Title: [199905] trunk/Source/WebCore
Revision
199905
Author
[email protected]
Date
2016-04-22 14:24:27 -0700 (Fri, 22 Apr 2016)

Log Message

buildObjectForEventListener should not call into JSC with a null ExecState
https://bugs.webkit.org/show_bug.cgi?id=156923

Reviewed by Joseph Pecoraro.

If a user had disabled JavaScript on their page and the inspector then tried to
add an event listener, we would fail to create an ExecState. Since we didn't
check that this ExecState was valid, we would then attempt to stringify the value,
which would cause JSC to crash.

* inspector/InspectorDOMAgent.cpp:
(WebCore::InspectorDOMAgent::buildObjectForEventListener):

Modified Paths

Diff

Modified: trunk/Source/WebCore/ChangeLog (199904 => 199905)


--- trunk/Source/WebCore/ChangeLog	2016-04-22 21:22:52 UTC (rev 199904)
+++ trunk/Source/WebCore/ChangeLog	2016-04-22 21:24:27 UTC (rev 199905)
@@ -1,3 +1,18 @@
+2016-04-22  Keith Miller  <[email protected]>
+
+        buildObjectForEventListener should not call into JSC with a null ExecState
+        https://bugs.webkit.org/show_bug.cgi?id=156923
+
+        Reviewed by Joseph Pecoraro.
+
+        If a user had disabled _javascript_ on their page then the inspector tried to
+        add an event listener we would fail to create an ExecState. Since we didn't
+        check this ExecState was valid we would then attempt to stringify the value,
+        which would cause JSC to crash.
+
+        * inspector/InspectorDOMAgent.cpp:
+        (WebCore::InspectorDOMAgent::buildObjectForEventListener):
+
 2016-04-22  Dean Jackson  <[email protected]>
 
         Yet another attempt at fixing Windows.
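Review bot: The first sentence of the new ChangeLog entry is missing a conjunction ("If a user had disabled JavaScript on their page then the inspector tried to add an event listener we would fail ..."); consider "on their page and the inspector then tried to add an event listener, we would fail to create an ExecState." so the cause-and-effect reads clearly in the log.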

Modified: trunk/Source/WebCore/inspector/InspectorDOMAgent.cpp (199904 => 199905)


--- trunk/Source/WebCore/inspector/InspectorDOMAgent.cpp	2016-04-22 21:22:52 UTC (rev 199904)
+++ trunk/Source/WebCore/inspector/InspectorDOMAgent.cpp	2016-04-22 21:24:27 UTC (rev 199905)
@@ -1472,7 +1472,7 @@
         JSC::JSLockHolder lock(scriptListener->isolatedWorld().vm());
         state = execStateFromNode(scriptListener->isolatedWorld(), &node->document());
         handler = scriptListener->jsFunction(&node->document());
-        if (handler) {
+        if (handler && state) {
             body = handler->toString(state)->value(state);
             if (auto function = JSC::jsDynamicCast<JSC::JSFunction*>(handler)) {
                 if (!function->isHostOrBuiltinFunction()) {
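Review bot: The added `state` check in `if (handler && state)` is the right guard for `handler->toString(state)->value(state)`, but nothing at the call site says why `state` can be null; a one-line comment noting that `execStateFromNode` yields no ExecState when script is disabled for the document (the case described in the commit message) would save the next reader a trip to the bug. Also worth confirming that every other use of `state` for this listener stays inside this guarded block (the `jsDynamicCast` branch is nested under it, so it is covered), since a later use outside the `if` would simply move the null dereference down a few lines. Finally, with `state` null the listener object is now built without a `body`, which is a silent behaviour change for the inspector; mentioning that expected outcome in the ChangeLog would make the fix easier to verify.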
_______________________________________________
webkit-changes mailing list
[email protected]
https://lists.webkit.org/mailman/listinfo/webkit-changes