JavaScriptCore:
[WebKit-https.git] / JavaScriptCore / ChangeLog
index bf03a8ffa60724716a5cc46be7c9263a92a7f0e1..0c81aa62710685653420e345ce8e70d764521df5 100644 (file)
@@ -1,3 +1,26 @@
+2008-01-10  Dan Bernstein  <mitz@apple.com>
+
+        Reviewed by Darin Adler.
+
+        - fix http://bugs.webkit.org/show_bug.cgi?id=16782
+          <rdar://problem/5675331> REGRESSION(r29266): Reproducible crash in fast/replaced/image-map.html
+
+        The crash resulted from a native object (DumpRenderTree's
+        EventSender) causing its wrapper to be invalidated (by clicking a
+        link that replaced the document in the window) and consequently
+        deallocated. The fix is to use RefPtrs to protect the native object
+        from deletion by self-invalidation.
+
+        * bindings/runtime_method.cpp:
+        (RuntimeMethod::callAsFunction):
+        * bindings/runtime_object.cpp:
+        (RuntimeObjectImp::fallbackObjectGetter):
+        (RuntimeObjectImp::fieldGetter):
+        (RuntimeObjectImp::methodGetter):
+        (RuntimeObjectImp::put):
+        (RuntimeObjectImp::defaultValue):
+        (RuntimeObjectImp::callAsFunction):
+
 2008-01-07  Mark Rowe  <mrowe@apple.com>
 
         Reviewed by Maciej Stachowiak.
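Review bot: In the description paragraph of the 2008-01-10 entry, "causing its wrapper to be invalidated ... and consequently deallocated" leaves it unclear which object is freed. Grammatically it is the wrapper, yet the next sentence says the RefPtrs protect the native object from deletion. Suggest saying explicitly that the native object is the one deallocated as a result of its own action (the "self-invalidation"), since that lifetime problem is what the RefPtrs address. The seven functions listed under bindings/runtime_method.cpp and bindings/runtime_object.cpp also have no per-function note; a line stating what each RefPtr holds would let a reader confirm that every listed path into the native object is covered.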