2009-04-14 Antony Sargent <asargent@chromium.org>

        Reviewed by Dimitri Glazkov.

        This is some cleanup motivated by the crash in http://crbug.com/9775 , which
        happens because of calling window.open inside a window.onload handler.

        These changes are just part of the fix, along with some asserts to help prevent
        breakage on future changes.

        https://bugs.webkit.org/show_bug.cgi?id=25132

        * bindings/v8/V8EventListenerList.cpp:
        (WebCore::V8EventListenerList::add):
        (WebCore::V8EventListenerList::remove):
        (WebCore::V8EventListenerList::clear):
        * bindings/v8/V8EventListenerList.h:
        (WebCore::V8EventListenerList::size):

git-svn-id: svn://svn.chromium.org/blink/trunk@42510 bbb929c8-8fbe-4397-9dbb-9b2b20218538

third_party/WebKit/WebCore/ChangeLog

+2009-04-14  Antony Sargent  <asargent@chromium.org>
+
+        Reviewed by Dimitri Glazkov.
+
+        This is some cleanup motivated by the crash in http://crbug.com/9775 , which 
+        happens because of calling window.open inside a window.onload handler. 
+
+        These changes are just part of the fix, along with some asserts to help prevent
+        breakage on future changes. 
+
+        https://bugs.webkit.org/show_bug.cgi?id=25132
+
+        * bindings/v8/V8EventListenerList.cpp:
+        (WebCore::V8EventListenerList::add):
+        (WebCore::V8EventListenerList::remove):
+        (WebCore::V8EventListenerList::clear):
+        * bindings/v8/V8EventListenerList.h:
+        (WebCore::V8EventListenerList::size):
+
 2009-04-14  Evan Martin  <evan@chromium.org>
 
         Reviewed by Darin Adler.

third_party/WebKit/WebCore/bindings/v8/V8EventListenerList.cpp

@@ -74,6 +74,7 @@ v8::Handle<v8::String> V8EventListenerList::getKey(bool isInline)
 // See comment in .h file for this function, and update accordingly if implementation details change here.
 void V8EventListenerList::add(V8EventListener* listener)
 {
+    ASSERT(v8::Context::InContext());
     m_list.append(listener);
 
     v8::HandleScope handleScope;
@@ -84,12 +85,19 @@ void V8EventListenerList::add(V8EventListener* listener)
 
 void V8EventListenerList::remove(V8EventListener* listener)
 {
+    ASSERT(v8::Context::InContext());
     v8::HandleScope handleScope;
+    v8::Handle<v8::String> key = getKey(listener->isInline());
     for (size_t i = 0; i < m_list.size(); i++) {
         V8EventListener* element = m_list.at(i);
         if (element->isInline() == listener->isInline() && element == listener) {
             v8::Local<v8::Object> object = listener->getListenerObject();
-            object->DeleteHiddenValue(getKey(listener->isInline()));
+
+            // FIXME(asargent) this check for hidden value being !empty is a workaround for
+            // http://code.google.com/p/v8/issues/detail?id=300
+            // Once the fix for that is pulled into chromium we can remove the check here.
+            if (!object->GetHiddenValue(key).IsEmpty())
+              object->DeleteHiddenValue(getKey(listener->isInline()));
             m_list.remove(i);
             break;
         }
@@ -98,6 +106,7 @@ void V8EventListenerList::remove(V8EventListener* listener)
 
 void V8EventListenerList::clear()
 {
+    ASSERT(v8::Context::InContext());
     v8::HandleScope handleScope;
     for (size_t i = 0; i < m_list.size(); i++) {
         V8EventListener* element = m_list.at(i);

third_party/WebKit/WebCore/bindings/v8/V8EventListenerList.h

@@ -56,6 +56,7 @@ namespace WebCore {
         void remove(V8EventListener*);
         V8EventListener* find(v8::Local<v8::Object>, bool isInline);
         void clear();
+        size_t size() { return m_list.size(); }
 
     private:
         v8::Handle<v8::String> getKey(bool isInline);