Changeset 19023 in webkit

Timestamp:

Jan 21, 2007 7:45:40 PM (17 years ago)

Author:

bdash

Message:

2007-01-21 Mark Rowe <​mrowe@apple.com>

Reviewed by Maciej.

​http://bugs.webkit.org/show_bug.cgi?id=12357
Bug 12357: Reproducible crash in WebCore::Settings::isJavaScriptEnabled in svg/custom/js-update-bounce.svg under guard-malloc

• page/Frame.cpp: (WebCore::Frame::~Frame): Access the global object directly rather than via Window::retrieveWindow to prevent our reference to a deleted settings object being used.

Location:

trunk/WebCore

Files:

• ChangeLog (modified) (1 diff)
• page/Frame.cpp (modified) (1 diff)

trunk/WebCore/ChangeLog

@@ +1 @@
+2007-01-21  Mark Rowe  <mrowe@apple.com>
+
+        Reviewed by Maciej.
+
+        http://bugs.webkit.org/show_bug.cgi?id=12357
+        Bug 12357: Reproducible crash in WebCore::Settings::isJavaScriptEnabled in svg/custom/js-update-bounce.svg under guard-malloc
+
+        * page/Frame.cpp:
+        (WebCore::Frame::~Frame): Access the global object directly rather than via Window::retrieveWindow to prevent our reference to
+        a deleted settings object being used.
+
 2007-01-21  Darin Adler  <darin@apple.com>
 

trunk/WebCore/page/Frame.cpp

@@ -201 +201 @@
 
     if (d->m_jscript && d->m_jscript->haveInterpreter())
-        if (Window* w = Window::retrieveWindow(this)) {
+        if (Window* w = static_cast<Window*>(d->m_jscript->interpreter()->globalObject()->getObject())) {
             w->disconnectFrame();
             // Must clear the window pointer, otherwise we will not