Title: [121998] releases/WebKitGTK/webkit-1.8
Revision: 121998
Author: mrobin...@webkit.org
Date: 2012-07-06 13:01:57 -0700 (Fri, 06 Jul 2012)

Log Message

Merge 117304 - Missing RenderApplet cast check in HTMLAppletElement::renderWidgetForJSBindings.
https://bugs.webkit.org/show_bug.cgi?id=86627

Patch by Abhishek Arya <infe...@chromium.org> on 2012-05-16
Reviewed by Andreas Kling.

Source/WebCore:

Test: java/inline-applet-crash.html

* html/HTMLAppletElement.cpp:
(WebCore::HTMLAppletElement::renderWidgetForJSBindings):

LayoutTests:

* java/inline-applet-crash-expected.txt: Added.
* java/inline-applet-crash.html: Added.

Diff

Modified: releases/WebKitGTK/webkit-1.8/LayoutTests/ChangeLog (121997 => 121998)


--- releases/WebKitGTK/webkit-1.8/LayoutTests/ChangeLog	2012-07-06 20:01:44 UTC (rev 121997)
+++ releases/WebKitGTK/webkit-1.8/LayoutTests/ChangeLog	2012-07-06 20:01:57 UTC (rev 121998)
@@ -1,3 +1,13 @@
+2012-05-16  Abhishek Arya  <infe...@chromium.org>
+
+        Missing RenderApplet cast check in HTMLAppletElement::renderWidgetForJSBindings.
+        https://bugs.webkit.org/show_bug.cgi?id=86627
+
+        Reviewed by Andreas Kling.
+
+        * java/inline-applet-crash-expected.txt: Added.
+        * java/inline-applet-crash.html: Added.
+
 2012-05-10  Abhishek Arya  <infe...@chromium.org>
 
         Crash in ApplyStyleCommand::joinChildTextNodes.

Added: releases/WebKitGTK/webkit-1.8/LayoutTests/java/inline-applet-crash-expected.txt (0 => 121998)


--- releases/WebKitGTK/webkit-1.8/LayoutTests/java/inline-applet-crash-expected.txt	                        (rev 0)
+++ releases/WebKitGTK/webkit-1.8/LayoutTests/java/inline-applet-crash-expected.txt	2012-07-06 20:01:57 UTC (rev 121998)
@@ -0,0 +1 @@
+Test passes if it does not crash.
Property changes on: releases/WebKitGTK/webkit-1.8/LayoutTests/java/inline-applet-crash-expected.txt
___________________________________________________________________

Added: svn:eol-style

Added: releases/WebKitGTK/webkit-1.8/LayoutTests/java/inline-applet-crash.html (0 => 121998)


--- releases/WebKitGTK/webkit-1.8/LayoutTests/java/inline-applet-crash.html	                        (rev 0)
+++ releases/WebKitGTK/webkit-1.8/LayoutTests/java/inline-applet-crash.html	2012-07-06 20:01:57 UTC (rev 121998)
@@ -0,0 +1,30 @@
+<!DOCTYPE html>
+<html>
+Test passes if it does not crash.
+<applet code=doesnotexist.class></applet>
+<script>
+if (window.layoutTestController) {
+    layoutTestController.overridePreference("WebKitJavaEnabled", "1");
+    layoutTestController.dumpAsText();
+    layoutTestController.waitUntilDone();
+}
+
+function walk(arr, currentPrefix, index, domNode) {
+    if (!domNode) 
+        return;
+
+    newPrefix = currentPrefix + "_" + index;
+    walk(arr, currentPrefix, index + 1, domNode.nextSibling);
+    walk(arr, newPrefix, 0, domNode.firstChild);
+}
+
+function crash() {
+    var temp = new Array();
+    walk(temp, "", 0, document.documentElement);
+    if (window.layoutTestController)
+        layoutTestController.notifyDone();
+}
+ 
+setTimeout("crash();", 0);
+</script>
+</html>
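Review bot: in walk(), `newPrefix` is assigned without `var` and so becomes an implicit global, and neither it nor the `arr` array passed down from crash() is ever read; the walk only needs to reach every node's `nextSibling` and `firstChild` through the DOM bindings so that the `<applet>` element is touched from script, so the helper can be reduced to `walk(domNode) { if (!domNode) return; walk(domNode.nextSibling); walk(domNode.firstChild); }`. While here, `setTimeout("crash();", 0)` can be the function form `setTimeout(crash, 0)` rather than a string that is re-parsed.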
Property changes on: releases/WebKitGTK/webkit-1.8/LayoutTests/java/inline-applet-crash.html
___________________________________________________________________

Added: svn:executable

Added: svn:eol-style

Modified: releases/WebKitGTK/webkit-1.8/Source/WebCore/ChangeLog (121997 => 121998)


--- releases/WebKitGTK/webkit-1.8/Source/WebCore/ChangeLog	2012-07-06 20:01:44 UTC (rev 121997)
+++ releases/WebKitGTK/webkit-1.8/Source/WebCore/ChangeLog	2012-07-06 20:01:57 UTC (rev 121998)
@@ -1,3 +1,15 @@
+2012-05-16  Abhishek Arya  <infe...@chromium.org>
+
+        Missing RenderApplet cast check in HTMLAppletElement::renderWidgetForJSBindings.
+        https://bugs.webkit.org/show_bug.cgi?id=86627
+
+        Reviewed by Andreas Kling.
+
+        Test: java/inline-applet-crash.html
+
+        * html/HTMLAppletElement.cpp:
+        (WebCore::HTMLAppletElement::renderWidgetForJSBindings):
+
 2012-05-10  Abhishek Arya  <infe...@chromium.org>
 
         Crash in ApplyStyleCommand::joinChildTextNodes.
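Review bot: the entry names the bug and the function touched but not the root cause, i.e. that `renderer()` for an `<applet>` element can be non-null and yet not a RenderApplet, which is exactly what the added `isApplet()` check guards against. One sentence to that effect under the `Test:` line would make the entry self-explanatory when read from `svn log` without the diff.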

Modified: releases/WebKitGTK/webkit-1.8/Source/WebCore/html/HTMLAppletElement.cpp (121997 => 121998)


--- releases/WebKitGTK/webkit-1.8/Source/WebCore/html/HTMLAppletElement.cpp	2012-07-06 20:01:44 UTC (rev 121997)
+++ releases/WebKitGTK/webkit-1.8/Source/WebCore/html/HTMLAppletElement.cpp	2012-07-06 20:01:57 UTC (rev 121998)
@@ -115,10 +115,11 @@
     if (!canEmbedJava())
         return 0;
 
+    if (!renderer() || !renderer()->isApplet())
+        return 0;
+
     RenderApplet* applet = toRenderApplet(renderer());
-    if (applet)
-        applet->createWidgetIfNecessary();
-
+    applet->createWidgetIfNecessary();
     return applet;
 }
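Review bot: the new `if (!renderer() || !renderer()->isApplet()) return 0;` is the right fix, because the removed code null-checked `applet` only after `toRenderApplet(renderer())` had already performed the cast, so a non-null renderer of some other RenderObject type was cast to RenderApplet and had `createWidgetIfNecessary()` called on it. With the guard in place the cast is reached only for a genuine RenderApplet, so dropping the now-redundant `if (applet)` and calling `applet->createWidgetIfNecessary()` unconditionally is correct; it would be worth keeping an `ASSERT(applet)` there so a future regression in the guard is caught in debug builds rather than silently reintroducing the cast-then-check pattern.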
 
_______________________________________________
webkit-changes mailing list
webkit-changes@lists.webkit.org
http://lists.webkit.org/mailman/listinfo.cgi/webkit-changes
