git://git.webkit.org / WebKit-https.git / commitdiff
? search:
summary | shortlog | log | commit | commitdiff | tree
raw | patch | inline | side by side (parent: 0151cc5)
JavaScriptCore:
authorggaren <ggaren@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
Wed, 1 Nov 2006 02:14:01 +0000 (02:14 +0000)
committerggaren <ggaren@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
Wed, 1 Nov 2006 02:14:01 +0000 (02:14 +0000)
        Reviewed by Beth.

        Fixed http://bugs.webkit.org/show_bug.cgi?id=11477
        REGRESSION: GMail crashes in KJS::FunctionImp::callerGetter

        * kjs/function.cpp:
        (KJS::FunctionImp::argumentsGetter): Removed unnecessary braces.
        (KJS::FunctionImp::callerGetter): More logical NULL checking.

LayoutTests:

        Added test for accessing the 'caller' property from inside an event
        listener.

        * fast/events/caller-access-from-event-listener-expected.txt: Added.
        * fast/events/caller-access-from-event-listener.html: Added.

git-svn-id: https://svn.webkit.org/repository/webkit/trunk@17507 268f45cc-cd09-0410-ab3c-d52691b4dbfc

JavaScriptCore/ChangeLog patch | blob | history
JavaScriptCore/kjs/function.cpp patch | blob | history
LayoutTests/ChangeLog patch | blob | history
LayoutTests/fast/events/caller-access-from-event-listener-expected.txt [new file with mode: 0644] patch | blob
LayoutTests/fast/events/caller-access-from-event-listener.html [new file with mode: 0644] patch | blob

diff --git a/JavaScriptCore/ChangeLog b/JavaScriptCore/ChangeLog
index 16da66e8892a1e4d85bf0e1e04db4baf598295ba..ea9d86cc49770186fe6a6835f7c9b7a8947aa489 100644 (file)
--- a/JavaScriptCore/ChangeLog
+++ b/JavaScriptCore/ChangeLog
@@ -1,3 +1,14 @@
+2006-10-31  Geoffrey Garen  <ggaren@apple.com>
+
+        Reviewed by Beth.
+        
+        Fixed http://bugs.webkit.org/show_bug.cgi?id=11477
+        REGRESSION: GMail crashes in KJS::FunctionImp::callerGetter
+
+        * kjs/function.cpp:
+        (KJS::FunctionImp::argumentsGetter): Removed unnecessary braces.
+        (KJS::FunctionImp::callerGetter): More logical NULL checking.
+
 2006-10-31  Oliver Hunt  <oliver@apple.com>
 
         Reviewed by Geoff.
diff --git a/JavaScriptCore/kjs/function.cpp b/JavaScriptCore/kjs/function.cpp
index add0161882e22ce4ae8f6f97d65908bb71fa5865..c2c44558188bdf338f762aa77887dabeebff01dc 100644 (file)
--- a/JavaScriptCore/kjs/function.cpp
+++ b/JavaScriptCore/kjs/function.cpp
@@ -219,9 +219,8 @@ JSValue* FunctionImp::argumentsGetter(ExecState* exec, JSObject*, const Identifi
   FunctionImp* thisObj = static_cast<FunctionImp*>(slot.slotBase());
   Context* context = exec->m_context;
   while (context) {
-    if (context->function() == thisObj) {
+    if (context->function() == thisObj)
       return static_cast<ActivationImp*>(context->activationObject())->get(exec, propertyName);
-    }
     context = context->callingContext();
   }
   return jsNull();
@@ -229,15 +228,26 @@ JSValue* FunctionImp::argumentsGetter(ExecState* exec, JSObject*, const Identifi
 
 JSValue* FunctionImp::callerGetter(ExecState* exec, JSObject*, const Identifier&, const PropertySlot& slot)
 {
-    FunctionImp* thisObj = static_cast<FunctionImp* >(slot.slotBase());
+    FunctionImp* thisObj = static_cast<FunctionImp*>(slot.slotBase());
     Context* context = exec->m_context;
     while (context) {
-        if (context->function() == thisObj) 
-            return (context->callingContext()->function()) ? context->callingContext()->function() : jsNull();
-        
+        if (context->function() == thisObj)
+            break;
         context = context->callingContext();
     }
-    return jsNull();
+
+    if (!context)
+        return jsNull();
+    
+    Context* callingContext = context->callingContext();
+    if (!callingContext)
+        return jsNull();
+    
+    FunctionImp* callingFunction = callingContext->function();
+    if (!callingFunction)
+        return jsNull();
+
+    return callingFunction;
 }
 
 JSValue* FunctionImp::lengthGetter(ExecState*, JSObject*, const Identifier&, const PropertySlot& slot)
diff --git a/LayoutTests/ChangeLog b/LayoutTests/ChangeLog
index 3c42c7805791c3f95f872abf88c6954bf6043cc2..d79e8d0437aad664ce805c528bfd65bf31532337 100644 (file)
--- a/LayoutTests/ChangeLog
+++ b/LayoutTests/ChangeLog
@@ -1,3 +1,11 @@
+2006-10-31  Geoffrey Garen  <ggaren@apple.com>
+
+        Added test for accessing the 'caller' property from inside an event
+        listener.
+
+        * fast/events/caller-access-from-event-listener-expected.txt: Added.
+        * fast/events/caller-access-from-event-listener.html: Added.
+
 2006-10-31  Geoffrey Garen  <ggaren@apple.com>
 
         Added layout test for copying password field.
diff --git a/LayoutTests/fast/events/caller-access-from-event-listener-expected.txt b/LayoutTests/fast/events/caller-access-from-event-listener-expected.txt
new file mode 100644 (file)
index 0000000..ed66307
--- /dev/null
+++ b/LayoutTests/fast/events/caller-access-from-event-listener-expected.txt
@@ -0,0 +1,4 @@
+This test verifies that WebKit doesn't crash when accessing the 'caller' property from inside an event listener.
+
+PASS: WebKit didn't crash.
+
diff --git a/LayoutTests/fast/events/caller-access-from-event-listener.html b/LayoutTests/fast/events/caller-access-from-event-listener.html
new file mode 100644 (file)
index 0000000..c5cad99
--- /dev/null
+++ b/LayoutTests/fast/events/caller-access-from-event-listener.html
@@ -0,0 +1,12 @@
+<p>This test verifies that WebKit doesn't crash when accessing the 'caller' property
+from inside an event listener.</p>
+<hr>
+<pre>PASS: WebKit didn't crash.</pre>
+<script src="../js/resources/js-test-pre.js"></script>
+<script>
+function crash() {
+    eval('crash.caller');
+}
+
+window.onload = crash;
+</script>
Mirror of the WebKit open source project from svn.webkit.org.