Modified: releases/WebKitGTK/webkit-2.14/LayoutTests/ChangeLog (214995 => 214996)
--- releases/WebKitGTK/webkit-2.14/LayoutTests/ChangeLog 2017-04-06 06:59:03 UTC (rev 214995)
+++ releases/WebKitGTK/webkit-2.14/LayoutTests/ChangeLog 2017-04-06 07:32:58 UTC (rev 214996)
@@ -1,3 +1,16 @@
+2017-01-06 Chris Dumez <[email protected]>
+
+ Regression(r189230): DOM Callbacks may use wrong global object
+ https://bugs.webkit.org/show_bug.cgi?id=166784
+
+ Reviewed by Mark Lam.
+
+ Add layout test coverage.
+
+ * fast/frames/frame-window-as-callback-expected.txt: Added.
+ * fast/frames/frame-window-as-callback.html: Added.
+ * fast/frames/resources/wrong-global-object.html: Added.
+
2017-01-03 Carlos Alberto Lopez Perez <[email protected]>
A floating element within <li> overlaps with the marker
Added: releases/WebKitGTK/webkit-2.14/LayoutTests/fast/frames/frame-window-as-callback-expected.txt (0 => 214996)
--- releases/WebKitGTK/webkit-2.14/LayoutTests/fast/frames/frame-window-as-callback-expected.txt (rev 0)
+++ releases/WebKitGTK/webkit-2.14/LayoutTests/fast/frames/frame-window-as-callback-expected.txt 2017-04-06 07:32:58 UTC (rev 214996)
@@ -0,0 +1,10 @@
+Tests that we are using the right global object for DOM callbacks.
+
+On success, you will see a series of "PASS" messages, followed by "TEST COMPLETE".
+
+
+PASS: Global object was the right one.
+PASS successfullyParsed is true
+
+TEST COMPLETE
+
Added: releases/WebKitGTK/webkit-2.14/LayoutTests/fast/frames/frame-window-as-callback.html (0 => 214996)
--- releases/WebKitGTK/webkit-2.14/LayoutTests/fast/frames/frame-window-as-callback.html (rev 0)
+++ releases/WebKitGTK/webkit-2.14/LayoutTests/fast/frames/frame-window-as-callback.html 2017-04-06 07:32:58 UTC (rev 214996)
@@ -0,0 +1,28 @@
+<!DOCTYPE html>
+<html>
+<body>
+<script src=""
+<script>
+description("Tests that we are using the right global object for DOM callbacks.");
+jsTestIsAsync = true;
+
+document.result = "PASS: Global object was the right one.";
+var f = document.body.appendChild(document.createElement("iframe"));
+f._onload_ = function() {
+ f._onload_ = null;
+
+ try {
+ var iterator = document.createNodeIterator(document, NodeFilter.SHOW_ALL, f.contentWindow);
+ iterator.nextNode();
+ } catch(e) {
+ e.constructor.constructor("debug(document.result)")();
+ }
+
+ finishJSTest();
+};
+
+f.src = ""
+</script>
+<script src=""
+</body>
+</html>
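Review bot: The `e.constructor.constructor("debug(document.result)")()` call inside the catch block is the entire assertion of this test, and nothing explains why an exception is expected or why its constructor reveals which global object was used; I would add above the `try`: `// Passing the iframe's Window as the NodeFilter makes invoking it throw. The exception is created in the realm of the global object used for the callback, so its Function constructor runs debug(document.result) against that realm's document: the parent prints PASS, the iframe prints FAIL.` With that mechanism stated, a reader can also see that the no-exception case is caught too, since the PASS line would simply be missing from the output compared against the expectation file. The empty `src=""` on the three script tags (and the `_onload_` spelling) look like extraction artifacts rather than the committed test, presumably js-test-pre.js / js-test-post.js and `onload`; confirm against the repository before relying on this listing.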
Added: releases/WebKitGTK/webkit-2.14/LayoutTests/fast/frames/resources/wrong-global-object.html (0 => 214996)
--- releases/WebKitGTK/webkit-2.14/LayoutTests/fast/frames/resources/wrong-global-object.html (rev 0)
+++ releases/WebKitGTK/webkit-2.14/LayoutTests/fast/frames/resources/wrong-global-object.html 2017-04-06 07:32:58 UTC (rev 214996)
@@ -0,0 +1,4 @@
+<script src=""
+<script>
+document.result = "FAIL: Wrong global object was used.";
+</script>
Modified: releases/WebKitGTK/webkit-2.14/Source/WebCore/ChangeLog (214995 => 214996)
--- releases/WebKitGTK/webkit-2.14/Source/WebCore/ChangeLog 2017-04-06 06:59:03 UTC (rev 214995)
+++ releases/WebKitGTK/webkit-2.14/Source/WebCore/ChangeLog 2017-04-06 07:32:58 UTC (rev 214996)
@@ -1,3 +1,31 @@
+2017-01-06 Chris Dumez <[email protected]>
+
+ Regression(r189230): DOM Callbacks may use wrong global object
+ https://bugs.webkit.org/show_bug.cgi?id=166784
+
+ Reviewed by Mark Lam.
+
+ DOM Callbacks could end up using the wrong global object after r189230
+ because we were getting the globalObject from the callback object
+ instead of the one at the point the callback object was passed in by
+ _javascript_. This patch fixes the issue.
+
+ Test: fast/frames/frame-window-as-callback.html
+
+ * bindings/js/JSCallbackData.cpp:
+ (WebCore::JSCallbackData::invokeCallback):
+ * bindings/js/JSCallbackData.h:
+ (WebCore::JSCallbackData::globalObject):
+ (WebCore::JSCallbackData::JSCallbackData):
+ (WebCore::JSCallbackDataStrong::JSCallbackDataStrong):
+ (WebCore::JSCallbackDataStrong::callback):
+ (WebCore::JSCallbackDataStrong::invokeCallback):
+ (WebCore::JSCallbackDataWeak::JSCallbackDataWeak):
+ (WebCore::JSCallbackDataWeak::callback):
+ (WebCore::JSCallbackDataWeak::invokeCallback):
+ * bindings/scripts/CodeGeneratorJS.pm:
+ (GenerateCallbackImplementationContent):
+
2017-01-03 Carlos Alberto Lopez Perez <[email protected]>
A floating element within <li> overlaps with the marker
Modified: releases/WebKitGTK/webkit-2.14/Source/WebCore/bindings/js/JSCallbackData.cpp (214995 => 214996)
--- releases/WebKitGTK/webkit-2.14/Source/WebCore/bindings/js/JSCallbackData.cpp 2017-04-06 06:59:03 UTC (rev 214995)
+++ releases/WebKitGTK/webkit-2.14/Source/WebCore/bindings/js/JSCallbackData.cpp 2017-04-06 07:32:58 UTC (rev 214996)
@@ -39,14 +39,11 @@
namespace WebCore {
-JSValue JSCallbackData::invokeCallback(JSObject* callback, MarkedArgumentBuffer& args, CallbackType method, PropertyName functionName, NakedPtr<Exception>& returnedException)
+JSValue JSCallbackData::invokeCallback(JSDOMGlobalObject& globalObject, JSObject* callback, MarkedArgumentBuffer& args, CallbackType method, PropertyName functionName, NakedPtr<Exception>& returnedException)
{
ASSERT(callback);
- auto* globalObject = JSC::jsCast<JSDOMGlobalObject*>(callback->globalObject());
- ASSERT(globalObject);
-
- ExecState* exec = globalObject->globalExec();
+ ExecState* exec = globalObject.globalExec();
JSValue function;
CallData callData;
CallType callType = CallType::None;
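Review bot: The new `JSDOMGlobalObject&` parameter carries a security-relevant contract that the signature does not state: it is the realm that passed the callback in, not the realm that owns the callback object, and the removed `jsCast<JSDOMGlobalObject*>(callback->globalObject())` is exactly what let a cross-frame object (the layout test passes an iframe's Window) choose the realm the call ran in. A comment above the function would keep a later refactor from reintroducing the regression: `// globalObject is the realm the callback was handed to us from. Never derive it from callback->globalObject(): the callback may belong to another frame, and its exec state and ScriptExecutionContext must not be used for this call.` The body of invokeCallback continues past this hunk (the function lookup, the context check and the call itself), so the `exec`/`context` pairing further down is now also taken from the caller's realm.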
@@ -73,7 +70,7 @@
ASSERT(!function.isEmpty());
ASSERT(callType != CallType::None);
- ScriptExecutionContext* context = globalObject->scriptExecutionContext();
+ ScriptExecutionContext* context = globalObject.scriptExecutionContext();
// We will fail to get the context if the frame has been detached.
if (!context)
return JSValue();
Modified: releases/WebKitGTK/webkit-2.14/Source/WebCore/bindings/js/JSCallbackData.h (214995 => 214996)
--- releases/WebKitGTK/webkit-2.14/Source/WebCore/bindings/js/JSCallbackData.h 2017-04-06 06:59:03 UTC (rev 214995)
+++ releases/WebKitGTK/webkit-2.14/Source/WebCore/bindings/js/JSCallbackData.h 2017-04-06 07:32:58 UTC (rev 214996)
@@ -47,10 +47,13 @@
public:
enum class CallbackType { Function, Object, FunctionOrObject };
+ JSDOMGlobalObject* globalObject() { return m_globalObject.get(); }
+
protected:
- JSCallbackData()
+ explicit JSCallbackData(JSDOMGlobalObject* globalObject)
+ : m_globalObject(globalObject)
#ifndef NDEBUG
- : m_thread(currentThread())
+ , m_thread(currentThread())
#endif
{
}
@@ -62,9 +65,10 @@
#endif
}
- static JSC::JSValue invokeCallback(JSC::JSObject* callback, JSC::MarkedArgumentBuffer&, CallbackType, JSC::PropertyName functionName, NakedPtr<JSC::Exception>& returnedException);
+ static JSC::JSValue invokeCallback(JSDOMGlobalObject&, JSC::JSObject* callback, JSC::MarkedArgumentBuffer&, CallbackType, JSC::PropertyName functionName, NakedPtr<JSC::Exception>& returnedException);
private:
+ JSC::Weak<JSDOMGlobalObject> m_globalObject;
#ifndef NDEBUG
ThreadIdentifier m_thread;
#endif
@@ -72,17 +76,21 @@
class JSCallbackDataStrong : public JSCallbackData {
public:
- JSCallbackDataStrong(JSC::JSObject* callback, void*)
- : m_callback(callback->globalObject()->vm(), callback)
+ JSCallbackDataStrong(JSC::JSObject* callback, JSDOMGlobalObject* globalObject, void*)
+ : JSCallbackData(globalObject)
+ , m_callback(globalObject->vm(), callback)
{
}
JSC::JSObject* callback() { return m_callback.get(); }
- JSDOMGlobalObject* globalObject() { return JSC::jsCast<JSDOMGlobalObject*>(m_callback->globalObject()); }
JSC::JSValue invokeCallback(JSC::MarkedArgumentBuffer& args, CallbackType callbackType, JSC::PropertyName functionName, NakedPtr<JSC::Exception>& returnedException)
{
- return JSCallbackData::invokeCallback(callback(), args, callbackType, functionName, returnedException);
+ auto* globalObject = this->globalObject();
+ if (!globalObject)
+ return { };
+
+ return JSCallbackData::invokeCallback(*globalObject, callback(), args, callbackType, functionName, returnedException);
}
private:
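Review bot: `this->globalObject()` can now be null, because the base class holds the global through `JSC::Weak` while `m_callback` is a `JSC::Strong`, so the callback object can outlive the realm it was registered from; the early `return { }` covers that, but nothing records that the empty JSValue is a deliberate "registering realm is gone" result, the same value JSCallbackData::invokeCallback in JSCallbackData.cpp returns for a detached frame. I would comment the guard: `// The registering realm may have been collected; return an empty value, as invokeCallback does for a detached frame.` The class would also benefit from a note that `callback` and `globalObject` may belong to different realms (the layout test hands an iframe's Window to the parent's createNodeIterator) and that `globalObject->vm()` is used for the Strong handle on the assumption that both realms share one VM — presumably true within a page, but worth stating. The constructor dereferences `globalObject` without a null check; the generated constructor in JSTestCallbackFunction.cpp already dereferences it for `scriptExecutionContext()`, so this only matters for hand-written callers that construct the data directly.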
@@ -91,17 +99,21 @@
class JSCallbackDataWeak : public JSCallbackData {
public:
- JSCallbackDataWeak(JSC::JSObject* callback, void* owner)
- : m_callback(callback, &m_weakOwner, owner)
+ JSCallbackDataWeak(JSC::JSObject* callback, JSDOMGlobalObject* globalObject, void* owner)
+ : JSCallbackData(globalObject)
+ , m_callback(callback, &m_weakOwner, owner)
{
}
JSC::JSObject* callback() { return m_callback.get(); }
- JSDOMGlobalObject* globalObject() { return JSC::jsCast<JSDOMGlobalObject*>(m_callback->globalObject()); }
JSC::JSValue invokeCallback(JSC::MarkedArgumentBuffer& args, CallbackType callbackType, JSC::PropertyName functionName, NakedPtr<JSC::Exception>& returnedException)
{
- return JSCallbackData::invokeCallback(callback(), args, callbackType, functionName, returnedException);
+ auto* globalObject = this->globalObject();
+ if (!globalObject)
+ return { };
+
+ return JSCallbackData::invokeCallback(*globalObject, callback(), args, callbackType, functionName, returnedException);
}
private:
Modified: releases/WebKitGTK/webkit-2.14/Source/WebCore/bindings/scripts/CodeGeneratorJS.pm (214995 => 214996)
--- releases/WebKitGTK/webkit-2.14/Source/WebCore/bindings/scripts/CodeGeneratorJS.pm 2017-04-06 06:59:03 UTC (rev 214995)
+++ releases/WebKitGTK/webkit-2.14/Source/WebCore/bindings/scripts/CodeGeneratorJS.pm 2017-04-06 07:32:58 UTC (rev 214996)
@@ -4230,7 +4230,7 @@
push(@implContent, " : ${interfaceName}()\n");
}
push(@implContent, " , ActiveDOMCallback(globalObject->scriptExecutionContext())\n");
- push(@implContent, " , m_data(new " . GetJSCallbackDataType($interface) . "(callback, this))\n");
+ push(@implContent, " , m_data(new " . GetJSCallbackDataType($interface) . "(callback, globalObject, this))\n");
push(@implContent, "{\n");
push(@implContent, "}\n\n");
Modified: releases/WebKitGTK/webkit-2.14/Source/WebCore/bindings/scripts/test/JS/JSTestCallbackFunction.cpp (214995 => 214996)
--- releases/WebKitGTK/webkit-2.14/Source/WebCore/bindings/scripts/test/JS/JSTestCallbackFunction.cpp 2017-04-06 06:59:03 UTC (rev 214995)
+++ releases/WebKitGTK/webkit-2.14/Source/WebCore/bindings/scripts/test/JS/JSTestCallbackFunction.cpp 2017-04-06 07:32:58 UTC (rev 214996)
@@ -39,7 +39,7 @@
JSTestCallbackFunction::JSTestCallbackFunction(JSObject* callback, JSDOMGlobalObject* globalObject)
: TestCallbackFunction()
, ActiveDOMCallback(globalObject->scriptExecutionContext())
- , m_data(new JSCallbackDataStrong(callback, this))
+ , m_data(new JSCallbackDataStrong(callback, globalObject, this))
{
}