BUG = 1357667

Redo the fix of issue 1357667. Previous fix does not address all cases (HTMLLinkElement.sheet). It works by create a hidden reference from JS wrapper of StyleSheet object to its owner node. This is down when creating the JS wrapper object. Add a test for HTMLLinkElement that crashes both Chrome and Safari 3.1.2. Review URL: http://codereview.chromium.org/1678 git-svn-id: svn://svn.chromium.org/chrome/trunk/src@1990 0039d316-1c4b-4281-b951-d872f2087c98
author: fqian@google.com <fqian@google.com@0039d316-1c4b-4281-b951-d872f2087c98> 2008-09-10 16:42:41 +0000
committer: fqian@google.com <fqian@google.com@0039d316-1c4b-4281-b951-d872f2087c98> 2008-09-10 16:42:41 +0000
commit: 6501779376fc890a5613519050756a9d6cf48ee8 (patch)
tree: d14bf31d29d2bfbcd4515feeb9902e65e3e67ff2 /webkit/port/bindings/v8/v8_proxy.cpp
parent: fca43faacfed770dd87246fdd2367df955b3df86 (diff)
download: chromium_src-6501779376fc890a5613519050756a9d6cf48ee8.zip
chromium_src-6501779376fc890a5613519050756a9d6cf48ee8.tar.gz
chromium_src-6501779376fc890a5613519050756a9d6cf48ee8.tar.bz2
1 files changed, 20 insertions, 0 deletions
diff --git a/webkit/port/bindings/v8/v8_proxy.cpp b/webkit/port/bindings/v8/v8_proxy.cpp
index 184063e..9b595c1 100644
--- a/webkit/port/bindings/v8/v8_proxy.cpp
+++ b/webkit/port/bindings/v8/v8_proxy.cpp
@@ -1188,6 +1188,18 @@ v8::Persistent<v8::FunctionTemplate> V8Proxy::GetTemplate(
           CollectionIndexedPropertyEnumerator<HTMLFormElement>,
           v8::External::New(reinterpret_cast<void*>(V8ClassIndex::NODE)));
       break;
+    case V8ClassIndex::STYLESHEET:  // fall through
+    case V8ClassIndex::CSSSTYLESHEET: {
+      // We add an extra internal field to hold a reference to
+      // the owner node. 
+      v8::Local<v8::ObjectTemplate> instance_template =
+        desc->InstanceTemplate();
+      ASSERT(instance_template->InternalFieldCount() ==
+             V8Custom::kDefaultWrapperInternalFieldCount);
+      instance_template->SetInternalFieldCount(
+          V8Custom::kStyleSheetInternalFieldCount);
+      break;
+    }
     case V8ClassIndex::MEDIALIST:
       SetCollectionStringOrNullIndexedGetter<MediaList>(desc);
       break;
@@ -2521,6 +2533,14 @@ v8::Handle<v8::Object> V8Proxy::StyleSheetToV8Object(StyleSheet* sheet) {
     // Only update the DOM object map if the result is non-empty.
     dom_object_map().set(sheet, v8::Persistent<v8::Object>::New(result));
   }
+
+  // Add a hidden reference from stylesheet object to its owner node.
+  Node* owner_node = sheet->ownerNode();
+  if (owner_node) {
+    v8::Handle<v8::Object> owner = NodeToV8Object(owner_node);
+    result->SetInternalField(V8Custom::kStyleSheetOwnerNodeIndex, owner);
+  }
+
   return result;
 }
author	fqian@google.com <fqian@google.com@0039d316-1c4b-4281-b951-d872f2087c98>	2008-09-10 16:42:41 +0000
committer	fqian@google.com <fqian@google.com@0039d316-1c4b-4281-b951-d872f2087c98>	2008-09-10 16:42:41 +0000
commit	6501779376fc890a5613519050756a9d6cf48ee8 (patch)
tree	d14bf31d29d2bfbcd4515feeb9902e65e3e67ff2 /webkit/port/bindings/v8/v8_proxy.cpp
parent	fca43faacfed770dd87246fdd2367df955b3df86 (diff)
download	chromium_src-6501779376fc890a5613519050756a9d6cf48ee8.zip chromium_src-6501779376fc890a5613519050756a9d6cf48ee8.tar.gz chromium_src-6501779376fc890a5613519050756a9d6cf48ee8.tar.bz2