LayoutTests:
authorandersca <andersca@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
Tue, 3 Jul 2007 20:15:44 +0000 (20:15 +0000)
committerandersca <andersca@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
Tue, 3 Jul 2007 20:15:44 +0000 (20:15 +0000)
        Reviewed by Darin.

        <rdar://problem/5289718>
        http://bugs.webkit.org/show_bug.cgi?id=14437
        CrashTracer: [REGRESSION] 76 crashes in Safari at com.apple.WebCore: WebCore::Frame::settings const + 6 (14437)

        Add test from Alexey Proskuryakov.

        * plugins/plugin-remove-subframe-expected.txt: Added.
        * plugins/plugin-remove-subframe.html: Added.

WebCore:

        Reviewed by Darin.

        <rdar://problem/5289718>
        http://bugs.webkit.org/show_bug.cgi?id=14437
        CrashTracer: [REGRESSION] 76 crashes in Safari at com.apple.WebCore: WebCore::Frame::settings const + 6 (14437)

        Based on a patch from Maxime Britto.

        * page/mac/WebCoreFrameBridge.mm:
        (-[WebCoreFrameBridge stringByEvaluatingJavaScriptFromString:forceUserGesture:]):
        If the script caused the frame to go away, return nil. This can only happen if a plugin in a subframe destroys
        its frame.

        (-[WebCoreFrameBridge aeDescByEvaluatingJavaScriptFromString:]):
        ASSERT that this is only called on the main frame.

WebKit:

        Reviewed by Darin.

        * WebView/WebView.mm:
        (-[WebView stringByEvaluatingJavaScriptFromString:]):
        ASSERT that the value returned isn't nil. It can't be nil when invoked on the main frame.

git-svn-id: https://svn.webkit.org/repository/webkit/trunk@23950 268f45cc-cd09-0410-ab3c-d52691b4dbfc

LayoutTests/ChangeLog
LayoutTests/plugins/plugin-remove-subframe-expected.txt [new file with mode: 0644]
LayoutTests/plugins/plugin-remove-subframe.html [new file with mode: 0644]
WebCore/ChangeLog
WebCore/page/mac/WebCoreFrameBridge.mm
WebKit/ChangeLog
WebKit/WebView/WebView.mm

index a4fbd3e31781ecdc700d0bda86c9960e5dcf15ae..c68210eaaa691c051cd412a8b038527459837768 100644 (file)
@@ -1,3 +1,16 @@
+2007-07-03  Anders Carlsson  <andersca@apple.com>
+
+        Reviewed by Darin.
+
+        <rdar://problem/5289718>
+        http://bugs.webkit.org/show_bug.cgi?id=14437
+        CrashTracer: [REGRESSION] 76 crashes in Safari at com.apple.WebCore: WebCore::Frame::settings const + 6 (14437)
+        
+        Add test from Alexey Proskuryakov.
+        
+        * plugins/plugin-remove-subframe-expected.txt: Added.
+        * plugins/plugin-remove-subframe.html: Added.
+
 2007-07-03  Sam Weinig  <sam@webkit.org>
 
         Reviewed by Darin.
diff --git a/LayoutTests/plugins/plugin-remove-subframe-expected.txt b/LayoutTests/plugins/plugin-remove-subframe-expected.txt
new file mode 100644 (file)
index 0000000..83c681b
--- /dev/null
@@ -0,0 +1,5 @@
+Test for bug 14437: RTÉ video crashes Safari.
+
+Only works with DumpRenderTree.
+
+
diff --git a/LayoutTests/plugins/plugin-remove-subframe.html b/LayoutTests/plugins/plugin-remove-subframe.html
new file mode 100644 (file)
index 0000000..1895bf0
--- /dev/null
@@ -0,0 +1,34 @@
+<head>
+<script>
+function MyCallback() {
+  
+}
+
+function test() {
+  try {
+
+    var plugin = window.frames["subframe"].document.plugins[0];
+    plugin.getURL('javascript:parent.document.getElementById("d").innerHTML = "";', '_self');
+
+  } catch (ex) {
+    alert(ex);
+  }
+
+  setTimeout(done, 10);
+}
+
+function done() {
+  layoutTestController.dumpAsText();
+  layoutTestController.notifyDone();
+}
+</script>
+</head>
+<body onload="layoutTestController.waitUntilDone(); setTimeout(test, 10)">
+<p>Test for <a href="http://bugs.webkit.org/show_bug.cgi?id=14437">bug 14437</a>:
+RTÉ video crashes Safari.</p>
+<p>Only works with DumpRenderTree.</p>
+
+<div id=d>
+  <iframe id=subframe src='data:text/html, <embed id="testCPlugin" type="application/x-webkit-test-netscape"></embed>'></iframe>
+</div>
+</body>
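Review bot: `MyCallback` is defined but never referenced anywhere in the page, so it can be dropped. `layoutTestController.dumpAsText()` is only reached from `done()`; layout tests conventionally call it first in the onload handler so that a timeout before `done()` still yields a text dump rather than a pixel result, e.g. `onload="layoutTestController.dumpAsText(); layoutTestController.waitUntilDone(); setTimeout(test, 10)"`. In a plain browser `layoutTestController` is undefined and the onload handler throws before `test` is even scheduled; guarding those calls with `if (window.layoutTestController)` would let the page also be loaded manually, which the "Only works with DumpRenderTree" line suggests was considered.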
index 87aff6f6097265791ce3940a59c38effff64a475..aeabeffe705cd4bc7e3615ea89ae6243c4be962b 100644 (file)
@@ -1,3 +1,21 @@
+2007-07-03  Anders Carlsson  <andersca@apple.com>
+
+        Reviewed by Darin.
+
+        <rdar://problem/5289718>
+        http://bugs.webkit.org/show_bug.cgi?id=14437
+        CrashTracer: [REGRESSION] 76 crashes in Safari at com.apple.WebCore: WebCore::Frame::settings const + 6 (14437)
+        
+        Based on a patch from Maxime Britto.
+        
+        * page/mac/WebCoreFrameBridge.mm:
+        (-[WebCoreFrameBridge stringByEvaluatingJavaScriptFromString:forceUserGesture:]):
+        If the script caused the frame to go away, return nil. This can only happen if a plugin in a subframe destroys
+        its frame.
+
+        (-[WebCoreFrameBridge aeDescByEvaluatingJavaScriptFromString:]):
+        ASSERT that this is only called on the main frame.
+
 2007-07-03  John Sullivan  <sullivan@apple.com>
 
         Written by Darin, reviewed by me
index 0de0217c3a82663e26d756cfa421890942f88717..b4a0315d58e525c0726d9573fbdf621a31f6ed93 100644 (file)
@@ -101,6 +101,7 @@ using KJS::BooleanType;
 using KJS::DateInstance;
 using KJS::ExecState;
 using KJS::GetterSetterType;
+using KJS::JSImmediate;
 using KJS::JSLock;
 using KJS::JSObject;
 using KJS::JSValue;
@@ -684,6 +685,20 @@ static HTMLFormElement *formElementFromDOMElement(DOMElement *element)
     ASSERT(m_frame->document());
     JSValue* result = m_frame->loader()->executeScript(0, string, forceUserGesture);
 
+    // If the value returned isn't an object, we don't need an ExecState to convert it
+    if (result && !result->isObject()) {
+        JSLock lock;
+
+        if (JSImmediate::isImmediate(result))
+            return String(JSImmediate::toString(result));
+
+        return String(result->getString());
+    }
+    
+    // Return nil if the frame was destroyed by the script
+    if (!m_frame)
+        return nil;
+    
     JSLock lock;
     return String(result ? result->toString(m_frame->scriptProxy()->interpreter()->globalExec()) : "");
 }
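Review bot: The lock-free fast path ends in `return String(result->getString());` for every non-object, non-immediate cell, but unless I misremember KJS, `JSCell::getString()` yields an empty UString for anything that is not a string cell — so a heap-allocated number (a double such as 1.5, or an integer outside the immediate range) would now come back as "" where the old `toString(exec)` path returned its text. Narrowing the fast path to strings and letting other cells fall through to the ExecState path, which the new `!m_frame` check already guards, keeps the old behaviour: `if (result->isString())` on the line before that return, so the block no longer returns unconditionally. Note also that `result->isObject()` is evaluated before `JSLock lock;` is taken; this is presumably safe because nothing allocates between `executeScript` and here, but a one-line comment saying so would help the next reader. The two added blank lines carry trailing spaces, and the method's signature and opening lines are outside this hunk.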
@@ -691,6 +706,7 @@ static HTMLFormElement *formElementFromDOMElement(DOMElement *element)
 - (NSAppleEventDescriptor *)aeDescByEvaluatingJavaScriptFromString:(NSString *)string
 {
     ASSERT(m_frame->document());
+    ASSERT(m_frame == m_frame->page()->mainFrame());
     JSValue* result = m_frame->loader()->executeScript(0, string, true);
     if (!result) // FIXME: pass errors
         return 0;
index 44b05db2c65bd57eb62114c77543c303160d8589..1f72066ef452a9137f31ccbbe496080af9893b53 100644 (file)
@@ -1,3 +1,11 @@
+2007-07-03  Anders Carlsson  <andersca@apple.com>
+
+        Reviewed by Darin.
+
+        * WebView/WebView.mm:
+        (-[WebView stringByEvaluatingJavaScriptFromString:]):
+        ASSERT that the value returned isn't nil. It can't be nil when invoked on the main frame.
+
 2007-07-04  Mark Rowe  <mrowe@apple.com>
 
         Unreviewed 64-bit build fixes.
index 43f8aa4d6de0e430151131f872a069250a378432..dc33a29baed5a4d8dee8db4f1f3b72a6898d5085 100644 (file)
@@ -2240,7 +2240,13 @@ NS_ENDHANDLER
         if (returnStringRange.length != 0 && returnStringRange.location == 0)
             script = [script substringFromIndex: returnStringRange.location + returnStringRange.length];
     }
-    return [[[self mainFrame] _bridge] stringByEvaluatingJavaScriptFromString:script];
+    
+    NSString *result = [[[self mainFrame] _bridge] stringByEvaluatingJavaScriptFromString:script];
+    // The only way stringByEvaluatingJavaScriptFromString can return nil is if the frame was removed by the script
+    // Since there's no way to get rid of the main frame, result will never ever be nil here.
+    ASSERT(result);
+    
+    return result;
 }
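Review bot: The blank lines added before `NSString *result = ...` and before `return result;` carry trailing spaces (`+    `), which the surrounding code does not use; the same applies to two added blank lines in WebCoreFrameBridge.mm. On substance, `ASSERT(result)` is compiled out in release builds, so the non-nil contract stated in the comment rests entirely on the bridge's new frame-removal check; since this is the public API, I'd restate that guarantee once in the bridge method's own comment (`// Returns nil only if the script destroyed m_frame; never the case for the main frame`) so the two sides stay in sync if the bridge changes.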
 
 - (WebScriptObject *)windowScriptObject