototype-expected.txt: Added.
  • fast/dom/content-document-prototype.html: Added.
    • Check that HTMLFrameElement.contentDocument ends up with the right prototype chain. This is a tricky case because not only is the prototype chain of the property different from the holder, we never actually touch the DOMWindow in this test case so the prototype chain leads to a global object that doesn't even exist yet!
  • fast/events/keyevent-iframe-removed-crash.html:
    • Add a call to gc() so that this test will ASSERT reliably if we cause a similar problem in the future.
Location:
trunk
Files:
2 added
4 edited

  • trunk/LayoutTests/ChangeLog

    r128510 r128513  
     12012-09-13  Adam Barth  <abarth@webkit.org>
     2
     3        REGRESSION(r125126): It made fast/events/keyevent-iframe-removed-crash.html assert
     4        https://bugs.webkit.org/show_bug.cgi?id=93654
     5
     6        Reviewed by Eric Seidel.
     7
     8        * fast/dom/content-document-prototype-expected.txt: Added.
     9        * fast/dom/content-document-prototype.html: Added.
     10            - Check that HTMLFrameElement.contentDocument ends up with the
     11              right prototype chain. This is a tricky case because not only the
     12              prototype chain of the property different from the holder, we
     13              never actually touch the DOMWindow in this test case so the
     14              prototype chain leads to a global object that doesn't even exist
     15              yet!
     16        * fast/events/keyevent-iframe-removed-crash.html:
     17            - Add a call to gc() so that this test will ASSERT reliabily if we
     18              cause a similar problem in the future.
     19
    1202012-09-13  James Robinson  <jamesr@chromium.org>
    221
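
Review bot: Two wording slips in the new entry: on lines 11-12 the sentence "not only the prototype chain of the property different from the holder" is missing its verb ("not only is the prototype chain ... different"), and line 17 has "reliabily" for "reliably". The same text is used as the commit message, so it is worth fixing in both places.
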
  • trunk/LayoutTests/fast/events/keyevent-iframe-removed-crash.html

    r120792 r128513  
    22<html>
    33<head>
     4<script src="../../resources/gc.js"></script>
    45<script>
    56    function go() {
     
    2425
    2526    function nuke() {
     27        gc();
    2628        eventSender.keyDown("x")
    2729        testRunner.notifyDone();
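
Review bot: The gc() call added at the top of nuke() has no comment in the test itself saying why it is there; the reason (forcing a collection so the assert fires reliably) is only in the ChangeLog. A one-line comment above gc() would keep someone from removing it later as dead code. Note also that gc() now depends on the ../../resources/gc.js include added in the head, so the two additions need to stay together.
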
  • trunk/Source/WebCore/ChangeLog

    r128512 r128513  
     12012-09-13  Adam Barth  <abarth@webkit.org>
     2
     3        REGRESSION(r125126): It made fast/events/keyevent-iframe-removed-crash.html assert
     4        https://bugs.webkit.org/show_bug.cgi?id=93654
     5
     6        Reviewed by Eric Seidel.
     7
     8        When wrapping a Document, we need to ensure that the global object for
     9        the wrapper actually exists before trying to create the wrapper. In
     10        other cases in the DOM, we always touch the global object before trying
     11        to wrap a given DOM object. For Document, however,
     12        HTMLFrameElement.contentDocument is a rare way to get at a DOM object
     13        for a global object without first touching the Window object.
     14
     15        Rather than writing custom bindings for
     16        HTMLFrameElement.contentDocument, this patch just makes toJS for
     17        Document ensure that toJS for DOMWindow has been called first. The V8
     18        bindings have some similar code.
     19
     20        Test: fast/dom/content-document-prototype.html
     21
     22        * bindings/js/JSDocumentCustom.cpp:
     23        (WebCore::toJS):
     24
    1252012-09-13  Anders Carlsson  <andersca@apple.com>
    226
  • trunk/Source/WebCore/bindings/js/JSDocumentCustom.cpp

    r127191 r128513  
    8787        return wrapper;
    8888
     89    if (DOMWindow* domWindow = document->domWindow()) {
     90        globalObject = toJSDOMWindow(toJS(exec, domWindow));
     91        // Creating a wrapper for domWindow might have created a wrapper for document as well.
     92        wrapper = getCachedWrapper(currentWorld(exec), document);
     93        if (wrapper)
     94            return wrapper;
     95    }
     96
    8997    if (document->isHTMLDocument())
    9098        wrapper = CREATE_DOM_WRAPPER(exec, globalObject, HTMLDocument, document);
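
Review bot: On new line 90, the result of toJSDOMWindow(toJS(exec, domWindow)) is assigned to globalObject and then handed to CREATE_DOM_WRAPPER with no check. If that conversion can come back null, for example for a window whose frame is already gone (the scenario keyevent-iframe-removed-crash.html exercises), the wrapper would be created against a null global object; an ASSERT(globalObject), or an explicit null check that keeps the caller's globalObject, would make the assumption visible. It would also help to say in a comment what is expected when document->domWindow() is null, since that path still wraps the document with whatever global object the caller passed in, which is the situation this patch is otherwise trying to rule out.
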