Diff
Modified: trunk/LayoutTests/ChangeLog (125653 => 125654)
--- trunk/LayoutTests/ChangeLog 2012-08-15 07:14:09 UTC (rev 125653)
+++ trunk/LayoutTests/ChangeLog 2012-08-15 08:10:30 UTC (rev 125654)
@@ -1,3 +1,17 @@
+2012-08-14 Andrey Kosyakov <[email protected]>
+
+ Web Inspector: Calling getEventListeners() on element with malformed _javascript_ event listeners crashes
+ https://bugs.webkit.org/show_bug.cgi?id=93937
+
+ Reviewed by Pavel Feldman.
+
+ - added test for crash on invalid syntax in an attribute JS listener;
+ - added custom expectation for chrome due to JS error logged to console by JSC while compiling attribute listener;
+
+ * inspector/console/command-line-api-getEventListeners-expected.txt:
+ * inspector/console/command-line-api-getEventListeners.html:
+ * platform/chromium/inspector/console/command-line-api-getEventListeners-expected.txt: Copied from LayoutTests/inspector/console/command-line-api-getEventListeners-expected.txt.
+
2012-08-15 Christophe Dumez <[email protected]>
[EFL] Update expectations for canvas/philip tests that require space collapsing
Modified: trunk/LayoutTests/inspector/console/command-line-api-getEventListeners-expected.txt (125653 => 125654)
--- trunk/LayoutTests/inspector/console/command-line-api-getEventListeners-expected.txt 2012-08-15 07:14:09 UTC (rev 125653)
+++ trunk/LayoutTests/inspector/console/command-line-api-getEventListeners-expected.txt 2012-08-15 08:10:30 UTC (rev 125654)
@@ -1,6 +1,7 @@
+CONSOLE MESSAGE: line 26: SyntaxError: Expected an identifier but found '_javascript_' instead
Tests getEventListeners() method of console command line API.
-
+
- inner -
keydown: {
0: {
@@ -45,6 +46,7 @@
}
}
- empty -
+- invalid -
- object -
undefined
- null -
Modified: trunk/LayoutTests/inspector/console/command-line-api-getEventListeners.html (125653 => 125654)
--- trunk/LayoutTests/inspector/console/command-line-api-getEventListeners.html 2012-08-15 07:14:09 UTC (rev 125653)
+++ trunk/LayoutTests/inspector/console/command-line-api-getEventListeners.html 2012-08-15 08:10:30 UTC (rev 125654)
@@ -23,7 +23,7 @@
<div id="empty">
</div>
<button id="button" _onclick_="alert(1)" _onmouseover_="listener2()"></button>
-
+<button id="invalid" _onclick_="Invalid _javascript_"></button>
<script>
function listener1()
{
@@ -80,6 +80,8 @@
dumpObject(getEventListeners(document.getElementById("button")));
output("- empty -");
dumpObject(getEventListeners(document.getElementById("empty")));
+ output("- invalid -");
+ dumpObject(getEventListeners(document.getElementById("invalid")));
output("- object -");
output(typeof getEventListeners({}));
output("- null -");
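Review bot: The added `- invalid -` case calls `getEventListeners()` on the element with the malformed attribute only once, so only the first compilation attempt of that listener is exercised. If either binding remembers the failed compile (not visible in this diff), a second call could take a different path from the one the fix guards. Repeating `dumpObject(getEventListeners(document.getElementById("invalid")));` directly after the new line would cover that case, with the expectation files updated to match. The enclosing test function starts and ends outside the hunk.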
Copied: trunk/LayoutTests/platform/chromium/inspector/console/command-line-api-getEventListeners-expected.txt (from rev 125653, trunk/LayoutTests/inspector/console/command-line-api-getEventListeners-expected.txt) (0 => 125654)
--- trunk/LayoutTests/platform/chromium/inspector/console/command-line-api-getEventListeners-expected.txt (rev 0)
+++ trunk/LayoutTests/platform/chromium/inspector/console/command-line-api-getEventListeners-expected.txt 2012-08-15 08:10:30 UTC (rev 125654)
@@ -0,0 +1,57 @@
+Tests getEventListeners() method of console command line API.
+
+
+- inner -
+keydown: {
+ 0: {
+ listener: function listener1() { }
+ useCapture: false
+ }
+ 1: {
+ listener: function listener2() { }
+ useCapture: true
+ }
+}
+- outer -
+mousemove: {
+ 0: {
+ listener: function listener1() { }
+ useCapture: false
+ }
+}
+keydown: {
+ 0: {
+ listener: function listener2() { }
+ useCapture: true
+ }
+}
+mousedown: {
+ 0: {
+ listener: function listener2() { }
+ useCapture: true
+ }
+}
+- attribute event listeners -
+mouseover: {
+ 0: {
+ listener: function onmouseover(event) { listener2() }
+ useCapture: false
+ }
+}
+click: {
+ 0: {
+ listener: function onclick(event) { alert(1) }
+ useCapture: false
+ }
+}
+- empty -
+- invalid -
+- object -
+undefined
+- null -
+undefined
+- undefined -
+undefined
+- window -
+undefined
+
Modified: trunk/Source/WebCore/ChangeLog (125653 => 125654)
--- trunk/Source/WebCore/ChangeLog 2012-08-15 07:14:09 UTC (rev 125653)
+++ trunk/Source/WebCore/ChangeLog 2012-08-15 08:10:30 UTC (rev 125654)
@@ -1,3 +1,17 @@
+2012-08-14 Andrey Kosyakov <[email protected]>
+
+ Web Inspector: Calling getEventListeners() on element with malformed _javascript_ event listeners crashes
+ https://bugs.webkit.org/show_bug.cgi?id=93937
+
+ Reviewed by Pavel Feldman.
+
+ - check listener function to be non-null (happens upon an exception while compiling attribute listeners)
+
+ * bindings/js/JSInjectedScriptHostCustom.cpp:
+ (WebCore::getJSListenerFunctions):
+ * bindings/v8/custom/V8InjectedScriptHostCustom.cpp:
+ (WebCore::getJSListenerFunctions):
+
2012-08-14 Jan Keromnes <[email protected]>
Web Inspector: CodeMirrorTextEditor doesn't clear execution line
Modified: trunk/Source/WebCore/bindings/js/JSInjectedScriptHostCustom.cpp (125653 => 125654)
--- trunk/Source/WebCore/bindings/js/JSInjectedScriptHostCustom.cpp 2012-08-15 07:14:09 UTC (rev 125653)
+++ trunk/Source/WebCore/bindings/js/JSInjectedScriptHostCustom.cpp 2012-08-15 08:10:30 UTC (rev 125654)
@@ -203,6 +203,8 @@
if (jsListener->isolatedWorld() != currentWorld(exec))
continue;
JSObject* function = jsListener->jsFunction(document);
+ if (!function)
+ continue;
JSObject* listenerEntry = constructEmptyObject(exec);
listenerEntry->putDirect(exec->globalData(), Identifier(exec, "listener"), function);
listenerEntry->putDirect(exec->globalData(), Identifier(exec, "useCapture"), jsBoolean(listenerInfo.eventListenerVector[i].useCapture));
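Review bot: The new `if (!function) continue;` guard after `jsListener->jsFunction(document)` carries no comment saying when the function can be null, whereas the V8 counterpart in this commit explains it. The listener source comes from page markup, so the reason belongs next to the check, for example `// jsFunction() returns null when the attribute listener's source fails to compile.` Whether an exception can still be pending on `exec` when null is returned is not visible in this hunk and is worth confirming before the loop continues. The enclosing getJSListenerFunctions body starts and ends outside the hunk.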
Modified: trunk/Source/WebCore/bindings/v8/custom/V8InjectedScriptHostCustom.cpp (125653 => 125654)
--- trunk/Source/WebCore/bindings/v8/custom/V8InjectedScriptHostCustom.cpp 2012-08-15 07:14:09 UTC (rev 125653)
+++ trunk/Source/WebCore/bindings/v8/custom/V8InjectedScriptHostCustom.cpp 2012-08-15 08:10:30 UTC (rev 125654)
@@ -207,7 +207,15 @@
// Hide listeners from other contexts.
if (context != v8::Context::GetCurrent())
continue;
- v8::Local<v8::Object> function = v8Listener->getListenerObject(document);
+ v8::Local<v8::Object> function;
+ {
+ // getListenerObject() may cause JS in the event attribute to get compiled, potentially unsuccessfully.
+ v8::TryCatch block;
+ function = v8Listener->getListenerObject(document);
+ if (block.HasCaught())
+ continue;
+ }
+ ASSERT(!function.IsEmpty());
v8::Local<v8::Object> listenerEntry = v8::Object::New();
listenerEntry->Set(v8::String::New("listener"), function);
listenerEntry->Set(v8::String::New("useCapture"), v8::Boolean::New(listenerInfo.eventListenerVector[i].useCapture));
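Review bot: `ASSERT(!function.IsEmpty())` is compiled out of release builds, so an empty handle that arrives without a caught exception would still reach `listenerEntry->Set(v8::String::New("listener"), function)`. The hunk does not show whether getListenerObject() can return an empty handle without throwing, for instance on a later call for the same listener. Skipping the entry in all builds would match the null check in the JSC binding: `if (block.HasCaught() || function.IsEmpty()) continue;`. The enclosing getJSListenerFunctions body starts and ends outside the hunk.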