Created attachment 111118 [details] Patch

Comment on attachment 111118 [details] Patch View in context: https://bugs.webkit.org/attachment.cgi?id=111118&action=review > Source/WebCore/bindings/js/JSHTMLFrameSetElementCustom.cpp:54 > + if (Document* document = static_cast<HTMLFrameElement*>(frameElement)->contentDocument()) { I know this is in the original code, but it's unclear to me what makes this cast safe. It seems like you could add non HTMLFrameElement children to an HTMLFrameSetElement via the DOM (though not with the parser).

Comment on attachment 111118 [details] Patch Clearing flags on attachment: 111118 Committed r97551: <http://trac.webkit.org/changeset/97551>

All reviewed patches have been landed. Closing bug.

Comment on attachment 111118 [details] Patch View in context: https://bugs.webkit.org/attachment.cgi?id=111118&action=review >> Source/WebCore/bindings/js/JSHTMLFrameSetElementCustom.cpp:54 >> + if (Document* document = static_cast<HTMLFrameElement*>(frameElement)->contentDocument()) { > > I know this is in the original code, but it's unclear to me what makes this cast safe. It seems like you could add non HTMLFrameElement children to an HTMLFrameSetElement via the DOM (though not with the parser). I had the same question. What makes this safe is that this function is only called if canGetItemsForName returns true. This function could repeat the logic, and I considered it, but there is no need for that.