Context Navigation

JSGlobalObject.cpp

Timestamp:

Sep 17, 2012, 3:47:37 PM (13 years ago)

Author:

Message:

We don't have a bad enough time if an object's prototype chain crosses global objects
https://bugs.webkit.org/show_bug.cgi?id=96962

Reviewed by Geoffrey Garen.

Source/JavaScriptCore:

(JSC):

LayoutTests:

(foo):
(evil):
(bar):
(done):

(Cons):
(foo):
(evil):
(bar):
(done):

File:

-              r128813
+              r128816
     JSObject* object = asObject(cell);
+    // Run this filter first, since it's cheap, and ought to filter out a lot of objects.
+    if (!hasBrokenIndexing(object))
+        return;
     // We only want to have a bad time in the affected global object, not in the entire
+    // VM.
+    if (object->unwrappedGlobalObject() != m_globalObject)
+        return;
+    if (!hasBrokenIndexing(object))
+    // VM. But we have to be careful, since there may be objects that claim to belong to
+    // a different global object that has prototypes from our global object.
+    bool foundGlobalObject = false;
+    for (JSObject* current = object; ;) {
+        if (current->unwrappedGlobalObject() == m_globalObject) {
+            foundGlobalObject = true;
+            break;
+        }
+        JSValue prototypeValue = current->prototype();
+        if (prototypeValue.isNull())
+            break;
+        current = asObject(prototypeValue);
+    }
+    if (!foundGlobalObject)
         return;

Note: See TracChangeset for help on using the changeset viewer.