Changeset 36875 in webkit for trunk/JavaScriptCore/kjs


Timestamp:
Sep 24, 2008, 5:07:29 PM (17 years ago)
Author:
[email protected]
Message:

JavaScriptCore:

2008-09-24 Sam Weinig <[email protected]>

Reviewed by Darin Adler.

Fix for https://bugs.webkit.org/show_bug.cgi?id=21080
<rdar://problem/6243534>
Crash below Function.apply when using a runtime array as the argument list

Test: plugins/bindings-array-apply-crash.html

  • kjs/FunctionPrototype.cpp: (JSC::functionProtoFuncApply): Revert to the slow case if the object inherits from JSArray (via ClassInfo) but is not a JSArray.

WebKitTools:

2008-09-24 Sam Weinig <[email protected]>

Reviewed by Darin Adler.

Fix for https://bugs.webkit.org/show_bug.cgi?id=21080
<rdar://problem/6243534>
Crash below Function.apply when using a runtime array as the argument list

Add method to ObjCController to return a runtime array.

  • DumpRenderTree/mac/ObjCController.m: (+[ObjCController isSelectorExcludedFromWebScript:]): (+[ObjCController webScriptNameForSelector:]): (-[ObjCController testArray]):

LayoutTests:

2008-09-24 Sam Weinig <[email protected]>

Reviewed by Darin Adler.

Test for https://bugs.webkit.org/show_bug.cgi?id=21080
<rdar://problem/6243534>
Crash below Function.apply when using a runtime array as the argument list

  • platform/mac/plugins/bindings-array-apply-crash-expected.txt: Added.
  • platform/mac/plugins/bindings-array-apply-crash.html: Added.
File:
1 edited

  • trunk/JavaScriptCore/kjs/FunctionPrototype.cpp

    r36782 r36875  
    102102            else if (exec->machine()->isJSArray(argArray))
    103103                static_cast<JSArray*>(argArray)->fillArgList(exec, applyArgs);
    104             else if (static_cast<JSObject*>(argArray)->inherits(&JSArray::info))
    105                 static_cast<JSArray*>(argArray)->fillArgList(exec, applyArgs);
    106             else
     104            else if (static_cast<JSObject*>(argArray)->inherits(&JSArray::info)) {
     105                unsigned length = static_cast<JSObject*>(argArray)->get(exec, exec->propertyNames().length)->toUInt32(exec);
     106                for (unsigned i = 0; i < length; ++i)
     107                    applyArgs.append(static_cast<JSObject*>(argArray)->get(exec, i));
     108            } else
    107109                return throwError(exec, TypeError);
    108110        } else
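Review bot: in the new `inherits(&JSArray::info)` branch, both the `length` read (`get(exec, exec->propertyNames().length)->toUInt32(exec)`) and every `get(exec, i)` inside the loop can run a getter or a runtime binding's own property access and may leave a JavaScript exception pending, yet the loop appends whatever comes back and keeps iterating with no exception check; add an `exec->hadException()` check after the `length` conversion and after each `get(exec, i)` and return early, the same way the branch already returns early via `throwError(exec, TypeError)`, so a thrown exception is not masked by continuing to fill `applyArgs`. Minor: `static_cast<JSObject*>(argArray)` is repeated three times in five lines and would read better hoisted into one local `JSObject*`. The substance of the change is right: the removed lines cast an object that merely inherits from `JSArray` (by `ClassInfo`) to `JSArray*` and called `fillArgList` on it, which is the type confusion behind the reported crash, and walking `length` and the indexed properties through the generic `get` path avoids that cast entirely.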