<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.1//EN"
"http://www.w3.org/TR/xhtml11/DTD/xhtml11.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head><meta http-equiv="content-type" content="text/html; charset=utf-8" />
<title>[184171] releases/WebKitGTK/webkit-2.8</title>
</head>
<body>

<style type="text/css"><!--
#msg dl.meta { border: 1px #006 solid; background: #369; padding: 6px; color: #fff; }
#msg dl.meta dt { float: left; width: 6em; font-weight: bold; }
#msg dt:after { content:':';}
#msg dl, #msg dt, #msg ul, #msg li, #header, #footer, #logmsg { font-family: verdana,arial,helvetica,sans-serif; font-size: 10pt;  }
#msg dl a { font-weight: bold}
#msg dl a:link    { color:#fc3; }
#msg dl a:active  { color:#ff0; }
#msg dl a:visited { color:#cc6; }
h3 { font-family: verdana,arial,helvetica,sans-serif; font-size: 10pt; font-weight: bold; }
#msg pre { overflow: auto; background: #ffc; border: 1px #fa0 solid; padding: 6px; }
#logmsg { background: #ffc; border: 1px #fa0 solid; padding: 1em 1em 0 1em; }
#logmsg p, #logmsg pre, #logmsg blockquote { margin: 0 0 1em 0; }
#logmsg p, #logmsg li, #logmsg dt, #logmsg dd { line-height: 14pt; }
#logmsg h1, #logmsg h2, #logmsg h3, #logmsg h4, #logmsg h5, #logmsg h6 { margin: .5em 0; }
#logmsg h1:first-child, #logmsg h2:first-child, #logmsg h3:first-child, #logmsg h4:first-child, #logmsg h5:first-child, #logmsg h6:first-child { margin-top: 0; }
#logmsg ul, #logmsg ol { padding: 0; list-style-position: inside; margin: 0 0 0 1em; }
#logmsg ul { text-indent: -1em; padding-left: 1em; }#logmsg ol { text-indent: -1.5em; padding-left: 1.5em; }
#logmsg > ul, #logmsg > ol { margin: 0 0 1em 0; }
#logmsg pre { background: #eee; padding: 1em; }
#logmsg blockquote { border: 1px solid #fa0; border-left-width: 10px; padding: 1em 1em 0 1em; background: white;}
#logmsg dl { margin: 0; }
#logmsg dt { font-weight: bold; }
#logmsg dd { margin: 0; padding: 0 0 0.5em 0; }
#logmsg dd:before { content:'\00bb';}
#logmsg table { border-spacing: 0px; border-collapse: collapse; border-top: 4px solid #fa0; border-bottom: 1px solid #fa0; background: #fff; }
#logmsg table th { text-align: left; font-weight: normal; padding: 0.2em 0.5em; border-top: 1px dotted #fa0; }
#logmsg table td { text-align: right; border-top: 1px dotted #fa0; padding: 0.2em 0.5em; }
#logmsg table thead th { text-align: center; border-bottom: 1px solid #fa0; }
#logmsg table th.Corner { text-align: left; }
#logmsg hr { border: none 0; border-top: 2px dashed #fa0; height: 1px; }
#header, #footer { color: #fff; background: #636; border: 1px #300 solid; padding: 6px; }
#patch { width: 100%; }
#patch h4 {font-family: verdana,arial,helvetica,sans-serif;font-size:10pt;padding:8px;background:#369;color:#fff;margin:0;}
#patch .propset h4, #patch .binary h4 {margin:0;}
#patch pre {padding:0;line-height:1.2em;margin:0;}
#patch .diff {width:100%;background:#eee;padding: 0 0 10px 0;overflow:auto;}
#patch .propset .diff, #patch .binary .diff  {padding:10px 0;}
#patch span {display:block;padding:0 10px;}
#patch .modfile, #patch .addfile, #patch .delfile, #patch .propset, #patch .binary, #patch .copfile {border:1px solid #ccc;margin:10px 0;}
#patch ins {background:#dfd;text-decoration:none;display:block;padding:0 10px;}
#patch del {background:#fdd;text-decoration:none;display:block;padding:0 10px;}
#patch .lines, .info {color:#888;background:#fff;}
--></style>
<div id="msg">
<dl class="meta">
<dt>Revision</dt> <dd><a href="http://trac.webkit.org/projects/webkit/changeset/184171">184171</a></dd>
<dt>Author</dt> <dd>carlosgc@webkit.org</dd>
<dt>Date</dt> <dd>2015-05-12 01:15:53 -0700 (Tue, 12 May 2015)</dd>
</dl>

<h3>Log Message</h3>
<pre>Merge <a href="http://trac.webkit.org/projects/webkit/changeset/183781">r183781</a> - Crash at com.apple.WebKit.WebContent at com.apple.WebCore: WebCore::createWindow + 185
https://bugs.webkit.org/show_bug.cgi?id=144597
&lt;rdar://problem/20361579&gt;

Reviewed by Andreas Kling.

Source/WebCore:

Test: fast/dom/Window/window-open-activeWindow-null-frame.html

In our implementation of window.open(), we make sure that the window
on which window.open() is called has a frame. However, we did not have
the same check for the activeDOMWindow (i.e. the lexicalGlobalObject),
causing us to crash in WebCore::createWindow() when dereferencing it.

This patch updates WebCore::createWindow() to take a reference to the
openerFrame instead of a pointer, to make it clear the implementation
expects it to be non-null. A null check is then added for the frame
at the call site: DOMWindow::createWindow().

* inspector/InspectorFrontendClientLocal.cpp:
(WebCore::InspectorFrontendClientLocal::openInNewTab):
* loader/FrameLoader.cpp:
(WebCore::isDocumentSandboxed):
(WebCore::FrameLoader::submitForm):
(WebCore::createWindow):
Take a reference to openerFrame instead of a pointer as the
implementation expects it to be non-null.

* loader/FrameLoader.h:
* page/DOMWindow.cpp:
(WebCore::DOMWindow::createWindow):
Add null check for activeFrame before passing it to
WebCore::createWindow().

LayoutTests:

Add a layout test to cover the case where window.open() is called on a
window that is different than the activeDOMWindow and where the
activeDOMWindow does not have a frame.

* fast/dom/Window/resources/test-frame.html: Added.
* fast/dom/Window/window-open-activeWindow-null-frame-expected.txt: Added.
* fast/dom/Window/window-open-activeWindow-null-frame.html: Added.</pre>

<h3>Modified Paths</h3>
<ul>
<li><a href="#releasesWebKitGTKwebkit28LayoutTestsChangeLog">releases/WebKitGTK/webkit-2.8/LayoutTests/ChangeLog</a></li>
<li><a href="#releasesWebKitGTKwebkit28SourceWebCoreChangeLog">releases/WebKitGTK/webkit-2.8/Source/WebCore/ChangeLog</a></li>
<li><a href="#releasesWebKitGTKwebkit28SourceWebCoreinspectorInspectorFrontendClientLocalcpp">releases/WebKitGTK/webkit-2.8/Source/WebCore/inspector/InspectorFrontendClientLocal.cpp</a></li>
<li><a href="#releasesWebKitGTKwebkit28SourceWebCoreloaderFrameLoadercpp">releases/WebKitGTK/webkit-2.8/Source/WebCore/loader/FrameLoader.cpp</a></li>
<li><a href="#releasesWebKitGTKwebkit28SourceWebCoreloaderFrameLoaderh">releases/WebKitGTK/webkit-2.8/Source/WebCore/loader/FrameLoader.h</a></li>
<li><a href="#releasesWebKitGTKwebkit28SourceWebCorepageDOMWindowcpp">releases/WebKitGTK/webkit-2.8/Source/WebCore/page/DOMWindow.cpp</a></li>
</ul>

<h3>Added Paths</h3>
<ul>
<li><a href="#releasesWebKitGTKwebkit28LayoutTestsfastdomWindowresourcestestframehtml">releases/WebKitGTK/webkit-2.8/LayoutTests/fast/dom/Window/resources/test-frame.html</a></li>
<li><a href="#releasesWebKitGTKwebkit28LayoutTestsfastdomWindowwindowopenactiveWindownullframeexpectedtxt">releases/WebKitGTK/webkit-2.8/LayoutTests/fast/dom/Window/window-open-activeWindow-null-frame-expected.txt</a></li>
<li><a href="#releasesWebKitGTKwebkit28LayoutTestsfastdomWindowwindowopenactiveWindownullframehtml">releases/WebKitGTK/webkit-2.8/LayoutTests/fast/dom/Window/window-open-activeWindow-null-frame.html</a></li>
</ul>

</div>
<div id="patch">
<h3>Diff</h3>
<a id="releasesWebKitGTKwebkit28LayoutTestsChangeLog"></a>
<div class="modfile"><h4>Modified: releases/WebKitGTK/webkit-2.8/LayoutTests/ChangeLog (184170 => 184171)</h4>
<pre class="diff"><span>
<span class="info">--- releases/WebKitGTK/webkit-2.8/LayoutTests/ChangeLog        2015-05-12 08:15:27 UTC (rev 184170)
+++ releases/WebKitGTK/webkit-2.8/LayoutTests/ChangeLog        2015-05-12 08:15:53 UTC (rev 184171)
</span><span class="lines">@@ -1,5 +1,21 @@
</span><span class="cx"> 2015-05-04  Chris Dumez  &lt;cdumez@apple.com&gt;
</span><span class="cx"> 
</span><ins>+        Crash at com.apple.WebKit.WebContent at com.apple.WebCore: WebCore::createWindow + 185
+        https://bugs.webkit.org/show_bug.cgi?id=144597
+        &lt;rdar://problem/20361579&gt;
+
+        Reviewed by Andreas Kling.
+
+        Add a layout test to cover the case where window.open() is called on a
+        window that is different than the activeDOMWindow and where the
+        activeDOMWindow does not have a frame.
+
+        * fast/dom/Window/resources/test-frame.html: Added.
+        * fast/dom/Window/window-open-activeWindow-null-frame-expected.txt: Added.
+        * fast/dom/Window/window-open-activeWindow-null-frame.html: Added.
+
+2015-05-04  Chris Dumez  &lt;cdumez@apple.com&gt;
+
</ins><span class="cx">         REGRESSION (r178156): CSS Parser incorrectly rejects valid calc() in padding-right property
</span><span class="cx">         https://bugs.webkit.org/show_bug.cgi?id=144584
</span><span class="cx">         &lt;rdar://problem/20796829&gt;
</span></span></pre></div>
<a id="releasesWebKitGTKwebkit28LayoutTestsfastdomWindowresourcestestframehtml"></a>
<div class="addfile"><h4>Added: releases/WebKitGTK/webkit-2.8/LayoutTests/fast/dom/Window/resources/test-frame.html (0 => 184171)</h4>
<pre class="diff"><span>
<span class="info">--- releases/WebKitGTK/webkit-2.8/LayoutTests/fast/dom/Window/resources/test-frame.html                                (rev 0)
+++ releases/WebKitGTK/webkit-2.8/LayoutTests/fast/dom/Window/resources/test-frame.html        2015-05-12 08:15:53 UTC (rev 184171)
</span><span class="lines">@@ -0,0 +1,6 @@
</span><ins>+&lt;!DOCTYPE html&gt;
+&lt;html&gt;
+&lt;body&gt;
+TEST
+&lt;/body&gt;
+&lt;/html&gt;
</ins></span></pre></div>
<a id="releasesWebKitGTKwebkit28LayoutTestsfastdomWindowwindowopenactiveWindownullframeexpectedtxt"></a>
<div class="addfile"><h4>Added: releases/WebKitGTK/webkit-2.8/LayoutTests/fast/dom/Window/window-open-activeWindow-null-frame-expected.txt (0 => 184171)</h4>
<pre class="diff"><span>
<span class="info">--- releases/WebKitGTK/webkit-2.8/LayoutTests/fast/dom/Window/window-open-activeWindow-null-frame-expected.txt                                (rev 0)
+++ releases/WebKitGTK/webkit-2.8/LayoutTests/fast/dom/Window/window-open-activeWindow-null-frame-expected.txt        2015-05-12 08:15:53 UTC (rev 184171)
</span><span class="lines">@@ -0,0 +1,10 @@
</span><ins>+Tests window.open() call with an activeDOMWindow that has a null frame.
+
+On success, you will see a series of &quot;PASS&quot; messages, followed by &quot;TEST COMPLETE&quot;.
+
+
+This test passes if it doesn't crash.
+PASS successfullyParsed is true
+
+TEST COMPLETE
+
</ins></span></pre></div>
<a id="releasesWebKitGTKwebkit28LayoutTestsfastdomWindowwindowopenactiveWindownullframehtml"></a>
<div class="addfile"><h4>Added: releases/WebKitGTK/webkit-2.8/LayoutTests/fast/dom/Window/window-open-activeWindow-null-frame.html (0 => 184171)</h4>
<pre class="diff"><span>
<span class="info">--- releases/WebKitGTK/webkit-2.8/LayoutTests/fast/dom/Window/window-open-activeWindow-null-frame.html                                (rev 0)
+++ releases/WebKitGTK/webkit-2.8/LayoutTests/fast/dom/Window/window-open-activeWindow-null-frame.html        2015-05-12 08:15:53 UTC (rev 184171)
</span><span class="lines">@@ -0,0 +1,36 @@
</span><ins>+&lt;!DOCTYPE html&gt;
+&lt;html&gt;
+&lt;head&gt;
+&lt;script src=&quot;../../../resources/js-test-pre.js&quot;&gt;&lt;/script&gt;
+&lt;script&gt;
+description(&quot;Tests window.open() call with an activeDOMWindow that has a null frame.&quot;);
+debug(&quot;This test passes if it doesn't crash.&quot;);
+
+window.jsTestIsAsync = true;
+
+if (window.testRunner)
+    testRunner.setCanOpenWindows(true);
+
+function openWindow()
+{
+    testFrameWindowOpen.call(window);
+    finishJSTest();
+}
+
+function removeSubFrame()
+{
+    var testFrame = document.getElementById(&quot;testFrame&quot;);
+    testFrameWindow = testFrame.contentWindow;
+    testFrameWindowOpen = testFrameWindow.open;
+    testFrame.remove();
+    gc();
+
+    setTimeout(openWindow, 0);
+}
+&lt;/script&gt;
+&lt;/head&gt;
+&lt;body&gt;
+&lt;iframe id=&quot;testFrame&quot; src=&quot;resources/test-frame.html&quot; onload=&quot;removeSubFrame()&quot;&gt;&lt;/iframe&gt;
+&lt;script src=&quot;../../../resources/js-test-post.js&quot;&gt;&lt;/script&gt;
+&lt;/body&gt;
+&lt;/html&gt;
</ins></span></pre></div>
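Review bot: in removeSubFrame() the assignments to testFrameWindow and testFrameWindowOpen have no var, so they become implicit globals that openWindow() happens to see; declare both at script top level (var testFrameWindow, testFrameWindowOpen;) so it is explicit that the detached frame's open function is deliberately kept reachable across the setTimeout. A one-line comment on testFrameWindowOpen.call(window) would also help future readers: the point of the test is that open is invoked on the top-level window (which still has a frame) while the function itself belongs to the removed iframe's window, so the activeDOMWindow has a null frame, which is exactly the case the fix guards.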
<a id="releasesWebKitGTKwebkit28SourceWebCoreChangeLog"></a>
<div class="modfile"><h4>Modified: releases/WebKitGTK/webkit-2.8/Source/WebCore/ChangeLog (184170 => 184171)</h4>
<pre class="diff"><span>
<span class="info">--- releases/WebKitGTK/webkit-2.8/Source/WebCore/ChangeLog        2015-05-12 08:15:27 UTC (rev 184170)
+++ releases/WebKitGTK/webkit-2.8/Source/WebCore/ChangeLog        2015-05-12 08:15:53 UTC (rev 184171)
</span><span class="lines">@@ -1,5 +1,40 @@
</span><span class="cx"> 2015-05-04  Chris Dumez  &lt;cdumez@apple.com&gt;
</span><span class="cx"> 
</span><ins>+        Crash at com.apple.WebKit.WebContent at com.apple.WebCore: WebCore::createWindow + 185
+        https://bugs.webkit.org/show_bug.cgi?id=144597
+        &lt;rdar://problem/20361579&gt;
+
+        Reviewed by Andreas Kling.
+
+        Test: fast/dom/Window/window-open-activeWindow-null-frame.html
+
+        In our implementation of window.open(), we make sure that the window
+        which window.open() is called has a frame. However, we did not have the
+        same check for the activeDOMWindow (i.e. the lexicalGlobalObject) causing
+        us to crash in WebCore::createWindow() when dereferencing it.
+
+        This patch updates WebCore::createWindow() takes a reference to the
+        openerFrame instead of a pointer to make it clear the implementation
+        expects it to be non-null. A null check is then added for the frame
+        at the call site: DOMWindow::createWindow().
+
+        * inspector/InspectorFrontendClientLocal.cpp:
+        (WebCore::InspectorFrontendClientLocal::openInNewTab):
+        * loader/FrameLoader.cpp:
+        (WebCore::isDocumentSandboxed):
+        (WebCore::FrameLoader::submitForm):
+        (WebCore::createWindow):
+        Take a reference to openerFrame instead of a pointer as the
+        implementation expects it to be non-null.
+
+        * loader/FrameLoader.h:
+        * page/DOMWindow.cpp:
+        (WebCore::DOMWindow::createWindow):
+        Add null check for activeFrame before passing it to
+        WebCore::createWindow().
+
+2015-05-04  Chris Dumez  &lt;cdumez@apple.com&gt;
+
</ins><span class="cx">         REGRESSION (r178156): CSS Parser incorrectly rejects valid calc() in padding-right property
</span><span class="cx">         https://bugs.webkit.org/show_bug.cgi?id=144584
</span><span class="cx">         &lt;rdar://problem/20796829&gt;
</span></span></pre></div>
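Review bot: two sentences in the new ChangeLog entry do not parse and will be confusing when read from the log later. "This patch updates WebCore::createWindow() takes a reference to the openerFrame" should read "updates WebCore::createWindow() to take a reference to the openerFrame", and "the window which window.open() is called has a frame" should read "the window on which window.open() is called has a frame".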
<a id="releasesWebKitGTKwebkit28SourceWebCoreinspectorInspectorFrontendClientLocalcpp"></a>
<div class="modfile"><h4>Modified: releases/WebKitGTK/webkit-2.8/Source/WebCore/inspector/InspectorFrontendClientLocal.cpp (184170 => 184171)</h4>
<pre class="diff"><span>
<span class="info">--- releases/WebKitGTK/webkit-2.8/Source/WebCore/inspector/InspectorFrontendClientLocal.cpp        2015-05-12 08:15:27 UTC (rev 184170)
+++ releases/WebKitGTK/webkit-2.8/Source/WebCore/inspector/InspectorFrontendClientLocal.cpp        2015-05-12 08:15:53 UTC (rev 184171)
</span><span class="lines">@@ -215,7 +215,7 @@
</span><span class="cx"> 
</span><span class="cx">     bool created;
</span><span class="cx">     WindowFeatures windowFeatures;
</span><del>-    RefPtr&lt;Frame&gt; frame = WebCore::createWindow(&amp;mainFrame, &amp;mainFrame, request, windowFeatures, created);
</del><ins>+    RefPtr&lt;Frame&gt; frame = WebCore::createWindow(mainFrame, &amp;mainFrame, request, windowFeatures, created);
</ins><span class="cx">     if (!frame)
</span><span class="cx">         return;
</span><span class="cx"> 
</span></span></pre></div>
<a id="releasesWebKitGTKwebkit28SourceWebCoreloaderFrameLoadercpp"></a>
<div class="modfile"><h4>Modified: releases/WebKitGTK/webkit-2.8/Source/WebCore/loader/FrameLoader.cpp (184170 => 184171)</h4>
<pre class="diff"><span>
<span class="info">--- releases/WebKitGTK/webkit-2.8/Source/WebCore/loader/FrameLoader.cpp        2015-05-12 08:15:27 UTC (rev 184170)
+++ releases/WebKitGTK/webkit-2.8/Source/WebCore/loader/FrameLoader.cpp        2015-05-12 08:15:53 UTC (rev 184171)
</span><span class="lines">@@ -169,9 +169,9 @@
</span><span class="cx"> // non-member lets us exclude it from the header file, thus keeping FrameLoader.h's
</span><span class="cx"> // API simpler.
</span><span class="cx"> //
</span><del>-static bool isDocumentSandboxed(Frame* frame, SandboxFlags mask)
</del><ins>+static bool isDocumentSandboxed(Frame&amp; frame, SandboxFlags mask)
</ins><span class="cx"> {
</span><del>-    return frame-&gt;document() &amp;&amp; frame-&gt;document()-&gt;isSandboxed(mask);
</del><ins>+    return frame.document() &amp;&amp; frame.document()-&gt;isSandboxed(mask);
</ins><span class="cx"> }
</span><span class="cx"> 
</span><span class="cx"> class FrameLoader::FrameProgressTracker {
</span><span class="lines">@@ -359,7 +359,7 @@
</span><span class="cx">     if (submission-&gt;action().isEmpty())
</span><span class="cx">         return;
</span><span class="cx"> 
</span><del>-    if (isDocumentSandboxed(&amp;m_frame, SandboxForms)) {
</del><ins>+    if (isDocumentSandboxed(m_frame, SandboxForms)) {
</ins><span class="cx">         // FIXME: This message should be moved off the console once a solution to https://bugs.webkit.org/show_bug.cgi?id=103274 exists.
</span><span class="cx">         m_frame.document()-&gt;addConsoleMessage(MessageSource::Security, MessageLevel::Error, &quot;Blocked form submission to '&quot; + submission-&gt;action().stringCenterEllipsizedToLength() + &quot;' because the form's frame is sandboxed and the 'allow-forms' permission is not set.&quot;);
</span><span class="cx">         return;
</span><span class="lines">@@ -3415,14 +3415,14 @@
</span><span class="cx">     return true;
</span><span class="cx"> }
</span><span class="cx"> 
</span><del>-PassRefPtr&lt;Frame&gt; createWindow(Frame* openerFrame, Frame* lookupFrame, const FrameLoadRequest&amp; request, const WindowFeatures&amp; features, bool&amp; created)
</del><ins>+PassRefPtr&lt;Frame&gt; createWindow(Frame&amp; openerFrame, Frame* lookupFrame, const FrameLoadRequest&amp; request, const WindowFeatures&amp; features, bool&amp; created)
</ins><span class="cx"> {
</span><span class="cx">     ASSERT(!features.dialog || request.frameName().isEmpty());
</span><span class="cx"> 
</span><span class="cx">     created = false;
</span><span class="cx"> 
</span><span class="cx">     if (!request.frameName().isEmpty() &amp;&amp; request.frameName() != &quot;_blank&quot;) {
</span><del>-        if (RefPtr&lt;Frame&gt; frame = lookupFrame-&gt;loader().findFrameForNavigation(request.frameName(), openerFrame-&gt;document())) {
</del><ins>+        if (RefPtr&lt;Frame&gt; frame = lookupFrame-&gt;loader().findFrameForNavigation(request.frameName(), openerFrame.document())) {
</ins><span class="cx">             if (request.frameName() != &quot;_self&quot;) {
</span><span class="cx">                 if (Page* page = frame-&gt;page())
</span><span class="cx">                     page-&gt;chrome().focus();
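Review bot: lookupFrame is left as Frame* but is still dereferenced unconditionally two lines into the function (lookupFrame->loader().findFrameForNavigation(...)), which is the same shape of bug this patch fixes for openerFrame. If every caller can guarantee a non-null lookup frame (both call sites in this patch pass a frame they already hold: &amp;mainFrame in InspectorFrontendClientLocal.cpp and openerFrame in DOMWindow.cpp), make it Frame&amp; as well so the precondition is in the signature; otherwise add an explicit null check or ASSERT here rather than relying on callers.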
</span><span class="lines">@@ -3434,28 +3434,28 @@
</span><span class="cx">     // Sandboxed frames cannot open new auxiliary browsing contexts.
</span><span class="cx">     if (isDocumentSandboxed(openerFrame, SandboxPopups)) {
</span><span class="cx">         // FIXME: This message should be moved off the console once a solution to https://bugs.webkit.org/show_bug.cgi?id=103274 exists.
</span><del>-        openerFrame-&gt;document()-&gt;addConsoleMessage(MessageSource::Security, MessageLevel::Error, &quot;Blocked opening '&quot; + request.resourceRequest().url().stringCenterEllipsizedToLength() + &quot;' in a new window because the request was made in a sandboxed frame whose 'allow-popups' permission is not set.&quot;);
</del><ins>+        openerFrame.document()-&gt;addConsoleMessage(MessageSource::Security, MessageLevel::Error, &quot;Blocked opening '&quot; + request.resourceRequest().url().stringCenterEllipsizedToLength() + &quot;' in a new window because the request was made in a sandboxed frame whose 'allow-popups' permission is not set.&quot;);
</ins><span class="cx">         return nullptr;
</span><span class="cx">     }
</span><span class="cx"> 
</span><span class="cx">     // FIXME: Setting the referrer should be the caller's responsibility.
</span><span class="cx">     FrameLoadRequest requestWithReferrer = request;
</span><del>-    String referrer = SecurityPolicy::generateReferrerHeader(openerFrame-&gt;document()-&gt;referrerPolicy(), request.resourceRequest().url(), openerFrame-&gt;loader().outgoingReferrer());
</del><ins>+    String referrer = SecurityPolicy::generateReferrerHeader(openerFrame.document()-&gt;referrerPolicy(), request.resourceRequest().url(), openerFrame.loader().outgoingReferrer());
</ins><span class="cx">     if (!referrer.isEmpty())
</span><span class="cx">         requestWithReferrer.resourceRequest().setHTTPReferrer(referrer);
</span><del>-    FrameLoader::addHTTPOriginIfNeeded(requestWithReferrer.resourceRequest(), openerFrame-&gt;loader().outgoingOrigin());
</del><ins>+    FrameLoader::addHTTPOriginIfNeeded(requestWithReferrer.resourceRequest(), openerFrame.loader().outgoingOrigin());
</ins><span class="cx"> 
</span><del>-    Page* oldPage = openerFrame-&gt;page();
</del><ins>+    Page* oldPage = openerFrame.page();
</ins><span class="cx">     if (!oldPage)
</span><span class="cx">         return nullptr;
</span><span class="cx"> 
</span><del>-    Page* page = oldPage-&gt;chrome().createWindow(openerFrame, requestWithReferrer, features, NavigationAction(requestWithReferrer.resourceRequest()));
</del><ins>+    Page* page = oldPage-&gt;chrome().createWindow(&amp;openerFrame, requestWithReferrer, features, NavigationAction(requestWithReferrer.resourceRequest()));
</ins><span class="cx">     if (!page)
</span><span class="cx">         return nullptr;
</span><span class="cx"> 
</span><span class="cx">     RefPtr&lt;Frame&gt; frame = &amp;page-&gt;mainFrame();
</span><span class="cx"> 
</span><del>-    frame-&gt;loader().forceSandboxFlags(openerFrame-&gt;document()-&gt;sandboxFlags());
</del><ins>+    frame-&gt;loader().forceSandboxFlags(openerFrame.document()-&gt;sandboxFlags());
</ins><span class="cx"> 
</span><span class="cx">     if (request.frameName() != &quot;_blank&quot;)
</span><span class="cx">         frame-&gt;tree().setName(request.frameName());
</span></span></pre></div>
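Review bot: the null handling of openerFrame.document() is inconsistent within this hunk. isDocumentSandboxed() explicitly tolerates a null document (frame.document() &amp;&amp; ...), but the referrer line (openerFrame.document()->referrerPolicy()) and the later forceSandboxFlags(openerFrame.document()->sandboxFlags()) dereference it unconditionally. Either a frame reaching createWindow() always has a document, in which case the guard in isDocumentSandboxed() is redundant and an ASSERT(openerFrame.document()) at the top would document that, or those two lines need the same guard. Since this patch is specifically about making the non-null expectations of createWindow() explicit, settling that here would be worthwhile.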
<a id="releasesWebKitGTKwebkit28SourceWebCoreloaderFrameLoaderh"></a>
<div class="modfile"><h4>Modified: releases/WebKitGTK/webkit-2.8/Source/WebCore/loader/FrameLoader.h (184170 => 184171)</h4>
<pre class="diff"><span>
<span class="info">--- releases/WebKitGTK/webkit-2.8/Source/WebCore/loader/FrameLoader.h        2015-05-12 08:15:27 UTC (rev 184170)
+++ releases/WebKitGTK/webkit-2.8/Source/WebCore/loader/FrameLoader.h        2015-05-12 08:15:53 UTC (rev 184171)
</span><span class="lines">@@ -451,7 +451,7 @@
</span><span class="cx"> //
</span><span class="cx"> // FIXME: Consider making this function part of an appropriate class (not FrameLoader)
</span><span class="cx"> // and moving it to a more appropriate location.
</span><del>-PassRefPtr&lt;Frame&gt; createWindow(Frame* openerFrame, Frame* lookupFrame, const FrameLoadRequest&amp;, const WindowFeatures&amp;, bool&amp; created);
</del><ins>+PassRefPtr&lt;Frame&gt; createWindow(Frame&amp; openerFrame, Frame* lookupFrame, const FrameLoadRequest&amp;, const WindowFeatures&amp;, bool&amp; created);
</ins><span class="cx"> 
</span><span class="cx"> } // namespace WebCore
</span><span class="cx"> 
</span></span></pre></div>
<a id="releasesWebKitGTKwebkit28SourceWebCorepageDOMWindowcpp"></a>
<div class="modfile"><h4>Modified: releases/WebKitGTK/webkit-2.8/Source/WebCore/page/DOMWindow.cpp (184170 => 184171)</h4>
<pre class="diff"><span>
<span class="info">--- releases/WebKitGTK/webkit-2.8/Source/WebCore/page/DOMWindow.cpp        2015-05-12 08:15:27 UTC (rev 184170)
+++ releases/WebKitGTK/webkit-2.8/Source/WebCore/page/DOMWindow.cpp        2015-05-12 08:15:53 UTC (rev 184171)
</span><span class="lines">@@ -2071,12 +2071,14 @@
</span><span class="cx"> PassRefPtr&lt;Frame&gt; DOMWindow::createWindow(const String&amp; urlString, const AtomicString&amp; frameName, const WindowFeatures&amp; windowFeatures, DOMWindow&amp; activeWindow, Frame* firstFrame, Frame* openerFrame, std::function&lt;void (DOMWindow&amp;)&gt; prepareDialogFunction)
</span><span class="cx"> {
</span><span class="cx">     Frame* activeFrame = activeWindow.frame();
</span><ins>+    if (!activeFrame)
+        return nullptr;
</ins><span class="cx"> 
</span><span class="cx">     URL completedURL = urlString.isEmpty() ? URL(ParsedURLString, emptyString()) : firstFrame-&gt;document()-&gt;completeURL(urlString);
</span><span class="cx">     if (!completedURL.isEmpty() &amp;&amp; !completedURL.isValid()) {
</span><span class="cx">         // Don't expose client code to invalid URLs.
</span><span class="cx">         activeWindow.printErrorMessage(&quot;Unable to open a window with invalid URL '&quot; + completedURL.string() + &quot;'.\n&quot;);
</span><del>-        return 0;
</del><ins>+        return nullptr;
</ins><span class="cx">     }
</span><span class="cx"> 
</span><span class="cx">     // For whatever reason, Firefox uses the first frame to determine the outgoingReferrer. We replicate that behavior here.
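Review bot: the new early return for a null activeFrame is right, but firstFrame is dereferenced on the very next line (firstFrame->document()->completeURL(urlString)) with no corresponding check, and like activeFrame it is a Frame* parameter obtained from a DOMWindow. Either guard it the same way (if (!firstFrame) return nullptr;) or, if callers guarantee it, ASSERT(firstFrame) next to the new check so the precondition is visible. It is also worth a short comment on the activeFrame check explaining when it fires (the calling window's frame was detached, as in the new layout test), since a bare null check next to the invalid-URL branch, which does emit an error message, otherwise looks like an oversight about silently returning null.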
</span><span class="lines">@@ -2089,9 +2091,9 @@
</span><span class="cx">     // We pass the opener frame for the lookupFrame in case the active frame is different from
</span><span class="cx">     // the opener frame, and the name references a frame relative to the opener frame.
</span><span class="cx">     bool created;
</span><del>-    RefPtr&lt;Frame&gt; newFrame = WebCore::createWindow(activeFrame, openerFrame, frameRequest, windowFeatures, created);
</del><ins>+    RefPtr&lt;Frame&gt; newFrame = WebCore::createWindow(*activeFrame, openerFrame, frameRequest, windowFeatures, created);
</ins><span class="cx">     if (!newFrame)
</span><del>-        return 0;
</del><ins>+        return nullptr;
</ins><span class="cx"> 
</span><span class="cx">     newFrame-&gt;loader().setOpener(openerFrame);
</span><span class="cx">     newFrame-&gt;page()-&gt;setOpenedByDOM();
</span><span class="lines">@@ -2111,7 +2113,7 @@
</span><span class="cx"> 
</span><span class="cx">     // Navigating the new frame could result in it being detached from its page by a navigation policy delegate.
</span><span class="cx">     if (!newFrame-&gt;page())
</span><del>-        return 0;
</del><ins>+        return nullptr;
</ins><span class="cx"> 
</span><span class="cx">     return newFrame.release();
</span><span class="cx"> }
</span></span></pre>
</div>
</div>

</body>
</html>