Changeset 38148 in webkit for trunk/JavaScriptCore/VM


Ignore:
Timestamp:
Nov 5, 2008, 7:26:30 PM (17 years ago)
Author:
[email protected]
Message:

JavaScriptCore:

2008-11-05 Gavin Barraclough <[email protected]>

Reviewed by Maciej Stachowiak.

https://bugs.webkit.org/show_bug.cgi?id=22094

Fix for bug where the callee incorrectly recieves the caller's lexical
global object as this, rather than its own. Implementation closely
follows the spec, passing jsNull, checking in the callee and replacing
with the global object where necessary.

  • VM/CTI.cpp: (JSC::CTI::compileOpCall):
  • VM/Machine.cpp: (JSC::Machine::cti_op_call_NotJSFunction): (JSC::Machine::cti_op_call_eval):
  • runtime/JSCell.h: (JSC::JSValue::toThisObject):
  • runtime/JSImmediate.cpp: (JSC::JSImmediate::toThisObject):
  • runtime/JSImmediate.h:

LayoutTests:

2008-11-05 Gavin Barraclough <[email protected]>

Reviewed by Maciej Stachowiak.

Previosly the test 'cross-site-this' checked that the second level deep method called
across frames recieved the correct this pointer, when no base object is provided.


Test updated so that it check that the code in the child frame, and both the first
and second functions called in the parent frame recieve the correct this values.

  • fast/frames/cross-site-this.html:
  • fast/frames/resources/cross-site-this-helper.html:
Location:
trunk/JavaScriptCore/VM
Files:
2 edited

Legend:

Unmodified
Added
Removed

  • trunk/JavaScriptCore/VM/CTI.cpp

    r38012 r38148  
    629629    if (opcodeID != op_construct) {
    630630        int thisVal = instruction[3].u.operand;
    631         if (thisVal == missingThisObjectMarker()) {
    632             // FIXME: should this be loaded dynamically off m_callFrame?
    633             m_jit.movl_i32m(asInteger(m_callFrame->globalThisValue()), firstArg * sizeof(Register), X86::edi);
    634         } else {
     631        if (thisVal == missingThisObjectMarker())
     632            m_jit.movl_i32m(asInteger(jsNull()), firstArg * sizeof(Register), X86::edi);
     633        else {
    635634            emitGetArg(thisVal, X86::eax);
    636635            emitPutResult(firstArg);

  • trunk/JavaScriptCore/VM/Machine.cpp

    r38137 r38148  
    48194819        {
    48204820            SamplingTool::HostCallRecord callRecord(CTI_SAMPLER);
    4821             returnValue = callData.native.function(callFrame, asObject(funcVal), argv[0].jsValue(callFrame), argList);
     4821
     4822            // All host methods should be calling toThisObject, but this is not presently the case.
     4823            JSValue* thisValue = argv[0].jsValue(callFrame);
     4824            if (thisValue == jsNull())
     4825                thisValue = callFrame->globalThisValue();
     4826
     4827            returnValue = callData.native.function(callFrame, asObject(funcVal), thisValue, argList);
    48224828        }
    48234829        ARG_setCallFrame(previousCallFrame);
     
    56455651
    56465652    if (baseVal == scopeChain->globalObject() && funcVal == scopeChain->globalObject()->evalFunction()) {
    5647         JSObject* thisObject = asObject(callFrame[codeBlock->thisRegister].jsValue(callFrame));
     5653        JSObject* thisObject = callFrame[codeBlock->thisRegister].jsValue(callFrame)->toThisObject(callFrame);
    56485654        JSValue* exceptionValue = noValue();
    56495655        JSValue* result = machine->callEval(callFrame, thisObject, scopeChain, registerFile, registerOffset - RegisterFile::CallFrameHeaderSize - argCount, argCount, exceptionValue);
Note: See TracChangeset for help on using the changeset viewer.