Ignore:
Timestamp:
Dec 15, 2008, 4:22:14 PM (16 years ago)
Author:
Darin Adler
Message:

JavaScriptCore:

2008-12-15 Darin Adler <Darin Adler>

Reviewed by Sam Weinig.

  • fix <rdar://problem/6427048> crash due to infinite recursion after setting window.proto = window

Replaced toGlobalObject with the more generally useful unwrappedObject and used it to
fix the cycle detection code in put(proto).

  • runtime/JSGlobalObject.cpp: Removed toGlobalObject. We now use unwrappedObject instead.
  • runtime/JSGlobalObject.h: (JSC::JSGlobalObject::isGlobalObject): Ditto.
  • runtime/JSGlobalObjectFunctions.cpp: (JSC::globalFuncEval): Use unwrappedObject and isGlobalObject here rather than toGlobalObject.
  • runtime/JSObject.cpp: (JSC::JSObject::put): Rewrote prototype cycle checking loop. Use unwrappedObject in the loop now. (JSC::JSObject::unwrappedObject): Replaced toGlobalObject with this new function.
  • runtime/JSObject.h: More of the same.

WebCore:

2008-12-15 Darin Adler <Darin Adler>

Reviewed by Sam Weinig.

  • fix <rdar://problem/6427048> crash due to infinite recursion after setting window.proto = window

Test: fast/dom/Window/window-custom-prototype.html

Replaced toGlobalObject with the more generally useful unwrappedObject.

  • bindings/js/JSDOMWindowShell.cpp: (WebCore::JSDOMWindowShell::unwrappedObject): Added.
  • bindings/js/JSDOMWindowShell.h: Declared unwrappedObject.
  • bindings/js/JSQuarantinedObjectWrapper.h: (WebCore::JSQuarantinedObjectWrapper::unwrappedObject): Ditto.

LayoutTests:

2008-12-15 Darin Adler <Darin Adler>

Reviewed by Sam Weinig.

  • test for <rdar://problem/6427048> crash due to infinite recursion after setting window.proto = window
  • fast/canvas/canvas-gradient-without-path.html: Let make-js-test-wrappers update this one.
  • fast/dom/Window/resources/TEMPLATE.html: Copied from LayoutTests/fast/js/resources/TEMPLATE.html.
  • fast/dom/Window/resources/window-custom-prototype.js: Added.
  • fast/dom/Window/window-custom-prototype-expected.txt: Added.
  • fast/dom/Window/window-custom-prototype.html: Added.
File:
1 edited

Legend:

Unmodified
Added
Removed

  • trunk/JavaScriptCore/runtime/JSGlobalObjectFunctions.cpp

    r38828 r39320  
    272272{
    273273    JSObject* thisObject = thisValue->toThisObject(exec);
    274     JSGlobalObject* globalObject = thisObject->toGlobalObject(exec);
    275     if (!globalObject || globalObject->evalFunction() != function)
     274    JSObject* unwrappedObject = thisObject->unwrappedObject();
     275    if (!unwrappedObject->isGlobalObject() || static_cast<JSGlobalObject*>(unwrappedObject)->evalFunction() != function)
    276276        return throwError(exec, EvalError, "The \"this\" value passed to eval must be the global object from which eval originated");
    277277
     
    291291        return throwError(exec, SyntaxError, errMsg, errLine, source.provider()->asID(), NULL);
    292292
    293     return exec->interpreter()->execute(evalNode.get(), exec, thisObject, globalObject->globalScopeChain().node(), exec->exceptionSlot());
     293    return exec->interpreter()->execute(evalNode.get(), exec, thisObject, static_cast<JSGlobalObject*>(unwrappedObject)->globalScopeChain().node(), exec->exceptionSlot());
    294294}
    295295
Note: See TracChangeset for help on using the changeset viewer.