2009-05-29 Jian Li <jianli@chromium.org>
Reviewed by Dimitri Glazkov.
https://bugs.webkit.org/show_bug.cgi?id=26069
Fix a crash in custom V8 bindings code for XMLHttpRequest.
Test: fast/xmlhttprequest/xmlhttprequest-open-after-iframe-onload-remove-self.html
* bindings/v8/custom/V8XMLHttpRequestCustom.cpp:
(WebCore::CALLBACK_FUNC_DECL):
LayoutTests:
2009-05-29 Jian Li <jianli@chromium.org>
Reviewed by Dimitri Glazkov.
https://bugs.webkit.org/show_bug.cgi?id=26069
Test for the above bug.
* fast/xmlhttprequest/resources/xmlhttprequest-open-after-iframe-onload-remove-self-child.html: Added.
* fast/xmlhttprequest/xmlhttprequest-open-after-iframe-onload-remove-self-expected.txt: Added.
* fast/xmlhttprequest/xmlhttprequest-open-after-iframe-onload-remove-self.html: Added.
git-svn-id: https://svn.webkit.org/repository/webkit/trunk@44275
268f45cc-cd09-0410-ab3c-
d52691b4dbfc
+2009-05-29 Jian Li <jianli@chromium.org>
+
+ Reviewed by Dimitri Glazkov.
+
+ https://bugs.webkit.org/show_bug.cgi?id=26069
+ Test for the above bug.
+
+ * fast/xmlhttprequest/resources/xmlhttprequest-open-after-iframe-onload-remove-self-child.html: Added.
+ * fast/xmlhttprequest/xmlhttprequest-open-after-iframe-onload-remove-self-expected.txt: Added.
+ * fast/xmlhttprequest/xmlhttprequest-open-after-iframe-onload-remove-self.html: Added.
+
2009-05-29 Oliver Hunt <oliver@apple.com>
Reviewed by NOBODY (Test fix).
--- /dev/null
+<html>
+<script> function client() { return new XMLHttpRequest(); } </script>
+</html>
--- /dev/null
+This tests that removing a child frame in XMLHttpRequest does not crash the renderer.
+
--- /dev/null
+<html>
+<script>
+if (window.layoutTestController) {
+ layoutTestController.dumpAsText();
+ layoutTestController.waitUntilDone();
+}
+
+function onFrameLoad(frame) {
+ var client = frame.contentWindow.client();
+ frame.parentNode.removeChild(frame);
+ client.open("GET", "DoesNotExist.txt");
+ if (window.layoutTestController)
+ layoutTestController.notifyDone();
+}
+</script>
+<body>
+This tests that removing a child frame in XMLHttpRequest does not crash the renderer.
+<br>
+<iframe src="resources/xmlhttprequest-open-after-iframe-onload-remove-self-child.html" onload="onFrameLoad(this)"></iframe>
+</body>
+</html>
+2009-05-29 Jian Li <jianli@chromium.org>
+
+ Reviewed by Dimitri Glazkov.
+
+ https://bugs.webkit.org/show_bug.cgi?id=26069
+ Fix a crash in custom V8 bindings code for XMLHttpRequest.
+
+ Test: fast/xmlhttprequest/xmlhttprequest-open-after-iframe-onload-remove-self.html
+
+ * bindings/v8/custom/V8XMLHttpRequestCustom.cpp:
+ (WebCore::CALLBACK_FUNC_DECL):
+
2009-05-29 David Levin <levin@chromium.org>
Reviewed by Darin Adler.
String urlstring = toWebCoreString(args[1]);
ScriptExecutionContext* context = 0;
#if ENABLE(WORKERS)
- WorkerContextExecutionProxy* proxy = WorkerContextExecutionProxy::retrieve();
- if (proxy)
- context = proxy->workerContext();
- else
+ WorkerContextExecutionProxy* workerContextProxy = WorkerContextExecutionProxy::retrieve();
+ if (workerContextProxy) {
+ context = workerContextProxy->workerContext();
+ ASSERT(context);
+ }
#endif
- context = V8Proxy::retrieve()->frame()->document();
+
+ if (!context) {
+ V8Proxy* proxy = V8Proxy::retrieve();
+ if (!proxy)
+ return v8::Undefined();
+ context = proxy->frame()->document();
+ ASSERT(context);
+ }
+
KURL url = context->completeURL(urlstring);
bool async = (args.Length() < 3) ? true : args[2]->BooleanValue();
git://git.webkit.org / WebKit-https.git / commitdiff