- Bug 17925: Crash in KJS::JSObject::put after setting this.__proto__
- Bug 17927: Hang after attempting to create circular __proto__
* kjs/object.cpp:
(KJS::JSObject::put): Silently ignore attempts to set __proto__ to a non-object, non-null value.
Return after setting the exception when an attempt to set a cyclic __proto__ is detected so that
the cyclic value is not set.
git-svn-id: https://svn.webkit.org/repository/webkit/trunk@31145 268f45cc-cd09-0410-ab3c-d52691b4dbfc
+2008-03-18 Mark Rowe <mrowe@apple.com>
+
+ Reviewed by Oliver Hunt.
+
+ Fix http://bugs.webkit.org/show_bug.cgi?id=17925 and http://bugs.webkit.org/show_bug.cgi?id=17927.
+ - Bug 17925: Crash in KJS::JSObject::put after setting this.__proto__
+ - Bug 17927: Hang after attempting to create circular __proto__
+
+ * kjs/object.cpp:
+ (KJS::JSObject::put): Silently ignore attempts to set __proto__ to a non-object, non-null value.
+ Return after setting the exception when an attempt to set a cyclic __proto__ is detected so that
+ the cyclic value is not set.
+
2008-03-18 Maciej Stachowiak <mjs@apple.com>
Reviewed by Oliver.
if (propertyName == exec->propertyNames().underscoreProto) {
JSObject* proto = value->getObject();
+
+ // Setting __proto__ to a non-object, non-null value is silently ignored to match Mozilla
+ if (!proto && value != jsNull())
+ return;
+
while (proto) {
- if (proto == this)
+ if (proto == this) {
throwError(exec, GeneralError, "cyclic __proto__ value");
+ return;
+ }
proto = proto->prototype() ? proto->prototype()->getObject() : 0;
}
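Review bot: the `while (proto)` walk carries no comment saying that it depends on every existing prototype chain being acyclic, an invariant that holds on this path only because the added `return` after `throwError(exec, GeneralError, "cyclic __proto__ value")` keeps the cyclic value from being stored. Stating that above the loop would make the termination argument explicit. The advance line also evaluates `proto->prototype()` twice per iteration; holding it in a local would read better.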
+2008-03-18 Mark Rowe <mrowe@apple.com>
+
+ Reviewed by Oliver Hunt.
+
+ Tests for http://bugs.webkit.org/show_bug.cgi?id=17925 and http://bugs.webkit.org/show_bug.cgi?id=17927.
+ - Bug 17925: Crash in KJS::JSObject::put after setting this.__proto__
+ - Bug 17927: Hang after attempting to create circular __proto__
+
+ * fast/js/cyclic-proto-expected.txt: Added.
+ * fast/js/cyclic-proto.html: Copied from LayoutTests/fast/js/assign.html.
+ * fast/js/non-object-proto-expected.txt: Added.
+ * fast/js/non-object-proto.html: Copied from LayoutTests/fast/js/rehash-assign.html.
+ * fast/js/resources/cyclic-proto.js: Added.
+ * fast/js/resources/non-object-proto.js: Added.
+
2008-03-18 Sam Weinig <sam@webkit.org>
Reviewed by Anders Carlsson.
--- /dev/null
+This test checks that setting a cyclic value for __proto__ throws an exception and does not alter __proto__. This was reported as bug 17927.
+
+On success, you will see a series of "PASS" messages, followed by "TEST COMPLETE".
+
+
+PASS x.__proto__ = x; threw exception Error: cyclic __proto__ value.
+PASS x.__proto__ is originalProto
+PASS successfullyParsed is true
+
+TEST COMPLETE
+
--- /dev/null
+<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML//EN">
+<html>
+<head>
+<link rel="stylesheet" href="resources/js-test-style.css">
+<script src="resources/js-test-pre.js"></script>
+</head>
+<body>
+<p id="description"></p>
+<div id="console"></div>
+<script src="resources/cyclic-proto.js"></script>
+<script src="resources/js-test-post.js"></script>
+</body>
+</html>
--- /dev/null
+This test checks that setting a non-object, non-null value for __proto__ does not lead to a crash when next setting a property on the object. This was reported as bug 17925.
+
+On success, you will see a series of "PASS" messages, followed by "TEST COMPLETE".
+
+
+PASS x.__proto__ is originalProto
+If we got to this point then we did not crash and the test has passed.
+PASS successfullyParsed is true
+
+TEST COMPLETE
+
--- /dev/null
+<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML//EN">
+<html>
+<head>
+<link rel="stylesheet" href="resources/js-test-style.css">
+<script src="resources/js-test-pre.js"></script>
+</head>
+<body>
+<p id="description"></p>
+<div id="console"></div>
+<script src="resources/non-object-proto.js"></script>
+<script src="resources/js-test-post.js"></script>
+</body>
+</html>
--- /dev/null
+description(
+'This test checks that setting a cyclic value for __proto__ throws an exception and does not alter __proto__. This was reported as <a href="http://bugs.webkit.org/show_bug.cgi?id=17927">bug 17927</a>.'
+);
+
+x = {};
+originalProto = x.__proto__;
+shouldThrow('x.__proto__ = x;');
+shouldBe("x.__proto__", "originalProto");
+
+var successfullyParsed = true;
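Review bot: the only cycle exercised is the direct one, `shouldThrow('x.__proto__ = x;')`, which the chain walk in `JSObject::put` catches on its first iteration. Add an indirect case, for example two objects where `y.__proto__ = x` succeeds and `x.__proto__ = y` must then throw and leave `x.__proto__` equal to `originalProto`, so the step that advances along the chain is covered as well.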
--- /dev/null
+description(
+'This test checks that setting a non-object, non-null value for __proto__ does not lead to a crash when next setting a property on the object. This was reported as <a href="http://bugs.webkit.org/show_bug.cgi?id=17925">bug 17925</a>.'
+);
+
+x = {};
+originalProto = x.__proto__;
+x.__proto__ = 1;
+shouldBe("x.__proto__", "originalProto");
+
+x.someProperty = 1;
+debug('If we got to this point then we did not crash and the test has passed.');
+var successfullyParsed = true;
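Review bot: `x.__proto__ = 1;` is the only non-object value covered, while the new guard in `JSObject::put` (`!proto && value != jsNull()`) applies to every non-object, non-null value and deliberately lets null through. Consider adding a string, a boolean and `undefined` with the same `shouldBe("x.__proto__", "originalProto")` check, plus a case that pins down the intended result of `x.__proto__ = null`.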