Reviewed by Darin.
<rdar://problem/5289718>
http://bugs.webkit.org/show_bug.cgi?id=14437
CrashTracer: [REGRESSION] 76 crashes in Safari at com.apple.WebCore: WebCore::Frame::settings const + 6 (14437)
Add test from Alexey Proskuryakov.
* plugins/plugin-remove-subframe-expected.txt: Added.
* plugins/plugin-remove-subframe.html: Added.
WebCore:
Reviewed by Darin.
<rdar://problem/5289718>
http://bugs.webkit.org/show_bug.cgi?id=14437
CrashTracer: [REGRESSION] 76 crashes in Safari at com.apple.WebCore: WebCore::Frame::settings const + 6 (14437)
Based on a patch from Maxime Britto.
* page/mac/WebCoreFrameBridge.mm:
(-[WebCoreFrameBridge stringByEvaluatingJavaScriptFromString:forceUserGesture:]):
If the script caused the frame to go away, return nil. This can only happen if a plugin in a subframe destroys
its frame.
(-[WebCoreFrameBridge aeDescByEvaluatingJavaScriptFromString:]):
ASSERT that this is only called on the main frame.
WebKit:
Reviewed by Darin.
* WebView/WebView.mm:
(-[WebView stringByEvaluatingJavaScriptFromString:]):
ASSERT that the value returned isn't nil. It can't be nil when invoked on the main frame.
git-svn-id: https://svn.webkit.org/repository/webkit/trunk@23950 268f45cc-cd09-0410-ab3c-d52691b4dbfc
+2007-07-03 Anders Carlsson <andersca@apple.com>
+
+ Reviewed by Darin.
+
+ <rdar://problem/5289718>
+ http://bugs.webkit.org/show_bug.cgi?id=14437
+ CrashTracer: [REGRESSION] 76 crashes in Safari at com.apple.WebCore: WebCore::Frame::settings const + 6 (14437)
+
+ Add test from Alexey Proskuryakov.
+
+ * plugins/plugin-remove-subframe-expected.txt: Added.
+ * plugins/plugin-remove-subframe.html: Added.
+
2007-07-03 Sam Weinig <sam@webkit.org>
Reviewed by Darin.
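Review bot: The LayoutTests ChangeLog entry names the two new files but says nothing about what the test exercises or what a pass looks like; a line such as "Removes the subframe hosting a plugin from a javascript: URL issued by that plugin; passes if DumpRenderTree does not crash" would let a later reader tell, without opening the test, that the expected output carries no PASS marker on purpose.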
--- /dev/null
+Test for bug 14437: RTÉ video crashes Safari.
+
+Only works with DumpRenderTree.
+
+
--- /dev/null
+<head>
+<script>
+function MyCallback() {
+
+}
+
+function test() {
+ try {
+
+ var plugin = window.frames["subframe"].document.plugins[0];
+ plugin.getURL('javascript:parent.document.getElementById("d").innerHTML = "";', '_self');
+
+ } catch (ex) {
+ alert(ex);
+ }
+
+ setTimeout(done, 10);
+}
+
+function done() {
+ layoutTestController.dumpAsText();
+ layoutTestController.notifyDone();
+}
+</script>
+</head>
+<body onload="layoutTestController.waitUntilDone(); setTimeout(test, 10)">
+<p>Test for <a href="http://bugs.webkit.org/show_bug.cgi?id=14437">bug 14437</a>:
+RTÉ video crashes Safari.</p>
+<p>Only works with DumpRenderTree.</p>
+
+<div id=d>
+ <iframe id=subframe src='data:text/html, <embed id="testCPlugin" type="application/x-webkit-test-netscape"></embed>'></iframe>
+</div>
+</body>
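Review bot: `MyCallback()` is defined but never referenced anywhere in the test; drop it, or say in a comment why the plugin needs it to exist. Separately, `done` runs on a fixed 10 ms timer rather than on any signal that the `javascript:` navigation issued by `getURL` has actually executed, so on a slow run `dumpAsText`/`notifyDone` can fire before the subframe is removed and the test passes without exercising the crash path; since the expected output has no PASS line, the text in the `<p>` elements is the only thing being dumped, and a comment noting that the test passes by not crashing would make that explicit.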
+2007-07-03 Anders Carlsson <andersca@apple.com>
+
+ Reviewed by Darin.
+
+ <rdar://problem/5289718>
+ http://bugs.webkit.org/show_bug.cgi?id=14437
+ CrashTracer: [REGRESSION] 76 crashes in Safari at com.apple.WebCore: WebCore::Frame::settings const + 6 (14437)
+
+ Based on a patch from Maxime Britto.
+
+ * page/mac/WebCoreFrameBridge.mm:
+ (-[WebCoreFrameBridge stringByEvaluatingJavaScriptFromString:forceUserGesture:]):
+ If the script caused the frame to go away, return nil. This can only happen if a plugin in a subframe destroys
+ its frame.
+
+ (-[WebCoreFrameBridge aeDescByEvaluatingJavaScriptFromString:]):
+ ASSERT that this is only called on the main frame.
+
2007-07-03 John Sullivan <sullivan@apple.com>
Written by Darin, reviewed by me
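Review bot: The WebCore ChangeLog entry should state that this is a contract change for `stringByEvaluatingJavaScriptFromString:forceUserGesture:` (nil is now a possible return value, where it previously always returned a string), and point at which callers were checked; only the WebView caller is covered in this patch, and anyone else calling through the bridge gets no hint from this entry that they may now receive nil.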
using KJS::DateInstance;
using KJS::ExecState;
using KJS::GetterSetterType;
+using KJS::JSImmediate;
using KJS::JSLock;
using KJS::JSObject;
using KJS::JSValue;
ASSERT(m_frame->document());
JSValue* result = m_frame->loader()->executeScript(0, string, forceUserGesture);
+ // If the value returned isn't an object, we don't need an ExecState to convert it
+ if (result && !result->isObject()) {
+ JSLock lock;
+
+ if (JSImmediate::isImmediate(result))
+ return String(JSImmediate::toString(result));
+
+ return String(result->getString());
+ }
+
+ // Return nil if the frame was destroyed by the script
+ if (!m_frame)
+ return nil;
+
JSLock lock;
return String(result ? result->toString(m_frame->scriptProxy()->interpreter()->globalExec()) : "");
}
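Review bot: `JSLock lock;` now appears twice in this method (inside the non-object branch and again after the frame check) while `result->isObject()` on the line between `executeScript` and the first lock runs without it; hoisting a single `JSLock lock;` to just after `JSValue* result = ...` would cover every access to `result` and remove the duplicate. The order of the two checks also deserves a comment: placing `if (!m_frame) return nil;` after the non-object branch is what lets a primitive result still be returned when the script removed the frame, and a reader could otherwise take the late position of the frame check for a mistake.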
- (NSAppleEventDescriptor *)aeDescByEvaluatingJavaScriptFromString:(NSString *)string
{
ASSERT(m_frame->document());
+ ASSERT(m_frame == m_frame->page()->mainFrame());
JSValue* result = m_frame->loader()->executeScript(0, string, true);
if (!result) // FIXME: pass errors
return 0;
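Review bot: `ASSERT(m_frame == m_frame->page()->mainFrame());` dereferences `m_frame->page()` without a null check, so for a frame that has already been detached from its page a debug build would crash on the null pointer instead of reporting a failed assertion; consider `ASSERT(m_frame->page() && m_frame == m_frame->page()->mainFrame());` so the assertion message, not a crash, is what shows up.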
+2007-07-03 Anders Carlsson <andersca@apple.com>
+
+ Reviewed by Darin.
+
+ * WebView/WebView.mm:
+ (-[WebView stringByEvaluatingJavaScriptFromString:]):
+ ASSERT that the value returned isn't nil. It can't be nil when invoked on the main frame.
+
2007-07-04 Mark Rowe <mrowe@apple.com>
Unreviewed 64-bit build fixes.
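Review bot: Unlike the LayoutTests and WebCore entries in this same commit, the WebKit ChangeLog entry omits the `<rdar://problem/5289718>` and bug 14437 references, so the three entries cannot be cross-referenced from this one; add the same two lines here.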
if (returnStringRange.length != 0 && returnStringRange.location == 0)
script = [script substringFromIndex: returnStringRange.location + returnStringRange.length];
}
- return [[[self mainFrame] _bridge] stringByEvaluatingJavaScriptFromString:script];
+
+ NSString *result = [[[self mainFrame] _bridge] stringByEvaluatingJavaScriptFromString:script];
+ // The only way stringByEvaluatingJavaScriptFromString can return nil is if the frame was removed by the script
+ // Since there's no way to get rid of the main frame, result will never ever be nil here.
+ ASSERT(result);
+
+ return result;
}
- (WebScriptObject *)windowScriptObject
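Review bot: Only an `ASSERT` guards the nil case, so if the invariant stated in the comment ever broke, release builds would hand a nil `NSString` to callers of this public method with no diagnostic; that is acceptable given the reasoning in the comment, but the comment itself should say so (that release builds rely on the invariant) and its first line should end with a period to match the second. The blank line added between `ASSERT(result);` and `return result;` separates the check from the value it guards; dropping it keeps the two together.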