From 678de4acf72e6fd4c6fb9426d2c69445acc18135 Mon Sep 17 00:00:00 2001
From: Ben Murdoch <benm@google.com>
Date: Wed, 30 May 2012 16:07:49 +0100
Subject: Fix document.createTouchList crash.

Cherry pick of WebKit r119158.

Note the layout test is tweaked slighly from upstream to make it
happy in our older webkit snapshot.

See: http://trac.webkit.org/changeset/119158

Bug: 6578213

Change-Id: Id6cc23938b5139cf0416e3d4c6e7ba227b1b6a0c
---
 .../document-create-touch-list-crash-expected.txt    | 19 +++++++++++++++++++
 .../touch/document-create-touch-list-crash.html      | 18 ++++++++++++++++++
 .../script-tests/document-create-touch-list-crash.js | 20 ++++++++++++++++++++
 .../WebCore/bindings/v8/custom/V8DocumentCustom.cpp  |  6 +++---
 Source/WebCore/dom/Document.cpp                      |  6 ------
 Source/WebCore/dom/Document.h                        |  1 -
 6 files changed, 60 insertions(+), 10 deletions(-)
 create mode 100644 LayoutTests/fast/events/touch/document-create-touch-list-crash-expected.txt
 create mode 100644 LayoutTests/fast/events/touch/document-create-touch-list-crash.html
 create mode 100644 LayoutTests/fast/events/touch/script-tests/document-create-touch-list-crash.js

diff --git a/LayoutTests/fast/events/touch/document-create-touch-list-crash-expected.txt b/LayoutTests/fast/events/touch/document-create-touch-list-crash-expected.txt
new file mode 100644
index 0000000..848712a
--- /dev/null
+++ b/LayoutTests/fast/events/touch/document-create-touch-list-crash-expected.txt
@@ -0,0 +1,19 @@
+This test ensures that WebKit doesn't crash when the document.createTouchList API is called with non-Touch parameters
+
+On success, you will see a series of "PASS" messages, followed by "TEST COMPLETE".
+
+
+PASS document.createTouchList(document).item(0) is null
+PASS document.createTouchList({"a":1}).item(0) is null
+PASS document.createTouchList(new Array(5)).item(0) is null
+PASS document.createTouchList("string").item(0) is null
+PASS document.createTouchList(null).item(0) is null
+PASS document.createTouchList(undefined).item(0) is null
+PASS tl.length is 3
+PASS tl.item(0) is non-null.
+PASS tl.item(1) is null
+PASS tl.item(2) is non-null.
+PASS successfullyParsed is true
+
+TEST COMPLETE
+
diff --git a/LayoutTests/fast/events/touch/document-create-touch-list-crash.html b/LayoutTests/fast/events/touch/document-create-touch-list-crash.html
new file mode 100644
index 0000000..9204abb
--- /dev/null
+++ b/LayoutTests/fast/events/touch/document-create-touch-list-crash.html
@@ -0,0 +1,18 @@
+<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML//EN">
+<html>
+<head>
+<link rel="stylesheet" href="../../js/resources/js-test-style.css">
+<script src="../../js/resources/js-test-pre.js"></script>
+<script src="../../js/resources/js-test-post-function.js"></script>
+<!--
+  Touch tests that involve the ontouchstart, ontouchmove, ontouchend or ontouchcancel callbacks
+  should be written in an asynchronous fashion so they can be run on mobile platforms like Android.
+  You will need to invoke isSuccessfullyParsed() in your test script when the test completes.
+-->
+</head>
+<body>
+<p id="description"></p>
+<div id="console"></div>
+<script src="script-tests/document-create-touch-list-crash.js"></script>
+</body>
+</html>
diff --git a/LayoutTests/fast/events/touch/script-tests/document-create-touch-list-crash.js b/LayoutTests/fast/events/touch/script-tests/document-create-touch-list-crash.js
new file mode 100644
index 0000000..19cf913
--- /dev/null
+++ b/LayoutTests/fast/events/touch/script-tests/document-create-touch-list-crash.js
@@ -0,0 +1,20 @@
+description("This test ensures that WebKit doesn't crash when the document.createTouchList API is called with non-Touch parameters");
+
+shouldBeNull('document.createTouchList(document).item(0)');
+shouldBeNull('document.createTouchList({"a":1}).item(0)');
+shouldBeNull('document.createTouchList(new Array(5)).item(0)');
+shouldBeNull('document.createTouchList("string").item(0)');
+shouldBeNull('document.createTouchList(null).item(0)');
+shouldBeNull('document.createTouchList(undefined).item(0)');
+
+var t = document.createTouch(window, document.body, 12341, 60, 65, 100, 105);
+var t2 = document.createTouch(window, document.body, 12342, 50, 55, 115, 120);
+var tl = document.createTouchList(t, document, t2);
+
+shouldBe('tl.length', '3');
+shouldBeNonNull('tl.item(0)');
+shouldBeNull('tl.item(1)');
+shouldBeNonNull('tl.item(2)');
+
+successfullyParsed = true;
+isSuccessfullyParsed();
diff --git a/Source/WebCore/bindings/v8/custom/V8DocumentCustom.cpp b/Source/WebCore/bindings/v8/custom/V8DocumentCustom.cpp
index 7cad58e..d142a9f 100644
--- a/Source/WebCore/bindings/v8/custom/V8DocumentCustom.cpp
+++ b/Source/WebCore/bindings/v8/custom/V8DocumentCustom.cpp
@@ -43,6 +43,7 @@
 #include "V8CanvasRenderingContext2D.h"
 #include "V8CustomXPathNSResolver.h"
 #include "V8DOMImplementation.h"
+#include "V8DOMWrapper.h"
 #include "V8HTMLDocument.h"
 #include "V8IsolatedContext.h"
 #include "V8Node.h"
@@ -144,9 +145,8 @@ v8::Handle<v8::Value> V8Document::createTouchListCallback(const v8::Arguments& a
     RefPtr<TouchList> touchList = TouchList::create();
 
