Changeset 24241 in webkit

Timestamp:

Jul 12, 2007 9:34:14 AM (17 years ago)

Author:

weinig

Message:

LayoutTests:

Reviewed by Maciej.

Test for <rdar://problem/5329841>
Calling window.closed on a closed window causes Safari to crash

• fast/dom/Window/window-closed-crash-expected.txt: Added.
• fast/dom/Window/window-closed-crash.html: Added.

WebCore:

Reviewed by Maciej.

Patch for <rdar://problem/5329841>
Calling window.closed on a closed window causes Safari to crash

• Replaces the Frame member variable in KJS::Window for more appropriate DOMWindow
• Adds additional new null checks as necessary
• Removes bogus toBoolean method
• Removes unused scheduleClose method

Test: fast/dom/Window/window-closed-crash.html

• bindings/js/JSCustomXPathNSResolver.cpp: (WebCore::JSCustomXPathNSResolver::create):
• bindings/js/JSDOMWindowCustom.cpp: (WebCore::JSDOMWindow::customGetOwnPropertySlot): (WebCore::JSDOMWindow::customPut):
• bindings/js/JSXMLHttpRequest.cpp: (KJS::JSXMLHttpRequestPrototypeFunction::callAsFunction):
• bindings/js/kjs_events.cpp: (WebCore::JSAbstractEventListener::handleEvent): (WebCore::JSLazyEventListener::parseCode):
• bindings/js/kjs_window.cpp: (KJS::Window::Window): (KJS::Window::impl): (KJS::Window::interpreter): (KJS::Window::location): (KJS::Window::find): (KJS::allowPopUp): (KJS::createWindow): (KJS::canShowModalDialog): (KJS::canShowModalDialogNow): (KJS::showModalDialog): (KJS::Window::getValueProperty): (KJS::Window::childFrameGetter): (KJS::Window::indexGetter): (KJS::Window::namedItemGetter): (KJS::Window::getOwnPropertySlot): (KJS::Window::put): (KJS::Window::isSafeScript): (KJS::Window::setListener): (KJS::Window::getListener): (KJS::Window::clear): (KJS::WindowFunc::callAsFunction): (KJS::Window::updateLayout): (KJS::ScheduledAction::execute): (KJS::Window::disconnectFrame): (KJS::Location::put): (KJS::LocationFunc::callAsFunction):
• bindings/js/kjs_window.h:
• page/mac/WebCoreFrameBridge.mm: (updateRenderingForBindings):

Location:

trunk

Files:

• LayoutTests/ChangeLog (modified) (1 diff)
• LayoutTests/fast/dom/Window/window-closed-crash-expected.txt (added)
• LayoutTests/fast/dom/Window/window-closed-crash.html (added)
• WebCore/ChangeLog (modified) (1 diff)
• WebCore/bindings/js/JSCustomXPathNSResolver.cpp (modified) (2 diffs)
• WebCore/bindings/js/JSDOMWindowCustom.cpp (modified) (3 diffs)
• WebCore/bindings/js/JSXMLHttpRequest.cpp (modified) (2 diffs)
• WebCore/bindings/js/kjs_events.cpp (modified) (3 diffs)
• WebCore/bindings/js/kjs_window.cpp (modified) (39 diffs)
• WebCore/bindings/js/kjs_window.h (modified) (3 diffs)
• WebCore/page/mac/WebCoreFrameBridge.mm (modified) (2 diffs)

trunk/LayoutTests/ChangeLog

@@ +1 @@
+2007-07-11  Sam Weinig  <sam@webkit.org>
+
+        Reviewed by Maciej.
+
+        Test for <rdar://problem/5329841>
+        Calling window.closed on a closed window causes Safari to crash
+
+        * fast/dom/Window/window-closed-crash-expected.txt: Added.
+        * fast/dom/Window/window-closed-crash.html: Added.
+
 2007-07-12  Mitz Pettel  <mitz@webkit.org>
 

