Changeset 31145 in webkit for trunk/JavaScriptCore/kjs/object.cpp


Timestamp:
Mar 18, 2008, 6:50:11 PM (17 years ago)
Author:
[email protected]
Message:

Fix http://bugs.webkit.org/show_bug.cgi?id=17925 and http://bugs.webkit.org/show_bug.cgi?id=17927.

  • Bug 17925: Crash in KJS::JSObject::put after setting this.__proto__
  • Bug 17927: Hang after attempting to create circular __proto__
  • kjs/object.cpp:

(KJS::JSObject::put): Silently ignore attempts to set __proto__ to a non-object, non-null value.
Return after setting the exception when an attempt to set a cyclic proto is detected so that
the cyclic value is not set.

File:
1 edited

  • trunk/JavaScriptCore/kjs/object.cpp

    r31121 r31145  
    211211  if (propertyName == exec->propertyNames().underscoreProto) {
    212212    JSObject* proto = value->getObject();
     213
     214    // Setting __proto__ to a non-object, non-null value is silently ignored to match Mozilla
     215    if (!proto && value != jsNull())
     216      return;
     217
    213218    while (proto) {
    214       if (proto == this)
     219      if (proto == this) {
    215220        throwError(exec, GeneralError, "cyclic __proto__ value");
     221        return;
     222      }
    216223      proto = proto->prototype() ? proto->prototype()->getObject() : 0;
    217224    }
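Review bot: No regression test accompanies the two new exit paths in KJS::JSObject::put (the early return at new lines 215-216 and the return at new line 221); the changeset lists object.cpp as the only edited file, yet both bugs are a crash and a hang that are easy to reintroduce. Please add a test that assigns a primitive (number, string, boolean, undefined) to __proto__ and checks that the prototype is unchanged and nothing is thrown, and one that attempts a cyclic assignment and checks both that "cyclic __proto__ value" is raised and that the object's prototype is still its previous value afterwards. A smaller point on new line 214: the comment says the silent ignore is "to match Mozilla" but does not say why the non-object case needs guarding at all; citing bug 17925 there would tell the next reader that removing the check brings the crash back. The null case deliberately skips both the guard and the loop, and the code that stores the new prototype lies below the visible context, so it is worth confirming in the test that assigning null still clears the prototype.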