author | Ben Murdoch <benm@google.com> | 2012-06-01 05:09:01 -0700 |
---|---|---|
committer | Android Git Automerger <android-git-automerger@android.com> | 2012-06-01 05:09:01 -0700 |
commit | b24a3340c25da2884c62ee2c261fd90099247687 (patch) | |
tree | 421f2e13071f7ec4b05ce574357949b0f0b1604d | |
parent | 1d988a5cfd58943ebc6097ff78b68b6fba9ac232 (diff) | |
parent | c69907062387aaedf35962337b254c01893d398b (diff) | |
am c6990706: am 678de4ac: Fix document.createTouchList crash.
* commit 'c69907062387aaedf35962337b254c01893d398b':
Fix document.createTouchList crash.
6 files changed, 60 insertions, 10 deletions
diff --git a/LayoutTests/fast/events/touch/document-create-touch-list-crash-expected.txt b/LayoutTests/fast/events/touch/document-create-touch-list-crash-expected.txt
new file mode 100644
index 0000000..848712a
--- /dev/null
+++ b/LayoutTests/fast/events/touch/document-create-touch-list-crash-expected.txt
@@ -0,0 +1,19 @@
+This test ensures that WebKit doesn't crash when the document.createTouchList API is called with non-Touch parameters
+
+On success, you will see a series of "PASS" messages, followed by "TEST COMPLETE".
+
+
+PASS document.createTouchList(document).item(0) is null
+PASS document.createTouchList({"a":1}).item(0) is null
+PASS document.createTouchList(new Array(5)).item(0) is null
+PASS document.createTouchList("string").item(0) is null
+PASS document.createTouchList(null).item(0) is null
+PASS document.createTouchList(undefined).item(0) is null
+PASS tl.length is 3
+PASS tl.item(0) is non-null.
+PASS tl.item(1) is null
+PASS tl.item(2) is non-null.
+PASS successfullyParsed is true
+
+TEST COMPLETE
+
diff --git a/LayoutTests/fast/events/touch/document-create-touch-list-crash.html b/LayoutTests/fast/events/touch/document-create-touch-list-crash.html
new file mode 100644
index 0000000..9204abb
--- /dev/null
+++ b/LayoutTests/fast/events/touch/document-create-touch-list-crash.html
@@ -0,0 +1,18 @@
+<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML//EN">
+<html>
+<head>
+<link rel="stylesheet" href="../../js/resources/js-test-style.css">
+<script src="../../js/resources/js-test-pre.js"></script>
+<script src="../../js/resources/js-test-post-function.js"></script>
+<!--
+ Touch tests that involve the ontouchstart, ontouchmove, ontouchend or ontouchcancel callbacks
+ should be written in an asynchronous fashion so they can be run on mobile platforms like Android.
+ You will need to invoke isSuccessfullyParsed() in your test script when the test completes.
+-->
+</head>
+<body>
+<p id="description"></p>
+<div id="console"></div>
+<script src="script-tests/document-create-touch-list-crash.js"></script>
+</body>
+</html>
diff --git a/LayoutTests/fast/events/touch/script-tests/document-create-touch-list-crash.js b/LayoutTests/fast/events/touch/script-tests/document-create-touch-list-crash.js
new file mode 100644
index 0000000..19cf913
--- /dev/null
+++ b/LayoutTests/fast/events/touch/script-tests/document-create-touch-list-crash.js
@@ -0,0 +1,20 @@
+description("This test ensures that WebKit doesn't crash when the document.createTouchList API is called with non-Touch parameters");
+
+shouldBeNull('document.createTouchList(document).item(0)');
+shouldBeNull('document.createTouchList({"a":1}).item(0)');
+shouldBeNull('document.createTouchList(new Array(5)).item(0)');
+shouldBeNull('document.createTouchList("string").item(0)');
+shouldBeNull('document.createTouchList(null).item(0)');
+shouldBeNull('document.createTouchList(undefined).item(0)');
+
+var t = document.createTouch(window, document.body, 12341, 60, 65, 100, 105);
+var t2 = document.createTouch(window, document.body, 12342, 50, 55, 115, 120);
+var tl = document.createTouchList(t, document, t2);
+
+shouldBe('tl.length', '3');
+shouldBeNonNull('tl.item(0)');
+shouldBeNull('tl.item(1)');
+shouldBeNonNull('tl.item(2)');
+
+successfullyParsed = true;
+isSuccessfullyParsed();
diff --git a/Source/WebCore/bindings/v8/custom/V8DocumentCustom.cpp b/Source/WebCore/bindings/v8/custom/V8DocumentCustom.cpp
index 7cad58e..d142a9f 100644
--- a/Source/WebCore/bindings/v8/custom/V8DocumentCustom.cpp
+++ b/Source/WebCore/bindings/v8/custom/V8DocumentCustom.cpp
@@ -43,6 +43,7 @@
 #include "V8CanvasRenderingContext2D.h"
 #include "V8CustomXPathNSResolver.h"
 #include "V8DOMImplementation.h"
+#include "V8DOMWrapper.h"
 #include "V8HTMLDocument.h"
 #include "V8IsolatedContext.h"
 #include "V8Node.h"
@@ -144,9 +145,8 @@ v8::Handle<v8::Value> V8Document::createTouchListCallback(const v8::Arguments& a
 RefPtr<TouchList> touchList = TouchList::create();
 for (int i = 0; i < args.Length(); i++) {
- if (!args[i]->IsObject())
- return v8::Undefined();
- touchList->append(V8Touch::toNative(args[i]->ToObject()));
+ Touch* touch = V8DOMWrapper::isWrapperOfType(args[i], &V8Touch::info) ? V8Touch::toNative(args[i]->ToObject()) : 0;
+ touchList->append(touch);
 }
 return toV8(touchList.release());
diff --git a/Source/WebCore/dom/Document.cpp b/Source/WebCore/dom/Document.cpp
index ff50390..b6a1393 100644
--- a/Source/WebCore/dom/Document.cpp
+++ b/Source/WebCore/dom/Document.cpp
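Review bot: In `createTouchListCallback` (V8DocumentCustom.cpp), every argument that fails `V8DOMWrapper::isWrapperOfType` is now appended as a null `Touch*`, so a script-built TouchList can hold null entries; the new layout test pins this with `tl.item(1)` being null. Native code that walks a TouchList and dereferences `item(i)` is not visible in this hunk and should be confirmed to null-check, or the loop could skip non-Touch arguments instead of storing a null. The line would also benefit from a comment recording why the check exists, for example `// toNative() presumably casts the wrapper's internal pointer without verifying its type; only unwrap genuine V8Touch wrappers.` The function's signature and opening brace lie outside the hunk.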
@@ -5064,15 +5064,9 @@ PassRefPtr<Touch> Document::createTouch(DOMWindow* window, EventTarget* target,
 // http://developer.apple.com/library/safari/#documentation/UserExperience/Reference/DocumentAdditionsReference/DocumentAdditions/DocumentAdditions.html
 // when this method should throw and nor is it by inspection of iOS behavior. It would be nice to verify any cases where it throws under iOS
 // and implement them here. See https://bugs.webkit.org/show_bug.cgi?id=47819
- // Ditto for the createTouchList method below.
 Frame* frame = window ? window->frame() : this->frame();
 return Touch::create(frame, target, identifier, screenX, screenY, pageX, pageY);
 }
-
-PassRefPtr<TouchList> Document::createTouchList(ExceptionCode&) const
-{
- return TouchList::create();
-}
 #endif
 DocumentLoader* Document::loader() const
diff --git a/Source/WebCore/dom/Document.h b/Source/WebCore/dom/Document.h
index a4fc266..ce82b2e 100644
--- a/Source/WebCore/dom/Document.h
+++ b/Source/WebCore/dom/Document.h
@@ -1085,7 +1085,6 @@ public:
 #if ENABLE(TOUCH_EVENTS)
 PassRefPtr<Touch> createTouch(DOMWindow*, EventTarget*, int identifier, int pageX, int pageY, int screenX, int screenY, ExceptionCode&) const;
- PassRefPtr<TouchList> createTouchList(ExceptionCode&) const;
 #endif
 const DocumentTiming* timing() const { return &m_documentTiming; } |