trunk/WebCore/ChangeLog

@@ +1 @@
+2007-07-11  Sam Weinig  <sam@webkit.org>
+
+        Reviewed by Maciej.
+
+        Patch for <rdar://problem/5329841>
+        Calling window.closed on a closed window causes Safari to crash
+
+        - Replaces the Frame member variable in KJS::Window for more appropriate DOMWindow
+        - Adds additional new null checks as necessary
+        - Removes bogus toBoolean method
+        - Removes unused scheduleClose method
+
+        Test: fast/dom/Window/window-closed-crash.html
+
+        * bindings/js/JSCustomXPathNSResolver.cpp:
+        (WebCore::JSCustomXPathNSResolver::create):
+        * bindings/js/JSDOMWindowCustom.cpp:
+        (WebCore::JSDOMWindow::customGetOwnPropertySlot):
+        (WebCore::JSDOMWindow::customPut):
+        * bindings/js/JSXMLHttpRequest.cpp:
+        (KJS::JSXMLHttpRequestPrototypeFunction::callAsFunction):
+        * bindings/js/kjs_events.cpp:
+        (WebCore::JSAbstractEventListener::handleEvent):
+        (WebCore::JSLazyEventListener::parseCode):
+        * bindings/js/kjs_window.cpp:
+        (KJS::Window::Window):
+        (KJS::Window::impl):
+        (KJS::Window::interpreter):
+        (KJS::Window::location):
+        (KJS::Window::find):
+        (KJS::allowPopUp):
+        (KJS::createWindow):
+        (KJS::canShowModalDialog):
+        (KJS::canShowModalDialogNow):
+        (KJS::showModalDialog):
+        (KJS::Window::getValueProperty):
+        (KJS::Window::childFrameGetter):
+        (KJS::Window::indexGetter):
+        (KJS::Window::namedItemGetter):
+        (KJS::Window::getOwnPropertySlot):
+        (KJS::Window::put):
+        (KJS::Window::isSafeScript):
+        (KJS::Window::setListener):
+        (KJS::Window::getListener):
+        (KJS::Window::clear):
+        (KJS::WindowFunc::callAsFunction):
+        (KJS::Window::updateLayout):
+        (KJS::ScheduledAction::execute):
+        (KJS::Window::disconnectFrame):
+        (KJS::Location::put):
+        (KJS::LocationFunc::callAsFunction):
+        * bindings/js/kjs_window.h:
+        * page/mac/WebCoreFrameBridge.mm:
+        (updateRenderingForBindings):
+
 2007-07-12  Mark Rowe  <mrowe@apple.com>
 

trunk/WebCore/bindings/js/JSCustomXPathNSResolver.cpp

@@ -30 +30 @@
 
 #include "CString.h"
+#include "DOMWindow.h"
 #include "Document.h"
 #include "ExceptionCode.h"
@@ -54 +55 @@
     }
     
-    return new JSCustomXPathNSResolver(resolverObject, KJS::Window::retrieveActive(exec)->frame());
+    return new JSCustomXPathNSResolver(resolverObject, KJS::Window::retrieveActive(exec)->impl()->frame());
 }
 

trunk/WebCore/bindings/js/JSDOMWindowCustom.cpp

@@ -22 +22 @@
 
 #include "kjs_window.h"
+#include "DOMWindow.h"
 
 namespace WebCore {
@@ -28 +29 @@
 {
     // we don't want any properties other than "closed" on a closed window
-    if (!frame()) {
+    if (!impl()->frame()) {
         if (propertyName == "closed") {
             const KJS::HashEntry* entry = KJS::Lookup::findEntry(classInfo()->propHashTable, propertyName);
@@ -92 +93 @@
 bool JSDOMWindow::customPut(KJS::ExecState* exec, const KJS::Identifier& propertyName, KJS::JSValue* value, int attr)
 {
-    if (!frame())
+    if (!impl()->frame())
         return true;
 

trunk/WebCore/bindings/js/JSXMLHttpRequest.cpp

@@ -22 +22 @@
 #include "JSXMLHttpRequest.h"
 
+#include "DOMWindow.h"
 #include "Event.h"
 #include "Frame.h"
@@ -219 +220 @@
 
             String method = args[0]->toString(exec);
-            KURL url = Window::retrieveActive(exec)->frame()->loader()->completeURL(DeprecatedString(args[1]->toString(exec)));
+            Frame* frame = Window::retrieveActive(exec)->impl()->frame();
+            if (!frame)
+                return jsUndefined();
+            KURL url = frame->loader()->completeURL(DeprecatedString(args[1]->toString(exec)));
 
             bool async = true;

trunk/WebCore/bindings/js/kjs_events.cpp

@@ -26 +26 @@
 #include "Clipboard.h"
 #include "ClipboardEvent.h"
+#include "DOMWindow.h"
 #include "Document.h"
 #include "Event.h"
@@ -71 +72 @@
     if (!window)
         return;
-    Frame *frame = window->frame();
+    Frame *frame = window->impl()->frame();
     if (!frame)
         return;
@@ -291 +292 @@
     m_parsed = true;
 
