Commit 49aa540c authored by inferno@chromium.org's avatar inferno@chromium.org

2011-01-25 Cris Neckar <cdn@chromium.org>

        Reviewed by Adam Barth.

        Test for crash when a window's location changes before creating an object URL.
        https://bugs.webkit.org/show_bug.cgi?id=53038

        * fast/dom/window-domurl-crash-expected.txt: Added.
        * fast/dom/window-domurl-crash.html: Added.
2011-01-25  Cris Neckar  <cdn@chromium.org>

        Reviewed by Adam Barth.

        Add a hashset of DOMURLs to ScriptExecutionContext to track back references.
        https://bugs.webkit.org/show_bug.cgi?id=53038

        Test: fast/dom/window-domurl-crash.html

        * dom/ScriptExecutionContext.cpp:
        (WebCore::ScriptExecutionContext::~ScriptExecutionContext):
        (WebCore::ScriptExecutionContext::createdDomUrl):
        (WebCore::ScriptExecutionContext::destroyedDomUrl):
        * dom/ScriptExecutionContext.h:
        (WebCore::ScriptExecutionContext::domUrls):
        * html/DOMURL.cpp:
        (WebCore::DOMURL::DOMURL):
        (WebCore::DOMURL::~DOMURL):
        (WebCore::DOMURL::contextDestroyed):
        * html/DOMURL.h:
        (WebCore::DOMURL::scriptExecutionContext):


git-svn-id: http://svn.webkit.org/repository/webkit/trunk@76652 268f45cc-cd09-0410-ab3c-d52691b4dbfc
parent 1ef1789e
2011-01-25 Cris Neckar <cdn@chromium.org>
Reviewed by Adam Barth.
Test for crash when a window's location changes before creating an object URL.
https://bugs.webkit.org/show_bug.cgi?id=53038
* fast/dom/window-domurl-crash-expected.txt: Added.
* fast/dom/window-domurl-crash.html: Added.
2011-01-25 James Simonsen <simonjam@chromium.org>
Reviewed by Tony Chang.
<html>
<head>
<script>
var blob = (new BlobBuilder).getBlob();
var url = null;
var count = 0;
if (!window.gc)
{
window.gc = function()
{
if (window.GCController)
return GCController.collect();
for (var i = 0; i < 10000; i++)
var s = new String("abc");
}
}
function load()
{
if (window.layoutTestController)
{
layoutTestController.dumpAsText();
layoutTestController.setCanOpenWindows();
layoutTestController.setCloseRemainingWindowsWhenComplete(true);
layoutTestController.waitUntilDone();
}
win = window.open();
if (win.webkitURL)
{
url = win.webkitURL;
win.location = "nothing";
setTimeout(crash, 0);
return;
}
document.body.innerHTML = "PASS";
if (window.layoutTestController)
layoutTestController.notifyDone();
}
function crash()
{
gc();
url.createObjectURL(blob);
if (count++ < 5)
{
setTimeout(crash, 0);
return;
}
document.body.innerHTML = "PASS";
if (window.layoutTestController)
layoutTestController.notifyDone();
}
</script>
</head>
<body onload="load()">
RUNNING...
</body>
</html>
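Review bot: `win = window.open();` in load() assigns an undeclared identifier and so creates an implicit global; declare it, e.g. `var win = window.open();`, or alongside `url` and `count` at the top of the script. The line `win.location = "nothing";` is the step that makes this a regression test, so it deserves a comment stating why it is there, such as `// Navigate the popup so its document is torn down before createObjectURL is called on its DOMURL.` The unused `var s` in the fallback gc() loop is only there to allocate and can be left, but a short comment saying so would stop a reader treating it as dead code.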
2011-01-25 Cris Neckar <cdn@chromium.org>
Reviewed by Adam Barth.
Add a hashset of DOMURLs to ScriptExecutionContext to track back references.
https://bugs.webkit.org/show_bug.cgi?id=53038
Test: fast/dom/window-domurl-crash.html
* dom/ScriptExecutionContext.cpp:
(WebCore::ScriptExecutionContext::~ScriptExecutionContext):
(WebCore::ScriptExecutionContext::createdDomUrl):
(WebCore::ScriptExecutionContext::destroyedDomUrl):
* dom/ScriptExecutionContext.h:
(WebCore::ScriptExecutionContext::domUrls):
* html/DOMURL.cpp:
(WebCore::DOMURL::DOMURL):
(WebCore::DOMURL::~DOMURL):
(WebCore::DOMURL::contextDestroyed):
* html/DOMURL.h:
(WebCore::DOMURL::scriptExecutionContext):
2011-01-23 Antti Koivisto <antti@apple.com>
Reviewed by Darin Adler.
......@@ -30,6 +30,7 @@
#include "ActiveDOMObject.h"
#include "Blob.h"
#include "BlobURL.h"
#include "DOMURL.h"
#include "Database.h"
#include "DatabaseTask.h"
#include "DatabaseThread.h"
......@@ -120,6 +121,12 @@ ScriptExecutionContext::~ScriptExecutionContext()
HashSet<String>::iterator publicBlobURLsEnd = m_publicBlobURLs.end();
for (HashSet<String>::iterator iter = m_publicBlobURLs.begin(); iter != publicBlobURLsEnd; ++iter)
ThreadableBlobRegistry::unregisterBlobURL(KURL(ParsedURLString, *iter));
HashSet<DOMURL*>::iterator domUrlsEnd = m_domUrls.end();
for (HashSet<DOMURL*>::iterator iter = m_domUrls.begin(); iter != domUrlsEnd; ++iter) {
ASSERT((*iter)->scriptExecutionContext() == this);
(*iter)->contextDestroyed();
}
#endif
}
......@@ -194,6 +201,20 @@ void ScriptExecutionContext::destroyedMessagePort(MessagePort* port)
m_messagePorts.remove(port);
}
#if ENABLE(BLOB)
void ScriptExecutionContext::createdDomUrl(DOMURL* url)
{
ASSERT(url);
m_domUrls.add(url);
}
void ScriptExecutionContext::destroyedDomUrl(DOMURL* url)
{
ASSERT(url);
m_domUrls.remove(url);
}
#endif
bool ScriptExecutionContext::canSuspendActiveDOMObjects()
{
// No protection against m_activeDOMObjects changing during iteration: canSuspend() shouldn't execute arbitrary JS.
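Review bot: createdDomUrl and destroyedDomUrl add and remove raw pointers with no assertion that the set is in the expected state, so a double registration or an unregistration that misses would leave a stale pointer in m_domUrls, which is exactly the dangling-back-reference condition this change fixes. Add `ASSERT(!m_domUrls.contains(url));` before the add in createdDomUrl and `ASSERT(m_domUrls.contains(url));` before the remove in destroyedDomUrl so debug builds catch it. The destructor loop in the earlier hunk looks correct: contextDestroyed() only clears the back-reference, so iterating the set while calling it is safe, and the ASSERT on scriptExecutionContext() == this documents the invariant.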
......@@ -60,6 +60,7 @@ namespace WebCore {
class FileThread;
#endif
class MessagePort;
class DOMURL;
class SecurityOrigin;
class ScriptCallStack;
......@@ -112,6 +113,11 @@ namespace WebCore {
void destroyedMessagePort(MessagePort*);
const HashSet<MessagePort*>& messagePorts() const { return m_messagePorts; }
#if ENABLE(BLOB)
void createdDomUrl(DOMURL*);
void destroyedDomUrl(DOMURL*);
const HashSet<DOMURL*>& domUrls() const { return m_domUrls; }
#endif
void ref() { refScriptExecutionContext(); }
void deref() { derefScriptExecutionContext(); }
......@@ -171,6 +177,7 @@ namespace WebCore {
#if ENABLE(BLOB)
HashSet<String> m_publicBlobURLs;
HashSet<DOMURL*> m_domUrls;
#endif
virtual void refScriptExecutionContext() = 0;
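Review bot: The new member `HashSet<DOMURL*> m_domUrls;` stores non-owning pointers whose validity depends on a protocol spread across two classes, but nothing in the header says so. A comment on the member along the lines of `// Non-owning back-references from live DOMURL objects; each DOMURL registers in its constructor, unregisters in its destructor, and is told via contextDestroyed() when this context goes away.` would let the next maintainer see the invariant without reading DOMURL.cpp. The same applies to the declarations of createdDomUrl/destroyedDomUrl in the previous hunk; a one-line comment there that only DOMURL should call them would be enough.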
......@@ -37,6 +37,19 @@ namespace WebCore {
DOMURL::DOMURL(ScriptExecutionContext* scriptExecutionContext)
: m_scriptExecutionContext(scriptExecutionContext)
{
m_scriptExecutionContext->createdDomUrl(this);
}
DOMURL::~DOMURL()
{
if (m_scriptExecutionContext)
m_scriptExecutionContext->destroyedDomUrl(this);
}
void DOMURL::contextDestroyed()
{
ASSERT(m_scriptExecutionContext);
m_scriptExecutionContext = 0;
}
String DOMURL::createObjectURL(Blob* blob)
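Review bot: The constructor dereferences m_scriptExecutionContext unconditionally in `m_scriptExecutionContext->createdDomUrl(this);` while the destructor null-checks the same member, which reads as inconsistent; add `ASSERT(m_scriptExecutionContext);` before the call so the precondition is stated, matching contextDestroyed(). After contextDestroyed() runs, m_scriptExecutionContext is null and the object can still be reached from script, so createObjectURL (whose body starts at the end of this hunk and continues outside it) and revokeObjectURL must tolerate a null context; if they do not already, guard them with `if (!m_scriptExecutionContext) return String();` and the equivalent early return, otherwise the use-after-free this change fixes becomes a null dereference on the same test. A short comment on contextDestroyed() saying it is invoked from ~ScriptExecutionContext would also help.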
......@@ -40,10 +40,14 @@ class ScriptExecutionContext;
class DOMURL : public RefCounted<DOMURL> {
public:
static PassRefPtr<DOMURL> create(ScriptExecutionContext* scriptExecutionContext) { return adoptRef(new DOMURL(scriptExecutionContext)); }
~DOMURL();
String createObjectURL(Blob*);
void revokeObjectURL(const String&);
void contextDestroyed();
ScriptExecutionContext* scriptExecutionContext() const { return m_scriptExecutionContext; }
private:
explicit DOMURL(ScriptExecutionContext*);
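Review bot: `void contextDestroyed();` is public with no indication of who is allowed to call it or what state the object is in afterwards. A comment such as `// Called by ScriptExecutionContext's destructor; after this the context pointer is null and the URL-creating methods must not use it.` would document the contract the new lifetime tracking depends on. Likewise, `scriptExecutionContext()` can now return null, which the accessor's name does not suggest; noting that in a comment would stop callers assuming a live context.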