From: commit-queue@webkit.org Date: Thu, 22 Sep 2011 00:17:45 +0000 (+0000) Subject: [Chromium] Protect message ports from being deleted in V8MessageEvent::portsAccessorG... X-Git-Tag: 070512121124~23923 X-Git-Url: http://review.tizen.org/git/?a=commitdiff_plain;h=7ab42b1fb12539d9753f6e21889e2396b3bdff51;p=profile%2Fivi%2Fwebkit-efl.git [Chromium] Protect message ports from being deleted in V8MessageEvent::portsAccessorGetter https://bugs.webkit.org/show_bug.cgi?id=68584 Patch by Sergey Glazunov on 2011-09-21 Reviewed by Adam Barth. Source/WebCore: Test: fast/dom/message-port-deleted-by-accessor.html * bindings/v8/custom/V8MessageEventCustom.cpp: (WebCore::V8MessageEvent::portsAccessorGetter): LayoutTests: * fast/dom/message-port-deleted-by-accessor-expected.txt: Added. * fast/dom/message-port-deleted-by-accessor.html: Added. git-svn-id: http://svn.webkit.org/repository/webkit/trunk@95689 268f45cc-cd09-0410-ab3c-d52691b4dbfc
---
diff --git a/LayoutTests/ChangeLog b/LayoutTests/ChangeLog
index c89e1bc..d610a29 100644
--- a/LayoutTests/ChangeLog
+++ b/LayoutTests/ChangeLog
@@ -1,3 +1,13 @@
+2011-09-21 Sergey Glazunov
+
+ [Chromium] Protect message ports from being deleted in V8MessageEvent::portsAccessorGetter
+ https://bugs.webkit.org/show_bug.cgi?id=68584
+
+ Reviewed by Adam Barth.
+
+ * fast/dom/message-port-deleted-by-accessor-expected.txt: Added.
+ * fast/dom/message-port-deleted-by-accessor.html: Added.
+
 2011-09-21 David Levin
 [chromium] Rebaselines for passing tests and expectation updates/narrowing.
diff --git a/LayoutTests/fast/dom/message-port-deleted-by-accessor-expected.txt b/LayoutTests/fast/dom/message-port-deleted-by-accessor-expected.txt
new file mode 100644
index 0000000..730ebf6
--- /dev/null
+++ b/LayoutTests/fast/dom/message-port-deleted-by-accessor-expected.txt
@@ -0,0 +1 @@
+This test passes if it doesn't crash.
diff --git a/LayoutTests/fast/dom/message-port-deleted-by-accessor.html b/LayoutTests/fast/dom/message-port-deleted-by-accessor.html
new file mode 100644
index 0000000..9a6f495
--- /dev/null
+++ b/LayoutTests/fast/dom/message-port-deleted-by-accessor.html
@@ -0,0 +1,25 @@ + + + + + +This test passes if it doesn't crash. + +
diff --git a/Source/WebCore/ChangeLog b/Source/WebCore/ChangeLog
index c48917f..f3ba2b9 100644
--- a/Source/WebCore/ChangeLog
+++ b/Source/WebCore/ChangeLog
@@ -1,3 +1,15 @@
+2011-09-21 Sergey Glazunov
+
+ [Chromium] Protect message ports from being deleted in V8MessageEvent::portsAccessorGetter
+ https://bugs.webkit.org/show_bug.cgi?id=68584
+
+ Reviewed by Adam Barth.
+
+ Test: fast/dom/message-port-deleted-by-accessor.html
+
+ * bindings/v8/custom/V8MessageEventCustom.cpp:
+ (WebCore::V8MessageEvent::portsAccessorGetter):
+
 2011-09-21 Anders Carlsson
 Add back protection against the NSView going away while handling mouseDown
diff --git a/Source/WebCore/bindings/v8/custom/V8MessageEventCustom.cpp b/Source/WebCore/bindings/v8/custom/V8MessageEventCustom.cpp
index b99672d..6047cdd 100644
--- a/Source/WebCore/bindings/v8/custom/V8MessageEventCustom.cpp
+++ b/Source/WebCore/bindings/v8/custom/V8MessageEventCustom.cpp
@@ -88,10 +88,12 @@ v8::Handle V8MessageEvent::portsAccessorGetter(v8::Local
 MessagePortArray* ports = event->ports();
 if (!ports)
 return v8::Array::New(0);
+
+ MessagePortArray portsCopy(*ports);
- v8::Local portArray = v8::Array::New(ports->size());
- for (size_t i = 0; i < ports->size(); ++i)
- portArray->Set(v8::Integer::New(i), toV8((*ports)[i].get()));
+ v8::Local portArray = v8::Array::New(portsCopy.size());
+ for (size_t i = 0; i < portsCopy.size(); ++i)
+ portArray->Set(v8::Integer::New(i), toV8(portsCopy[i].get()));
 return portArray;
 }
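Review bot: The added `MessagePortArray portsCopy(*ports);` in the V8MessageEventCustom.cpp hunk carries the whole fix, but nothing in the code says why the copy exists, so a later cleanup could remove it as a redundant allocation and bring the lifetime bug back. Judging by the commit title and the `.get()` calls on the elements, the copy appears to hold its own reference to each port, so that neither the event's array nor the ports can be freed while `toV8()` and `portArray->Set()` run. I would state that directly above the copy, for example `// Hold our own references: toV8()/Set() can run code that releases the event's ports array, so do not iterate *ports directly.` portsAccessorGetter begins before this hunk, so how `event` itself is kept alive cannot be checked from here.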