Crash when calling QWebFrame::evaluateJavaScript

https://bugs.webkit.org/show_bug.cgi?id=113434

Reviewed by Simon Hausmann.

Ensure we hold the JSLock when converting JSValue to JSValueRef.

* Api/qwebelement.cpp:
(setupScriptContext):
(QWebElement::evaluateJavaScript):
* WebCoreSupport/QWebFrameAdapter.cpp:
(QWebFrameAdapter::evaluateJavaScript):

Change-Id: I1bcab3ec31d1fbbb55246982a2c69e72ae9d0948
git-svn-id: http://svn.webkit.org/repository/webkit/trunk@149671 268f45cc-cd09-0410-ab3c-d52691b4dbfc
Reviewed-by: Jocelyn Turcotte <jocelyn.turcotte@digia.com>

1 files changed, 15 insertions, 10 deletions

diff --git a/Source/WebKit/qt/Api/qwebelement.cpp b/Source/WebKit/qt/Api/qwebelement.cpp
index 82f579d95..96278333b 100644
--- a/Source/WebKit/qt/Api/qwebelement.cpp
+++ b/Source/WebKit/qt/Api/qwebelement.cpp
@@ -44,6 +44,7 @@
 #include "qt_runtime.h"
 #include "NodeList.h"
 #include "RenderImage.h"
+#include "ScriptSourceCode.h"
 #include "ScriptState.h"
 #include "StaticNodeList.h"
 #include "StyleResolver.h"
@@ -709,7 +710,7 @@ QWebFrame *QWebElement::webFrame() const
     return frameAdapter->apiHandle();
 }
 
-static bool setupScriptContext(WebCore::Element* element, JSC::JSValue& thisValue, ScriptState*& state, ScriptController*& scriptController)
+static bool setupScriptContext(WebCore::Element* element, ScriptState*& state, ScriptController*& scriptController)
 {
     if (!element)
         return false;
@@ -730,10 +731,6 @@ static bool setupScriptContext(WebCore::Element* element, JSC::JSValue& thisValu
     if (!state)
         return false;
 
-    thisValue = toJS(state, deprecatedGlobalObjectForPrototype(state), element);
-    if (!thisValue)
-        return false;
-
     return true;
 }
 
@@ -746,21 +743,29 @@ QVariant QWebElement::evaluateJavaScript(const QString& scriptSource)
         return QVariant();
 
     ScriptState* state = 0;
-    JSC::JSValue thisValue;
     ScriptController* scriptController = 0;
 
-    if (!setupScriptContext(m_element, thisValue, state, scriptController))
+    if (!setupScriptContext(m_element, state, scriptController))
+        return QVariant();
+
+    JSC::JSLockHolder lock(state);
+    RefPtr<Element> protect = m_element;
+
+    JSC::JSValue thisValue = toJS(state, toJSDOMGlobalObject(m_element->document(), state), m_element);
+    if (!thisValue)
         return QVariant();
-    String script(reinterpret_cast_ptr<const UChar*>(scriptSource.data()), scriptSource.length());
+
+    ScriptSourceCode sourceCode(scriptSource);
 
     JSC::JSValue evaluationException;
-    JSC::JSValue evaluationResult = JSC::evaluate(state, JSC::makeSource(script), thisValue, &evaluationException);
+    JSC::JSValue evaluationResult = JSC::evaluate(state, sourceCode.jsSourceCode(), thisValue, &evaluationException);
     if (evaluationException)
         return QVariant();
+    JSValueRef evaluationResultRef = toRef(state, evaluationResult);
 
     int distance = 0;
     JSValueRef* ignoredException = 0;
-    return JSC::Bindings::convertValueToQVariant(toRef(state), toRef(state, evaluationResult), QMetaType::Void, &distance, ignoredException);
+    return JSC::Bindings::convertValueToQVariant(toRef(state), evaluationResultRef, QMetaType::Void, &distance, ignoredException);
 }
 
 /*!