JavaScriptCore:
author mitz@apple.com <mitz@apple.com@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
Thu, 10 Jan 2008 17:39:03 +0000 (17:39 +0000)
committer mitz@apple.com <mitz@apple.com@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
Thu, 10 Jan 2008 17:39:03 +0000 (17:39 +0000)
commit 7d08831bcc2f6392ba14e7efb8de67ec11ddd2a0
tree 854076566f9d159d3064737fc79f0f5757a9b2f9
parent 615330c1cc50a2081e99c10737621677927c154e
JavaScriptCore:

        Reviewed by Darin Adler.

        - fix http://bugs.webkit.org/show_bug.cgi?id=16782
          <rdar://problem/5675331> REGRESSION(r29266): Reproducible crash in fast/replaced/image-map.html

        The crash resulted from a native object (DumpRenderTree's
        EventSender) causing its wrapper to be invalidated (by clicking a
        link that replaced the document in the window) and consequently
        deallocated. The fix is to use RefPtrs to protect the native object
        from deletion by self-invalidation.

        * bindings/runtime_method.cpp:
        (RuntimeMethod::callAsFunction):
        * bindings/runtime_object.cpp:
        (RuntimeObjectImp::fallbackObjectGetter):
        (RuntimeObjectImp::fieldGetter):
        (RuntimeObjectImp::methodGetter):
        (RuntimeObjectImp::put):
        (RuntimeObjectImp::defaultValue):
        (RuntimeObjectImp::callAsFunction):

LayoutTests:

        Reviewed by Darin Adler.

        - re-enable crashing test after fixing http://bugs.webkit.org/show_bug.cgi?id=16782
          <rdar://problem/5675331> REGRESSION(r29266): Reproducible crash in fast/replaced/image-map.html

        * fast/replaced/image-map-expected.txt: Updated results for the new
        behavior, which is to replace the document with the success message.
        * fast/replaced/image-map.html: Copied from LayoutTests/fast/replaced/image-map.html-disabled.
        * fast/replaced/image-map.html-disabled: Removed.

git-svn-id: https://svn.webkit.org/repository/webkit/trunk@29362 268f45cc-cd09-0410-ab3c-d52691b4dbfc
JavaScriptCore/ChangeLog
JavaScriptCore/bindings/runtime_method.cpp
JavaScriptCore/bindings/runtime_object.cpp
LayoutTests/ChangeLog
LayoutTests/fast/replaced/image-map-expected.txt
LayoutTests/fast/replaced/image-map.html [moved from LayoutTests/fast/replaced/image-map.html-disabled with 100% similarity]
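
The self-invalidation crash and the RefPtr fix described in the commit message above, shown as an added C++ example that is not code from this commit or from WebKit: `NativeInstance`, `Wrapper`, `invoke` and `finishCall` are hypothetical names, and `std::shared_ptr` stands in for WebKit's `RefPtr`. The unprotected path only observes that the object was destroyed and never dereferences the dangling pointer.

```cpp
#include <cstdio>
#include <memory>

struct Wrapper;

// Hypothetical stand-in for a native object exposed to script.
struct NativeInstance {
    static int alive;                 // live-object count, for observation only
    int calls = 0;
    NativeInstance() { ++alive; }
    ~NativeInstance() { --alive; }
    void invoke(Wrapper& owner);      // native method that invalidates its own wrapper
    void finishCall() { ++calls; }    // post-call bookkeeping that touches `this`
};
int NativeInstance::alive = 0;

// Hypothetical wrapper; std::shared_ptr stands in for WebKit's RefPtr.
struct Wrapper {
    std::shared_ptr<NativeInstance> instance;
    void invalidate() { instance.reset(); }   // drops the wrapper's reference
};

void NativeInstance::invoke(Wrapper& owner) { owner.invalidate(); }

// Before: the caller only borrows a raw pointer, so the wrapper's reference is
// the last one and the object is destroyed in the middle of its own method.
bool aliveAfterUnprotectedCall() {
    Wrapper w{std::make_shared<NativeInstance>()};
    NativeInstance* raw = w.instance.get();
    raw->invoke(w);
    // raw is dangling here; calling raw->finishCall() would be a use-after-free.
    return NativeInstance::alive > 0;
}

// After: a local strong reference keeps the object alive until the call returns.
bool aliveAfterProtectedCall() {
    Wrapper w{std::make_shared<NativeInstance>()};
    std::shared_ptr<NativeInstance> protect = w.instance;
    protect->invoke(w);
    protect->finishCall();            // safe: protect still owns the object
    return NativeInstance::alive > 0 && w.instance == nullptr;
}

int main() {
    std::printf("unprotected: alive after call = %d\n", aliveAfterUnprotectedCall());
    std::printf("protected:   alive after call = %d\n", aliveAfterProtectedCall());
    return 0;
}
```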