Updated WebKit from /home/shausman/src/webkit/trunk to origin/qtwebkit-4.5 ( 1535d41a668e5f74f44ff3aa1313a84d5718d2d7 )

Changes in WebKit since the last update:

++ b/WebCore/ChangeLog
2009-07-23  Simon Hausmann  <simon.hausmann@nokia.com>

        Reviewed by Holger Freyther.

        Fix crashes with the QObject bindings after garbage collection.

        There is one QtInstance per wrapped QObject, and that QtInstance keeps
        references to cached JSObjects for slots. When those objects get
        deleted due to GC, then they becoming dangling pointers.

        When a cached member dies, it is now removed from the QtInstance's
        cache.

        As we cannot track the lifetime of the children, we have to remove
        them from QtInstance alltogether. They are not cached and were
        only used for mark(), but we _want_ them to be subject to gc.

        * bridge/qt/qt_instance.cpp:
        (JSC::Bindings::QtInstance::~QtInstance): Minor coding style cleanup,
        use qDeleteAll().
        (JSC::Bindings::QtInstance::removeCachedMethod): New function, to
        clean m_methods and m_defaultMethod.
        (JSC::Bindings::QtInstance::mark): Avoid marking already marked objects.
        (JSC::Bindings::QtField::valueFromInstance): Don't save children for
        marking.
        * bridge/qt/qt_instance.h: Declare removeCachedMethod.
        * bridge/qt/qt_runtime.cpp:
        (JSC::Bindings::QtRuntimeMethod::~QtRuntimeMethod): Call removeCachedMethod
        with this on the instance.

2009-05-04  Jakub Wieczorek  <faw217@gmail.com>

        Reviewed by Simon Hausmann.

        As Qtish implementation of MIMETypeRegistry::getMIMETypeForExtension()
        returns the application/octet-stream mimetype when it can't associate
        extension with any mimetype, it can happen that the application/octet-stream
        mimetype will hit the list of supported image formats. For instance,
        it is possible when QImageReader or QImageWriter support an extension
        that is not in the extensions map.

        Make sure that this mimetype is not treated as displayable image type.

        * platform/MIMETypeRegistry.cpp:
        (WebCore::initializeSupportedImageMIMETypes):
        (WebCore::initializeSupportedImageMIMETypesForEncoding):

++ b/WebKit/qt/ChangeLog
2009-07-23  Simon Hausmann  <simon.hausmann@nokia.com>

        Reviewed by Holger Freyther.

        Added a testcase to verify that cached methods in the QOBject bindings
        remain alife even after garbage collection.

        * tests/qwebpage/tst_qwebpage.cpp:
        (tst_QWebPage::protectBindingsRuntimeObjectsFromCollector):

9 files changed, 114 insertions, 17 deletions

diff --git a/src/3rdparty/webkit/VERSION b/src/3rdparty/webkit/VERSION
index 88f32d9f0e..eaa0479d0b 100644
--- a/src/3rdparty/webkit/VERSION
+++ b/src/3rdparty/webkit/VERSION
@@ -8,4 +8,4 @@ The commit imported was from the
 
