Diff
Copied: branches/chromium/1132/LayoutTests/fast/events/touch/document-create-touch-list-crash-expected.txt (from rev 119158, trunk/LayoutTests/fast/events/touch/document-create-touch-list-crash-expected.txt) (0 => 120102)
--- branches/chromium/1132/LayoutTests/fast/events/touch/document-create-touch-list-crash-expected.txt (rev 0)
+++ branches/chromium/1132/LayoutTests/fast/events/touch/document-create-touch-list-crash-expected.txt 2012-06-12 19:17:26 UTC (rev 120102)
@@ -0,0 +1,19 @@
+This test ensures that WebKit doesn't crash when the document.createTouchList API is called with non-Touch parameters
+
+On success, you will see a series of "PASS" messages, followed by "TEST COMPLETE".
+
+
+PASS document.createTouchList(document).item(0) is null
+PASS document.createTouchList({"a":1}).item(0) is null
+PASS document.createTouchList(new Array(5)).item(0) is null
+PASS document.createTouchList("string").item(0) is null
+PASS document.createTouchList(null).item(0) is null
+PASS document.createTouchList(undefined).item(0) is null
+PASS tl.length is 3
+PASS tl.item(0) is non-null.
+PASS tl.item(1) is null
+PASS tl.item(2) is non-null.
+PASS successfullyParsed is true
+
+TEST COMPLETE
+
Copied: branches/chromium/1132/LayoutTests/fast/events/touch/document-create-touch-list-crash.html (from rev 119158, trunk/LayoutTests/fast/events/touch/document-create-touch-list-crash.html) (0 => 120102)
--- branches/chromium/1132/LayoutTests/fast/events/touch/document-create-touch-list-crash.html (rev 0)
+++ branches/chromium/1132/LayoutTests/fast/events/touch/document-create-touch-list-crash.html 2012-06-12 19:17:26 UTC (rev 120102)
@@ -0,0 +1,16 @@
+<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML//EN">
+<html>
+<head>
+<script src=""
+<!--
+ Touch tests that involve the ontouchstart, ontouchmove, ontouchend or ontouchcancel callbacks
+ should be written in an asynchronous fashion so they can be run on mobile platforms like Android.
+ You will need to invoke isSuccessfullyParsed() in your test script when the test completes.
+-->
+</head>
+<body>
+<p id="description"></p>
+<div id="console"></div>
+<script src=""
+</body>
+</html>
Copied: branches/chromium/1132/LayoutTests/fast/events/touch/script-tests/document-create-touch-list-crash.js (from rev 119158, trunk/LayoutTests/fast/events/touch/script-tests/document-create-touch-list-crash.js) (0 => 120102)
--- branches/chromium/1132/LayoutTests/fast/events/touch/script-tests/document-create-touch-list-crash.js (rev 0)
+++ branches/chromium/1132/LayoutTests/fast/events/touch/script-tests/document-create-touch-list-crash.js 2012-06-12 19:17:26 UTC (rev 120102)
@@ -0,0 +1,19 @@
+description("This test ensures that WebKit doesn't crash when the document.createTouchList API is called with non-Touch parameters");
+
+shouldBeNull('document.createTouchList(document).item(0)');
+shouldBeNull('document.createTouchList({"a":1}).item(0)');
+shouldBeNull('document.createTouchList(new Array(5)).item(0)');
+shouldBeNull('document.createTouchList("string").item(0)');
+shouldBeNull('document.createTouchList(null).item(0)');
+shouldBeNull('document.createTouchList(undefined).item(0)');
+
+var t = document.createTouch(window, document.body, 12341, 60, 65, 100, 105);
+var t2 = document.createTouch(window, document.body, 12342, 50, 55, 115, 120);
+var tl = document.createTouchList(t, document, t2);
+
+shouldBe('tl.length', '3');
+shouldBeNonNull('tl.item(0)');
+shouldBeNull('tl.item(1)');
+shouldBeNonNull('tl.item(2)');
+
+isSuccessfullyParsed();
Modified: branches/chromium/1132/Source/WebCore/bindings/v8/custom/V8DocumentCustom.cpp (120101 => 120102)
--- branches/chromium/1132/Source/WebCore/bindings/v8/custom/V8DocumentCustom.cpp 2012-06-12 19:07:56 UTC (rev 120101)
+++ branches/chromium/1132/Source/WebCore/bindings/v8/custom/V8DocumentCustom.cpp 2012-06-12 19:17:26 UTC (rev 120102)
@@ -43,6 +43,7 @@
#include "V8CanvasRenderingContext2D.h"
#include "V8CustomXPathNSResolver.h"
#include "V8DOMImplementation.h"
+#include "V8DOMWrapper.h"
#include "V8HTMLDocument.h"
#include "V8IsolatedContext.h"
#include "V8Node.h"
@@ -142,9 +143,8 @@
RefPtr<TouchList> touchList = TouchList::create();
for (int i = 0; i < args.Length(); i++) {
- if (!args[i]->IsObject())
- return v8::Undefined();
- touchList->append(V8Touch::toNative(args[i]->ToObject()));
+ Touch* touch = V8DOMWrapper::isWrapperOfType(args[i], &V8Touch::info) ? V8Touch::toNative(args[i]->ToObject()) : 0;
+ touchList->append(touch);
}
return toV8(touchList.release(), args.GetIsolate());
Modified: branches/chromium/1132/Source/WebCore/dom/Document.cpp (120101 => 120102)
--- branches/chromium/1132/Source/WebCore/dom/Document.cpp 2012-06-12 19:07:56 UTC (rev 120101)
+++ branches/chromium/1132/Source/WebCore/dom/Document.cpp 2012-06-12 19:17:26 UTC (rev 120102)
@@ -5820,15 +5820,9 @@
// http://developer.apple.com/library/safari/#documentation/UserExperience/Reference/DocumentAdditionsReference/DocumentAdditions/DocumentAdditions.html
// when this method should throw and nor is it by inspection of iOS behavior. It would be nice to verify any cases where it throws under iOS
// and implement them here. See https://bugs.webkit.org/show_bug.cgi?id=47819
- // Ditto for the createTouchList method below.
Frame* frame = window ? window->frame() : this->frame();
return Touch::create(frame, target, identifier, screenX, screenY, pageX, pageY, radiusX, radiusY, rotationAngle, force);
}
-
-PassRefPtr<TouchList> Document::createTouchList(ExceptionCode&) const
-{
- return TouchList::create();
-}
#endif
static void wheelEventHandlerCountChanged(Document* document)
Modified: branches/chromium/1132/Source/WebCore/dom/Document.h (120101 => 120102)
--- branches/chromium/1132/Source/WebCore/dom/Document.h 2012-06-12 19:07:56 UTC (rev 120101)
+++ branches/chromium/1132/Source/WebCore/dom/Document.h 2012-06-12 19:17:26 UTC (rev 120102)
@@ -1116,7 +1116,6 @@
#if ENABLE(TOUCH_EVENTS)
PassRefPtr<Touch> createTouch(DOMWindow*, EventTarget*, int identifier, int pageX, int pageY, int screenX, int screenY, int radiusX, int radiusY, float rotationAngle, float force, ExceptionCode&) const;
- PassRefPtr<TouchList> createTouchList(ExceptionCode&) const;
#endif
const DocumentTiming* timing() const { return &m_documentTiming; }