-    Frame* frame = windowObj()->frame();
+    Frame* frame = windowObj()->impl()->frame();
     KJSProxy* proxy = 0;
     if (frame)

trunk/WebCore/bindings/js/kjs_window.cpp

@@ -223 +223 @@
 
 Window::Window(DOMWindow* window)
-  : m_frame(window->frame())
+  : m_impl(window)
   , d(new WindowPrivate)
 {
@@ -255 +255 @@
 DOMWindow* Window::impl() const
 {
-     return m_frame->domWindow();
-}
-
-ScriptInterpreter *Window::interpreter() const
-{
-    return m_frame->scriptProxy()->interpreter();
+     return m_impl.get();
+}
+
+ScriptInterpreter* Window::interpreter() const
+{
+    Frame* frame = impl()->frame();
+    if (!frame)
+        return 0;
+
+    return frame->scriptProxy()->interpreter();
 }
 
@@ -290 +294 @@
 {
   if (!d->loc)
-    d->loc = new Location(m_frame);
+    d->loc = new Location(impl()->frame());
   return d->loc;
 }
@@ -297 +301 @@
 {
     // FIXME (13016): Support wholeWord, searchInFrames and showDialog
-    return m_frame->findString(string, !backwards, caseSensitive, wrap, false);
+    Frame* frame = impl()->frame();
+    if (!frame)
+        return false;
+
+    return frame->findString(string, !backwards, caseSensitive, wrap, false);
 }
 
@@ -310 +318 @@
 static bool allowPopUp(ExecState *exec, Window *window)
 {
-    if (!window->frame())
+    Frame* frame = window->impl()->frame();
+    if (!frame)
         return false;
     if (static_cast<ScriptInterpreter*>(exec->dynamicInterpreter())->wasRunByUserGesture())
         return true;
-    Settings* settings = window->frame()->settings();
+    Settings* settings = frame->settings();
     return settings && settings->JavaScriptCanOpenWindowsAutomatically();
 }
@@ -379 +388 @@
     const String& frameName, const WindowFeatures& windowFeatures, JSValue* dialogArgs)
 {
-    Frame* activeFrame = Window::retrieveActive(exec)->frame();
+    Frame* activeFrame = Window::retrieveActive(exec)->impl()->frame();
     
     ResourceRequest request;
@@ -425 +434 @@
 static bool canShowModalDialog(const Window *window)
 {
-    if (Frame* frame = window->frame())
-        return frame->page()->chrome()->canRunModal();
-    return false;
+    Frame* frame = window->impl()->frame();
+    if (!frame)
+        return false;
+
+    return frame->page()->chrome()->canRunModal();
 }
 
 static bool canShowModalDialogNow(const Window *window)
 {
-    if (Frame* frame = window->frame())
-        return frame->page()->chrome()->canRunModalNow();
-    return false;
+    Frame* frame = window->impl()->frame();
+    if (!frame)
+        return false;
+
+    return frame->page()->chrome()->canRunModalNow();
 }
 
@@ -455 +468 @@
     // - help: boolFeature(features, "help", true), makes help icon appear in dialog (what does it do on Windows?)
     // - unadorned: trusted && boolFeature(features, "unadorned");
-
-    FloatRect screenRect = screenAvailableRect(openerWindow->frame()->view());
+    Frame* frame = openerWindow->impl()->frame();
+    if (!frame)
+        return jsUndefined();
+
+    FloatRect screenRect = screenAvailableRect(frame->view());
 
     wargs.width = floatFeature(features, "dialogwidth", 100, screenRect.width(), 620); // default here came from frame size of dialog in MacIE
@@ -488 +504 @@
     wargs.fullscreen = false;
     
