Title: [187165] trunk
- Revision
- 187165
- Author
- commit-qu...@webkit.org
- Date
- 2015-07-22 10:21:14 -0700 (Wed, 22 Jul 2015)
Log Message
Source/WebCore:
Fix toJSDOMWindow() in the case of an object that has the actual JS DOM window in its prototype chain.
https://bugs.webkit.org/show_bug.cgi?id=146785
Patch by Mark Dittmer <mark.s.ditt...@gmail.com> on 2015-07-22
Reviewed by Mark Lam.
* bindings/js/JSDOMWindowBase.cpp: toJSDOMWindow(): Walk the prototype chain of the given JSValue until a JSDOMWindow or JSDOMWindowShell is found.
LayoutTests:
New test: Object.create(window).location will trigger a crash when toJSDOMWindow() returns NULL on an object that has the JS DOM Window in its prototype chain.
https://bugs.webkit.org/show_bug.cgi?id=146785
Patch by Mark Dittmer <mark.s.ditt...@gmail.com> on 2015-07-22
Reviewed by Mark Lam.
* js/property-of-window-as-prototype-expected.txt:
* js/property-of-window-as-prototype.html:
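The new layout test exercises a single attribute (`location`) through a single level of inheritance. The following is an added example, not code from the WebKit patch or its test, that generalises the same trigger: it calls every own accessor of a target object with receivers that merely inherit from it, at prototype depth 1 and 2, and records which getters resolve and which refuse the receiver. In a browser, `probeDerivedReceivers(window)` walks every window attribute, not just `location`; on an unfixed build the process dies at the first affected getter, which is why it runs property by property. Outside a browser the block substitutes a constructed stand-in window (`makeStandInWindow`, an assumption of this example) whose `location` getter resolves for any receiver, as the patched binding does, and whose `strict` getter performs an exact-identity brand check and throws a TypeError, which is the behaviour a null-check in the binding would produce instead of a crash.

```javascript
// Added example (not from the WebKit patch): probe accessor getters with a
// receiver that only inherits from the target, the shape of
// Object.create(window).location from the new layout test.
'use strict';

// Receivers that have `target` on their prototype chain at depth 1 and depth 2.
function derivedReceivers(target) {
  const depth1 = Object.create(target);
  const depth2 = Object.create(depth1);
  return [{ depth: 1, receiver: depth1 }, { depth: 2, receiver: depth2 }];
}

// Invoke each own accessor getter of `target` with the derived receivers as
// `this`. One record per (property, depth): status 'ok' when the getter
// returned (sameAsTarget says whether it yielded the same value as calling it
// on the target itself, i.e. whether it resolved against the real target),
// status 'threw' with the error name when it raised.
function probeDerivedReceivers(target) {
  const records = [];
  for (const name of Object.getOwnPropertyNames(target)) {
    const desc = Object.getOwnPropertyDescriptor(target, name);
    if (!desc || typeof desc.get !== 'function') continue;
    for (const { depth, receiver } of derivedReceivers(target)) {
      try {
        const value = Reflect.apply(desc.get, receiver, []);
        let sameAsTarget = false;
        try {
          sameAsTarget = Object.is(value, Reflect.apply(desc.get, target, []));
        } catch (_) {
          sameAsTarget = false;
        }
        records.push({ name, depth, status: 'ok', sameAsTarget });
      } catch (e) {
        records.push({ name, depth, status: 'threw', error: e && e.name });
      }
    }
  }
  return records;
}

// Summarise which accessors accept a derived receiver and which reject it.
function summarise(records) {
  const ok = new Set();
  const threw = new Set();
  for (const r of records) (r.status === 'ok' ? ok : threw).add(r.name);
  return { ok: [...ok].sort(), threw: [...threw].sort() };
}

// Constructed stand-in for a window-like object, used when no browser `window`
// exists (assumption of this example, not a WebKit object):
//  - `location` resolves the same object for any receiver (patched behaviour);
//  - `strict` brand-checks the receiver and throws TypeError otherwise.
function makeStandInWindow() {
  const win = {};
  const loc = { href: 'https://example.invalid/' }; // constructed sample value
  Object.defineProperty(win, 'location', { get() { return loc; }, enumerable: true });
  Object.defineProperty(win, 'strict', {
    get() {
      if (this !== win) throw new TypeError('receiver is not the window');
      return 1;
    },
    enumerable: true,
  });
  return win;
}

const target = typeof window !== 'undefined' ? window : makeStandInWindow();
const report = summarise(probeDerivedReceivers(target));
```

Run against the real `window` in a page, `report.ok` lists the attributes whose getters now resolve against the window through the prototype walk, and `report.threw` the ones that still brand-check their receiver; with the stand-in it yields `{ ok: ['location'], threw: ['strict'] }`.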
Diff
Modified: trunk/LayoutTests/ChangeLog (187164 => 187165)
--- trunk/LayoutTests/ChangeLog 2015-07-22 17:17:12 UTC (rev 187164)
+++ trunk/LayoutTests/ChangeLog 2015-07-22 17:21:14 UTC (rev 187165)
@@ -1,3 +1,13 @@
+2015-07-22 Mark Dittmer <mark.s.ditt...@gmail.com>
+
+ New test: Object.create(window).location will trigger a crash when toJSDOMWindow() returns NULL on an object that have the JS DOM Window in its prototype chain.
+ https://bugs.webkit.org/show_bug.cgi?id=146785
+
+ Reviewed by Mark Lam.
+
+ * js/property-of-window-as-prototype-expected.txt:
+ * js/property-of-window-as-prototype.html:
+
2015-07-21 Alexey Proskuryakov <a...@apple.com>
Update Mac test results for libxml2 v2.9.2.
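Review bot: The ChangeLog entry's description line reads "an object that have the JS DOM Window in its prototype chain"; it should be "an object that has" (the same sentence appears in the commit log above). Minor, but ChangeLog text is what `git log` readers see.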
Added: trunk/LayoutTests/js/property-of-window-as-prototype-expected.txt (0 => 187165)
--- trunk/LayoutTests/js/property-of-window-as-prototype-expected.txt (rev 0)
+++ trunk/LayoutTests/js/property-of-window-as-prototype-expected.txt 2015-07-22 17:21:14 UTC (rev 187165)
@@ -0,0 +1,4 @@
+PASS successfullyParsed is true
+
+TEST COMPLETE
+
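Review bot: The expected output contains only the harness lines ("PASS successfullyParsed is true", "TEST COMPLETE"), so the test passes whenever the page finishes loading, and a regression that made `Object.create(window).location` throw or return undefined instead of crashing would still pass. Since the fix walks the chain to the real window, consider adding one positive assertion, for example that `Object.create(window).location` is `window.location`, so the expected file records the intended result and not just the absence of a crash.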
Added: trunk/LayoutTests/js/property-of-window-as-prototype.html (0 => 187165)
--- trunk/LayoutTests/js/property-of-window-as-prototype.html (rev 0)
+++ trunk/LayoutTests/js/property-of-window-as-prototype.html 2015-07-22 17:21:14 UTC (rev 187165)
@@ -0,0 +1,13 @@
+<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML//EN">
+<html>
+<head>
+<script src=""
+</head>
+<body>
+<script>
+// So long as the line below doesn't crash, this test passes.
+Object.create(window).location;
+</script>
+<script src=""
+</body>
+</html>
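Review bot: The two `<script src=""` lines have an empty `src` and no closing `>`, so as shown here the page loads no harness, yet the expected file relies on the harness output ("PASS successfullyParsed is true" / "TEST COMPLETE"). This is most likely damage from the rendering of this page rather than the landed file, but please confirm the committed HTML references the js-test pre/post scripts with their paths and closes both tags, otherwise the test prints nothing and fails against its own expected output.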
Modified: trunk/Source/WebCore/ChangeLog (187164 => 187165)
--- trunk/Source/WebCore/ChangeLog 2015-07-22 17:17:12 UTC (rev 187164)
+++ trunk/Source/WebCore/ChangeLog 2015-07-22 17:21:14 UTC (rev 187165)
@@ -1,3 +1,12 @@
+2015-07-22 Mark Dittmer <mark.s.ditt...@gmail.com>
+
+ Fix toJSDOMWindow() in the case of an object that has the actual JS DOM window in its prototype chain.
+ https://bugs.webkit.org/show_bug.cgi?id=146785
+
+ Reviewed by Mark Lam.
+
+ * bindings/js/JSDOMWindowBase.cpp: toJSDOMWindow(): Walk the prototype chain of the given JSValue until a JSDOMWindow or JSDOMWindowShell is found.
+
2015-07-22 Matthew Daiter <mdai...@apple.com>
Remove revealing getVideoTracks() and getAudioTracks()
Modified: trunk/Source/WebCore/bindings/js/JSDOMWindowBase.cpp (187164 => 187165)
--- trunk/Source/WebCore/bindings/js/JSDOMWindowBase.cpp 2015-07-22 17:17:12 UTC (rev 187164)
+++ trunk/Source/WebCore/bindings/js/JSDOMWindowBase.cpp 2015-07-22 17:21:14 UTC (rev 187165)
@@ -248,11 +248,15 @@
{
if (!value.isObject())
return 0;
- const ClassInfo* classInfo = asObject(value)->classInfo();
- if (classInfo == JSDOMWindow::info())
- return jsCast<JSDOMWindow*>(asObject(value));
- if (classInfo == JSDOMWindowShell::info())
- return jsCast<JSDOMWindowShell*>(asObject(value))->window();
+ while (!value.isNull()) {
+ JSObject* object = asObject(value);
+ const ClassInfo* classInfo = object->classInfo();
+ if (classInfo == JSDOMWindow::info())
+ return jsCast<JSDOMWindow*>(object);
+ if (classInfo == JSDOMWindowShell::info())
+ return jsCast<JSDOMWindowShell*>(object)->window();
+ value = object->prototype();
+ }
return 0;
}
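Review bot: The loop at `while (!value.isNull())` relies on `object->prototype()` only ever returning an object or null, because the next iteration calls `asObject(value)` unconditionally; the entry check `if (!value.isObject()) return 0;` does not cover values produced inside the loop. Writing the loop as `while (value.isObject())` and dropping the separate entry check states that invariant in one place and keeps the function returning 0 for anything else if a prototype is ever something other than an object or null. Two further points worth a sentence in the ChangeLog: (1) this is a behavioural change, not just a crash fix. Any object with the window or its shell anywhere on its prototype chain is now treated as that window, so callers that use toJSDOMWindow() for origin or access decisions must keep doing their own security check on the returned window rather than trusting that the receiver was the window itself. (2) The null-return case is unchanged for objects with no window in the chain, so a caller that dereferences the result unchecked still crashes for those; this patch widens what counts as a window, it does not make the callers null-safe, and the test only covers the `Object.create(window)` case.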
_______________________________________________
webkit-changes mailing list
webkit-changes@lists.webkit.org
https://lists.webkit.org/mailman/listinfo/webkit-changes