Timestamp:
May 28, 2010, 11:16:25 PM
Author:
[email protected]
Message:

2010-05-28 Jedrzej Nowacki <[email protected]>

Reviewed by Geoffrey Garen.

Fix the JSObjectSetPrototype function.

A cycle in a prototype chain can cause an application hang or
even crash.
A check for prototype chain cycles was added to
JSObjectSetPrototype.

JSObjectSetPrototype doesn't check for cycle in prototype chain.
https://bugs.webkit.org/show_bug.cgi?id=39360

  • API/JSObjectRef.cpp: (JSObjectSetPrototype):
  • API/tests/testapi.c: (assertTrue): (checkForCycleInPrototypeChain): (main):
  • runtime/JSObject.cpp: (JSC::JSObject::put):
  • runtime/JSObject.h: (JSC::JSObject::setPrototypeWithCycleCheck):
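The check described in the message above, modelled on plain JavaScript objects as an added illustration (not WebKit's code): `wouldCreateCycle` walks the candidate prototype's chain looking for the object itself, and the hypothetical `setPrototypeWithCycleCheck` wrapper refuses the assignment instead of installing a loop.

```javascript
// Added illustration, not WebKit's code: the check the fix adds to
// JSObjectSetPrototype, modelled on plain JS objects.  A prototype
// chain is a singly linked list ending in null; if `obj` is reachable
// from `newProto`, installing newProto as obj's prototype closes a
// loop and every later chain walk (property lookup, instanceof)
// would spin forever or overflow the stack.
function wouldCreateCycle(obj, newProto) {
  for (let p = newProto; p !== null; p = Object.getPrototypeOf(p)) {
    if (p === obj) return true;
  }
  return false;
}

// Hypothetical counterpart of the fixed setter: refuse the assignment
// and leave the chain untouched rather than install the cycle.
// Returns whether the prototype was actually changed.
function setPrototypeWithCycleCheck(obj, newProto) {
  if (wouldCreateCycle(obj, newProto)) return false;
  Object.setPrototypeOf(obj, newProto);
  return true;
}

// Constructed objects: derived inherits from base.  Pointing base at
// derived would make base -> derived -> base -> ... forever.
function demo() {
  const base = {};
  const derived = Object.create(base);

  const results = {
    cyclic: wouldCreateCycle(base, derived),            // true
    selfCycle: wouldCreateCycle(base, base),            // true: one-node loop
    nullOk: wouldCreateCycle(base, null),               // false: null ends any chain
    refused: setPrototypeWithCycleCheck(base, derived), // false, base left alone
    baseProtoUnchanged: Object.getPrototypeOf(base) === Object.prototype,
    reparented: setPrototypeWithCycleCheck(base, Array.prototype), // true
  };

  // The JS-level built-in already performs the same check and throws
  // rather than creating a cycle; the C API path gains the same
  // protection with this change.
  try {
    Object.setPrototypeOf(Object.getPrototypeOf(derived), derived);
    results.engineRejects = false;
  } catch (e) {
    results.engineRejects = e instanceof TypeError;
  }
  return results;
}
```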
File:
1 edited

  • trunk/JavaScriptCore/API/JSObjectRef.cpp

    r59941 r60390  
    237237    JSValue jsValue = toJS(exec, value);
    238238
    239     jsObject->setPrototype(jsValue.isObject() ? jsValue : jsNull());
     239    jsObject->setPrototypeWithCycleCheck(jsValue.isObject() ? jsValue : jsNull());
    240240}
    241241
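Review bot: what setPrototypeWithCycleCheck does when it detects a cycle is not visible in this hunk, and since JSObjectSetPrototype returns nothing to the caller, an embedder cannot tell whether the prototype was silently left unchanged. Suggest stating the behaviour in the public header comment for JSObjectSetPrototype (for example, "if setting the prototype would create a cycle, the prototype is left unchanged") and asserting exactly that outcome in the checkForCycleInPrototypeChain test the ChangeLog lists for API/tests/testapi.c.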