binding: Window-returning attributes return null if a Window is detached.

Makes the attributes that return a WindowProxy return null if the browsing context of the Window is detached in order to avoid crashes that are caused by accessing to a ScriptState for the detached browsing context. This is a kind of first aid, and not the right fix. The spec requires DOM attributes such as Window.parent or top to return the WindowProxy of the browsing context if it's detached. I.e. we need to fully support detached frames. BUG=621730,621577 Review-Url: https://codereview.chromium.org/2085983002 Cr-Commit-Position: refs/heads/master@{#401007}

binding: Window-returning attributes return null if a Window is detached.
Makes the attributes that return a WindowProxy return null if the browsing context of the Window is detached in order to avoid crashes that are caused by accessing to a ScriptState for the detached browsing context. This is a kind of first aid, and not the right fix. The spec requires DOM attributes such as Window.parent or top to return the WindowProxy of the browsing context if it's detached. I.e. we need to fully support detached frames. BUG=621730,621577 Review-Url: https://codereview.chromium.org/2085983002 Cr-Commit-Position: refs/heads/master@{#401007}
eb73fb7b · yukishiino · Commit bot · e40d752d · eb73fb7b · eb73fb7b
Commit eb73fb7b authored Jun 21, 2016 by yukishiino Committed by Commit bot Jun 21, 2016
Showing with 17 additions and 6 deletions

third_party/WebKit/Source/bindings/core/v8/ToV8.cpp third_party/WebKit/Source/bindings/core/v8/ToV8.cpp +9 -4

third_party/WebKit/Source/core/frame/DOMWindow.cpp third_party/WebKit/Source/core/frame/DOMWindow.cpp +8 -2

No files found.
--- a/third_party/WebKit/Source/bindings/core/v8/ToV8.cpp
+++ b/third_party/WebKit/Source/bindings/core/v8/ToV8.cpp
@@ -20,12 +20,17 @@ v8::Local<v8::Value> toV8(DOMWindow* window, v8::Local<v8::Object> creationConte

    if (UNLIKELY(!window))
        return v8::Null(isolate);
-    // Initializes environment of a frame, and return the global object
-    // of the frame.
-    Frame * frame = window->frame();
-    if (!frame)
+
+    // TODO(yukishiino): There must be no case to return undefined.
+    // 'window', 'frames' and 'self' attributes in Window interface return
+    // the WindowProxy object of the browsing context, which never be undefined.
+    // 'top' and 'parent' attributes return the same when detached.  Therefore,
+    // there must be no case to return undefined.
+    // See http://crbug.com/621730 and http://crbug.com/621577 .
+    if (!window->isCurrentlyDisplayedInFrame())
        return v8Undefined();

+    Frame* frame = window->frame();
    return frame->windowProxy(DOMWrapperWorld::current(isolate))->globalIfNotDetached();
 }


--- a/third_party/WebKit/Source/core/frame/DOMWindow.cpp
+++ b/third_party/WebKit/Source/core/frame/DOMWindow.cpp
@@ -103,7 +103,10 @@ DOMWindow* DOMWindow::opener() const

 DOMWindow* DOMWindow::parent() const
 {
-    if (!frame())
+    // TODO(yukishiino): The 'parent' attribute must return |this|
+    // (the WindowProxy object of the browsing context itself) when it's
+    // top-level or detached.
+    if (!isCurrentlyDisplayedInFrame())
        return nullptr;

    Frame* parent = frame()->tree().parent();
@@ -112,7 +115,10 @@ DOMWindow* DOMWindow::parent() const

 DOMWindow* DOMWindow::top() const
 {
-    if (!frame())
+    // TODO(yukishiino): The 'top' attribute must return |this|
+    // (the WindowProxy object of the browsing context itself) when it's
+    // top-level or detached.
+    if (!isCurrentlyDisplayedInFrame())
        return nullptr;

    return frame()->tree().top()->domWindow();