Timestamp:
Dec 15, 2008, 4:22:14 PM (16 years ago)
Author:
Darin Adler
Message:

JavaScriptCore:

2008-12-15 Darin Adler <Darin Adler>

Reviewed by Sam Weinig.

  • fix <rdar://problem/6427048> crash due to infinite recursion after setting window.__proto__ = window

Replaced toGlobalObject with the more generally useful unwrappedObject and used it to
fix the cycle detection code in put(__proto__).

  • runtime/JSGlobalObject.cpp: Removed toGlobalObject. We now use unwrappedObject instead.
  • runtime/JSGlobalObject.h: (JSC::JSGlobalObject::isGlobalObject): Ditto.
  • runtime/JSGlobalObjectFunctions.cpp: (JSC::globalFuncEval): Use unwrappedObject and isGlobalObject here rather than toGlobalObject.
  • runtime/JSObject.cpp: (JSC::JSObject::put): Rewrote prototype cycle checking loop. Use unwrappedObject in the loop now. (JSC::JSObject::unwrappedObject): Replaced toGlobalObject with this new function.
  • runtime/JSObject.h: More of the same.

WebCore:

2008-12-15 Darin Adler <Darin Adler>

Reviewed by Sam Weinig.

  • fix <rdar://problem/6427048> crash due to infinite recursion after setting window.__proto__ = window

Test: fast/dom/Window/window-custom-prototype.html

Replaced toGlobalObject with the more generally useful unwrappedObject.

  • bindings/js/JSDOMWindowShell.cpp: (WebCore::JSDOMWindowShell::unwrappedObject): Added.
  • bindings/js/JSDOMWindowShell.h: Declared unwrappedObject.
  • bindings/js/JSQuarantinedObjectWrapper.h: (WebCore::JSQuarantinedObjectWrapper::unwrappedObject): Ditto.

LayoutTests:

2008-12-15 Darin Adler <Darin Adler>

Reviewed by Sam Weinig.

  • test for <rdar://problem/6427048> crash due to infinite recursion after setting window.__proto__ = window
  • fast/canvas/canvas-gradient-without-path.html: Let make-js-test-wrappers update this one.
  • fast/dom/Window/resources/TEMPLATE.html: Copied from LayoutTests/fast/js/resources/TEMPLATE.html.
  • fast/dom/Window/resources/window-custom-prototype.js: Added.
  • fast/dom/Window/window-custom-prototype-expected.txt: Added.
  • fast/dom/Window/window-custom-prototype.html: Added.
File:
1 edited

  • trunk/JavaScriptCore/runtime/JSObject.cpp

    r38440 r39320  
    105105
    106106    if (propertyName == exec->propertyNames().underscoreProto) {
    107         JSObject* proto = value->getObject();
    108 
    109107        // Setting __proto__ to a non-object, non-null value is silently ignored to match Mozilla.
    110         if (!proto && !value->isNull())
     108        if (!value->isObject() && !value->isNull())
    111109            return;
    112        
    113         while (proto) {
    114             if (proto == this) {
     110
     111        JSValue* nextPrototypeValue = value;
     112        while (nextPrototypeValue && nextPrototypeValue->isObject()) {
     113            JSObject* nextPrototype = asObject(nextPrototypeValue)->unwrappedObject();
     114            if (nextPrototype == this) {
    115115                throwError(exec, GeneralError, "cyclic __proto__ value");
    116116                return;
    117117            }
    118             proto = proto->prototype() ? proto->prototype()->getObject() : 0;
    119         }
    120        
     118            nextPrototypeValue = nextPrototype->prototype();
     119        }
     120
    121121        setPrototype(value);
    122122        return;
    123123    }
    124    
     124
    125125    // Check if there are any setters or getters in the prototype chain
    126126    JSValue* prototype;
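
Review bot: The comparison at new line 114, if (nextPrototype == this), unwraps every object on the candidate chain but not the receiver. If put() can ever run with a wrapper as this (an object whose unwrappedObject() is not itself), a chain that leads back to the wrapped target will not compare equal and the cycle goes undetected, which is the infinite recursion this change is meant to stop. Either compare against this->unwrappedObject() or add a comment stating that put(__proto__) is always forwarded to the unwrapped object before reaching this code. A one-line comment above the loop at new line 112 saying why the walk goes through unwrappedObject() rather than following prototype() directly would also keep a later cleanup from reverting it to the old form.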
     
    459459}
    460460
    461 JSGlobalObject* JSObject::toGlobalObject(ExecState*) const
    462 {
    463     return 0;
     461JSObject* JSObject::unwrappedObject()
     462{
     463    return this;
    464464}
    465465
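
Review bot: The new JSObject::unwrappedObject() at new lines 461-464 has no comment stating its contract, and the cycle check in put() now depends on that contract for correctness. Please document that the base implementation returns this, that wrapper subclasses override it to return the object they wrap, and whether an override must return a fully unwrapped object when wrappers can nest, since the loop in put() calls unwrappedObject() only once per step. The function it replaces, toGlobalObject(ExecState*), was const and this one is not; if no override needs to mutate the wrapper, keeping it const would let it be called through const pointers as before.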