Title: [128816] trunk
Revision
128816
Author
[email protected]
Date
2012-09-17 15:47:37 -0700 (Mon, 17 Sep 2012)

Log Message

We don't have a bad enough time if an object's prototype chain crosses global objects
https://bugs.webkit.org/show_bug.cgi?id=96962

Reviewed by Geoffrey Garen.

Source/JavaScriptCore: 

* runtime/JSGlobalObject.cpp:
(JSC):

LayoutTests: 

* fast/js/cross-frame-really-bad-time-expected.txt: Added.
* fast/js/cross-frame-really-bad-time-with-__proto__-expected.txt: Added.
* fast/js/cross-frame-really-bad-time-with-__proto__.html: Added.
* fast/js/cross-frame-really-bad-time.html: Added.
* fast/js/script-tests/cross-frame-really-bad-time-with-__proto__.js: Added.
(foo):
(evil):
(bar):
(done):
* fast/js/script-tests/cross-frame-really-bad-time.js: Added.
(Cons):
(foo):
(evil):
(bar):
(done):

Modified Paths

Added Paths

Diff

Modified: trunk/LayoutTests/ChangeLog (128815 => 128816)


--- trunk/LayoutTests/ChangeLog	2012-09-17 22:45:47 UTC (rev 128815)
+++ trunk/LayoutTests/ChangeLog	2012-09-17 22:47:37 UTC (rev 128816)
@@ -1,3 +1,26 @@
+2012-09-17  Filip Pizlo  <[email protected]>
+
+        We don't have a bad enough time if an object's prototype chain crosses global objects
+        https://bugs.webkit.org/show_bug.cgi?id=96962
+
+        Reviewed by Geoffrey Garen.
+
+        * fast/js/cross-frame-really-bad-time-expected.txt: Added.
+        * fast/js/cross-frame-really-bad-time-with-__proto__-expected.txt: Added.
+        * fast/js/cross-frame-really-bad-time-with-__proto__.html: Added.
+        * fast/js/cross-frame-really-bad-time.html: Added.
+        * fast/js/script-tests/cross-frame-really-bad-time-with-__proto__.js: Added.
+        (foo):
+        (evil):
+        (bar):
+        (done):
+        * fast/js/script-tests/cross-frame-really-bad-time.js: Added.
+        (Cons):
+        (foo):
+        (evil):
+        (bar):
+        (done):
+
 2012-09-17  Beth Dakin  <[email protected]>
 
         https://bugs.webkit.org/show_bug.cgi?id=96945

Added: trunk/LayoutTests/fast/js/cross-frame-really-bad-time-expected.txt (0 => 128816)


--- trunk/LayoutTests/fast/js/cross-frame-really-bad-time-expected.txt	                        (rev 0)
+++ trunk/LayoutTests/fast/js/cross-frame-really-bad-time-expected.txt	2012-09-17 22:47:37 UTC (rev 128816)
@@ -0,0 +1,12 @@
+Tests that having a bad time has correct cross frame behavior, if an instance object is created in a different global object than the affected prototype.
+
+On success, you will see a series of "PASS" messages, followed by "TEST COMPLETE".
+
+
+Array is: 42,,42,,42,,42,,42,
+PASS Array has holes in odd numbered entries.
+PASS Got 5 ouches.
+PASS successfullyParsed is true
+
+TEST COMPLETE
+

Added: trunk/LayoutTests/fast/js/cross-frame-really-bad-time-with-__proto__-expected.txt (0 => 128816)


--- trunk/LayoutTests/fast/js/cross-frame-really-bad-time-with-__proto__-expected.txt	                        (rev 0)
+++ trunk/LayoutTests/fast/js/cross-frame-really-bad-time-with-__proto__-expected.txt	2012-09-17 22:47:37 UTC (rev 128816)
@@ -0,0 +1,12 @@
+Tests that having a bad time has correct cross frame behavior, if an instance object is created in a different global object than the affected prototype, and the prototype is assigned using __proto__.
+
+On success, you will see a series of "PASS" messages, followed by "TEST COMPLETE".
+
+
+Array is: 42,,42,,42,,42,,42,
+PASS Array has holes in odd numbered entries.
+PASS Got 5 ouches.
+PASS successfullyParsed is true
+
+TEST COMPLETE
+

Added: trunk/LayoutTests/fast/js/cross-frame-really-bad-time-with-__proto__.html (0 => 128816)


--- trunk/LayoutTests/fast/js/cross-frame-really-bad-time-with-__proto__.html	                        (rev 0)
+++ trunk/LayoutTests/fast/js/cross-frame-really-bad-time-with-__proto__.html	2012-09-17 22:47:37 UTC (rev 128816)
@@ -0,0 +1,11 @@
+<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML//EN">
+<html>
+<head>
+<script src=""
+</head>
+<body>
+<iframe id="myframe"></iframe>
+<script src=""
+<script src=""
+</body>
+</html>
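Review bot: as rendered here, all three `<script src=""` tags have an empty src and are never closed with `>` or `</script>`, so the page as shown would load neither the test harness nor script-tests/cross-frame-really-bad-time-with-__proto__.js; if this is an artifact of how the mail was rendered, fine, but verify the committed file references the harness scripts (js-test-pre.js and js-test-post.js in WebKit's LayoutTests) and the script-tests file.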

Added: trunk/LayoutTests/fast/js/cross-frame-really-bad-time.html (0 => 128816)


--- trunk/LayoutTests/fast/js/cross-frame-really-bad-time.html	                        (rev 0)
+++ trunk/LayoutTests/fast/js/cross-frame-really-bad-time.html	2012-09-17 22:47:37 UTC (rev 128816)
@@ -0,0 +1,11 @@
+<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML//EN">
+<html>
+<head>
+<script src=""
+</head>
+<body>
+<iframe id="myframe"></iframe>
+<script src=""
+<script src=""
+</body>
+</html>
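Review bot: same problem as the `__proto__` variant above: the `<script src=""` tags in this hunk carry no path and are unclosed, so confirm the committed file actually points at the harness scripts and script-tests/cross-frame-really-bad-time.js.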

Added: trunk/LayoutTests/fast/js/script-tests/cross-frame-really-bad-time-with-__proto__.js (0 => 128816)


--- trunk/LayoutTests/fast/js/script-tests/cross-frame-really-bad-time-with-__proto__.js	                        (rev 0)
+++ trunk/LayoutTests/fast/js/script-tests/cross-frame-really-bad-time-with-__proto__.js	2012-09-17 22:47:37 UTC (rev 128816)
@@ -0,0 +1,58 @@
+description(
+"Tests that having a bad time has correct cross frame behavior, if an instance object is created in a different global object than the affected prototype, and the prototype is assigned using __proto__."
+);
+
+if (window.testRunner)
+    testRunner.waitUntilDone();
+
+var ouches = 0;
+
+var array;
+
+function foo(thePrototype) {
+    array = {};
+    array.__proto__ = thePrototype;
+    array.length = 10;
+    for (var i = 0; i < 10; i+=2)
+        array[i] = 42;
+}
+
+function evil(thePrototype) {
+    for (var i = 0; i < 10; i+=2)
+        thePrototype.__defineSetter__(i + 1, function() { ouches++; });
+}
+
+function bar() {
+    for (var i = 0; i < 10; i+=2)
+        array[i + 1] = 63;
+}
+
+function done() {
+    var string = Array.prototype.join.apply(array, [","]);
+    debug("Array is: " + string);
+    if (string == "42,,42,,42,,42,,42,")
+        testPassed("Array has holes in odd numbered entries.");
+    else
+        testFailed("Array does not have the required holes.");
+    
+    if (ouches == 5)
+        testPassed("Got 5 ouches.");
+    else
+        testFailed("Did not get 5 ouches. Got " + ouches + " + instead.");
+    
+    if (testRunner)
+        testRunner.notifyDone();
+}
+
+var frame = document.getElementById("myframe");
+
+frame.contentDocument.open();
+frame.contentDocument.write(
+    "<!DOCTYPE html>\n<html><body><script type=\"text/_javascript_\">\n" +
+    "var thePrototype = {};\n" +
+    "window.parent.foo(thePrototype);\n" +
+    "window.parent.evil(thePrototype);\n" +
+    "window.parent.bar();\n" +
+    "window.parent.done();\n" +
+    "</script></body></html>");
+frame.contentDocument.close();
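Review bot: `if (testRunner)` in done() throws a ReferenceError when the test is opened in a plain browser, because `testRunner` is a free identifier there; the earlier guard uses `window.testRunner`, so use the same form here. The failure message `"Did not get 5 ouches. Got " + ouches + " + instead."` also has a stray literal " + " and prints as "Got 3 + instead."; drop it. Otherwise the ordering is what matters for the bug: foo() creates `array` in the parent global but gives it a prototype from the iframe global and fills the even indices, evil() then installs indexed setters on that prototype, and bar() expects every store to an odd index to hit a setter instead of landing in `array`, which is why both checks (holes at odd indices and exactly 5 ouches) must hold together.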

Added: trunk/LayoutTests/fast/js/script-tests/cross-frame-really-bad-time.js (0 => 128816)


--- trunk/LayoutTests/fast/js/script-tests/cross-frame-really-bad-time.js	                        (rev 0)
+++ trunk/LayoutTests/fast/js/script-tests/cross-frame-really-bad-time.js	2012-09-17 22:47:37 UTC (rev 128816)
@@ -0,0 +1,59 @@
+description(
+"Tests that having a bad time has correct cross frame behavior, if an instance object is created in a different global object than the affected prototype."
+);
+
+if (window.testRunner)
+    testRunner.waitUntilDone();
+
+var ouches = 0;
+
+function Cons() { }
+
+var array;
+
+function foo() {
+    array = new Cons();
+    array.length = 10;
+    for (var i = 0; i < 10; i+=2)
+        array[i] = 42;
+}
+
+function evil() {
+    for (var i = 0; i < 10; i+=2)
+        Cons.prototype.__defineSetter__(i + 1, function() { ouches++; });
+}
+
+function bar() {
+    for (var i = 0; i < 10; i+=2)
+        array[i + 1] = 63;
+}
+
+function done() {
+    var string = Array.prototype.join.apply(array, [","]);
+    debug("Array is: " + string);
+    if (string == "42,,42,,42,,42,,42,")
+        testPassed("Array has holes in odd numbered entries.");
+    else
+        testFailed("Array does not have the required holes.");
+    
+    if (ouches == 5)
+        testPassed("Got 5 ouches.");
+    else
+        testFailed("Did not get 5 ouches. Got " + ouches + " + instead.");
+    
+    if (testRunner)
+        testRunner.notifyDone();
+}
+
+var frame = document.getElementById("myframe");
+
+frame.contentDocument.open();
+frame.contentDocument.write(
+    "<!DOCTYPE html>\n<html><body><script type=\"text/_javascript_\">\n" +
+    "window.parent.Cons.prototype = {};\n" +
+    "window.parent.foo();\n" +
+    "window.parent.evil();\n" +
+    "window.parent.bar();\n" +
+    "window.parent.done();\n" +
+    "</script></body></html>");
+frame.contentDocument.close();
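Review bot: same two defects as in the `__proto__` variant: `if (testRunner)` in done() should be `if (window.testRunner)` to avoid a ReferenceError outside the test runner, and the failure message contains a stray `" + "`. The two scripts differ only in how the cross-global prototype is attached (here the iframe replaces `window.parent.Cons.prototype` with an object from its own global before `new Cons()` runs in the parent), so consider factoring the shared evil()/bar()/done() code into one helper rather than duplicating it.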

Modified: trunk/Source/_javascript_Core/ChangeLog (128815 => 128816)


--- trunk/Source/_javascript_Core/ChangeLog	2012-09-17 22:45:47 UTC (rev 128815)
+++ trunk/Source/_javascript_Core/ChangeLog	2012-09-17 22:47:37 UTC (rev 128816)
@@ -1,5 +1,15 @@
 2012-09-17  Filip Pizlo  <[email protected]>
 
+        We don't have a bad enough time if an object's prototype chain crosses global objects
+        https://bugs.webkit.org/show_bug.cgi?id=96962
+
+        Reviewed by Geoffrey Garen.
+
+        * runtime/JSGlobalObject.cpp:
+        (JSC):
+
+2012-09-17  Filip Pizlo  <[email protected]>
+
         Unreviewed, fix a broken assertion in offlineasm.
 
         * offlineasm/armv7.rb:
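Review bot: the JavaScriptCore entry lists `* runtime/JSGlobalObject.cpp:` with only `(JSC):` under it, which names no function; name the visitor function whose body gained the prototype-chain walk, and say why the `hasBrokenIndexing` check was moved ahead of the global-object check, so the ChangeLog explains the change rather than just the file.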

Modified: trunk/Source/_javascript_Core/runtime/JSGlobalObject.cpp (128815 => 128816)


--- trunk/Source/_javascript_Core/runtime/JSGlobalObject.cpp	2012-09-17 22:45:47 UTC (rev 128815)
+++ trunk/Source/_javascript_Core/runtime/JSGlobalObject.cpp	2012-09-17 22:47:37 UTC (rev 128816)
@@ -363,15 +363,29 @@
         return;
     
     JSObject* object = asObject(cell);
+
+    // Run this filter first, since it's cheap, and ought to filter out a lot of objects.
+    if (!hasBrokenIndexing(object))
+        return;
     
     // We only want to have a bad time in the affected global object, not in the entire
-    // VM.
-    if (object->unwrappedGlobalObject() != m_globalObject)
+    // VM. But we have to be careful, since there may be objects that claim to belong to
+    // a different global object that has prototypes from our global object.
+    bool foundGlobalObject = false;
+    for (JSObject* current = object; ;) {
+        if (current->unwrappedGlobalObject() == m_globalObject) {
+            foundGlobalObject = true;
+            break;
+        }
+        
+        JSValue prototypeValue = current->prototype();
+        if (prototypeValue.isNull())
+            break;
+        current = asObject(prototypeValue);
+    }
+    if (!foundGlobalObject)
         return;
     
-    if (!hasBrokenIndexing(object))
-        return;
-    
     m_foundObjects.append(object);
 }
 
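Review bot: the walk is correct as far as the visible lines go, but the comment "objects that claim to belong to a different global object that has prototypes from our global object" reads awkwardly; say "objects that belong to a different global object but have a prototype from ours". The `for (JSObject* current = object; ;)` loop with a flag and `break` would also read better as a small helper such as `static bool prototypeChainContainsGlobalObject(JSObject*, JSGlobalObject*)` returning from inside the loop, which would remove `foundGlobalObject` entirely. Two things worth stating in the review record: termination relies on `prototype()` eventually being null, which holds because prototype chains are acyclic; and the walk stops at the first object in the chain owned by `m_globalObject`, so an instance created in another frame whose chain passes through a prototype from this global object is now appended to `m_foundObjects`. That is the case the new layout tests cover: without it such an instance keeps its fast indexed storage while a prototype in the affected global object has indexed accessors, and stores to holes bypass those accessors. Running `hasBrokenIndexing` first is fine since it is a per-object check with no dependency on the global-object test, and it keeps the chain walk off the common path.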
_______________________________________________
webkit-changes mailing list
[email protected]
http://lists.webkit.org/mailman/listinfo/webkit-changes