-    Frame* dialogFrame = createWindow(exec, openerWindow->frame(), valueToStringWithUndefinedOrNullCheck(exec, args[0]), "", wargs, args[1]);
+    Frame* dialogFrame = createWindow(exec, frame, valueToStringWithUndefinedOrNullCheck(exec, args[0]), "", wargs, args[1]);
     if (!dialogFrame)
         return jsUndefined();
@@ -512 +528 @@
 JSValue *Window::getValueProperty(ExecState *exec, int token) const
 {
-   ASSERT(m_frame);
+   ASSERT(impl()->frame());
 
    switch (token) {
@@ -524 +540 @@
       return getDOMExceptionConstructor(exec);
     case Frames:
-      return retrieve(m_frame);
+      return retrieve(impl()->frame());
     case Event_:
       if (!isSafeScript(exec))
@@ -538 +554 @@
         return jsUndefined();
       // Store the navigator in the object so we get the same one each time.
-      Navigator *n = new Navigator(exec, m_frame);
+      Navigator *n = new Navigator(exec, impl()->frame());
       // FIXME: this will make the "navigator" object accessible from windows that fail
       // the security check the first time, but not subsequent times, seems weird.
@@ -546 +562 @@
     }
     case Opener:
-      if (m_frame->loader()->opener())
-        return retrieve(m_frame->loader()->opener());
+      if (impl()->frame()->loader()->opener())
+        return retrieve(impl()->frame()->loader()->opener());
       return jsNull();
     case Parent:
-      return retrieve(m_frame->tree()->parent() ? m_frame->tree()->parent() : m_frame);
+      return retrieve(impl()->frame()->tree()->parent() ? impl()->frame()->tree()->parent() : impl()->frame());
     case Self:
     case Window_:
-      return retrieve(m_frame);
+      return retrieve(impl()->frame());
     case Top:
-      return retrieve(m_frame->page()->mainFrame());
+      return retrieve(impl()->frame()->page()->mainFrame());
     case Image:
       if (!isSafeScript(exec))
@@ -561 +577 @@
       // FIXME: this property (and the few below) probably shouldn't create a new object every
       // time
-      return new ImageConstructorImp(exec, m_frame->document());
+      return new ImageConstructorImp(exec, impl()->frame()->document());
     case Option:
       if (!isSafeScript(exec))
         return jsUndefined();
-      return new JSHTMLOptionElementConstructor(exec, m_frame->document());
+      return new JSHTMLOptionElementConstructor(exec, impl()->frame()->document());
     case XMLHttpRequest:
       if (!isSafeScript(exec))
         return jsUndefined();
-      return new JSXMLHttpRequestConstructorImp(exec, m_frame->document());
+      return new JSXMLHttpRequestConstructorImp(exec, impl()->frame()->document());
 #if ENABLE(XSLT)
     case XSLTProcessor_:
@@ -582 +598 @@
       if (!isSafeScript(exec))
         return jsUndefined();
-      if (Document* doc = m_frame->document())
+      if (Document* doc = impl()->frame()->document())
         if (Element* fe = doc->ownerElement())
           if (checkNodeSecurity(exec, fe))
@@ -650 +666 @@
 JSValue* Window::childFrameGetter(ExecState*, JSObject*, const Identifier& propertyName, const PropertySlot& slot)
 {
-    return retrieve(static_cast<Window*>(slot.slotBase())->m_frame->tree()->child(AtomicString(propertyName)));
+    return retrieve(static_cast<Window*>(slot.slotBase())->impl()->frame()->tree()->child(AtomicString(propertyName)));
 }
 
 JSValue* Window::indexGetter(ExecState*, JSObject*, const Identifier&, const PropertySlot& slot)
 {
-    return retrieve(static_cast<Window*>(slot.slotBase())->m_frame->tree()->child(slot.index()));
+    return retrieve(static_cast<Window*>(slot.slotBase())->impl()->frame()->tree()->child(slot.index()));
 }
 
@@ -661 +677 @@
 {
   Window *thisObj = static_cast<Window *>(slot.slotBase());
-  Document *doc = thisObj->m_frame->document();
+  Document *doc = thisObj->impl()->frame()->document();
   ASSERT(thisObj->isSafeScript(exec) && doc && doc->isHTMLDocument());
 
@@ -678 +694 @@
   // are in Moz but not IE. Since we have some of these, we have to do
   // it the Moz way.
-  if (frame()->tree()->child(propertyName)) {
+  if (impl()->frame()->tree()->child(propertyName)) {
     slot.setCustom(this, childFrameGetter);
     return true;
@@ -708 +724 @@
   bool ok;
   unsigned i = propertyName.toArrayIndex(&ok);
-  if (ok && i < m_frame->tree()->childCount()) {
+  if (ok && i < impl()->frame()->tree()->childCount()) {
     slot.setCustomIndex(this, i, indexGetter);
     return true;
@@ -714 +730 @@
 
