Context Navigation

← Previous Change
Next Change →

Changeset 38148 in webkit for trunk/JavaScriptCore

Timestamp:

Nov 5, 2008, 7:26:30 PM (17 years ago)

Author:

[email protected]

Message:

JavaScriptCore:

2008-11-05 Gavin Barraclough <[email protected]>

Reviewed by Maciej Stachowiak.

https://bugs.webkit.org/show_bug.cgi?id=22094

Fix for bug where the callee incorrectly recieves the caller's lexical
global object as this, rather than its own. Implementation closely
follows the spec, passing jsNull, checking in the callee and replacing
with the global object where necessary.

VM/CTI.cpp: (JSC::CTI::compileOpCall):
VM/Machine.cpp: (JSC::Machine::cti_op_call_NotJSFunction): (JSC::Machine::cti_op_call_eval):
runtime/JSCell.h: (JSC::JSValue::toThisObject):
runtime/JSImmediate.cpp: (JSC::JSImmediate::toThisObject):
runtime/JSImmediate.h:

LayoutTests:

2008-11-05 Gavin Barraclough <[email protected]>

Reviewed by Maciej Stachowiak.

Previosly the test 'cross-site-this' checked that the second level deep method called
across frames recieved the correct this pointer, when no base object is provided.

Test updated so that it check that the code in the child frame, and both the first
and second functions called in the parent frame recieve the correct this values.

fast/frames/cross-site-this.html:
fast/frames/resources/cross-site-this-helper.html:

Location:

trunk/JavaScriptCore

Files:

: 6 edited

ChangeLog (modified) (1 diff)
VM/CTI.cpp (modified) (1 diff)
VM/Machine.cpp (modified) (2 diffs)
runtime/JSCell.h (modified) (1 diff)
runtime/JSImmediate.cpp (modified) (1 diff)
runtime/JSImmediate.h (modified) (1 diff)

Legend:

: Unmodified
: Added
: Removed

trunk/JavaScriptCore/ChangeLog

-              r38146
+              r38148
+-11-05  Gavin Barraclough  <[email protected]>
+        Reviewed by Maciej Stachowiak.
+        https://bugs.webkit.org/show_bug.cgi?id=22094
+        Fix for bug where the callee incorrectly recieves the caller's lexical
+        global object as this, rather than its own.  Implementation closely
+        follows the spec, passing jsNull, checking in the callee and replacing
+        with the global object where necessary.
+        * VM/CTI.cpp:
+        (JSC::CTI::compileOpCall):
+        * VM/Machine.cpp:
+        (JSC::Machine::cti_op_call_NotJSFunction):
+        (JSC::Machine::cti_op_call_eval):
+        * runtime/JSCell.h:
+        (JSC::JSValue::toThisObject):
+        * runtime/JSImmediate.cpp:
+        (JSC::JSImmediate::toThisObject):
+        * runtime/JSImmediate.h:
 -11-05  Kevin Ollivier  <[email protected]>

trunk/JavaScriptCore/VM/CTI.cpp

-              r38012
+              r38148
     if (opcodeID != op_construct) {
         int thisVal = instruction[3].u.operand;
+        if (thisVal == missingThisObjectMarker()) {
+            // FIXME: should this be loaded dynamically off m_callFrame?
+            m_jit.movl_i32m(asInteger(m_callFrame->globalThisValue()), firstArg * sizeof(Register), X86::edi);
+        } else {
+        if (thisVal == missingThisObjectMarker())
+            m_jit.movl_i32m(asInteger(jsNull()), firstArg * sizeof(Register), X86::edi);
+        else {
             emitGetArg(thisVal, X86::eax);
             emitPutResult(firstArg);

trunk/JavaScriptCore/VM/Machine.cpp

-              r38137
+              r38148
+        {
             SamplingTool::HostCallRecord callRecord(CTI_SAMPLER);
+            returnValue = callData.native.function(callFrame, asObject(funcVal), argv[0].jsValue(callFrame), argList);
+            // All host methods should be calling toThisObject, but this is not presently the case.
+            JSValue* thisValue = argv[0].jsValue(callFrame);
+            if (thisValue == jsNull())
+                thisValue = callFrame->globalThisValue();
+            returnValue = callData.native.function(callFrame, asObject(funcVal), thisValue, argList);
+        }
         ARG_setCallFrame(previousCallFrame);
 …
     if (baseVal == scopeChain->globalObject() && funcVal == scopeChain->globalObject()->evalFunction()) {
         JSObject* thisObject = asObject(callFrame[codeBlock->thisRegister].jsValue(callFrame));
+        JSObject* thisObject = callFrame[codeBlock->thisRegister].jsValue(callFrame)->toThisObject(callFrame);
         JSValue* exceptionValue = noValue();
         JSValue* result = machine->callEval(callFrame, thisObject, scopeChain, registerFile, registerOffset - RegisterFile::CallFrameHeaderSize - argCount, argCount, exceptionValue);

trunk/JavaScriptCore/runtime/JSCell.h

r38137	r38148
285	285	{
286	286	if (UNLIKELY(JSImmediate::isImmediate(asValue())))
287		return JSImmediate::toObject(asValue(), exec);
	287	return JSImmediate::toThisObject(asValue(), exec);
288	288	return asCell()->toThisObject(exec);
289	289	}

trunk/JavaScriptCore/runtime/JSImmediate.cpp

-              r37938
+              r38148
 namespace JSC {
+JSObject* JSImmediate::toThisObject(JSValue* v, ExecState* exec)
+{
+    ASSERT(isImmediate(v));
+    if (isNumber(v))
+        return constructNumberFromImmediateNumber(exec, v);
+    if (isBoolean(v))
+        return constructBooleanFromImmediateBoolean(exec, v);
+    if (v == jsNull())
+        return exec->globalThisValue();
+    JSNotAnObjectErrorStub* exception = createNotAnObjectErrorStub(exec, v->isNull());
+    exec->setException(exception);
+    return new (exec) JSNotAnObject(exec, exception);
+}
 JSObject* JSImmediate::toObject(JSValue* v, ExecState* exec)

trunk/JavaScriptCore/runtime/JSImmediate.h

r37938	r38148
234	234	static bool toBoolean(JSValue*);
235	235	static JSObject* toObject(JSValue, ExecState);
	236	static JSObject* toThisObject(JSValue, ExecState);
236	237	static UString toString(JSValue*);
237	238

Note: See TracChangeset for help on using the changeset viewer.