Changeset 50785 in webkit


Timestamp:
Nov 10, 2009 6:15:19 PM (14 years ago)
Author:
eric@webkit.org
Message:

2009-11-10 Vitaly Repeshko <vitalyr@chromium.org>

Reviewed by Dimitri Glazkov.

[V8] Fix crash in V8CustomXPathNSResolver (http://crbug.com/26726).
https://bugs.webkit.org/show_bug.cgi?id=31301

  • fast/xpath/xpath-detached-iframe-resolver-crash-expected.txt: Added.
  • fast/xpath/xpath-detached-iframe-resolver-crash.html: Added.

2009-11-10 Vitaly Repeshko <vitalyr@chromium.org>

Reviewed by Dimitri Glazkov.

[V8] Fix crash in V8CustomXPathNSResolver (http://crbug.com/26726).
https://bugs.webkit.org/show_bug.cgi?id=31301

Tested by new fast/xpath/xpath-detached-iframe-resolver-crash.html.

Allowed passing the V8Proxy of the calling JS context:

  • bindings/v8/V8DOMWrapper.h: (WebCore::V8DOMWrapper::getXPathNSResolver):
  • bindings/v8/custom/V8CustomXPathNSResolver.cpp: (WebCore::V8CustomXPathNSResolver::create): (WebCore::V8CustomXPathNSResolver::V8CustomXPathNSResolver): (WebCore::V8CustomXPathNSResolver::lookupNamespaceURI):
  • bindings/v8/custom/V8CustomXPathNSResolver.h:
  • bindings/v8/custom/V8DocumentCustom.cpp: (WebCore::CALLBACK_FUNC_DECL):
Location:
trunk
Files:
2 added
6 edited

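--- a/trunk/LayoutTests/ChangeLog
+++ b/trunk/LayoutTests/ChangeLog
@@ -1,2 +1,12 @@
+2009-11-10  Vitaly Repeshko  <vitalyr@chromium.org>
+
+        Reviewed by Dimitri Glazkov.
+
+        [V8] Fix crash in V8CustomXPathNSResolver (http://crbug.com/26726).
+        https://bugs.webkit.org/show_bug.cgi?id=31301
+
+        * fast/xpath/xpath-detached-iframe-resolver-crash-expected.txt: Added.
+        * fast/xpath/xpath-detached-iframe-resolver-crash.html: Added.
+
 2009-11-10  Yael Aharon  <yael.aharon@nokia.com>
 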
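--- a/trunk/WebCore/ChangeLog
+++ b/trunk/WebCore/ChangeLog
@@ -1,2 +1,22 @@
+2009-11-10  Vitaly Repeshko  <vitalyr@chromium.org>
+
+        Reviewed by Dimitri Glazkov.
+
+        [V8] Fix crash in V8CustomXPathNSResolver (http://crbug.com/26726).
+        https://bugs.webkit.org/show_bug.cgi?id=31301
+
+        Tested by new fast/xpath/xpath-detached-iframe-resolver-crash.html.
+
+        Allowed passing V8Proxy for the calling JS context:
+        * bindings/v8/V8DOMWrapper.h:
+        (WebCore::V8DOMWrapper::getXPathNSResolver):
+        * bindings/v8/custom/V8CustomXPathNSResolver.cpp:
+        (WebCore::V8CustomXPathNSResolver::create):
+        (WebCore::V8CustomXPathNSResolver::V8CustomXPathNSResolver):
+        (WebCore::V8CustomXPathNSResolver::lookupNamespaceURI):
+        * bindings/v8/custom/V8CustomXPathNSResolver.h:
+        * bindings/v8/custom/V8DocumentCustom.cpp:
+        (WebCore::CALLBACK_FUNC_DECL):
+
 2009-11-10  Yael Aharon  <yael.aharon@nokia.com>
 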
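--- a/trunk/WebCore/bindings/v8/V8DOMWrapper.h
+++ b/trunk/WebCore/bindings/v8/V8DOMWrapper.h
@@ -254,5 +254,5 @@
 
         // XPath-related utilities
-        static RefPtr<XPathNSResolver> getXPathNSResolver(v8::Handle<v8::Value> value)
+        static RefPtr<XPathNSResolver> getXPathNSResolver(v8::Handle<v8::Value> value, V8Proxy* proxy = 0)
         {
             RefPtr<XPathNSResolver> resolver;
@@ -260,5 +260,5 @@
                 resolver = convertToNativeObject<XPathNSResolver>(V8ClassIndex::XPATHNSRESOLVER, v8::Handle<v8::Object>::Cast(value));
             else if (value->IsObject())
-                resolver = V8CustomXPathNSResolver::create(value->ToObject());
+                resolver = V8CustomXPathNSResolver::create(proxy, value->ToObject());
             return resolver;
         }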
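Review bot: The `V8Proxy* proxy = 0` default added at new line 256 of getXPathNSResolver leaves any caller that omits the argument on the lazy path: the custom resolver then stores a null proxy and, per the V8CustomXPathNSResolver.cpp hunk in this changeset, calls V8Proxy::retrieve() at lookup time, the same call the removed line 81 of that file made. Only V8DocumentCustom.cpp is updated on this page, so whether other callers exist is not visible here. Worth stating at the declaration: `// proxy: the V8Proxy of the calling JS context; with 0 the custom resolver falls back to V8Proxy::retrieve() when a lookup happens.` If no other caller exists, dropping the default would make every call site choose explicitly.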
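--- a/trunk/WebCore/bindings/v8/custom/V8CustomXPathNSResolver.cpp
+++ b/trunk/WebCore/bindings/v8/custom/V8CustomXPathNSResolver.cpp
@@ -39,11 +39,12 @@
 namespace WebCore {
 
-PassRefPtr<V8CustomXPathNSResolver> V8CustomXPathNSResolver::create(v8::Handle<v8::Object> resolver)
+PassRefPtr<V8CustomXPathNSResolver> V8CustomXPathNSResolver::create(V8Proxy* proxy, v8::Handle<v8::Object> resolver)
 {
-    return adoptRef(new V8CustomXPathNSResolver(resolver));
+    return adoptRef(new V8CustomXPathNSResolver(proxy, resolver));
 }
 
-V8CustomXPathNSResolver::V8CustomXPathNSResolver(v8::Handle<v8::Object> resolver)
-    : m_resolver(resolver)
+V8CustomXPathNSResolver::V8CustomXPathNSResolver(V8Proxy* proxy, v8::Handle<v8::Object> resolver)
+        : m_proxy(proxy)
+        , m_resolver(resolver)
 {
 }
@@ -55,4 +56,12 @@
 String V8CustomXPathNSResolver::lookupNamespaceURI(const String& prefix)
 {
+    V8Proxy* proxy = m_proxy;
+
+    if (!proxy) {
+        proxy = V8Proxy::retrieve();
+        if (!proxy)
+            return String();
+    }
+
     v8::Handle<v8::Function> lookupNamespaceURIFunc;
     v8::Handle<v8::String> lookupNamespaceURIName = v8::String::New("lookupNamespaceURI");
@@ -66,5 +75,5 @@
 
     if (lookupNamespaceURIFunc.IsEmpty() && !m_resolver->IsFunction()) {
-        Frame* frame = V8Proxy::retrieveFrameForEnteredContext();
+        Frame* frame = proxy->frame();
         logInfo(frame, "XPathNSResolver does not have a lookupNamespaceURI method.", String());
         return String();
@@ -79,5 +88,4 @@
     v8::Handle<v8::Function> function = lookupNamespaceURIFunc.IsEmpty() ? v8::Handle<v8::Function>::Cast(m_resolver) : lookupNamespaceURIFunc;
 
-    V8Proxy* proxy = V8Proxy::retrieve();
     v8::Handle<v8::Value> retval = proxy->callFunction(function, m_resolver, argc, argv);
 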
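Review bot: The fallback added at new lines 58-64 of lookupNamespaceURI is undocumented, and its bare `return String();` when no proxy can be retrieved is indistinguishable to the caller from a prefix that simply has no namespace; a short comment would fix that, e.g. `// No proxy was supplied at creation; use the current context, and give up silently if there is none.` On the style side, the initializer list at new lines 47-48 is indented eight spaces where the removed line 47 and the rest of this file as shown use four. At new line 77 `proxy->frame()` is passed straight to logInfo; whether logInfo tolerates a null Frame is not visible here, so that may deserve a check or a comment too.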
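--- a/trunk/WebCore/bindings/v8/custom/V8CustomXPathNSResolver.h
+++ b/trunk/WebCore/bindings/v8/custom/V8CustomXPathNSResolver.h
@@ -43,8 +43,12 @@
 
 class String;
+class V8Proxy;
 
+// V8CustomXPathNSResolver does not create a persistent handle to the
+// given resolver object.  So the lifetime of V8CustomXPathNSResolver
+// must not exceed the lifetime of the passed handle.
 class V8CustomXPathNSResolver : public XPathNSResolver {
 public:
-    static PassRefPtr<V8CustomXPathNSResolver> create(v8::Handle<v8::Object> resolver);
+    static PassRefPtr<V8CustomXPathNSResolver> create(V8Proxy* proxy, v8::Handle<v8::Object> resolver);
 
     virtual ~V8CustomXPathNSResolver();
@@ -52,6 +56,7 @@
 
 private:
-    V8CustomXPathNSResolver(v8::Handle<v8::Object> resolver);
+    V8CustomXPathNSResolver(V8Proxy* proxy, v8::Handle<v8::Object> resolver);
 
+    V8Proxy* m_proxy;
     v8::Handle<v8::Object> m_resolver;  // Handle to resolver object.
 };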
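Review bot: The new comment at lines 47-49 documents the lifetime of the resolver handle but says nothing about the raw `m_proxy` added at line 60, which is just as much a borrowed pointer; extend it with something like `// The V8Proxy is borrowed as well: the caller must keep it alive for as long as this object is in use. Passing 0 makes lookupNamespaceURI() fall back to V8Proxy::retrieve().` The second sentence reflects the fallback added to V8CustomXPathNSResolver.cpp in this same changeset. A one-line note on `create` saying which context's proxy is expected (the calling context, going by the V8DocumentCustom.cpp call site on this page) would also help future callers pick the right one.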
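--- a/trunk/WebCore/bindings/v8/custom/V8DocumentCustom.cpp
+++ b/trunk/WebCore/bindings/v8/custom/V8DocumentCustom.cpp
@@ -62,5 +62,5 @@
         contextNode = V8DOMWrapper::convertDOMWrapperToNode<Node>(v8::Handle<v8::Object>::Cast(args[1]));
 
-    RefPtr<XPathNSResolver> resolver = V8DOMWrapper::getXPathNSResolver(args[2]);
+    RefPtr<XPathNSResolver> resolver = V8DOMWrapper::getXPathNSResolver(args[2], V8Proxy::retrieve(V8Proxy::retrieveFrameForCallingContext()));
     if (!resolver && !args[2]->IsNull() && !args[2]->IsUndefined())
         return throwError(TYPE_MISMATCH_ERR);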
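Review bot: The new call at line 64 nests two proxy lookups inside the argument list, which buries the one decision this fix rests on: the resolver is bound to the calling context rather than the entered one. A named local reads better and gives the reason a home: `// The resolver must run in the caller's context, not the entered one (crbug.com/26726).` followed by `V8Proxy* proxy = V8Proxy::retrieve(V8Proxy::retrieveFrameForCallingContext());` and passing `proxy` to getXPathNSResolver. If retrieveFrameForCallingContext() can return 0 here, what retrieve(0) yields is not visible on this page; a null result would be stored by create() and resolved lazily inside lookupNamespaceURI. The enclosing callback starts and ends outside this hunk.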