 and has the sha1 checksum
 
-        a3e05ad8acdead3b534d0cef772b85f002e80b8d
+        1535d41a668e5f74f44ff3aa1313a84d5718d2d7
diff --git a/src/3rdparty/webkit/WebCore/ChangeLog b/src/3rdparty/webkit/WebCore/ChangeLog
index 19bb36afc7..83f5e6f632 100644
--- a/src/3rdparty/webkit/WebCore/ChangeLog
+++ b/src/3rdparty/webkit/WebCore/ChangeLog
@@ -1,3 +1,50 @@
+2009-07-23  Simon Hausmann  <simon.hausmann@nokia.com>
+
+        Reviewed by Holger Freyther.
+
+        Fix crashes with the QObject bindings after garbage collection.
+
+        There is one QtInstance per wrapped QObject, and that QtInstance keeps
+        references to cached JSObjects for slots. When those objects get
+        deleted due to GC, then they becoming dangling pointers.
+
+        When a cached member dies, it is now removed from the QtInstance's
+        cache.
+
+        As we cannot track the lifetime of the children, we have to remove
+        them from QtInstance alltogether. They are not cached and were
+        only used for mark(), but we _want_ them to be subject to gc.
+
+        * bridge/qt/qt_instance.cpp:
+        (JSC::Bindings::QtInstance::~QtInstance): Minor coding style cleanup,
+        use qDeleteAll().
+        (JSC::Bindings::QtInstance::removeCachedMethod): New function, to
+        clean m_methods and m_defaultMethod.
+        (JSC::Bindings::QtInstance::mark): Avoid marking already marked objects.
+        (JSC::Bindings::QtField::valueFromInstance): Don't save children for
+        marking.
+        * bridge/qt/qt_instance.h: Declare removeCachedMethod.
+        * bridge/qt/qt_runtime.cpp:
+        (JSC::Bindings::QtRuntimeMethod::~QtRuntimeMethod): Call removeCachedMethod
+        with this on the instance.
+
+2009-05-04  Jakub Wieczorek  <faw217@gmail.com>
+
+        Reviewed by Simon Hausmann.
+
+        As Qtish implementation of MIMETypeRegistry::getMIMETypeForExtension()
+        returns the application/octet-stream mimetype when it can't associate
+        extension with any mimetype, it can happen that the application/octet-stream
+        mimetype will hit the list of supported image formats. For instance,
+        it is possible when QImageReader or QImageWriter support an extension
+        that is not in the extensions map.
+
+        Make sure that this mimetype is not treated as displayable image type.
+
+        * platform/MIMETypeRegistry.cpp:
+        (WebCore::initializeSupportedImageMIMETypes):
+        (WebCore::initializeSupportedImageMIMETypesForEncoding):
+
 2009-06-18  Chris Evans  <scarybeasts@gmail.com>
 
         Reviewed by Adam Barth.
diff --git a/src/3rdparty/webkit/WebCore/bridge/qt/qt_instance.cpp b/src/3rdparty/webkit/WebCore/bridge/qt/qt_instance.cpp
index 4b94a94b08..4fc95fa62a 100644
--- a/src/3rdparty/webkit/WebCore/bridge/qt/qt_instance.cpp
+++ b/src/3rdparty/webkit/WebCore/bridge/qt/qt_instance.cpp
@@ -110,9 +110,7 @@ QtInstance::~QtInstance()
     // clean up (unprotect from gc) the JSValues we've created
     m_methods.clear();
 
-    foreach(QtField* f, m_fields.values()) {
-        delete f;
-    }
+    qDeleteAll(m_fields);
     m_fields.clear();
 
     if (m_object) {
@@ -158,6 +156,19 @@ RuntimeObjectImp* QtInstance::getRuntimeObject(ExecState* exec, PassRefPtr<QtIns
     return ret;
 }
 
+void QtInstance::removeCachedMethod(JSObject* method)
+{
+    if (m_defaultMethod == method)
+        m_defaultMethod = 0;
+
+    for(QHash<QByteArray, JSObject*>::Iterator it = m_methods.begin(),
+        end = m_methods.end(); it != end; ++it)
+        if (it.value() == method) {
+            m_methods.erase(it);
+            return;
+        }
+}
+
 Class* QtInstance::getClass() const
 {
     if (!m_class)
@@ -167,16 +178,12 @@ Class* QtInstance::getClass() const
 
 void QtInstance::mark()
 {
-    if (m_defaultMethod)
+    if (m_defaultMethod && !m_defaultMethod->marked())
         m_defaultMethod->mark();
     foreach(JSObject* val, m_methods.values()) {
         if (val && !val->marked())
             val->mark();
     }
-    foreach(JSValuePtr val, m_children.values()) {
-        if (val && !val->marked())
-            val->mark();
-    }
 }
 
 void QtInstance::begin()
@@ -329,13 +336,7 @@ JSValuePtr QtField::valueFromInstance(ExecState* exec, const Instance* inst) con
         else if (m_type == DynamicProperty)
             val = obj->property(m_dynamicProperty);
 
