From: jianli@chromium.org
Date: Fri, 29 May 2009 21:58:50 +0000 (+0000)
Subject: WebCore:
X-Git-Url: http://git.webkit.org/?p=WebKit-https.git;a=commitdiff_plain;h=b6ad09a01138b3a55182c3adbda684c09fcfeb98
WebCore: 2009-05-29 Jian Li Reviewed by Dimitri Glazkov. https://bugs.webkit.org/show_bug.cgi?id=26069 Fix a crash in custom V8 bindings code for XMLHttpRequest. Test: fast/xmlhttprequest/xmlhttprequest-open-after-iframe-onload-remove-self.html * bindings/v8/custom/V8XMLHttpRequestCustom.cpp: (WebCore::CALLBACK_FUNC_DECL): LayoutTests: 2009-05-29 Jian Li Reviewed by Dimitri Glazkov. https://bugs.webkit.org/show_bug.cgi?id=26069 Test for the above bug. * fast/xmlhttprequest/resources/xmlhttprequest-open-after-iframe-onload-remove-self-child.html: Added. * fast/xmlhttprequest/xmlhttprequest-open-after-iframe-onload-remove-self-expected.txt: Added. * fast/xmlhttprequest/xmlhttprequest-open-after-iframe-onload-remove-self.html: Added. git-svn-id: https://svn.webkit.org/repository/webkit/trunk@44275 268f45cc-cd09-0410-ab3c-d52691b4dbfc
---
diff --git a/LayoutTests/ChangeLog b/LayoutTests/ChangeLog
index 8ae146f..ea9bdbc 100644
--- a/LayoutTests/ChangeLog
+++ b/LayoutTests/ChangeLog
@@ -1,3 +1,14 @@
+2009-05-29 Jian Li
+
+ Reviewed by Dimitri Glazkov.
+
+ https://bugs.webkit.org/show_bug.cgi?id=26069
+ Test for the above bug.
+
+ * fast/xmlhttprequest/resources/xmlhttprequest-open-after-iframe-onload-remove-self-child.html: Added.
+ * fast/xmlhttprequest/xmlhttprequest-open-after-iframe-onload-remove-self-expected.txt: Added.
+ * fast/xmlhttprequest/xmlhttprequest-open-after-iframe-onload-remove-self.html: Added.
+
 2009-05-29 Oliver Hunt
 Reviewed by NOBODY (Test fix).
diff --git a/LayoutTests/fast/xmlhttprequest/resources/xmlhttprequest-open-after-iframe-onload-remove-self-child.html b/LayoutTests/fast/xmlhttprequest/resources/xmlhttprequest-open-after-iframe-onload-remove-self-child.html
new file mode 100644
index 0000000..c896e63
--- /dev/null
+++ b/LayoutTests/fast/xmlhttprequest/resources/xmlhttprequest-open-after-iframe-onload-remove-self-child.html
@@ -0,0 +1,3 @@
+
+
+
diff --git a/LayoutTests/fast/xmlhttprequest/xmlhttprequest-open-after-iframe-onload-remove-self-expected.txt b/LayoutTests/fast/xmlhttprequest/xmlhttprequest-open-after-iframe-onload-remove-self-expected.txt
new file mode 100644
index 0000000..806fdc5
--- /dev/null
+++ b/LayoutTests/fast/xmlhttprequest/xmlhttprequest-open-after-iframe-onload-remove-self-expected.txt
@@ -0,0 +1,2 @@
+This tests that removing a child frame in XMLHttpRequest does not crash the renderer.
+
diff --git a/LayoutTests/fast/xmlhttprequest/xmlhttprequest-open-after-iframe-onload-remove-self.html b/LayoutTests/fast/xmlhttprequest/xmlhttprequest-open-after-iframe-onload-remove-self.html
new file mode 100644
index 0000000..a1a51cc
--- /dev/null
+++ b/LayoutTests/fast/xmlhttprequest/xmlhttprequest-open-after-iframe-onload-remove-self.html
@@ -0,0 +1,21 @@
+
+
+
+This tests that removing a child frame in XMLHttpRequest does not crash the renderer.
+
+
+
+
diff --git a/WebCore/ChangeLog b/WebCore/ChangeLog
index d52f77b..8f78cbb 100644
--- a/WebCore/ChangeLog
+++ b/WebCore/ChangeLog
@@ -1,3 +1,15 @@
+2009-05-29 Jian Li
+
+ Reviewed by Dimitri Glazkov.
+
+ https://bugs.webkit.org/show_bug.cgi?id=26069
+ Fix a crash in custom V8 bindings code for XMLHttpRequest.
+
+ Test: fast/xmlhttprequest/xmlhttprequest-open-after-iframe-onload-remove-self.html
+
+ * bindings/v8/custom/V8XMLHttpRequestCustom.cpp:
+ (WebCore::CALLBACK_FUNC_DECL):
+
 2009-05-29 David Levin
 Reviewed by Darin Adler.
diff --git a/WebCore/bindings/v8/custom/V8XMLHttpRequestCustom.cpp b/WebCore/bindings/v8/custom/V8XMLHttpRequestCustom.cpp
index 878d5d3..cb80a4f 100644
--- a/WebCore/bindings/v8/custom/V8XMLHttpRequestCustom.cpp
+++ b/WebCore/bindings/v8/custom/V8XMLHttpRequestCustom.cpp
@@ -323,12 +323,21 @@ CALLBACK_FUNC_DECL(XMLHttpRequestOpen)
 String urlstring = toWebCoreString(args[1]);
 ScriptExecutionContext* context = 0;
 #if ENABLE(WORKERS)
- WorkerContextExecutionProxy* proxy = WorkerContextExecutionProxy::retrieve();
- if (proxy)
- context = proxy->workerContext();
- else
+ WorkerContextExecutionProxy* workerContextProxy = WorkerContextExecutionProxy::retrieve();
+ if (workerContextProxy) {
+ context = workerContextProxy->workerContext();
+ ASSERT(context);
+ }
 #endif
- context = V8Proxy::retrieve()->frame()->document();
+
+ if (!context) {
+ V8Proxy* proxy = V8Proxy::retrieve();
+ if (!proxy)
+ return v8::Undefined();
+ context = proxy->frame()->document();
+ ASSERT(context);
+ }
+
 KURL url = context->completeURL(urlstring);
 bool async = (args.Length() < 3) ? true : args[2]->BooleanValue();
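Review bot: The added `if (!context)` branch checks only `proxy`; `proxy->frame()->document()` is still dereferenced unchecked, and the `ASSERT(context)` after it compiles out of release builds, so a null document would reach `context->completeURL(urlstring)` two lines later and crash in the same kind of torn-down-frame situation this commit is fixing. I would bail before the dereference — `if (!proxy || !proxy->frame() || !proxy->frame()->document()) return v8::Undefined();` — so release builds stop instead of relying on a debug-only assert. The worker branch has the same shape: if `workerContext()` returned null in release, execution would fall through into the non-worker `V8Proxy::retrieve()` path rather than stopping, which is presumably not intended and deserves the same early return. Returning `v8::Undefined()` silently is reasonable once the frame is gone, but the reason is not obvious from the code; a comment such as `// No proxy: the frame was detached (e.g. an iframe removed itself in onload), so there is nothing to open against.` would record it. The enclosing `CALLBACK_FUNC_DECL(XMLHttpRequestOpen)` starts before and ends after this hunk.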