[Webkit-unassigned] [Bug 13250] REGRESSION: Browser crash on clicking back button while at link specified above (inspector: ObjC wrapper outlives JS wrapper)

bugzilla-daemon at webkit.org bugzilla-daemon at webkit.org
Tue Apr 3 15:45:52 PDT 2007


------- Comment #14 from ggaren at apple.com  2007-04-03 15:45 PDT -------
In the WebScriptObject API, once a RootObject becomes invalid, any
WebScriptObject created with it goes "inert" with respect to JavaScript. This
means, for example, that if you call -valueForKey: on such an object, you'll
unconditionally get back nil. I don't think that's a great API, but we probably
shouldn't change it now.

This patch would poke a small hole in that API, allowing you to pass an inert
WebScriptObject as an argument to a JavaScript function, even though you
couldn't use the WebScriptObject in any other JavaScript context. I see three
problems with that:

1. It's inconsistent, and therefore confusing.

2. It doesn't fix the crash in all cases. A WebScriptObject will fail to
regenerate its JS counterpart if its document is not in a frame, in which case,
it will still vend a stale pointer.

3. Because it resets the WebScriptObject's RootObject, it breaks the
(admittedly not very strong) cross-frame scripting security model.

I think it's possible to make the object's inert-ness apply when it's used as an
argument to a function, too. The -_imp method can just return nil if
rootObject->isValid() returns false. The tricky part will be finding all the
callers of _imp and getting them to respect a nil return value, but I think
that's definitely doable.
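The following is an added illustration, not code from WebKit or from the comment's author: a small C++ model of the wrapper/root relationship the comment describes. RootObject, JSValue, ScriptObject, impUnchecked(), imp() and callWithArgument() are hypothetical stand-ins chosen here; the real WebScriptObject, RootObject and -_imp are only named in the text above. It contrasts the old accessor, which keeps vending its stored pointer after the root is invalidated (the stale pointer behind the crash), with the proposed accessor that returns null once rootObject->isValid() is false, and shows a caller that respects that null so an inert wrapper is rejected as a function argument exactly as it would be for -valueForKey:.

```cpp
#include <iostream>
#include <memory>
#include <optional>
#include <string>
#include <vector>

// Hypothetical model of the ObjC/JS bridge discussed above; not WebKit code.

// Stand-in for a JavaScript heap object owned by a frame's root.
struct JSValue {
    std::string name;
};

// Stand-in for RootObject: owns the JS objects of one frame. When the frame
// goes away the root is invalidated and every object it owned is destroyed.
struct RootObject {
    bool valid = true;
    std::vector<std::unique_ptr<JSValue>> heap;

    JSValue* allocate(const std::string& name) {
        heap.push_back(std::make_unique<JSValue>(JSValue{name}));
        return heap.back().get();
    }

    // Simulates teardown (e.g. navigating back): objects die, root is invalid.
    void invalidate() {
        valid = false;
        heap.clear();
    }
};

// Stand-in for WebScriptObject: an ObjC-side wrapper around a JS object.
class ScriptObject {
public:
    ScriptObject(std::shared_ptr<RootObject> root, JSValue* imp)
        : root_(std::move(root)), imp_(imp) {}

    bool rootIsValid() const { return root_ && root_->valid; }

    // "Before": vends the stored pointer unconditionally. After the root is
    // invalidated this is a dangling pointer; dereferencing it is the crash.
    JSValue* impUnchecked() const { return imp_; }

    // Proposed behaviour: return null once the root is invalid, so the wrapper
    // is inert in every JS context, including use as a function argument.
    JSValue* imp() const { return rootIsValid() ? imp_ : nullptr; }

    // The API already goes inert here: an invalid root always yields "nil".
    std::optional<std::string> valueForKey(const std::string& key) const {
        JSValue* v = imp();
        if (!v) return std::nullopt;
        return v->name + "." + key;
    }

private:
    std::shared_ptr<RootObject> root_;
    JSValue* imp_;  // raw pointer: it does not keep the JS object alive
};

// A caller of imp(). Every such caller must treat null as "inert" and refuse,
// rather than handing a stale pointer to the JS engine.
std::optional<std::string> callWithArgument(const ScriptObject& fn,
                                            const ScriptObject& arg) {
    JSValue* f = fn.imp();
    JSValue* a = arg.imp();
    if (!f || !a) return std::nullopt;  // same answer as valueForKey on an inert wrapper
    return f->name + "(" + a->name + ")";
}

int main() {
    auto root = std::make_shared<RootObject>();
    ScriptObject fn(root, root->allocate("fn"));
    ScriptObject arg(root, root->allocate("arg"));

    std::cout << "live:  " << callWithArgument(fn, arg).value_or("nil") << "\n";
    root->invalidate();
    std::cout << "inert: " << callWithArgument(fn, arg).value_or("nil") << "\n";
    std::cout << "old accessor still non-null after invalidation: "
              << (arg.impUnchecked() != nullptr) << "\n";
    return 0;
}
```

The check lives in the accessor rather than in each caller so that a caller which forgets the null test fails loudly on a null pointer instead of silently using freed memory; the remaining work, as the comment says, is auditing every caller of the accessor to handle that null.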
