+2008-01-10 Dan Bernstein <mitz@apple.com>
+
+ Reviewed by Darin Adler.
+
+ - fix http://bugs.webkit.org/show_bug.cgi?id=16782
+ <rdar://problem/5675331> REGRESSION(r29266): Reproducible crash in fast/replaced/image-map.html
+
+ The crash resulted from a native object (DumpRenderTree's
+ EventSender) causing its wrapper to be invalidated (by clicking a
+ link that replaced the document in the window) and consequently
+ deallocated. The fix is to use RefPtrs to protect the native object
+ from deletion by self-invalidation.
+
+ * bindings/runtime_method.cpp:
+ (RuntimeMethod::callAsFunction):
+ * bindings/runtime_object.cpp:
+ (RuntimeObjectImp::fallbackObjectGetter):
+ (RuntimeObjectImp::fieldGetter):
+ (RuntimeObjectImp::methodGetter):
+ (RuntimeObjectImp::put):
+ (RuntimeObjectImp::defaultValue):
+ (RuntimeObjectImp::callAsFunction):
+
2008-01-07 Mark Rowe <mrowe@apple.com>
Reviewed by Maciej Stachowiak.
JSValue *RuntimeObjectImp::fallbackObjectGetter(ExecState* exec, JSObject*, const Identifier& propertyName, const PropertySlot& slot)
{
RuntimeObjectImp *thisObj = static_cast<RuntimeObjectImp *>(slot.slotBase());
- Bindings::Instance *instance = thisObj->instance.get();
+ RefPtr<Bindings::Instance> instance = thisObj->instance;
if (!instance)
return throwInvalidAccessError(exec);
instance->begin();
Class *aClass = instance->getClass();
- JSValue *result = aClass->fallbackObject(exec, instance, propertyName);
+ JSValue* result = aClass->fallbackObject(exec, instance.get(), propertyName);
instance->end();
JSValue *RuntimeObjectImp::fieldGetter(ExecState* exec, JSObject*, const Identifier& propertyName, const PropertySlot& slot)
{
RuntimeObjectImp *thisObj = static_cast<RuntimeObjectImp *>(slot.slotBase());
- Bindings::Instance *instance = thisObj->instance.get();
+ RefPtr<Bindings::Instance> instance = thisObj->instance;
if (!instance)
return throwInvalidAccessError(exec);
instance->begin();
Class *aClass = instance->getClass();
- Field *aField = aClass->fieldNamed(propertyName, instance);
+ Field* aField = aClass->fieldNamed(propertyName, instance.get());
JSValue *result = instance->getValueOfField(exec, aField);
instance->end();
JSValue *RuntimeObjectImp::methodGetter(ExecState* exec, JSObject*, const Identifier& propertyName, const PropertySlot& slot)
{
RuntimeObjectImp *thisObj = static_cast<RuntimeObjectImp *>(slot.slotBase());
- Bindings::Instance *instance = thisObj->instance.get();
+ RefPtr<Bindings::Instance> instance = thisObj->instance;
if (!instance)
return throwInvalidAccessError(exec);
instance->begin();
Class *aClass = instance->getClass();
- MethodList methodList = aClass->methodsNamed(propertyName, instance);
+ MethodList methodList = aClass->methodsNamed(propertyName, instance.get());
JSValue *result = new RuntimeMethod(exec, propertyName, methodList);
instance->end();
return;
}
+ RefPtr<Bindings::Instance> protector(instance);
instance->begin();
// Set the value of the property.
JSValue *result;
+ RefPtr<Bindings::Instance> protector(instance);
instance->begin();
result = instance->defaultValue(hint);
if (!instance)
return throwInvalidAccessError(exec);
+ RefPtr<Bindings::Instance> protector(instance);
instance->begin();
JSValue *aValue = instance->invokeDefaultMethod(exec, args);
+2008-01-10 Dan Bernstein <mitz@apple.com>
+
+ Reviewed by Darin Adler.
+
+ - re-enable crashing test after fixing http://bugs.webkit.org/show_bug.cgi?id=16782
+ <rdar://problem/5675331> REGRESSION(r29266): Reproducible crash in fast/replaced/image-map.html
+
+ * fast/replaced/image-map-expected.txt: Updated results for the new
+ behavior, which is to replace the document with the success message.
+ * fast/replaced/image-map.html: Copied from LayoutTests/fast/replaced/image-map.html-disabled.
+ * fast/replaced/image-map.html-disabled: Removed.
+
2008-01-10 Dan Bernstein <mitz@apple.com>
Reviewed by John Sullivan.
git://git.webkit.org / WebKit-https.git / commitdiff