-        JSValuePtr ret = convertQVariantToValue(exec, inst->rootObject(), val);
-
-        // Need to save children so we can mark them
-        if (m_type == ChildObject)
-            instance->m_children.insert(ret);
-
-        return ret;
+        return convertQVariantToValue(exec, inst->rootObject(), val);
     } else {
         QString msg = QString(QLatin1String("cannot access member `%1' of deleted QObject")).arg(QLatin1String(name()));
         return throwError(exec, GeneralError, msg.toLatin1().constData());
diff --git a/src/3rdparty/webkit/WebCore/bridge/qt/qt_instance.h b/src/3rdparty/webkit/WebCore/bridge/qt/qt_instance.h
index 50d4cf14cd..bc22725908 100644
--- a/src/3rdparty/webkit/WebCore/bridge/qt/qt_instance.h
+++ b/src/3rdparty/webkit/WebCore/bridge/qt/qt_instance.h
@@ -64,6 +64,8 @@ public:
     static PassRefPtr<QtInstance> getQtInstance(QObject*, PassRefPtr<RootObject>, QScriptEngine::ValueOwnership ownership);
     static RuntimeObjectImp* getRuntimeObject(ExecState* exec, PassRefPtr<QtInstance>);
 
+    void removeCachedMethod(JSObject*);
+
 private:
     static PassRefPtr<QtInstance> create(QObject *instance, PassRefPtr<RootObject> rootObject, QScriptEngine::ValueOwnership ownership)
     {
@@ -78,7 +80,6 @@ private:
     QObject* m_hashkey;
     mutable QHash<QByteArray, JSObject*> m_methods;
     mutable QHash<QString, QtField*> m_fields;
-    mutable QSet<JSValuePtr> m_children;
     mutable QtRuntimeMetaMethod* m_defaultMethod;
     QScriptEngine::ValueOwnership m_ownership;
 };
diff --git a/src/3rdparty/webkit/WebCore/bridge/qt/qt_runtime.cpp b/src/3rdparty/webkit/WebCore/bridge/qt/qt_runtime.cpp
index c7ba6c2d48..c0883a98fd 100644
--- a/src/3rdparty/webkit/WebCore/bridge/qt/qt_runtime.cpp
+++ b/src/3rdparty/webkit/WebCore/bridge/qt/qt_runtime.cpp
@@ -913,6 +913,8 @@ QtRuntimeMethod::QtRuntimeMethod(QtRuntimeMethodData* dd, ExecState* exec, const
 
 QtRuntimeMethod::~QtRuntimeMethod()
 {
+    QW_D(QtRuntimeMethod);
+    d->m_instance->removeCachedMethod(this);
     delete d_ptr;
 }
 
diff --git a/src/3rdparty/webkit/WebCore/platform/MIMETypeRegistry.cpp b/src/3rdparty/webkit/WebCore/platform/MIMETypeRegistry.cpp
index 8f987357fe..a85d706b64 100644
--- a/src/3rdparty/webkit/WebCore/platform/MIMETypeRegistry.cpp
+++ b/src/3rdparty/webkit/WebCore/platform/MIMETypeRegistry.cpp
@@ -100,6 +100,9 @@ static void initializeSupportedImageMIMETypes()
         supportedImageMIMETypes->add(mimeType);
         supportedImageResourceMIMETypes->add(mimeType);
     }
+
+    supportedImageMIMETypes->remove("application/octet-stream");
+    supportedImageResourceMIMETypes->remove("application/octet-stream");
 #else
     // assume that all implementations at least support the following standard
     // image types:
@@ -145,6 +148,8 @@ static void initializeSupportedImageMIMETypesForEncoding()
         String mimeType = MIMETypeRegistry::getMIMETypeForExtension(formats.at(i).constData());
         supportedImageMIMETypesForEncoding->add(mimeType);
     }
+
+    supportedImageMIMETypesForEncoding->remove("application/octet-stream");
 #elif PLATFORM(CAIRO)
     supportedImageMIMETypesForEncoding->add("image/png");
 #endif
diff --git a/src/3rdparty/webkit/WebKit/qt/Api/qwebframe.cpp b/src/3rdparty/webkit/WebKit/qt/Api/qwebframe.cpp
index e565476418..bd43ce38de 100644
--- a/src/3rdparty/webkit/WebKit/qt/Api/qwebframe.cpp
+++ b/src/3rdparty/webkit/WebKit/qt/Api/qwebframe.cpp
@@ -32,6 +32,7 @@
 #include "Frame.h"
 #include "FrameTree.h"
 #include "FrameView.h"
+#include "GCController.h"
 #include "IconDatabase.h"
 #include "InspectorController.h"
 #include "Page.h"
@@ -105,6 +106,11 @@ void QWEBKIT_EXPORT qt_drt_setJavaScriptProfilingEnabled(QWebFrame* qframe, bool
         controller->disableProfiler();
 }
 
