JavaScriptCore:
author: andersca@apple.com <andersca@apple.com@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
Wed, 28 May 2008 00:44:40 +0000 (00:44 +0000)
committer: andersca@apple.com <andersca@apple.com@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
Wed, 28 May 2008 00:44:40 +0000 (00:44 +0000)
2008-05-27  Anders Carlsson  <andersca@apple.com>

        Reviewed by Geoff and Maciej.

        <rdar://problem/5806428>
        https://bugs.webkit.org/show_bug.cgi?id=17925
        Crash in KJS::JSObject::put after setting this.__proto__

        Set slotIsWriteable to false for __proto__; we want setting __proto__ to go through JSObject::put instead.

        * kjs/object.h:
        (KJS::JSObject::getOwnPropertySlotForWrite):

LayoutTests:

2008-05-27  Anders Carlsson  <andersca@apple.com>

        Reviewed by Geoff and Maciej.

        <rdar://problem/5806428>
        https://bugs.webkit.org/show_bug.cgi?id=17925
        Crash in KJS::JSObject::put after setting this.__proto__

        * fast/js/resources/this-non-object-proto.js: Added.
        * fast/js/this-non-object-proto-expected.txt: Added.
        * fast/js/this-non-object-proto.html: Added.

git-svn-id: https://svn.webkit.org/repository/webkit/trunk@34160 268f45cc-cd09-0410-ab3c-d52691b4dbfc

JavaScriptCore/ChangeLog
JavaScriptCore/kjs/object.h
LayoutTests/ChangeLog
LayoutTests/fast/js/resources/this-non-object-proto.js [new file with mode: 0644]
LayoutTests/fast/js/this-non-object-proto-expected.txt [new file with mode: 0644]
LayoutTests/fast/js/this-non-object-proto.html [new file with mode: 0644]

index 93ae9cc..9e5925a 100644 (file)
@@ -1,3 +1,16 @@
+2008-05-27  Anders Carlsson  <andersca@apple.com>
+
+        Reviewed by Geoff and Maciej.
+
+        <rdar://problem/5806428> 
+        https://bugs.webkit.org/show_bug.cgi?id=17925
+        Crash in KJS::JSObject::put after setting this.__proto__
+
+        Set slotIsWriteable to false for __proto__, we want setting __proto__ to go through JSObject::put instead.
+        
+        * kjs/object.h:
+        (KJS::JSObject::getOwnPropertySlotForWrite):
+
 2008-05-27  Kevin Ollivier  <kevino@theolliviers.com>
 
         wx build fixes to catch up with SquirrelFish, etc.
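Review bot: The ChangeLog entry says assignments should reach JSObject::put but not why; since the crash described in the title is the whole motivation, the entry should state that put is where a non-object, non-null __proto__ value gets rejected, so a reader of the log can see that the slot flag alone is not the fix. Two lines also carry trailing whitespace: `<rdar://problem/5806428> ` and the otherwise blank line after the "Set slotIsWriteable" sentence; trim them before landing.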
index aebc4d0..90af953 100644 (file)
@@ -596,7 +596,7 @@ ALWAYS_INLINE bool JSObject::getOwnPropertySlotForWrite(ExecState* exec, const I
     // non-standard Netscape extension
     if (propertyName == exec->propertyNames().underscoreProto) {
         slot.setValueSlot(this, &_proto);
-        slotIsWriteable = true;
+        slotIsWriteable = false;
         return true;
     }
 
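Review bot: Flipping `slotIsWriteable = false;` only prevents the crash if JSObject::put validates the new prototype before storing it, and that check is outside this hunk, so the code should say so where the decision is made; the existing `// non-standard Netscape extension` comment gives a future reader no reason not to set the flag back to true for a fast path. Suggest expanding it to something like `// __proto__ is intentionally not a writeable slot: assignments must go through JSObject::put, which checks that the value is an object or null`. Note that `slot.setValueSlot(this, &_proto);` still exposes the raw slot for reads, which is fine, but it makes the asymmetry worth a comment.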
index ce3767d..5223d11 100644 (file)
@@ -1,3 +1,15 @@
+2008-05-27  Anders Carlsson  <andersca@apple.com>
+
+        Reviewed by Geoff and Maciej.
+
+        <rdar://problem/5806428> 
+        https://bugs.webkit.org/show_bug.cgi?id=17925
+        Crash in KJS::JSObject::put after setting this.__proto__
+
+        * fast/js/resources/this-non-object-proto.js: Added.
+        * fast/js/this-non-object-proto-expected.txt: Added.
+        * fast/js/this-non-object-proto.html: Added.
+
 2008-05-26  Maciej Stachowiak  <mjs@apple.com>
 
         Reviewed by Anders.
diff --git a/LayoutTests/fast/js/resources/this-non-object-proto.js b/LayoutTests/fast/js/resources/this-non-object-proto.js
new file mode 100644 (file)
index 0000000..d449bb4
--- /dev/null
@@ -0,0 +1,12 @@
+description(
+'This test checks that setting a non-object, non-null value for this.__proto__ does not lead to a crash when setting a property on the this object.'
+);
+
+originalProto = this.__proto__;
+this.__proto__ = 1;
+
+shouldBe("this.__proto__", "originalProto");
+
+someProperty = 1;
+debug('If we got to this point then we did not crash and the test has passed.');
+var successfullyParsed = true;
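Review bot: The description promises coverage of "a non-object, non-null value" but the test only ever tries `this.__proto__ = 1;`; add a string, a boolean and undefined so a regression that special-cases numbers is still caught, and add a positive case such as assigning null (and a real object) with a shouldBe on the result, so the test also fails if put starts rejecting every assignment. Minor: `originalProto` and `someProperty` are implicit globals while `var successfullyParsed` is declared; declaring all three with `var` keeps the file consistent.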
diff --git a/LayoutTests/fast/js/this-non-object-proto-expected.txt b/LayoutTests/fast/js/this-non-object-proto-expected.txt
new file mode 100644 (file)
index 0000000..804df55
--- /dev/null
@@ -0,0 +1,11 @@
+This test checks that setting a non-object, non-null value for this.__proto__ does not lead to a crash when setting a property on the this object.
+
+On success, you will see a series of "PASS" messages, followed by "TEST COMPLETE".
+
+
+PASS this.__proto__ is originalProto
+If we got to this point then we did not crash and the test has passed.
+PASS successfullyParsed is true
+
+TEST COMPLETE
+
diff --git a/LayoutTests/fast/js/this-non-object-proto.html b/LayoutTests/fast/js/this-non-object-proto.html
new file mode 100644 (file)
index 0000000..a925a1d
--- /dev/null
@@ -0,0 +1,13 @@
+<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML//EN">
+<html>
+<head>
+<link rel="stylesheet" href="resources/js-test-style.css">
+<script src="resources/js-test-pre.js"></script>
+</head>
+<body>
+<p id="description"></p>
+<div id="console"></div>
+<script src="resources/this-non-object-proto.js"></script>
+<script src="resources/js-test-post.js"></script>
+</body>
+</html>