Title: [187858] releases/WebKitGTK/webkit-2.8
Revision
187858
Author
carlo...@webkit.org
Date
2015-08-04 06:24:06 -0700 (Tue, 04 Aug 2015)

Log Message

Source/WebCore:
Fix toJSDOMWindow() in the case of an object that has the actual JS DOM window in its prototype chain.
https://bugs.webkit.org/show_bug.cgi?id=146785

Patch by Mark Dittmer <mark.s.ditt...@gmail.com> on 2015-07-22
Reviewed by Mark Lam.

* bindings/js/JSDOMWindowBase.cpp: toJSDOMWindow(): Walk the prototype chain of the given JSValue until a JSDOMWindow or JSDOMWindowShell is found.

LayoutTests:
New test: Object.create(window).location will trigger a crash when toJSDOMWindow() returns NULL on an object that has the JS DOM Window in its prototype chain.
https://bugs.webkit.org/show_bug.cgi?id=146785

Patch by Mark Dittmer <mark.s.ditt...@gmail.com> on 2015-07-22
Reviewed by Mark Lam.

* js/property-of-window-as-prototype-expected.txt:
* js/property-of-window-as-prototype.html:
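
As an added illustration, not WebKit's code, here is a JavaScript model of the pre-patch and patched toJSDOMWindow() lookups described above; `classInfo`, `makeWindow`, `makeShell` and `locationGetter` are constructed stand-ins for JSC's ClassInfo pointer, the window, the JSDOMWindowShell and a bindings accessor.

```javascript
// Added example (not WebKit code): a JavaScript model of the old and patched
// toJSDOMWindow() lookups. `classInfo` is a constructed stand-in for JSC's
// ClassInfo pointer and is checked as an OWN property, because an inherited
// one would hide exactly the prototype-chain case the patch is about.
const WINDOW_INFO = "JSDOMWindow";
const SHELL_INFO = "JSDOMWindowShell";

function ownClassInfo(obj) {
  return Object.prototype.hasOwnProperty.call(obj, "classInfo") ? obj.classInfo : undefined;
}

// Constructed stand-ins for the real window and for JSDOMWindowShell::window().
function makeWindow(href) {
  return { classInfo: WINDOW_INFO, href };
}
function makeShell(win) {
  return { classInfo: SHELL_INFO, window: () => win };
}

// Pre-patch: only an exact window or shell matches; anything else yields null.
function toJSDOMWindowOld(value) {
  if (value === null || typeof value !== "object") return null;
  const info = ownClassInfo(value);
  if (info === WINDOW_INFO) return value;
  if (info === SHELL_INFO) return value.window();
  return null;
}

// Patched: walk the prototype chain (it ends at null) until a window or shell appears.
function toJSDOMWindowNew(value) {
  if (value === null || typeof value !== "object") return null;
  while (value !== null) {
    const info = ownClassInfo(value);
    if (info === WINDOW_INFO) return value;
    if (info === SHELL_INFO) return value.window();
    value = Object.getPrototypeOf(value);
  }
  return null;
}

// Model of a bindings accessor such as `location`: it resolves `this` to a
// window before using it. A null result stands in for the NULL dereference.
function locationGetter(lookup, receiver) {
  const win = lookup(receiver);
  if (win === null) throw new TypeError("toJSDOMWindow() returned NULL");
  return win.href;
}
```

With the old lookup, `locationGetter(toJSDOMWindowOld, Object.create(win))` hits the null path, which is the crash the new layout test exercises; the patched walk resolves the same receiver to the window.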

Diff

Modified: releases/WebKitGTK/webkit-2.8/LayoutTests/ChangeLog (187857 => 187858)


--- releases/WebKitGTK/webkit-2.8/LayoutTests/ChangeLog	2015-08-04 13:20:34 UTC (rev 187857)
+++ releases/WebKitGTK/webkit-2.8/LayoutTests/ChangeLog	2015-08-04 13:24:06 UTC (rev 187858)
@@ -1,3 +1,13 @@
+2015-07-22  Mark Dittmer  <mark.s.ditt...@gmail.com>
+
+        New test: Object.create(window).location will trigger a crash when toJSDOMWindow() returns NULL on an object that have the JS DOM Window in its prototype chain.
+        https://bugs.webkit.org/show_bug.cgi?id=146785
+
+        Reviewed by Mark Lam.
+
+        * js/property-of-window-as-prototype-expected.txt:
+        * js/property-of-window-as-prototype.html:
+
 2015-07-21  Benjamin Poulain  <bpoul...@apple.com>
 
         StyleSheetContents::wrapperInsertRule() can create rules that overflow RuleData's selector index
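Review bot: grammar nit in the new ChangeLog entry, "on an object that have the JS DOM Window in its prototype chain" should read "on an object that has the JS DOM Window in its prototype chain"; the Source/WebCore entry for the same change already uses "has".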

Added: releases/WebKitGTK/webkit-2.8/LayoutTests/js/property-of-window-as-prototype-expected.txt (0 => 187858)


--- releases/WebKitGTK/webkit-2.8/LayoutTests/js/property-of-window-as-prototype-expected.txt	                        (rev 0)
+++ releases/WebKitGTK/webkit-2.8/LayoutTests/js/property-of-window-as-prototype-expected.txt	2015-08-04 13:24:06 UTC (rev 187858)
@@ -0,0 +1,4 @@
+PASS successfullyParsed is true
+
+TEST COMPLETE
+

Added: releases/WebKitGTK/webkit-2.8/LayoutTests/js/property-of-window-as-prototype.html (0 => 187858)


--- releases/WebKitGTK/webkit-2.8/LayoutTests/js/property-of-window-as-prototype.html	                        (rev 0)
+++ releases/WebKitGTK/webkit-2.8/LayoutTests/js/property-of-window-as-prototype.html	2015-08-04 13:24:06 UTC (rev 187858)
@@ -0,0 +1,13 @@
+<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML//EN">
+<html>
+<head>
+<script src=""
+</head>
+<body>
+<script>
+// So long as the line below doesn't crash, this test passes.
+Object.create(window).location;
+</script>
+<script src=""
+</body>
+</html>
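Review bot: the two `<script src=""` lines are not well-formed as shown: the `src` attribute is empty and neither element is closed with `>` and `</script>`, so if this is what lands, the js-test harness is never loaded and the expected file's "PASS successfullyParsed is true" line cannot be produced. Please check the committed file carries the intended harness paths and closing tags. Separately, the test only checks that `Object.create(window).location` does not crash; an explicit assertion that it resolves to the window's location would also catch a silent wrong result from the prototype walk.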

Modified: releases/WebKitGTK/webkit-2.8/Source/WebCore/ChangeLog (187857 => 187858)


--- releases/WebKitGTK/webkit-2.8/Source/WebCore/ChangeLog	2015-08-04 13:20:34 UTC (rev 187857)
+++ releases/WebKitGTK/webkit-2.8/Source/WebCore/ChangeLog	2015-08-04 13:24:06 UTC (rev 187858)
@@ -1,3 +1,12 @@
+2015-07-22  Mark Dittmer  <mark.s.ditt...@gmail.com>
+
+        Fix toJSDOMWindow() in the case of an object that has the actual JS DOM window in its prototype chain.
+        https://bugs.webkit.org/show_bug.cgi?id=146785
+
+        Reviewed by Mark Lam.
+
+        * bindings/js/JSDOMWindowBase.cpp: toJSDOMWindow(): Walk the prototype chain of the given JSValue until a JSDOMWindow or JSDOMWindowShell is found.
+
 2015-07-21  Benjamin Poulain  <bpoul...@apple.com>
 
         StyleSheetContents::wrapperInsertRule() can create rules that overflow RuleData's selector index

Modified: releases/WebKitGTK/webkit-2.8/Source/WebCore/bindings/js/JSDOMWindowBase.cpp (187857 => 187858)


--- releases/WebKitGTK/webkit-2.8/Source/WebCore/bindings/js/JSDOMWindowBase.cpp	2015-08-04 13:20:34 UTC (rev 187857)
+++ releases/WebKitGTK/webkit-2.8/Source/WebCore/bindings/js/JSDOMWindowBase.cpp	2015-08-04 13:24:06 UTC (rev 187858)
@@ -248,11 +248,15 @@
 {
     if (!value.isObject())
         return 0;
-    const ClassInfo* classInfo = asObject(value)->classInfo();
-    if (classInfo == JSDOMWindow::info())
-        return jsCast<JSDOMWindow*>(asObject(value));
-    if (classInfo == JSDOMWindowShell::info())
-        return jsCast<JSDOMWindowShell*>(asObject(value))->window();
+    while (!value.isNull()) {
+        JSObject* object = asObject(value);
+        const ClassInfo* classInfo = object->classInfo();
+        if (classInfo == JSDOMWindow::info())
+            return jsCast<JSDOMWindow*>(object);
+        if (classInfo == JSDOMWindowShell::info())
+            return jsCast<JSDOMWindowShell*>(object)->window();
+        value = object->prototype();
+    }
     return 0;
 }
 
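Review bot: the loop condition `while (!value.isNull())` makes the `asObject(value)` call on each subsequent iteration depend on `object->prototype()` only ever returning an object or null; writing the condition as `while (value.isObject())` states that precondition directly and subsumes the separate `if (!value.isObject()) return 0;` guard above it. The ChangeLog line should also spell out that any object inheriting from the window now resolves to that window, since this widens what callers of toJSDOMWindow() accept beyond an exact JSDOMWindow or JSDOMWindowShell.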
_______________________________________________
webkit-changes mailing list
webkit-changes@lists.webkit.org
https://lists.webkit.org/mailman/listinfo/webkit-changes
