[V8] Fix issue with trying to access a constructor in a frame that has been removed
author arv@chromium.org <arv@chromium.org@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
Tue, 24 Apr 2012 03:21:48 +0000 (03:21 +0000)
committer arv@chromium.org <arv@chromium.org@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
Tue, 24 Apr 2012 03:21:48 +0000 (03:21 +0000)
https://bugs.webkit.org/show_bug.cgi?id=84640

Reviewed by Kentaro Hara.

Source/WebCore:

This regressed in r113250. Now we do what we did before and return undefined if the frame
does not have a context.

Test: fast/dom/constructor-in-removed-frame.html

* bindings/v8/V8DOMWrapper.cpp:
(WebCore::V8DOMWrapper::constructorForType):

LayoutTests:

* fast/dom/constructor-in-removed-frame-expected.txt: Added.
* fast/dom/constructor-in-removed-frame.html: Added.

git-svn-id: https://svn.webkit.org/repository/webkit/trunk@114989 268f45cc-cd09-0410-ab3c-d52691b4dbfc

LayoutTests/ChangeLog
LayoutTests/fast/dom/constructor-in-removed-frame-expected.txt [new file with mode: 0644]
LayoutTests/fast/dom/constructor-in-removed-frame.html [new file with mode: 0644]
Source/WebCore/ChangeLog
Source/WebCore/bindings/v8/V8DOMWrapper.cpp

index 62047d4..370d53f 100644 (file)
@@ -1,3 +1,13 @@
+2012-04-23  Erik Arvidsson  <arv@chromium.org>
+
+        [V8] Fix issue with trying to access a constructor in a frame that has been removed
+        https://bugs.webkit.org/show_bug.cgi?id=84640
+
+        Reviewed by Kentaro Hara.
+
+        * fast/dom/constructor-in-removed-frame-expected.txt: Added.
+        * fast/dom/constructor-in-removed-frame.html: Added.
+
 2012-04-23  Sheriff Bot  <webkit.review.bot@gmail.com>
 
         Unreviewed, rolling out r114965.
diff --git a/LayoutTests/fast/dom/constructor-in-removed-frame-expected.txt b/LayoutTests/fast/dom/constructor-in-removed-frame-expected.txt
new file mode 100644 (file)
index 0000000..7ef22e9
--- /dev/null
@@ -0,0 +1 @@
+PASS
diff --git a/LayoutTests/fast/dom/constructor-in-removed-frame.html b/LayoutTests/fast/dom/constructor-in-removed-frame.html
new file mode 100644 (file)
index 0000000..ab67714
--- /dev/null
@@ -0,0 +1,28 @@
+<!DOCTYPE html>
+<p>FAIL</p>
+<iframe src="data:text/html,FAIL"></iframe>
+<script>
+
+window.onload = function() {
+    if (window.layoutTestController) {
+        layoutTestController.waitUntilDone();
+        layoutTestController.dumpAsText();
+
+        var iframeElement = document.querySelector('iframe');
+        iframeElement.onload = function() {
+            var frame = window.frames[0];
+            iframeElement.parentNode.removeChild(iframeElement);
+
+            // The V8 bindings does not keep the frame constructor alive but at least it should not crash!
+            frame.Window;
+
+            document.body.textContent = 'PASS';
+            layoutTestController.notifyDone();
+        };
+        iframeElement.src = 'data:text/html,PASS';
+    }
+};
+
+</script>
+</body>
+</html>
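Review bot: the test only checks that `frame.Window;` does not crash; the ChangeLog states the fix makes the lookup return undefined when the frame has no context, so the line at `frame.Window;` could assert that (for example `if (frame.Window !== undefined) return;` before setting PASS) so a future regression that returns a stale constructor is caught rather than passing silently. Two smaller points: the whole body is gated on `window.layoutTestController`, so opening the file in a browser leaves it at FAIL with no indication that nothing ran; and the file closes with `</body>` and `</html>` without matching opening tags, which parses fine but is inconsistent with the rest of fast/dom.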
index 4324bd7..a61d264 100644 (file)
@@ -1,3 +1,18 @@
+2012-04-23  Erik Arvidsson  <arv@chromium.org>
+
+        [V8] Fix issue with trying to access a constructor in a frame that has been removed
+        https://bugs.webkit.org/show_bug.cgi?id=84640
+
+        Reviewed by Kentaro Hara.
+
+        This regressed in r113250. Now we do what we did before and return undefined if the frame
+        does not have a context.
+
+        Test: fast/dom/constructor-in-removed-frame.html
+
+        * bindings/v8/V8DOMWrapper.cpp:
+        (WebCore::V8DOMWrapper::constructorForType):
+
 2012-04-23  Chris Rogers  <crogers@google.com>
 
         Oscillator::setWaveTable() should not reset oscillator phase
index 842a0b4..237ac1c 100644 (file)
@@ -87,7 +87,11 @@ v8::Local<v8::Function> V8DOMWrapper::constructorForType(WrapperTypeInfo* type,
     Frame* frame = window->frame();
     if (!frame)
         return v8::Local<v8::Function>();
-    return V8Proxy::retrievePerContextData(frame)->constructorForType(type);
+
+    if (V8BindingPerContextData* contextData = V8Proxy::retrievePerContextData(frame))
+        return contextData->constructorForType(type);
+
+    return v8::Local<v8::Function>();
 }
 
 #if ENABLE(WORKERS)
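Review bot: the new branch returns an empty `v8::Local<v8::Function>()` when `V8Proxy::retrievePerContextData(frame)` yields null, matching the existing `if (!frame)` early return above it, so every caller of `constructorForType` must already be checking `IsEmpty()` on the result; a short comment on the new lines saying that per-context data is absent once the frame's context has been torn down (the case described in the ChangeLog) would make it clear that both empty returns are the same condition and not a new one callers need to distinguish.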