<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.1//EN"
"http://www.w3.org/TR/xhtml11/DTD/xhtml11.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head><meta http-equiv="content-type" content="text/html; charset=utf-8" />
<title>[184171] releases/WebKitGTK/webkit-2.8</title>
</head>
<body>
<style type="text/css"><!--
#msg dl.meta { border: 1px #006 solid; background: #369; padding: 6px; color: #fff; }
#msg dl.meta dt { float: left; width: 6em; font-weight: bold; }
#msg dt:after { content:':';}
#msg dl, #msg dt, #msg ul, #msg li, #header, #footer, #logmsg { font-family: verdana,arial,helvetica,sans-serif; font-size: 10pt; }
#msg dl a { font-weight: bold}
#msg dl a:link { color:#fc3; }
#msg dl a:active { color:#ff0; }
#msg dl a:visited { color:#cc6; }
h3 { font-family: verdana,arial,helvetica,sans-serif; font-size: 10pt; font-weight: bold; }
#msg pre { overflow: auto; background: #ffc; border: 1px #fa0 solid; padding: 6px; }
#logmsg { background: #ffc; border: 1px #fa0 solid; padding: 1em 1em 0 1em; }
#logmsg p, #logmsg pre, #logmsg blockquote { margin: 0 0 1em 0; }
#logmsg p, #logmsg li, #logmsg dt, #logmsg dd { line-height: 14pt; }
#logmsg h1, #logmsg h2, #logmsg h3, #logmsg h4, #logmsg h5, #logmsg h6 { margin: .5em 0; }
#logmsg h1:first-child, #logmsg h2:first-child, #logmsg h3:first-child, #logmsg h4:first-child, #logmsg h5:first-child, #logmsg h6:first-child { margin-top: 0; }
#logmsg ul, #logmsg ol { padding: 0; list-style-position: inside; margin: 0 0 0 1em; }
#logmsg ul { text-indent: -1em; padding-left: 1em; }#logmsg ol { text-indent: -1.5em; padding-left: 1.5em; }
#logmsg > ul, #logmsg > ol { margin: 0 0 1em 0; }
#logmsg pre { background: #eee; padding: 1em; }
#logmsg blockquote { border: 1px solid #fa0; border-left-width: 10px; padding: 1em 1em 0 1em; background: white;}
#logmsg dl { margin: 0; }
#logmsg dt { font-weight: bold; }
#logmsg dd { margin: 0; padding: 0 0 0.5em 0; }
#logmsg dd:before { content:'\00bb';}
#logmsg table { border-spacing: 0px; border-collapse: collapse; border-top: 4px solid #fa0; border-bottom: 1px solid #fa0; background: #fff; }
#logmsg table th { text-align: left; font-weight: normal; padding: 0.2em 0.5em; border-top: 1px dotted #fa0; }
#logmsg table td { text-align: right; border-top: 1px dotted #fa0; padding: 0.2em 0.5em; }
#logmsg table thead th { text-align: center; border-bottom: 1px solid #fa0; }
#logmsg table th.Corner { text-align: left; }
#logmsg hr { border: none 0; border-top: 2px dashed #fa0; height: 1px; }
#header, #footer { color: #fff; background: #636; border: 1px #300 solid; padding: 6px; }
#patch { width: 100%; }
#patch h4 {font-family: verdana,arial,helvetica,sans-serif;font-size:10pt;padding:8px;background:#369;color:#fff;margin:0;}
#patch .propset h4, #patch .binary h4 {margin:0;}
#patch pre {padding:0;line-height:1.2em;margin:0;}
#patch .diff {width:100%;background:#eee;padding: 0 0 10px 0;overflow:auto;}
#patch .propset .diff, #patch .binary .diff {padding:10px 0;}
#patch span {display:block;padding:0 10px;}
#patch .modfile, #patch .addfile, #patch .delfile, #patch .propset, #patch .binary, #patch .copfile {border:1px solid #ccc;margin:10px 0;}
#patch ins {background:#dfd;text-decoration:none;display:block;padding:0 10px;}
#patch del {background:#fdd;text-decoration:none;display:block;padding:0 10px;}
#patch .lines, .info {color:#888;background:#fff;}
--></style>
<div id="msg">
<dl class="meta">
<dt>Revision</dt> <dd><a href="http://trac.webkit.org/projects/webkit/changeset/184171">184171</a></dd>
<dt>Author</dt> <dd>carlosgc@webkit.org</dd>
<dt>Date</dt> <dd>2015-05-12 01:15:53 -0700 (Tue, 12 May 2015)</dd>
</dl>
<h3>Log Message</h3>
<pre>Merge <a href="http://trac.webkit.org/projects/webkit/changeset/183781">r183781</a> - Crash at com.apple.WebKit.WebContent at com.apple.WebCore: WebCore::createWindow + 185
https://bugs.webkit.org/show_bug.cgi?id=144597
<rdar://problem/20361579>
Reviewed by Andreas Kling.
Source/WebCore:
Test: fast/dom/Window/window-open-activeWindow-null-frame.html
In our implementation of window.open(), we make sure that the window
on which window.open() is called has a frame. However, we did not have the
same check for the activeDOMWindow (i.e. the lexicalGlobalObject), causing
us to crash in WebCore::createWindow() when dereferencing it.
This patch updates WebCore::createWindow() to take a reference to the
openerFrame instead of a pointer to make it clear the implementation
expects it to be non-null. A null check is then added for the frame
at the call site: DOMWindow::createWindow().
* inspector/InspectorFrontendClientLocal.cpp:
(WebCore::InspectorFrontendClientLocal::openInNewTab):
* loader/FrameLoader.cpp:
(WebCore::isDocumentSandboxed):
(WebCore::FrameLoader::submitForm):
(WebCore::createWindow):
Take a reference to openerFrame instead of a pointer as the
implementation expects it to be non-null.
* loader/FrameLoader.h:
* page/DOMWindow.cpp:
(WebCore::DOMWindow::createWindow):
Add null check for activeFrame before passing it to
WebCore::createWindow().
LayoutTests:
Add a layout test to cover the case where window.open() is called on a
window that is different than the activeDOMWindow and where the
activeDOMWindow does not have a frame.
* fast/dom/Window/resources/test-frame.html: Added.
* fast/dom/Window/window-open-activeWindow-null-frame-expected.txt: Added.
* fast/dom/Window/window-open-activeWindow-null-frame.html: Added.</pre>
<h3>Modified Paths</h3>
<ul>
<li><a href="#releasesWebKitGTKwebkit28LayoutTestsChangeLog">releases/WebKitGTK/webkit-2.8/LayoutTests/ChangeLog</a></li>
<li><a href="#releasesWebKitGTKwebkit28SourceWebCoreChangeLog">releases/WebKitGTK/webkit-2.8/Source/WebCore/ChangeLog</a></li>
<li><a href="#releasesWebKitGTKwebkit28SourceWebCoreinspectorInspectorFrontendClientLocalcpp">releases/WebKitGTK/webkit-2.8/Source/WebCore/inspector/InspectorFrontendClientLocal.cpp</a></li>
<li><a href="#releasesWebKitGTKwebkit28SourceWebCoreloaderFrameLoadercpp">releases/WebKitGTK/webkit-2.8/Source/WebCore/loader/FrameLoader.cpp</a></li>
<li><a href="#releasesWebKitGTKwebkit28SourceWebCoreloaderFrameLoaderh">releases/WebKitGTK/webkit-2.8/Source/WebCore/loader/FrameLoader.h</a></li>
<li><a href="#releasesWebKitGTKwebkit28SourceWebCorepageDOMWindowcpp">releases/WebKitGTK/webkit-2.8/Source/WebCore/page/DOMWindow.cpp</a></li>
</ul>
<h3>Added Paths</h3>
<ul>
<li><a href="#releasesWebKitGTKwebkit28LayoutTestsfastdomWindowresourcestestframehtml">releases/WebKitGTK/webkit-2.8/LayoutTests/fast/dom/Window/resources/test-frame.html</a></li>
<li><a href="#releasesWebKitGTKwebkit28LayoutTestsfastdomWindowwindowopenactiveWindownullframeexpectedtxt">releases/WebKitGTK/webkit-2.8/LayoutTests/fast/dom/Window/window-open-activeWindow-null-frame-expected.txt</a></li>
<li><a href="#releasesWebKitGTKwebkit28LayoutTestsfastdomWindowwindowopenactiveWindownullframehtml">releases/WebKitGTK/webkit-2.8/LayoutTests/fast/dom/Window/window-open-activeWindow-null-frame.html</a></li>
</ul>
</div>
<div id="patch">
<h3>Diff</h3>
<a id="releasesWebKitGTKwebkit28LayoutTestsChangeLog"></a>
<div class="modfile"><h4>Modified: releases/WebKitGTK/webkit-2.8/LayoutTests/ChangeLog (184170 => 184171)</h4>
<pre class="diff"><span>
<span class="info">--- releases/WebKitGTK/webkit-2.8/LayoutTests/ChangeLog        2015-05-12 08:15:27 UTC (rev 184170)
+++ releases/WebKitGTK/webkit-2.8/LayoutTests/ChangeLog        2015-05-12 08:15:53 UTC (rev 184171)
</span><span class="lines">@@ -1,5 +1,21 @@
</span><span class="cx"> 2015-05-04 Chris Dumez <cdumez@apple.com>
</span><span class="cx">
</span><ins>+ Crash at com.apple.WebKit.WebContent at com.apple.WebCore: WebCore::createWindow + 185
+ https://bugs.webkit.org/show_bug.cgi?id=144597
+ <rdar://problem/20361579>
+
+ Reviewed by Andreas Kling.
+
+ Add a layout test to cover the case where window.open() is called on a
+ window that is different than the activeDOMWindow and where the
+ activeDOMWindow does not have a frame.
+
+ * fast/dom/Window/resources/test-frame.html: Added.
+ * fast/dom/Window/window-open-activeWindow-null-frame-expected.txt: Added.
+ * fast/dom/Window/window-open-activeWindow-null-frame.html: Added.
+
+2015-05-04 Chris Dumez <cdumez@apple.com>
+
</ins><span class="cx"> REGRESSION (r178156): CSS Parser incorrectly rejects valid calc() in padding-right property
</span><span class="cx"> https://bugs.webkit.org/show_bug.cgi?id=144584
</span><span class="cx"> <rdar://problem/20796829>
</span></span></pre></div>
<a id="releasesWebKitGTKwebkit28LayoutTestsfastdomWindowresourcestestframehtml"></a>
<div class="addfile"><h4>Added: releases/WebKitGTK/webkit-2.8/LayoutTests/fast/dom/Window/resources/test-frame.html (0 => 184171)</h4>
<pre class="diff"><span>
<span class="info">--- releases/WebKitGTK/webkit-2.8/LayoutTests/fast/dom/Window/resources/test-frame.html         (rev 0)
+++ releases/WebKitGTK/webkit-2.8/LayoutTests/fast/dom/Window/resources/test-frame.html        2015-05-12 08:15:53 UTC (rev 184171)
</span><span class="lines">@@ -0,0 +1,6 @@
</span><ins>+<!DOCTYPE html>
+<html>
+<body>
+TEST
+</body>
+</html>
</ins></span></pre></div>
<a id="releasesWebKitGTKwebkit28LayoutTestsfastdomWindowwindowopenactiveWindownullframeexpectedtxt"></a>
<div class="addfile"><h4>Added: releases/WebKitGTK/webkit-2.8/LayoutTests/fast/dom/Window/window-open-activeWindow-null-frame-expected.txt (0 => 184171)</h4>
<pre class="diff"><span>
<span class="info">--- releases/WebKitGTK/webkit-2.8/LayoutTests/fast/dom/Window/window-open-activeWindow-null-frame-expected.txt         (rev 0)
+++ releases/WebKitGTK/webkit-2.8/LayoutTests/fast/dom/Window/window-open-activeWindow-null-frame-expected.txt        2015-05-12 08:15:53 UTC (rev 184171)
</span><span class="lines">@@ -0,0 +1,10 @@
</span><ins>+Tests window.open() call with an activeDOMWindow that has a null frame.
+
+On success, you will see a series of "PASS" messages, followed by "TEST COMPLETE".
+
+
+This test passes if it doesn't crash.
+PASS successfullyParsed is true
+
+TEST COMPLETE
+
</ins></span></pre></div>
<a id="releasesWebKitGTKwebkit28LayoutTestsfastdomWindowwindowopenactiveWindownullframehtml"></a>
<div class="addfile"><h4>Added: releases/WebKitGTK/webkit-2.8/LayoutTests/fast/dom/Window/window-open-activeWindow-null-frame.html (0 => 184171)</h4>
<pre class="diff"><span>
<span class="info">--- releases/WebKitGTK/webkit-2.8/LayoutTests/fast/dom/Window/window-open-activeWindow-null-frame.html         (rev 0)
+++ releases/WebKitGTK/webkit-2.8/LayoutTests/fast/dom/Window/window-open-activeWindow-null-frame.html        2015-05-12 08:15:53 UTC (rev 184171)
</span><span class="lines">@@ -0,0 +1,36 @@
</span><ins>+<!DOCTYPE html>
+<html>
+<head>
+<script src="../../../resources/js-test-pre.js"></script>
+<script>
+description("Tests window.open() call with an activeDOMWindow that has a null frame.");
+debug("This test passes if it doesn't crash.");
+
+window.jsTestIsAsync = true;
+
+if (window.testRunner)
+ testRunner.setCanOpenWindows(true);
+
+function openWindow()
+{
+ testFrameWindowOpen.call(window);
+ finishJSTest();
+}
+
+function removeSubFrame()
+{
+ var testFrame = document.getElementById("testFrame");
+ testFrameWindow = testFrame.contentWindow;
+ testFrameWindowOpen = testFrameWindow.open;
+ testFrame.remove();
+ gc();
+
+ setTimeout(openWindow, 0);
+}
+</script>
+</head>
+<body>
+<iframe id="testFrame" src="resources/test-frame.html" onload="removeSubFrame()"></iframe>
+<script src="../../../resources/js-test-post.js"></script>
+</body>
+</html>
</ins></span></pre></div>
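Review bot: openWindow() discards the result of testFrameWindowOpen.call(window), so the test only proves the absence of a crash; capturing the return value and asserting it with shouldBeNull (the expected.txt would then carry a PASS line for it) would also pin down the intended behaviour, namely that window.open() invoked from an activeDOMWindow without a frame now returns null instead of opening a window. Two smaller points: testFrameWindow and testFrameWindowOpen are assigned without var and become implicit globals (keeping testFrameWindow reachable after testFrame.remove() is what holds the frameless DOMWindow alive across gc(), so a comment saying so would help), and gc() is only provided under the test runner, so the page throws when opened in a plain browser.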
<a id="releasesWebKitGTKwebkit28SourceWebCoreChangeLog"></a>
<div class="modfile"><h4>Modified: releases/WebKitGTK/webkit-2.8/Source/WebCore/ChangeLog (184170 => 184171)</h4>
<pre class="diff"><span>
<span class="info">--- releases/WebKitGTK/webkit-2.8/Source/WebCore/ChangeLog        2015-05-12 08:15:27 UTC (rev 184170)
+++ releases/WebKitGTK/webkit-2.8/Source/WebCore/ChangeLog        2015-05-12 08:15:53 UTC (rev 184171)
</span><span class="lines">@@ -1,5 +1,40 @@
</span><span class="cx"> 2015-05-04 Chris Dumez <cdumez@apple.com>
</span><span class="cx">
</span><ins>+ Crash at com.apple.WebKit.WebContent at com.apple.WebCore: WebCore::createWindow + 185
+ https://bugs.webkit.org/show_bug.cgi?id=144597
+ <rdar://problem/20361579>
+
+ Reviewed by Andreas Kling.
+
+ Test: fast/dom/Window/window-open-activeWindow-null-frame.html
+
+ In our implementation of window.open(), we make sure that the window
+ which window.open() is called has a frame. However, we did not have the
+ same check for the activeDOMWindow (i.e. the lexicalGlobalObject) causing
+ us to crash in WebCore::createWindow() when dereferencing it.
+
+ This patch updates WebCore::createWindow() takes a reference to the
+ openerFrame instead of a pointer to make it clear the implementation
+ expects it to be non-null. A null check is then added for the frame
+ at the call site: DOMWindow::createWindow().
+
+ * inspector/InspectorFrontendClientLocal.cpp:
+ (WebCore::InspectorFrontendClientLocal::openInNewTab):
+ * loader/FrameLoader.cpp:
+ (WebCore::isDocumentSandboxed):
+ (WebCore::FrameLoader::submitForm):
+ (WebCore::createWindow):
+ Take a reference to openerFrame instead of a pointer as the
+ implementation expects it to be non-null.
+
+ * loader/FrameLoader.h:
+ * page/DOMWindow.cpp:
+ (WebCore::DOMWindow::createWindow):
+ Add null check for activeFrame before passing it to
+ WebCore::createWindow().
+
+2015-05-04 Chris Dumez <cdumez@apple.com>
+
</ins><span class="cx"> REGRESSION (r178156): CSS Parser incorrectly rejects valid calc() in padding-right property
</span><span class="cx"> https://bugs.webkit.org/show_bug.cgi?id=144584
</span><span class="cx"> <rdar://problem/20796829>
</span></span></pre></div>
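Review bot: two grammar slips in the description, "the window which window.open() is called has a frame" should read "the window on which window.open() is called has a frame", and "updates WebCore::createWindow() takes a reference" should read "updates WebCore::createWindow() to take a reference".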
<a id="releasesWebKitGTKwebkit28SourceWebCoreinspectorInspectorFrontendClientLocalcpp"></a>
<div class="modfile"><h4>Modified: releases/WebKitGTK/webkit-2.8/Source/WebCore/inspector/InspectorFrontendClientLocal.cpp (184170 => 184171)</h4>
<pre class="diff"><span>
<span class="info">--- releases/WebKitGTK/webkit-2.8/Source/WebCore/inspector/InspectorFrontendClientLocal.cpp        2015-05-12 08:15:27 UTC (rev 184170)
+++ releases/WebKitGTK/webkit-2.8/Source/WebCore/inspector/InspectorFrontendClientLocal.cpp        2015-05-12 08:15:53 UTC (rev 184171)
</span><span class="lines">@@ -215,7 +215,7 @@
</span><span class="cx">
</span><span class="cx"> bool created;
</span><span class="cx"> WindowFeatures windowFeatures;
</span><del>- RefPtr<Frame> frame = WebCore::createWindow(&mainFrame, &mainFrame, request, windowFeatures, created);
</del><ins>+ RefPtr<Frame> frame = WebCore::createWindow(mainFrame, &mainFrame, request, windowFeatures, created);
</ins><span class="cx"> if (!frame)
</span><span class="cx"> return;
</span><span class="cx">
</span></span></pre></div>
<a id="releasesWebKitGTKwebkit28SourceWebCoreloaderFrameLoadercpp"></a>
<div class="modfile"><h4>Modified: releases/WebKitGTK/webkit-2.8/Source/WebCore/loader/FrameLoader.cpp (184170 => 184171)</h4>
<pre class="diff"><span>
<span class="info">--- releases/WebKitGTK/webkit-2.8/Source/WebCore/loader/FrameLoader.cpp        2015-05-12 08:15:27 UTC (rev 184170)
+++ releases/WebKitGTK/webkit-2.8/Source/WebCore/loader/FrameLoader.cpp        2015-05-12 08:15:53 UTC (rev 184171)
</span><span class="lines">@@ -169,9 +169,9 @@
</span><span class="cx"> // non-member lets us exclude it from the header file, thus keeping FrameLoader.h's
</span><span class="cx"> // API simpler.
</span><span class="cx"> //
</span><del>-static bool isDocumentSandboxed(Frame* frame, SandboxFlags mask)
</del><ins>+static bool isDocumentSandboxed(Frame& frame, SandboxFlags mask)
</ins><span class="cx"> {
</span><del>- return frame->document() && frame->document()->isSandboxed(mask);
</del><ins>+ return frame.document() && frame.document()->isSandboxed(mask);
</ins><span class="cx"> }
</span><span class="cx">
</span><span class="cx"> class FrameLoader::FrameProgressTracker {
</span><span class="lines">@@ -359,7 +359,7 @@
</span><span class="cx"> if (submission->action().isEmpty())
</span><span class="cx"> return;
</span><span class="cx">
</span><del>- if (isDocumentSandboxed(&m_frame, SandboxForms)) {
</del><ins>+ if (isDocumentSandboxed(m_frame, SandboxForms)) {
</ins><span class="cx"> // FIXME: This message should be moved off the console once a solution to https://bugs.webkit.org/show_bug.cgi?id=103274 exists.
</span><span class="cx"> m_frame.document()->addConsoleMessage(MessageSource::Security, MessageLevel::Error, "Blocked form submission to '" + submission->action().stringCenterEllipsizedToLength() + "' because the form's frame is sandboxed and the 'allow-forms' permission is not set.");
</span><span class="cx"> return;
</span><span class="lines">@@ -3415,14 +3415,14 @@
</span><span class="cx"> return true;
</span><span class="cx"> }
</span><span class="cx">
</span><del>-PassRefPtr<Frame> createWindow(Frame* openerFrame, Frame* lookupFrame, const FrameLoadRequest& request, const WindowFeatures& features, bool& created)
</del><ins>+PassRefPtr<Frame> createWindow(Frame& openerFrame, Frame* lookupFrame, const FrameLoadRequest& request, const WindowFeatures& features, bool& created)
</ins><span class="cx"> {
</span><span class="cx"> ASSERT(!features.dialog || request.frameName().isEmpty());
</span><span class="cx">
</span><span class="cx"> created = false;
</span><span class="cx">
</span><span class="cx"> if (!request.frameName().isEmpty() && request.frameName() != "_blank") {
</span><del>- if (RefPtr<Frame> frame = lookupFrame->loader().findFrameForNavigation(request.frameName(), openerFrame->document())) {
</del><ins>+ if (RefPtr<Frame> frame = lookupFrame->loader().findFrameForNavigation(request.frameName(), openerFrame.document())) {
</ins><span class="cx"> if (request.frameName() != "_self") {
</span><span class="cx"> if (Page* page = frame->page())
</span><span class="cx"> page->chrome().focus();
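Review bot: lookupFrame keeps its Frame* type yet is dereferenced unconditionally in `lookupFrame->loader().findFrameForNavigation(request.frameName(), openerFrame.document())`, so the null-dereference class this patch closes for openerFrame is still open through the second parameter. Unless a null lookupFrame is a legitimate input (in which case it needs a check before that line), either take it as Frame& as well or add an ASSERT(lookupFrame) next to the existing ASSERT on features.dialog; the call sites in this patch pass &mainFrame and openerFrame, so the reference form looks feasible.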
</span><span class="lines">@@ -3434,28 +3434,28 @@
</span><span class="cx"> // Sandboxed frames cannot open new auxiliary browsing contexts.
</span><span class="cx"> if (isDocumentSandboxed(openerFrame, SandboxPopups)) {
</span><span class="cx"> // FIXME: This message should be moved off the console once a solution to https://bugs.webkit.org/show_bug.cgi?id=103274 exists.
</span><del>- openerFrame->document()->addConsoleMessage(MessageSource::Security, MessageLevel::Error, "Blocked opening '" + request.resourceRequest().url().stringCenterEllipsizedToLength() + "' in a new window because the request was made in a sandboxed frame whose 'allow-popups' permission is not set.");
</del><ins>+ openerFrame.document()->addConsoleMessage(MessageSource::Security, MessageLevel::Error, "Blocked opening '" + request.resourceRequest().url().stringCenterEllipsizedToLength() + "' in a new window because the request was made in a sandboxed frame whose 'allow-popups' permission is not set.");
</ins><span class="cx"> return nullptr;
</span><span class="cx"> }
</span><span class="cx">
</span><span class="cx"> // FIXME: Setting the referrer should be the caller's responsibility.
</span><span class="cx"> FrameLoadRequest requestWithReferrer = request;
</span><del>- String referrer = SecurityPolicy::generateReferrerHeader(openerFrame->document()->referrerPolicy(), request.resourceRequest().url(), openerFrame->loader().outgoingReferrer());
</del><ins>+ String referrer = SecurityPolicy::generateReferrerHeader(openerFrame.document()->referrerPolicy(), request.resourceRequest().url(), openerFrame.loader().outgoingReferrer());
</ins><span class="cx"> if (!referrer.isEmpty())
</span><span class="cx"> requestWithReferrer.resourceRequest().setHTTPReferrer(referrer);
</span><del>- FrameLoader::addHTTPOriginIfNeeded(requestWithReferrer.resourceRequest(), openerFrame->loader().outgoingOrigin());
</del><ins>+ FrameLoader::addHTTPOriginIfNeeded(requestWithReferrer.resourceRequest(), openerFrame.loader().outgoingOrigin());
</ins><span class="cx">
</span><del>- Page* oldPage = openerFrame->page();
</del><ins>+ Page* oldPage = openerFrame.page();
</ins><span class="cx"> if (!oldPage)
</span><span class="cx"> return nullptr;
</span><span class="cx">
</span><del>- Page* page = oldPage->chrome().createWindow(openerFrame, requestWithReferrer, features, NavigationAction(requestWithReferrer.resourceRequest()));
</del><ins>+ Page* page = oldPage->chrome().createWindow(&openerFrame, requestWithReferrer, features, NavigationAction(requestWithReferrer.resourceRequest()));
</ins><span class="cx"> if (!page)
</span><span class="cx"> return nullptr;
</span><span class="cx">
</span><span class="cx"> RefPtr<Frame> frame = &page->mainFrame();
</span><span class="cx">
</span><del>- frame->loader().forceSandboxFlags(openerFrame->document()->sandboxFlags());
</del><ins>+ frame->loader().forceSandboxFlags(openerFrame.document()->sandboxFlags());
</ins><span class="cx">
</span><span class="cx"> if (request.frameName() != "_blank")
</span><span class="cx"> frame->tree().setName(request.frameName());
</span></span></pre></div>
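Review bot: openerFrame.document() is dereferenced without a check at `openerFrame.document()->referrerPolicy()` and again in `frame->loader().forceSandboxFlags(openerFrame.document()->sandboxFlags())`, while isDocumentSandboxed() in the first hunk explicitly guards against frame.document() being null. Either document() can be null for a live frame, and these two lines need the same guard as the sandbox check, or it cannot, and the guard in isDocumentSandboxed() is misleading; an ASSERT(openerFrame.document()) at the top of createWindow() would document the invariant either way. Not a regression of this patch (the pointer version did the same), but it is the same class of bug as the one being fixed. Also, `&openerFrame` passed to oldPage->chrome().createWindow() shows Chrome::createWindow still takes a pointer, so the non-null contract stops propagating there; worth a follow-up.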
<a id="releasesWebKitGTKwebkit28SourceWebCoreloaderFrameLoaderh"></a>
<div class="modfile"><h4>Modified: releases/WebKitGTK/webkit-2.8/Source/WebCore/loader/FrameLoader.h (184170 => 184171)</h4>
<pre class="diff"><span>
<span class="info">--- releases/WebKitGTK/webkit-2.8/Source/WebCore/loader/FrameLoader.h        2015-05-12 08:15:27 UTC (rev 184170)
+++ releases/WebKitGTK/webkit-2.8/Source/WebCore/loader/FrameLoader.h        2015-05-12 08:15:53 UTC (rev 184171)
</span><span class="lines">@@ -451,7 +451,7 @@
</span><span class="cx"> //
</span><span class="cx"> // FIXME: Consider making this function part of an appropriate class (not FrameLoader)
</span><span class="cx"> // and moving it to a more appropriate location.
</span><del>-PassRefPtr<Frame> createWindow(Frame* openerFrame, Frame* lookupFrame, const FrameLoadRequest&, const WindowFeatures&, bool& created);
</del><ins>+PassRefPtr<Frame> createWindow(Frame& openerFrame, Frame* lookupFrame, const FrameLoadRequest&, const WindowFeatures&, bool& created);
</ins><span class="cx">
</span><span class="cx"> } // namespace WebCore
</span><span class="cx">
</span></span></pre></div>
<a id="releasesWebKitGTKwebkit28SourceWebCorepageDOMWindowcpp"></a>
<div class="modfile"><h4>Modified: releases/WebKitGTK/webkit-2.8/Source/WebCore/page/DOMWindow.cpp (184170 => 184171)</h4>
<pre class="diff"><span>
<span class="info">--- releases/WebKitGTK/webkit-2.8/Source/WebCore/page/DOMWindow.cpp        2015-05-12 08:15:27 UTC (rev 184170)
+++ releases/WebKitGTK/webkit-2.8/Source/WebCore/page/DOMWindow.cpp        2015-05-12 08:15:53 UTC (rev 184171)
</span><span class="lines">@@ -2071,12 +2071,14 @@
</span><span class="cx"> PassRefPtr<Frame> DOMWindow::createWindow(const String& urlString, const AtomicString& frameName, const WindowFeatures& windowFeatures, DOMWindow& activeWindow, Frame* firstFrame, Frame* openerFrame, std::function<void (DOMWindow&)> prepareDialogFunction)
</span><span class="cx"> {
</span><span class="cx"> Frame* activeFrame = activeWindow.frame();
</span><ins>+ if (!activeFrame)
+ return nullptr;
</ins><span class="cx">
</span><span class="cx"> URL completedURL = urlString.isEmpty() ? URL(ParsedURLString, emptyString()) : firstFrame->document()->completeURL(urlString);
</span><span class="cx"> if (!completedURL.isEmpty() && !completedURL.isValid()) {
</span><span class="cx"> // Don't expose client code to invalid URLs.
</span><span class="cx"> activeWindow.printErrorMessage("Unable to open a window with invalid URL '" + completedURL.string() + "'.\n");
</span><del>- return 0;
</del><ins>+ return nullptr;
</ins><span class="cx"> }
</span><span class="cx">
</span><span class="cx"> // For whatever reason, Firefox uses the first frame to determine the outgoingReferrer. We replicate that behavior here.
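Review bot: the new `if (!activeFrame) return nullptr;` fixes the crash but returns silently, whereas the invalid-URL path two lines below reports the failure via activeWindow.printErrorMessage(); a one-line comment stating when a DOMWindow has no frame (its frame was detached, as in the layout test where the iframe is removed before open() is called) would help the next reader decide whether a diagnostic is warranted. Also, `firstFrame->document()->completeURL(urlString)` on the following line dereferences firstFrame, another Frame* parameter, with no check; if the caller guarantees it is non-null, an ASSERT(firstFrame) would make that contract explicit in the same way this patch does for openerFrame.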
</span><span class="lines">@@ -2089,9 +2091,9 @@
</span><span class="cx"> // We pass the opener frame for the lookupFrame in case the active frame is different from
</span><span class="cx"> // the opener frame, and the name references a frame relative to the opener frame.
</span><span class="cx"> bool created;
</span><del>- RefPtr<Frame> newFrame = WebCore::createWindow(activeFrame, openerFrame, frameRequest, windowFeatures, created);
</del><ins>+ RefPtr<Frame> newFrame = WebCore::createWindow(*activeFrame, openerFrame, frameRequest, windowFeatures, created);
</ins><span class="cx"> if (!newFrame)
</span><del>- return 0;
</del><ins>+ return nullptr;
</ins><span class="cx">
</span><span class="cx"> newFrame->loader().setOpener(openerFrame);
</span><span class="cx"> newFrame->page()->setOpenedByDOM();
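Review bot: `*activeFrame` here is safe only because of the early return added in the previous hunk, so the two belong together and should not be split in any later backport. The `return 0` to `return nullptr` replacements in this hunk are unrelated cleanup folded into a crash fix being merged to a stable branch; keeping such backports minimal makes them easier to review and to bisect.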
</span><span class="lines">@@ -2111,7 +2113,7 @@
</span><span class="cx">
</span><span class="cx"> // Navigating the new frame could result in it being detached from its page by a navigation policy delegate.
</span><span class="cx"> if (!newFrame->page())
</span><del>- return 0;
</del><ins>+ return nullptr;
</ins><span class="cx">
</span><span class="cx"> return newFrame.release();
</span><span class="cx"> }
</span></span></pre>
</div>
</div>
</body>
</html>