Changeset 137964 in webkit

Timestamp:

Dec 17, 2012 5:43:21 PM (11 years ago)

Author:

commit-queue@webkit.org

Message:

Regression causing DOM objects to have unstable NPObject* references with v8 bindings
​https://bugs.webkit.org/show_bug.cgi?id=104921

Source/WebCore:

Patch by Matthew Dempsky <​mdempsky@google.com> on 2012-12-17
Reviewed by Kentaro Hara.

Fix regression introduced by changeset 135804 resulting in
unstable NPObject* references for v8 objects. In the iter !=
v8NPObjectMap->end() code path, objectVector was left unassigned
if the for loop terminated without returning.

Also, V8Object::GetIdentityHash() is documented as not being guaranteed
as unique. As such, don't ASSERT() that two objects with the same hash
must therefor be the same object.

Tests: plugins/npruntime/embed-property-iframe-equality.html

• bindings/v8/NPV8Object.cpp:

(WebCore::npCreateV8ScriptObject): Fix.

LayoutTests:

Patch by Mathew Dempsky <​mdempsky@google.com> on 2012-12-17
Reviewed by Kentaro Hara.

Add variant of embed-property-equality test to verify that the
test still passes when the object being tested for equality
has already been remembered by a plugin from a different
JavaScript context.

• plugins/npruntime/embed-property-iframe-equality.html: Added.
• plugins/npruntime/embed-property-iframe-equality-expected.txt: Added.

Location:

trunk

Files:

• LayoutTests/ChangeLog (modified) (1 diff)
• LayoutTests/plugins/npruntime/embed-property-iframe-equality-expected.txt (added)
• LayoutTests/plugins/npruntime/embed-property-iframe-equality.html (added)
• Source/WebCore/ChangeLog (modified) (1 diff)
• Source/WebCore/bindings/v8/NPV8Object.cpp (modified) (2 diffs)

trunk/LayoutTests/ChangeLog

@@ +1 @@
+2012-12-17  Mathew Dempsky  <mdempsky@google.com>
+
+        Regression causing DOM objects to have unstable NPObject* references with v8 bindings
+        https://bugs.webkit.org/show_bug.cgi?id=104921
+
+        Reviewed by Kentaro Hara.
+
+        Add variant of embed-property-equality test to verify that the
+        test still passes when the object being tested for equality
+        has already been remembered by a plugin from a different
+        JavaScript context.
+
+        * plugins/npruntime/embed-property-iframe-equality.html: Added.
+        * plugins/npruntime/embed-property-iframe-equality-expected.txt: Added.
+
 2012-12-17  Filip Pizlo  <fpizlo@apple.com>
 

trunk/Source/WebCore/ChangeLog

@@ +1 @@
+2012-12-17  Matthew Dempsky  <mdempsky@google.com>
+
+        Regression causing DOM objects to have unstable NPObject* references with v8 bindings
+        https://bugs.webkit.org/show_bug.cgi?id=104921
+
+        Reviewed by Kentaro Hara.
+
+        Fix regression introduced by changeset 135804 resulting in
+        unstable NPObject* references for v8 objects.  In the iter !=
+        v8NPObjectMap->end() code path, objectVector was left unassigned
+        if the for loop terminated without returning.
+
+        Also, V8Object::GetIdentityHash() is documented as not being guaranteed
+        as unique.  As such, don't ASSERT() that two objects with the same hash
+        must therefor be the same object.
+
+        Tests: plugins/npruntime/embed-property-iframe-equality.html
+
+        * bindings/v8/NPV8Object.cpp:
+        (WebCore::npCreateV8ScriptObject): Fix.
+
 2012-12-17  Chris Fleizach  <cfleizach@apple.com>
 

trunk/Source/WebCore/bindings/v8/NPV8Object.cpp

@@ -156 +156 @@
             for (size_t index = 0; index < objects.size(); ++index) {
                 V8NPObject* v8npObject = objects.at(index);
-                if (v8npObject->rootObject == root) {
-                    ASSERT(v8npObject->v8Object == object);
+                if (v8npObject->v8Object == object && v8npObject->rootObject == root) {
                     _NPN_RetainObject(&v8npObject->object);
                     return reinterpret_cast<NPObject*>(v8npObject);
@@ -164 +163 @@
         } else {
             iter = v8NPObjectMap->set(v8ObjectHash, V8NPObjectVector()).iterator;
-            objectVector = &iter->value;
         }
+        objectVector = &iter->value;
     }
     V8NPObject* v8npObject = reinterpret_cast<V8NPObject*>(_NPN_CreateObject(npp, &V8NPObjectClass));