+void QWEBKIT_EXPORT qt_drt_garbageCollector_collect()
+{
+    gcController().garbageCollectNow();
+}
+
 void QWebFramePrivate::init(QWebFrame *qframe, WebCore::Page *webcorePage, QWebFrameData *frameData)
 {
     q = qframe;
diff --git a/src/3rdparty/webkit/WebKit/qt/ChangeLog b/src/3rdparty/webkit/WebKit/qt/ChangeLog
index a7e176d8ec..125e556adc 100644
--- a/src/3rdparty/webkit/WebKit/qt/ChangeLog
+++ b/src/3rdparty/webkit/WebKit/qt/ChangeLog
@@ -1,3 +1,13 @@
+2009-07-23  Simon Hausmann  <simon.hausmann@nokia.com>
+
+        Reviewed by Holger Freyther.
+
+        Added a testcase to verify that cached methods in the QOBject bindings
+        remain alife even after garbage collection.
+
+        * tests/qwebpage/tst_qwebpage.cpp:
+        (tst_QWebPage::protectBindingsRuntimeObjectsFromCollector):
+
 2009-06-16  Morten Engvoldsen  <morten.engvoldsen@nokia.com>
 
         Reviewed by Ariya Hidayat.
diff --git a/src/3rdparty/webkit/WebKit/qt/tests/qwebpage/tst_qwebpage.cpp b/src/3rdparty/webkit/WebKit/qt/tests/qwebpage/tst_qwebpage.cpp
index 620aa31a60..c3ed54cc1b 100644
--- a/src/3rdparty/webkit/WebKit/qt/tests/qwebpage/tst_qwebpage.cpp
+++ b/src/3rdparty/webkit/WebKit/qt/tests/qwebpage/tst_qwebpage.cpp
@@ -107,6 +107,7 @@ private slots:
     void textEditing();
 
     void requestCache();
+    void protectBindingsRuntimeObjectsFromCollector();
 
 private:
 
@@ -1037,5 +1038,29 @@ void tst_QWebPage::requestCache()
              (int)QNetworkRequest::PreferCache);
 }
 
+void QWEBKIT_EXPORT qt_drt_garbageCollector_collect();
+
+void tst_QWebPage::protectBindingsRuntimeObjectsFromCollector()
+{
+    QSignalSpy loadSpy(m_view, SIGNAL(loadFinished(bool)));
+
+    PluginPage* newPage = new PluginPage(m_view);
+    m_view->setPage(newPage);
+
+    m_view->settings()->setAttribute(QWebSettings::PluginsEnabled, true);
+
+    m_view->setHtml(QString("<html><body><object type='application/x-qt-plugin' classid='lineedit' id='mylineedit'/></body></html>"));
+    QTRY_COMPARE(loadSpy.count(), 1);
+
+    newPage->mainFrame()->evaluateJavaScript("function testme(text) { var lineedit = document.getElementById('mylineedit'); lineedit.setText(text); lineedit.selectAll(); }");
+
+    newPage->mainFrame()->evaluateJavaScript("testme('foo')");
+
+    qt_drt_garbageCollector_collect();
+
+    // don't crash!
+    newPage->mainFrame()->evaluateJavaScript("testme('bar')");
+}
+
 QTEST_MAIN(tst_QWebPage)
 #include "tst_qwebpage.moc"