Changeset 35321 in webkit


Timestamp:
Jul 24, 2008 12:45:28 AM (16 years ago)
Author:
jchaffraix@webkit.org
Message:

WebCore:

2008-07-23 Julien Chaffraix <jchaffraix@webkit.org>

Reviewed by Eric.

Bug 19588: CRASH doing open() on destroyed window
https://bugs.webkit.org/show_bug.cgi?id=19588

Add frame's page null check as it could have been
detached from the page.

Test: fast/frames/crash-removed-iframe.html

  • bindings/js/JSDOMWindowBase.cpp: (WebCore::windowProtoFuncOpen):
  • page/FrameTree.cpp: (WebCore::FrameTree::find):

LayoutTest:

2008-07-23 Julien Chaffraix <jchaffraix@webkit.org>

Reviewed by Eric.

Test for bug 19588: CRASH doing open() on destroyed window
https://bugs.webkit.org/show_bug.cgi?id=19588

Test case from Eric Roman.

  • fast/frames/crash-removed-iframe-expected.txt: Added.
  • fast/frames/crash-removed-iframe.html: Added.
Location:
trunk
Files:
2 added
4 edited

  • trunk/LayoutTests/ChangeLog

    r35320 r35321  
     12008-07-23  Julien Chaffraix  <jchaffraix@webkit.org>
     2
     3        Reviewed by Eric.
     4
     5        Test for bug 19588: CRASH doing open() on destroyed window
     6        https://bugs.webkit.org/show_bug.cgi?id=19588
     7
     8        Test case from Eric Roman.
     9
     10        * fast/frames/crash-removed-iframe-expected.txt: Added.
     11        * fast/frames/crash-removed-iframe.html: Added.
     12
    1132008-07-23  Dan Bernstein  <mitz@apple.com>
    214
  • trunk/WebCore/ChangeLog

    r35320 r35321  
     12008-07-23  Julien Chaffraix  <jchaffraix@webkit.org>
     2
     3        Reviewed by Eric.
     4
     5        Bug 19588: CRASH doing open() on destroyed window
     6        https://bugs.webkit.org/show_bug.cgi?id=19588
     7
     8        Add frame's page null check as it could have been
     9        detached from the page.
     10
     11        Test: fast/frames/crash-removed-iframe.html
     12
     13        * bindings/js/JSDOMWindowBase.cpp:
     14        (WebCore::windowProtoFuncOpen):
     15        * page/FrameTree.cpp:
     16        (WebCore::FrameTree::find):
     17
    1182008-07-23  Dan Bernstein  <mitz@apple.com>
    219
  • trunk/WebCore/bindings/js/JSDOMWindowBase.cpp

    r35291 r35321  
    10251025    WindowFeatures windowFeatures(valueToStringWithUndefinedOrNullCheck(exec, args.at(exec, 2)));
    10261026    FloatRect windowRect(windowFeatures.x, windowFeatures.y, windowFeatures.width, windowFeatures.height);
    1027     DOMWindow::adjustWindowRect(screenAvailableRect(page->mainFrame()->view()), windowRect, windowRect);
     1027    DOMWindow::adjustWindowRect(screenAvailableRect(page ? page->mainFrame()->view() : 0), windowRect, windowRect);
    10281028
    10291029    windowFeatures.x = windowRect.x();
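Review bot: On the changed line 1027, the ternary passes 0 to screenAvailableRect() when page is null, but nothing visible in this hunk shows that screenAvailableRect() or DOMWindow::adjustWindowRect() accept a null view. Either confirm both handle it and say so in a short comment, or return early from windowProtoFuncOpen when page is null instead of continuing to compute windowRect for a frame that is already detached.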
  • trunk/WebCore/page/FrameTree.cpp

    r30840 r35321  
    164164   
    165165    if (name == "_top")
    166         return m_thisFrame->page()->mainFrame();
     166        return top();
    167167   
    168168    if (name == "_parent")
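Review bot: In the "_top" branch at line 166, `return top();` removes the m_thisFrame->page() dereference but carries no comment, unlike the null check added further down in this file. top() is not visible in this hunk, so please confirm it does not go through page() itself, and add a one-line comment saying the frame may be detached and what top() returns in that case. The "_parent" branch starting at line 168 is cut off here and should be checked for the same dereference.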
     
    180180    // Search the entire tree for this page next.
    181181    Page* page = m_thisFrame->page();
     182
     183    // The frame could have been detached from the page, so check it.
     184    if (!page)
     185        return 0;
     186
    182187    for (Frame* frame = page->mainFrame(); frame; frame = frame->tree()->traverseNext())
    183188        if (frame->tree()->name() == name)
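Review bot: The early `return 0;` at new lines 184-185 makes find() return null for every name not handled by the branches above when the frame is detached, and the added comment explains why page can be null but not what callers should expect. Suggest extending the comment to state that a detached frame resolves no named frames, and confirming that callers of find() handle a 0 result rather than moving the crash one level up.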