     for (int i = 0; i < args.Length(); i++) {
-        if (!args[i]->IsObject())
-            return v8::Undefined();
-        touchList->append(V8Touch::toNative(args[i]->ToObject()));
+        Touch* touch = V8DOMWrapper::isWrapperOfType(args[i], &V8Touch::info) ? V8Touch::toNative(args[i]->ToObject()) : 0;
+        touchList->append(touch);
     }
 
     return toV8(touchList.release());
diff --git a/Source/WebCore/dom/Document.cpp b/Source/WebCore/dom/Document.cpp
index ff50390..b6a1393 100644
--- a/Source/WebCore/dom/Document.cpp
+++ b/Source/WebCore/dom/Document.cpp
@@ -5064,15 +5064,9 @@ PassRefPtr<Touch> Document::createTouch(DOMWindow* window, EventTarget* target,
     // http://developer.apple.com/library/safari/#documentation/UserExperience/Reference/DocumentAdditionsReference/DocumentAdditions/DocumentAdditions.html
     // when this method should throw and nor is it by inspection of iOS behavior. It would be nice to verify any cases where it throws under iOS
     // and implement them here. See https://bugs.webkit.org/show_bug.cgi?id=47819
-    // Ditto for the createTouchList method below.
     Frame* frame = window ? window->frame() : this->frame();
     return Touch::create(frame, target, identifier, screenX, screenY, pageX, pageY);
 }
-
-PassRefPtr<TouchList> Document::createTouchList(ExceptionCode&) const
-{
-    return TouchList::create();
-}
 #endif
 
 DocumentLoader* Document::loader() const
diff --git a/Source/WebCore/dom/Document.h b/Source/WebCore/dom/Document.h
index a4fc266..ce82b2e 100644
--- a/Source/WebCore/dom/Document.h
+++ b/Source/WebCore/dom/Document.h
@@ -1085,7 +1085,6 @@ public:
 
 #if ENABLE(TOUCH_EVENTS)
     PassRefPtr<Touch> createTouch(DOMWindow*, EventTarget*, int identifier, int pageX, int pageY, int screenX, int screenY, ExceptionCode&) const;
-    PassRefPtr<TouchList> createTouchList(ExceptionCode&) const;
 #endif
 
     const DocumentTiming* timing() const { return &m_documentTiming; }
-- 
cgit v1.1