<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.1//EN"
"http://www.w3.org/TR/xhtml11/DTD/xhtml11.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head><meta http-equiv="content-type" content="text/html; charset=utf-8" /><style type="text/css"><!--
#msg dl { border: 1px #006 solid; background: #369; padding: 6px; color: #fff; }
#msg dt { float: left; width: 6em; font-weight: bold; }
#msg dt:after { content:':';}
#msg dl, #msg dt, #msg ul, #msg li, #header, #footer { font-family: verdana,arial,helvetica,sans-serif; font-size: 10pt; }
#msg dl a { font-weight: bold}
#msg dl a:link { color:#fc3; }
#msg dl a:active { color:#ff0; }
#msg dl a:visited { color:#cc6; }
h3 { font-family: verdana,arial,helvetica,sans-serif; font-size: 10pt; font-weight: bold; }
#msg pre { overflow: auto; background: #ffc; border: 1px #fc0 solid; padding: 6px; }
#msg ul, pre { overflow: auto; }
#header, #footer { color: #fff; background: #636; border: 1px #300 solid; padding: 6px; }
#patch { width: 100%; }
#patch h4 {font-family: verdana,arial,helvetica,sans-serif;font-size:10pt;padding:8px;background:#369;color:#fff;margin:0;}
#patch .propset h4, #patch .binary h4 {margin:0;}
#patch pre {padding:0;line-height:1.2em;margin:0;}
#patch .diff {width:100%;background:#eee;padding: 0 0 10px 0;overflow:auto;}
#patch .propset .diff, #patch .binary .diff {padding:10px 0;}
#patch span {display:block;padding:0 10px;}
#patch .modfile, #patch .addfile, #patch .delfile, #patch .propset, #patch .binary, #patch .copfile {border:1px solid #ccc;margin:10px 0;}
#patch ins {background:#dfd;text-decoration:none;display:block;padding:0 10px;}
#patch del {background:#fdd;text-decoration:none;display:block;padding:0 10px;}
#patch .lines, .info {color:#888;background:#fff;}
--></style>
<title>[23950] trunk</title>
</head>
<body>
<div id="msg">
<dl>
<dt>Revision</dt> <dd><a href="http://trac.webkit.org/projects/webkit/changeset/23950">23950</a></dd>
<dt>Author</dt> <dd>andersca</dd>
<dt>Date</dt> <dd>2007-07-03 13:15:44 -0700 (Tue, 03 Jul 2007)</dd>
</dl>
<h3>Log Message</h3>
<pre>LayoutTests:
Reviewed by Darin.
<rdar://problem/5289718>
http://bugs.webkit.org/show_bug.cgi?id=14437
CrashTracer: [REGRESSION] 76 crashes in Safari at com.apple.WebCore: WebCore::Frame::settings const + 6 (14437)
Add test from Alexey Proskuryakov.
* plugins/plugin-remove-subframe-expected.txt: Added.
* plugins/plugin-remove-subframe.html: Added.
WebCore:
Reviewed by Darin.
<rdar://problem/5289718>
http://bugs.webkit.org/show_bug.cgi?id=14437
CrashTracer: [REGRESSION] 76 crashes in Safari at com.apple.WebCore: WebCore::Frame::settings const + 6 (14437)
Based on a patch from Maxime Britto.
* page/mac/WebCoreFrameBridge.mm:
(-[WebCoreFrameBridge stringByEvaluatingJavaScriptFromString:forceUserGesture:]):
If the script caused the frame to go away, return nil. This can only happen if a plugin in a subframe destroys
its frame.
(-[WebCoreFrameBridge aeDescByEvaluatingJavaScriptFromString:]):
ASSERT that this is only called on the main frame.
WebKit:
Reviewed by Darin.
* WebView/WebView.mm:
(-[WebView stringByEvaluatingJavaScriptFromString:]):
ASSERT that the value returned isn't nil. It can't be nil when invoked on the main frame.</pre>
<h3>Modified Paths</h3>
<ul>
<li><a href="#trunkLayoutTestsChangeLog">trunk/LayoutTests/ChangeLog</a></li>
<li><a href="#trunkWebCoreChangeLog">trunk/WebCore/ChangeLog</a></li>
<li><a href="#trunkWebCorepagemacWebCoreFrameBridgemm">trunk/WebCore/page/mac/WebCoreFrameBridge.mm</a></li>
<li><a href="#trunkWebKitChangeLog">trunk/WebKit/ChangeLog</a></li>
<li><a href="#trunkWebKitWebViewWebViewmm">trunk/WebKit/WebView/WebView.mm</a></li>
</ul>
<h3>Added Paths</h3>
<ul>
<li><a href="#trunkLayoutTestspluginspluginremovesubframeexpectedtxt">trunk/LayoutTests/plugins/plugin-remove-subframe-expected.txt</a></li>
<li><a href="#trunkLayoutTestspluginspluginremovesubframehtml">trunk/LayoutTests/plugins/plugin-remove-subframe.html</a></li>
</ul>
</div>
<div id="patch">
<h3>Diff</h3>
<a id="trunkLayoutTestsChangeLog"></a>
<div class="modfile"><h4>Modified: trunk/LayoutTests/ChangeLog (23949 => 23950)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/LayoutTests/ChangeLog        2007-07-03 19:22:28 UTC (rev 23949)
+++ trunk/LayoutTests/ChangeLog        2007-07-03 20:15:44 UTC (rev 23950)
</span><span class="lines">@@ -1,3 +1,16 @@
</span><ins>+2007-07-03 Anders Carlsson <andersca@apple.com>
+
+ Reviewed by Darin.
+
+ <rdar://problem/5289718>
+ http://bugs.webkit.org/show_bug.cgi?id=14437
+ CrashTracer: [REGRESSION] 76 crashes in Safari at com.apple.WebCore: WebCore::Frame::settings const + 6 (14437)
+
+ Add test from Alexey Proskuryakov.
+
+ * plugins/plugin-remove-subframe-expected.txt: Added.
+ * plugins/plugin-remove-subframe.html: Added.
+
</ins><span class="cx"> 2007-07-03 Sam Weinig <sam@webkit.org>
</span><span class="cx">
</span><span class="cx"> Reviewed by Darin.
</span></span></pre></div>
<a id="trunkLayoutTestspluginspluginremovesubframeexpectedtxt"></a>
<div class="addfile"><h4>Added: trunk/LayoutTests/plugins/plugin-remove-subframe-expected.txt (0 => 23950)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/LayoutTests/plugins/plugin-remove-subframe-expected.txt         (rev 0)
+++ trunk/LayoutTests/plugins/plugin-remove-subframe-expected.txt        2007-07-03 20:15:44 UTC (rev 23950)
</span><span class="lines">@@ -0,0 +1,5 @@
</span><ins>+Test for bug 14437: RTÉ video crashes Safari.
+
+Only works with DumpRenderTree.
+
+
</ins></span></pre></div>
<a id="trunkLayoutTestspluginspluginremovesubframehtml"></a>
<div class="addfile"><h4>Added: trunk/LayoutTests/plugins/plugin-remove-subframe.html (0 => 23950)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/LayoutTests/plugins/plugin-remove-subframe.html         (rev 0)
+++ trunk/LayoutTests/plugins/plugin-remove-subframe.html        2007-07-03 20:15:44 UTC (rev 23950)
</span><span class="lines">@@ -0,0 +1,34 @@
</span><ins>+<head>
+<script>
+function MyCallback() {
+
+}
+
+function test() {
+ try {
+
+ var plugin = window.frames["subframe"].document.plugins[0];
+ plugin.getURL('javascript:parent.document.getElementById("d").innerHTML = "";', '_self');
+
+ } catch (ex) {
+ alert(ex);
+ }
+
+ setTimeout(done, 10);
+}
+
+function done() {
+ layoutTestController.dumpAsText();
+ layoutTestController.notifyDone();
+}
+</script>
+</head>
+<body onload="layoutTestController.waitUntilDone(); setTimeout(test, 10)">
+<p>Test for <a href="http://bugs.webkit.org/show_bug.cgi?id=14437">bug 14437</a>:
+RTÉ video crashes Safari.</p>
+<p>Only works with DumpRenderTree.</p>
+
+<div id=d>
+ <iframe id=subframe src='data:text/html, <embed id="testCPlugin" type="application/x-webkit-test-netscape"></embed>'></iframe>
+</div>
+</body>
</ins></span></pre></div>
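Review bot: the onload handler calls layoutTestController.waitUntilDone() unconditionally, so outside DumpRenderTree it throws a ReferenceError before test() is ever scheduled and the page does nothing; guarding with `if (window.layoutTestController)` while still scheduling test() would let the same file serve as a manual reproduction in Safari, which is cheap given that the "Only works with DumpRenderTree" line is already there. A passing run also produces no positive output: the expected file holds only the two description lines, so the test passes whenever the process survives. Writing a line into the document from done() (for example "PASS: subframe removed without crashing") would make the expected output state the check, and the alert(ex) in the catch block would then stand out as the failure signal it is meant to be. MyCallback() is never referenced and can be dropped.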
<a id="trunkWebCoreChangeLog"></a>
<div class="modfile"><h4>Modified: trunk/WebCore/ChangeLog (23949 => 23950)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/WebCore/ChangeLog        2007-07-03 19:22:28 UTC (rev 23949)
+++ trunk/WebCore/ChangeLog        2007-07-03 20:15:44 UTC (rev 23950)
</span><span class="lines">@@ -1,3 +1,21 @@
</span><ins>+2007-07-03 Anders Carlsson <andersca@apple.com>
+
+ Reviewed by Darin.
+
+ <rdar://problem/5289718>
+ http://bugs.webkit.org/show_bug.cgi?id=14437
+ CrashTracer: [REGRESSION] 76 crashes in Safari at com.apple.WebCore: WebCore::Frame::settings const + 6 (14437)
+
+ Based on a patch from Maxime Britto.
+
+ * page/mac/WebCoreFrameBridge.mm:
+ (-[WebCoreFrameBridge stringByEvaluatingJavaScriptFromString:forceUserGesture:]):
+ If the script caused the frame to go away, return nil. This can only happen if a plugin in a subframe destroys
+ its frame.
+
+ (-[WebCoreFrameBridge aeDescByEvaluatingJavaScriptFromString:]):
+ ASSERT that this is only called on the main frame.
+
</ins><span class="cx"> 2007-07-03 John Sullivan <sullivan@apple.com>
</span><span class="cx">
</span><span class="cx"> Written by Darin, reviewed by me
</span></span></pre></div>
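Review bot: the entry describes only the nil return, but most of the hunk in WebCoreFrameBridge.mm is a new path that converts a non-object result through JSImmediate::toString or getString without an ExecState; one sentence saying why that path exists (a primitive result still has to be returned after the script has destroyed the frame, when there is no interpreter left to call toString with) would make the ChangeLog match the code that was landed.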
<a id="trunkWebCorepagemacWebCoreFrameBridgemm"></a>
<div class="modfile"><h4>Modified: trunk/WebCore/page/mac/WebCoreFrameBridge.mm (23949 => 23950)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/WebCore/page/mac/WebCoreFrameBridge.mm        2007-07-03 19:22:28 UTC (rev 23949)
+++ trunk/WebCore/page/mac/WebCoreFrameBridge.mm        2007-07-03 20:15:44 UTC (rev 23950)
</span><span class="lines">@@ -101,6 +101,7 @@
</span><span class="cx"> using KJS::DateInstance;
</span><span class="cx"> using KJS::ExecState;
</span><span class="cx"> using KJS::GetterSetterType;
</span><ins>+using KJS::JSImmediate;
</ins><span class="cx"> using KJS::JSLock;
</span><span class="cx"> using KJS::JSObject;
</span><span class="cx"> using KJS::JSValue;
</span><span class="lines">@@ -684,6 +685,20 @@
</span><span class="cx"> ASSERT(m_frame->document());
</span><span class="cx"> JSValue* result = m_frame->loader()->executeScript(0, string, forceUserGesture);
</span><span class="cx">
</span><ins>+ // If the value returned isn't an object, we don't need an ExecState to convert it
+ if (result && !result->isObject()) {
+ JSLock lock;
+
+ if (JSImmediate::isImmediate(result))
+ return String(JSImmediate::toString(result));
+
+ return String(result->getString());
+ }
+
+ // Return nil if the frame was destroyed by the script
+ if (!m_frame)
+ return nil;
+
</ins><span class="cx"> JSLock lock;
</span><span class="cx"> return String(result ? result->toString(m_frame->scriptProxy()->interpreter()->globalExec()) : "");
</span><span class="cx"> }
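Review bot: result->isObject() in the new branch is evaluated before JSLock is taken, whereas every other use of result in this method, including the new branch body, runs under the lock; moving `JSLock lock;` above the first `if` would cover the type check and let the second lock declaration below go. Two questions on the fast path: `return String(result->getString());` is reached for every non-object value that is not a JSImmediate, so please confirm that the only such values are string cells, because a number kept as a heap cell would come back as an empty string here where the old toString() path converted it. And since the `if (!m_frame) return nil;` check is deliberately placed after the non-object conversion so that primitive results survive the frame going away, a comment saying so would stop a later reader from "fixing" the order by hoisting the null check to just after executeScript.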
</span><span class="lines">@@ -691,6 +706,7 @@
</span><span class="cx"> - (NSAppleEventDescriptor *)aeDescByEvaluatingJavaScriptFromString:(NSString *)string
</span><span class="cx"> {
</span><span class="cx"> ASSERT(m_frame->document());
</span><ins>+ ASSERT(m_frame == m_frame->page()->mainFrame());
</ins><span class="cx"> JSValue* result = m_frame->loader()->executeScript(0, string, true);
</span><span class="cx"> if (!result) // FIXME: pass errors
</span><span class="cx"> return 0;
</span></span></pre></div>
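Review bot: the new ASSERT documents that aeDescByEvaluatingJavaScriptFromString: is main-frame only, but it compiles out in release builds, so a subframe caller would still hit the same destroyed-frame dereference this revision fixes in the string variant above; adding `if (!m_frame) return 0;` after executeScript, next to the existing `if (!result) return 0;`, would turn that release-build case into a nil result instead of a crash. The assertion also dereferences `m_frame->page()` without a null check, so if the bridge can be used for a frame that has already been removed from its page, the debug build would crash in the assertion itself.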
<a id="trunkWebKitChangeLog"></a>
<div class="modfile"><h4>Modified: trunk/WebKit/ChangeLog (23949 => 23950)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/WebKit/ChangeLog        2007-07-03 19:22:28 UTC (rev 23949)
+++ trunk/WebKit/ChangeLog        2007-07-03 20:15:44 UTC (rev 23950)
</span><span class="lines">@@ -1,3 +1,11 @@
</span><ins>+2007-07-03 Anders Carlsson <andersca@apple.com>
+
+ Reviewed by Darin.
+
+ * WebView/WebView.mm:
+ (-[WebView stringByEvaluatingJavaScriptFromString:]):
+ ASSERT that the value returned isn't nil. It can't be nil when invoked on the main frame.
+
</ins><span class="cx"> 2007-07-04 Mark Rowe <mrowe@apple.com>
</span><span class="cx">
</span><span class="cx"> Unreviewed 64-bit build fixes.
</span></span></pre></div>
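Review bot: unlike the LayoutTests and WebCore entries in this revision, this one omits the <rdar://problem/5289718> and bug 14437 references, so the WebView.mm assertion cannot be traced back to the crash it documents from the ChangeLog alone; please add both lines. Also, the new 2007-07-03 entry is inserted above an existing 2007-07-04 entry, which breaks the newest-first ordering of the file.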
<a id="trunkWebKitWebViewWebViewmm"></a>
<div class="modfile"><h4>Modified: trunk/WebKit/WebView/WebView.mm (23949 => 23950)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/WebKit/WebView/WebView.mm        2007-07-03 19:22:28 UTC (rev 23949)
+++ trunk/WebKit/WebView/WebView.mm        2007-07-03 20:15:44 UTC (rev 23950)
</span><span class="lines">@@ -2240,7 +2240,13 @@
</span><span class="cx"> if (returnStringRange.length != 0 && returnStringRange.location == 0)
</span><span class="cx"> script = [script substringFromIndex: returnStringRange.location + returnStringRange.length];
</span><span class="cx"> }
</span><del>- return [[[self mainFrame] _bridge] stringByEvaluatingJavaScriptFromString:script];
</del><ins>+
+ NSString *result = [[[self mainFrame] _bridge] stringByEvaluatingJavaScriptFromString:script];
+ // The only way stringByEvaluatingJavaScriptFromString can return nil is if the frame was removed by the script
+ // Since there's no way to get rid of the main frame, result will never ever be nil here.
+ ASSERT(result);
+
+ return result;
</ins><span class="cx"> }
</span><span class="cx">
</span><span class="cx"> - (WebScriptObject *)windowScriptObject
</span></span></pre>
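Review bot: the comment above ASSERT(result) reasons about the one-argument bridge selector called on the line before it, while the WebCore change in this revision is in stringByEvaluatingJavaScriptFromString:forceUserGesture:; please confirm that the one-argument method forwards to the two-argument one, since the nil return this assertion depends on only exists there. On style, "never ever" and the missing full stop on the first comment line read informally; "result is never nil here." says the same thing.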
</div>
</div>
</body>
</html>