   // allow shortcuts like 'Image1' instead of document.images.Image1
-  Document *doc = m_frame->document();
+  Document *doc = impl()->frame()->document();
   if (isSafeScript(exec) && doc && doc->isHTMLDocument()) {
     AtomicString atomicPropertyName = propertyName;
@@ -741 +757 @@
     switch (entry->value) {
     case Location_: {
-      Frame* p = Window::retrieveActive(exec)->m_frame;
+      Frame* p = Window::retrieveActive(exec)->impl()->frame();
       if (p) {
         DeprecatedString dstUrl = p->loader()->completeURL(DeprecatedString(value->toString(exec))).url();
@@ -747 +763 @@
           bool userGesture = static_cast<ScriptInterpreter *>(exec->dynamicInterpreter())->wasRunByUserGesture();
           // We want a new history item if this JS was called via a user gesture
-          m_frame->loader()->scheduleLocationChange(dstUrl, p->loader()->outgoingReferrer(), !userGesture, userGesture);
+          impl()->frame()->loader()->scheduleLocationChange(dstUrl, p->loader()->outgoingReferrer(), !userGesture, userGesture);
         }
       }
@@ -858 +874 @@
   if (isSafeScript(exec))
     JSObject::put(exec, propertyName, value, attr);
-}
-
-bool Window::toBoolean(ExecState *) const
-{
-  return m_frame;
-}
-
-void Window::scheduleClose()
-{
-  m_frame->scheduleClose();
 }
 
@@ -932 +938 @@
 bool Window::isSafeScript(ExecState *exec) const
 {
-  if (!m_frame) // frame deleted ? can't grant access
+  Frame* frame = impl()->frame();
+  if (!frame) // frame deleted ? can't grant access
     return false;
   Frame* activeFrame = static_cast<ScriptInterpreter*>(exec->dynamicInterpreter())->frame();
   if (!activeFrame)
     return false;
-  if (activeFrame == m_frame) // Not calling from another frame, no problem.
+  if (activeFrame == frame) // Not calling from another frame, no problem.
     return true;
 
@@ -943 +950 @@
   // even if the document hasn't been constructed yet.  If the document doesn't
   // exist yet allow JS to access the window object.
-  if (!m_frame->document())
+  if (!frame->document())
       return true;
 
-  WebCore::Document* thisDocument = m_frame->document();
+  WebCore::Document* thisDocument = frame->document();
   WebCore::Document* actDocument = activeFrame->document();
 
@@ -966 +973 @@
   // or opener, allow access from any document in the same domain as
   // the parent or opener.
-  if (shouldLoadAsEmptyDocument(m_frame->loader()->url())) {
-    Frame* ancestorFrame = m_frame->loader()->opener()
-        ? m_frame->loader()->opener() : m_frame->tree()->parent();
+  if (shouldLoadAsEmptyDocument(frame->loader()->url())) {
+    Frame* ancestorFrame = impl()->frame()->loader()->opener()
+        ? frame->loader()->opener() : frame->tree()->parent();
     while (ancestorFrame && shouldLoadAsEmptyDocument(ancestorFrame->loader()->url()))
       ancestorFrame = ancestorFrame->tree()->parent();
@@ -985 +992 @@
   String message = String::format("Unsafe JavaScript attempt to access frame with URL %s from frame with URL %s. Domains must match.\n", 
                   thisDocument->URL().latin1(), actDocument->URL().latin1());
-  if (Page* page = m_frame->page())
+  if (Page* page = frame->page())
       page->chrome()->addMessageToConsole(JSMessageSource, ErrorMessageLevel, message, 1, String());
   
@@ -995 +1002 @@
   if (!isSafeScript(exec))
     return;
-  WebCore::Document *doc = m_frame->document();
+  Frame* frame = impl()->frame();
+  if (!frame)
+    return;
+  Document* doc = frame->document();
   if (!doc)
     return;
@@ -1006 +1016 @@
   if (!isSafeScript(exec))
     return jsUndefined();
-  WebCore::Document *doc = m_frame->document();
+  Frame* frame = impl()->frame();
+  if (!frame)
+    return jsUndefined();
+  Document* doc = frame->document();
   if (!doc)
     return jsUndefined();
@@ -1083 +1096 @@
   // Now recreate a working global object for the next URL that will use us; but only if we haven't been
   // disconnected yet
-  if (m_frame)
-    interpreter()->initGlobalObject();
+  if (Frame* frame = impl()->frame())
+    frame->scriptProxy()->interpreter()->initGlobalObject();
 
