2009-10-27 Fumitoshi Ukai <ukai@chromium.org>
author eric@webkit.org <eric@webkit.org@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
Tue, 27 Oct 2009 17:00:52 +0000 (17:00 +0000)
committer eric@webkit.org <eric@webkit.org@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
Tue, 27 Oct 2009 17:00:52 +0000 (17:00 +0000)
commit 620bb1142a74179704fb6d6862efaecfe01bcfbe
tree 9c31cd42921d02a826a1b986b186e08301ea5589
parent 86a3360bc3bbf299dcfedcef13509b445446446d
2009-10-27  Fumitoshi Ukai  <ukai@chromium.org>

        Reviewed by Dimitri Glazkov.

        Fix crash found in chromium test_shell.
        https://bugs.webkit.org/show_bug.cgi?id=30808

        When WebSocket is deleted without close, webkit would crash
        when it handles didClose.

        Check scriptExecutionContext before posting a task for an event.
        Use WebSocketChannel::disconnect() instead of close() in the WebSocket
        destructor, so that WebSocketChannel should not call the deleted WebSocket
        back in didClose().
        To make sure WebSocketChannel is alive while it is processing the WebSocket
        protocol over SocketStreamHandle, ref() in connect() and deref() in
        didClose().

        * websockets/WebSocket.cpp:
        (WebCore::WebSocket::~WebSocket):
        (WebCore::WebSocket::didConnect):
        (WebCore::WebSocket::didReceiveMessage):
        (WebCore::WebSocket::didClose):
        * websockets/WebSocketChannel.cpp:
        (WebCore::WebSocketChannel::connect):
        (WebCore::WebSocketChannel::disconnect):
        (WebCore::WebSocketChannel::didClose):
        (WebCore::WebSocketChannel::didReceiveData):
        * websockets/WebSocketChannel.h:

git-svn-id: https://svn.webkit.org/repository/webkit/trunk@50155 268f45cc-cd09-0410-ab3c-d52691b4dbfc
WebCore/ChangeLog
WebCore/websockets/WebSocket.cpp
WebCore/websockets/WebSocketChannel.cpp
WebCore/websockets/WebSocketChannel.h
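
The lifetime pattern the commit message describes, as an added example that is not code from this commit or from WebKit: the owner's destructor calls disconnect() so a late didClose() cannot reach a deleted object, and connect()/didClose() hold a reference so the channel outlives its owner while the stream is open. `Owner`, `Channel`, `Result` and `run` are hypothetical stand-ins for WebSocket and WebSocketChannel.

```cpp
#include <cstdio>
// Added illustration: Owner and Channel are simplified stand-ins, not WebKit classes.
struct Channel;

struct Owner {                         // plays the role of WebSocket
    Channel* channel;
    int* events;                       // didClose callbacks delivered to this owner
    Owner(int* events, int* live);
    ~Owner();
    void didClose() { ++*events; }
};

struct Channel {                       // plays the role of WebSocketChannel
    Owner* owner;
    int refCount = 1;                  // initial reference held by the owner
    int* live;                         // number of Channel objects still allocated
    Channel(Owner* o, int* l) : owner(o), live(l) { ++*live; }
    ~Channel() { --*live; }
    void ref() { ++refCount; }
    void deref() { if (--refCount == 0) delete this; }
    void connect() { ref(); }                // stay alive while the stream is open
    void disconnect() { owner = nullptr; }   // owner is going away: drop back-pointer
    void didClose() {                        // called by the socket layer
        if (owner) owner->didClose();        // skipped after disconnect()
        deref();                             // balances ref() in connect()
    }
};

Owner::Owner(int* e, int* live) : channel(new Channel(this, live)), events(e) {}
Owner::~Owner() { channel->disconnect(); channel->deref(); }

struct Result { int events; int liveWhileOpen; int liveAfter; };
// destroyOwnerFirst = true models "WebSocket is deleted without close".
Result run(bool destroyOwnerFirst) {
    int events = 0, live = 0;
    Owner* owner = new Owner(&events, &live);
    Channel* ch = owner->channel;
    ch->connect();
    if (destroyOwnerFirst) delete owner;
    int liveWhileOpen = live;          // connect()'s ref keeps the channel allocated
    ch->didClose();                    // late close event from the socket layer
    if (!destroyOwnerFirst) delete owner;
    return {events, liveWhileOpen, live};
}

int main() {
    Result r = run(true);
    std::printf("events=%d liveAfter=%d\n", r.events, r.liveAfter);
}
```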