   // there's likely to be lots of garbage now
@@ -1250 +1263 @@
     return throwError(exec, TypeError);
   Window *window = static_cast<Window *>(thisObj);
-  Frame *frame = window->m_frame;
+  Frame *frame = window->impl()->frame();
   if (!frame)
     return jsUndefined();
@@ -1331 +1344 @@
       if (frameName == "_top" || frameName == "_parent") {
           String completedURL;
-          Frame* activeFrame = Window::retrieveActive(exec)->m_frame;
+          Frame* activeFrame = Window::retrieveActive(exec)->impl()->frame();
           if (!urlString.isEmpty() && activeFrame)
               completedURL = activeFrame->document()->completeURL(urlString);
@@ -1504 +1517 @@
 void Window::updateLayout() const
 {
-  WebCore::Document* docimpl = m_frame->document();
+  Frame* frame = impl()->frame();
+  if (!frame)
+    return;
+  WebCore::Document* docimpl = frame->document();
   if (docimpl)
     docimpl->updateLayoutIgnorePendingStylesheets();
@@ -1518 +1534 @@
 void ScheduledAction::execute(Window* window)
 {
-    RefPtr<Frame> frame = window->m_frame;
+    RefPtr<Frame> frame = window->impl()->frame();
     if (!frame)
         return;
@@ -1681 +1697 @@
 {
     clearAllTimeouts();
-    m_frame = 0;
     if (d->loc)
         d->loc->m_frame = 0;
@@ -1793 +1808 @@
     switch (entry->value) {
     case Href: {
-      Frame* p = Window::retrieveActive(exec)->frame();
+      Frame* p = Window::retrieveActive(exec)->impl()->frame();
       if ( p )
         url = p->loader()->completeURL(str).url();
@@ -1843 +1858 @@
 
   const Window* window = Window::retrieveWindow(m_frame);
-  Frame* activeFrame = Window::retrieveActive(exec)->frame();
+  Frame* activeFrame = Window::retrieveActive(exec)->impl()->frame();
   if (!url.url().startsWith("javascript:", false) || (window && window->isSafeScript(exec))) {
     bool userGesture = static_cast<ScriptInterpreter *>(exec->dynamicInterpreter())->wasRunByUserGesture();
@@ -1867 +1882 @@
     {
       DeprecatedString str = args[0]->toString(exec);
-      Frame* p = Window::retrieveActive(exec)->frame();
+      Frame* p = Window::retrieveActive(exec)->impl()->frame();
       if ( p ) {
         const Window* window = Window::retrieveWindow(frame);
@@ -1888 +1903 @@
     case Location::Assign:
     {
-        Frame *p = Window::retrieveActive(exec)->frame();
+        Frame *p = Window::retrieveActive(exec)->impl()->frame();
         if (p) {
             const Window *window = Window::retrieveWindow(frame);

trunk/WebCore/bindings/js/kjs_window.h

@@ -91 +91 @@
      */
     static Window* retrieveActive(ExecState*);
-    WebCore::Frame* frame() const { return m_frame; }
     virtual void mark();
     virtual bool getOwnPropertySlot(ExecState*, const Identifier&, PropertySlot&);
     JSValue *getValueProperty(ExecState *exec, int token) const;
     virtual void put(ExecState *exec, const Identifier &propertyName, JSValue *value, int attr = None);
-    virtual bool toBoolean(ExecState*) const;
 
     int installTimeout(const UString& handler, int t, bool singleShot);
@@ -107 +105 @@
     
     KJS::ScriptInterpreter *interpreter() const;
-
-    void scheduleClose();
         
     bool isSafeScript(ExecState*) const;
@@ -191 +187 @@
     int installTimeout(ScheduledAction*, int interval, bool singleShot);
 
-    WebCore::Frame* m_frame;
+    RefPtr<WebCore::DOMWindow> m_impl;
     OwnPtr<WindowPrivate> d;
   };

trunk/WebCore/page/mac/WebCoreFrameBridge.mm

@@ -34 +34 @@
 #import "DOMImplementation.h"
 #import "DOMInternal.h"
+#import "DOMWindow.h"
 #import "TextResourceDecoder.h"
 #import "DeleteSelectionCommand.h"
@@ -143 +144 @@
     if (!window)
         return;
-        
-    if (Document* doc = window->frame()->document())
-        doc->updateRendering();
+
+    if (Frame* frame = window->impl()->frame())
+        if (Document* doc = frame->document())
+            doc->updateRendering();
 }