Modified: trunk/Source/WebCore/ChangeLog (153676 => 153677)
--- trunk/Source/WebCore/ChangeLog 2013-08-02 23:23:49 UTC (rev 153676)
+++ trunk/Source/WebCore/ChangeLog 2013-08-02 23:40:48 UTC (rev 153677)
@@ -1,3 +1,34 @@
+2013-08-02 Gavin Barraclough <[email protected]>
+
+ Remove no-arguments constructor to PropertySlot
+ https://bugs.webkit.org/show_bug.cgi?id=119460
+
+ Reviewed by Geoff Garen.
+
+ This constructor was unsafe if getValue is subsequently called,
+ and the property is a getter. Simplest to just remove it.
+
+ * bindings/js/JSDOMWindowCustom.cpp:
+ (WebCore::JSDOMWindow::getOwnPropertyDescriptor):
+ (WebCore::DialogHandler::returnValue):
+ * bindings/js/JSHistoryCustom.cpp:
+ (WebCore::JSHistory::getOwnPropertyDescriptorDelegate):
+ * bindings/js/JSLocationCustom.cpp:
+ (WebCore::JSLocation::getOwnPropertyDescriptorDelegate):
+ * bindings/js/JSPluginElementFunctions.cpp:
+ (WebCore::runtimeObjectCustomGetOwnPropertyDescriptor):
+ * bindings/js/JSStorageCustom.cpp:
+ (WebCore::JSStorage::deleteProperty):
+ (WebCore::JSStorage::putDelegate):
+ * bindings/scripts/CodeGeneratorJS.pm:
+ (GenerateGetOwnPropertyDescriptorBody):
+ * bridge/runtime_array.cpp:
+ (JSC::RuntimeArray::getOwnPropertyDescriptor):
+ * bridge/runtime_method.cpp:
+ (JSC::RuntimeMethod::getOwnPropertyDescriptor):
+ * bridge/runtime_object.cpp:
+ (JSC::Bindings::RuntimeObject::getOwnPropertyDescriptor):
+
2013-08-02 Andreas Kling <[email protected]>
Removing a <link> element with an empty stylesheet shouldn't trigger style recalc.
Modified: trunk/Source/WebCore/bindings/js/JSDOMWindowCustom.cpp (153676 => 153677)
--- trunk/Source/WebCore/bindings/js/JSDOMWindowCustom.cpp 2013-08-02 23:23:49 UTC (rev 153676)
+++ trunk/Source/WebCore/bindings/js/JSDOMWindowCustom.cpp 2013-08-02 23:40:48 UTC (rev 153677)
@@ -352,7 +352,7 @@
}
entry = JSDOMWindowPrototype::s_info.propHashTable(exec)->entry(exec, propertyName);
if (entry && (entry->attributes() & JSC::Function) && entry->function() == jsDOMWindowPrototypeFunctionClose) {
- PropertySlot slot;
+ PropertySlot slot(thisObject);
slot.setCustom(thisObject, nonCachingStaticFunctionGetter<jsDOMWindowPrototypeFunctionClose, 0>);
descriptor.setDescriptor(slot.getValue(exec, propertyName), ReadOnly | DontDelete | DontEnum);
return true;
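Review bot: The receiver is now supplied twice on consecutive lines — `PropertySlot slot(thisObject);` and `slot.setCustom(thisObject, ...)` — and nothing at the call site says which of the two the custom getter sees when `slot.getValue(exec, propertyName)` runs, or what happens if they ever diverge. A short comment on the constructor line would settle it for readers, e.g. `// Constructor argument is the receiver passed to getters; setCustom's first argument is the slot base — keep them the same object.`, assuming that is the PropertySlot contract at this revision (worth confirming against PropertySlot.h). The same pairing appears in the @@ -363, -375, -384 and -395 hunks of this file and in the JSHistoryCustom, JSLocationCustom, JSPluginElementFunctions, runtime_array, runtime_method, runtime_object and JSNPObject hunks, so a single follow-up that lets the constructor carry the slot base would remove the duplication everywhere. The enclosing getOwnPropertyDescriptor begins outside this hunk.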
@@ -363,7 +363,7 @@
entry = JSDOMWindow::s_info.propHashTable(exec)->entry(exec, propertyName);
if (entry) {
- PropertySlot slot;
+ PropertySlot slot(thisObject);
slot.setCustom(thisObject, entry->propertyGetter());
descriptor.setDescriptor(slot.getValue(exec, propertyName), entry->attributes());
return true;
@@ -375,7 +375,7 @@
// are in Moz but not IE. Since we have some of these, we have to do
// it the Moz way.
if (thisObject->impl()->frame()->tree()->scopedChild(propertyNameToAtomicString(propertyName))) {
- PropertySlot slot;
+ PropertySlot slot(thisObject);
slot.setCustom(thisObject, childFrameGetter);
descriptor.setDescriptor(slot.getValue(exec, propertyName), ReadOnly | DontDelete | DontEnum);
return true;
@@ -384,7 +384,7 @@
unsigned i = propertyName.asIndex();
if (i < thisObject->impl()->frame()->tree()->scopedChildCount()) {
ASSERT(i != PropertyName::NotAnIndex);
- PropertySlot slot;
+ PropertySlot slot(thisObject);
slot.setCustomIndex(thisObject, i, indexGetter);
descriptor.setDescriptor(slot.getValue(exec, propertyName), ReadOnly | DontDelete | DontEnum);
return true;
@@ -395,7 +395,7 @@
if (document->isHTMLDocument()) {
AtomicStringImpl* atomicPropertyName = findAtomicString(propertyName);
if (atomicPropertyName && toHTMLDocument(document)->windowNamedItemMap().contains(atomicPropertyName)) {
- PropertySlot slot;
+ PropertySlot slot(thisObject);
slot.setCustom(thisObject, namedItemGetter);
descriptor.setDescriptor(slot.getValue(exec, propertyName), ReadOnly | DontDelete | DontEnum);
return true;
@@ -584,7 +584,7 @@
if (!globalObject)
return jsUndefined();
Identifier identifier(m_exec, "returnValue");
- PropertySlot slot;
+ PropertySlot slot(globalObject);
if (!JSGlobalObject::getOwnPropertySlot(globalObject, m_exec, identifier, slot))
return jsUndefined();
return slot.getValue(m_exec, identifier);
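Review bot: This is the one site in the patch where the looked-up property can be a script-defined accessor rather than a fixed custom getter — `returnValue` is resolved through `JSGlobalObject::getOwnPropertySlot` on the dialog's window — so `slot.getValue(m_exec, identifier)` can now run page script with `globalObject` as the receiver, which is exactly the case the ChangeLog says the old default constructor mishandled. That deserves a comment where the slot is built, e.g. `// returnValue may be a page-defined getter; getValue runs it with globalObject as this, and any exception it raises is left on m_exec.`, and presumably the caller checks `m_exec` for a pending exception before using the result (not visible here — confirm). DialogHandler::returnValue starts outside the hunk.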
Modified: trunk/Source/WebCore/bindings/js/JSHistoryCustom.cpp (153676 => 153677)
--- trunk/Source/WebCore/bindings/js/JSHistoryCustom.cpp 2013-08-02 23:23:49 UTC (rev 153676)
+++ trunk/Source/WebCore/bindings/js/JSHistoryCustom.cpp 2013-08-02 23:40:48 UTC (rev 153677)
@@ -107,7 +107,7 @@
// Check for the few functions that we allow, even when called cross-domain.
const HashEntry* entry = JSHistoryPrototype::s_info.propHashTable(exec)->entry(exec, propertyName);
if (entry) {
- PropertySlot slot;
+ PropertySlot slot(this);
// Allow access to back(), forward() and go() from any frame.
if (entry->attributes() & JSC::Function) {
if (entry->function() == jsHistoryPrototypeFunctionBack) {
@@ -127,7 +127,7 @@
} else {
// Allow access to toString() cross-domain, but always Object.toString.
if (propertyName == exec->propertyNames().toString) {
- PropertySlot slot;
+ PropertySlot slot(this);
slot.setCustom(this, objectToStringFunctionGetter);
descriptor.setDescriptor(slot.getValue(exec, propertyName), entry->attributes());
return true;
Modified: trunk/Source/WebCore/bindings/js/JSLocationCustom.cpp (153676 => 153677)
--- trunk/Source/WebCore/bindings/js/JSLocationCustom.cpp 2013-08-02 23:23:49 UTC (rev 153676)
+++ trunk/Source/WebCore/bindings/js/JSLocationCustom.cpp 2013-08-02 23:40:48 UTC (rev 153677)
@@ -100,7 +100,7 @@
// Check for the few functions that we allow, even when called cross-domain.
const HashEntry* entry = JSLocationPrototype::s_info.propHashTable(exec)->entry(exec, propertyName);
- PropertySlot slot;
+ PropertySlot slot(this);
if (entry && (entry->attributes() & JSC::Function)) {
if (entry->function() == jsLocationPrototypeFunctionReplace) {
slot.setCustom(this, nonCachingStaticReplaceFunctionGetter);
Modified: trunk/Source/WebCore/bindings/js/JSPluginElementFunctions.cpp (153676 => 153677)
--- trunk/Source/WebCore/bindings/js/JSPluginElementFunctions.cpp 2013-08-02 23:23:49 UTC (rev 153676)
+++ trunk/Source/WebCore/bindings/js/JSPluginElementFunctions.cpp 2013-08-02 23:40:48 UTC (rev 153677)
@@ -129,7 +129,7 @@
return false;
if (!scriptObject->hasProperty(exec, propertyName))
return false;
- PropertySlot slot;
+ PropertySlot slot(element);
slot.setCustom(element, runtimeObjectPropertyGetter);
// While we don't know what the plugin allows, we do know that we prevent
// enumeration or deletion of properties, so we mark plugin properties
Modified: trunk/Source/WebCore/bindings/js/JSStorageCustom.cpp (153676 => 153677)
--- trunk/Source/WebCore/bindings/js/JSStorageCustom.cpp 2013-08-02 23:23:49 UTC (rev 153676)
+++ trunk/Source/WebCore/bindings/js/JSStorageCustom.cpp 2013-08-02 23:40:48 UTC (rev 153677)
@@ -62,7 +62,7 @@
// Only perform the custom delete if the object doesn't have a native property by this name.
// Since hasProperty() would end up calling canGetItemsForName() and be fooled, we need to check
// the native property slots manually.
- PropertySlot slot;
+ PropertySlot slot(thisObject);
if (getStaticValueSlot<JSStorage, Base>(exec, s_info.propHashTable(exec), thisObject, propertyName, slot))
return false;
@@ -104,7 +104,7 @@
// Only perform the custom put if the object doesn't have a native property by this name.
// Since hasProperty() would end up calling canGetItemsForName() and be fooled, we need to check
// the native property slots manually.
- PropertySlot slot;
+ PropertySlot slot(this);
if (getStaticValueSlot<JSStorage, Base>(exec, s_info.propHashTable(exec), this, propertyName, slot))
return false;
Modified: trunk/Source/WebCore/bindings/scripts/CodeGeneratorJS.pm (153676 => 153677)
--- trunk/Source/WebCore/bindings/scripts/CodeGeneratorJS.pm 2013-08-02 23:23:49 UTC (rev 153676)
+++ trunk/Source/WebCore/bindings/scripts/CodeGeneratorJS.pm 2013-08-02 23:40:48 UTC (rev 153677)
@@ -384,7 +384,7 @@
push(@getOwnPropertySlotImpl, " if (index != PropertyName::NotAnIndex && index < static_cast<$interfaceName*>(thisObject->impl())->length()) {\n");
}
if ($hasNumericIndexedGetter) {
- push(@getOwnPropertySlotImpl, " slot.setValue(thisObject->getByIndex(exec, index));\n");
+ push(@getOwnPropertySlotImpl, " slot.setValue(thisObject, thisObject->getByIndex(exec, index));\n");
} else {
push(@getOwnPropertySlotImpl, " slot.setCustomIndex(thisObject, index, indexGetter);\n");
}
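Review bot: This hunk and the @@ -1960 hunk change the generated getOwnPropertySlot code from `slot.setValue(thisObject->getByIndex(exec, index))` to `slot.setValue(thisObject, thisObject->getByIndex(exec, index))`, i.e. they track a signature change to PropertySlot::setValue, but the ChangeLog entry only lists GenerateGetOwnPropertyDescriptorBody under CodeGeneratorJS.pm. The entry should also name the two functions these hunks sit in and say that setValue now takes the slot base, so that the bindings change is traceable from the log. Both enclosing Perl subroutines start outside the hunks.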
@@ -459,7 +459,7 @@
if ($requiresManualLookup) {
push(@getOwnPropertyDescriptorImpl, " const ${namespaceMaybe}HashEntry* entry = ${className}Table.entry(exec, propertyName);\n");
push(@getOwnPropertyDescriptorImpl, " if (entry) {\n");
- push(@getOwnPropertyDescriptorImpl, " PropertySlot slot;\n");
+ push(@getOwnPropertyDescriptorImpl, " PropertySlot slot(thisObject);\n");
push(@getOwnPropertyDescriptorImpl, " slot.setCustom(thisObject, entry->propertyGetter());\n");
push(@getOwnPropertyDescriptorImpl, " descriptor.setDescriptor(slot.getValue(exec, propertyName), entry->attributes());\n");
push(@getOwnPropertyDescriptorImpl, " return true;\n");
@@ -482,7 +482,7 @@
push(@getOwnPropertyDescriptorImpl, " descriptor.setDescriptor(thisObject->getByIndex(exec, index), ${namespaceMaybe}DontDelete | ${namespaceMaybe}ReadOnly);\n");
}
} else {
- push(@getOwnPropertyDescriptorImpl, " ${namespaceMaybe}PropertySlot slot;\n");
+ push(@getOwnPropertyDescriptorImpl, " ${namespaceMaybe}PropertySlot slot(thisObject);\n");
push(@getOwnPropertyDescriptorImpl, " slot.setCustomIndex(thisObject, index, indexGetter);\n");
# Assume that if there's a setter, the index will be writable
if ($interface->extendedAttributes->{"CustomIndexedSetter"}) {
@@ -497,7 +497,7 @@
if ($namedGetterFunction || $interface->extendedAttributes->{"CustomNamedGetter"}) {
push(@getOwnPropertyDescriptorImpl, " if (canGetItemsForName(exec, static_cast<$interfaceName*>(thisObject->impl()), propertyName)) {\n");
- push(@getOwnPropertyDescriptorImpl, " ${namespaceMaybe}PropertySlot slot;\n");
+ push(@getOwnPropertyDescriptorImpl, " ${namespaceMaybe}PropertySlot slot(thisObject);\n");
push(@getOwnPropertyDescriptorImpl, " slot.setCustom(thisObject, nameGetter);\n");
push(@getOwnPropertyDescriptorImpl, " descriptor.setDescriptor(slot.getValue(exec, propertyName), ReadOnly | DontDelete | DontEnum);\n");
push(@getOwnPropertyDescriptorImpl, " return true;\n");
@@ -1960,7 +1960,7 @@
push(@implContent, " if (index < static_cast<$interfaceName*>(thisObject->impl())->length()) {\n");
}
if ($hasNumericIndexedGetter) {
- push(@implContent, " slot.setValue(thisObject->getByIndex(exec, index));\n");
+ push(@implContent, " slot.setValue(thisObject, thisObject->getByIndex(exec, index));\n");
} else {
push(@implContent, " slot.setCustomIndex(thisObject, index, thisObject->indexGetter);\n");
}
Modified: trunk/Source/WebCore/bridge/runtime_array.cpp (153676 => 153677)
--- trunk/Source/WebCore/bridge/runtime_array.cpp 2013-08-02 23:23:49 UTC (rev 153676)
+++ trunk/Source/WebCore/bridge/runtime_array.cpp 2013-08-02 23:40:48 UTC (rev 153677)
@@ -107,7 +107,7 @@
{
RuntimeArray* thisObject = jsCast<RuntimeArray*>(object);
if (propertyName == exec->propertyNames().length) {
- PropertySlot slot;
+ PropertySlot slot(thisObject);
slot.setCustom(thisObject, lengthGetter);
descriptor.setDescriptor(slot.getValue(exec, propertyName), ReadOnly | DontDelete | DontEnum);
return true;
@@ -116,7 +116,7 @@
unsigned index = propertyName.asIndex();
if (index < thisObject->getLength()) {
ASSERT(index != PropertyName::NotAnIndex);
- PropertySlot slot;
+ PropertySlot slot(thisObject);
slot.setCustomIndex(thisObject, index, indexGetter);
descriptor.setDescriptor(slot.getValue(exec, propertyName), DontDelete | DontEnum);
return true;
Modified: trunk/Source/WebCore/bridge/runtime_method.cpp (153676 => 153677)
--- trunk/Source/WebCore/bridge/runtime_method.cpp 2013-08-02 23:23:49 UTC (rev 153676)
+++ trunk/Source/WebCore/bridge/runtime_method.cpp 2013-08-02 23:40:48 UTC (rev 153677)
@@ -76,7 +76,7 @@
{
RuntimeMethod* thisObject = jsCast<RuntimeMethod*>(object);
if (propertyName == exec->propertyNames().length) {
- PropertySlot slot;
+ PropertySlot slot(thisObject);
slot.setCustom(thisObject, lengthGetter);
descriptor.setDescriptor(slot.getValue(exec, propertyName), ReadOnly | DontDelete | DontEnum);
return true;
Modified: trunk/Source/WebCore/bridge/runtime_object.cpp (153676 => 153677)
--- trunk/Source/WebCore/bridge/runtime_object.cpp 2013-08-02 23:23:49 UTC (rev 153676)
+++ trunk/Source/WebCore/bridge/runtime_object.cpp 2013-08-02 23:40:48 UTC (rev 153677)
@@ -178,7 +178,7 @@
// See if the instance has a field with the specified name.
Field *aField = aClass->fieldNamed(propertyName, instance.get());
if (aField) {
- PropertySlot slot;
+ PropertySlot slot(thisObject);
slot.setCustom(thisObject, fieldGetter);
instance->end();
descriptor.setDescriptor(slot.getValue(exec, propertyName), DontDelete);
@@ -187,7 +187,7 @@
// Now check if a method with specified name exists, if so return a function object for
// that method.
if (aClass->methodNamed(propertyName, instance.get())) {
- PropertySlot slot;
+ PropertySlot slot(thisObject);
slot.setCustom(thisObject, methodGetter);
instance->end();
descriptor.setDescriptor(slot.getValue(exec, propertyName), DontDelete | ReadOnly);
@@ -197,7 +197,7 @@
// Try a fallback object.
if (!aClass->fallbackObject(exec, instance.get(), propertyName).isUndefined()) {
- PropertySlot slot;
+ PropertySlot slot(thisObject);
slot.setCustom(thisObject, fallbackObjectGetter);
instance->end();
descriptor.setDescriptor(slot.getValue(exec, propertyName), DontDelete | ReadOnly | DontEnum);
Modified: trunk/Source/WebKit2/ChangeLog (153676 => 153677)
--- trunk/Source/WebKit2/ChangeLog 2013-08-02 23:23:49 UTC (rev 153676)
+++ trunk/Source/WebKit2/ChangeLog 2013-08-02 23:40:48 UTC (rev 153677)
@@ -1,3 +1,16 @@
+2013-08-02 Gavin Barraclough <[email protected]>
+
+ Remove no-arguments constructor to PropertySlot
+ https://bugs.webkit.org/show_bug.cgi?id=119460
+
+ Reviewed by Geoff Garen.
+
+ This constructor was unsafe if getValue is subsequently called,
+ and the property is a getter. Simplest to just remove it.
+
+ * WebProcess/Plugins/Netscape/JSNPObject.cpp:
+ (WebKit::JSNPObject::getOwnPropertyDescriptor):
+
2013-08-02 Ruth Fong <[email protected]>
[Forms: color] WebColorPickerMac deconstructor shouldn't assert a variable
Modified: trunk/Source/WebKit2/WebProcess/Plugins/Netscape/JSNPObject.cpp (153676 => 153677)
--- trunk/Source/WebKit2/WebProcess/Plugins/Netscape/JSNPObject.cpp 2013-08-02 23:23:49 UTC (rev 153676)
+++ trunk/Source/WebKit2/WebProcess/Plugins/Netscape/JSNPObject.cpp 2013-08-02 23:40:48 UTC (rev 153677)
@@ -307,7 +307,7 @@
// First, check if the NPObject has a property with this name.
if (thisObject->m_npObject->_class->hasProperty && thisObject->m_npObject->_class->hasProperty(thisObject->m_npObject, npIdentifier)) {
- PropertySlot slot;
+ PropertySlot slot(thisObject);
slot.setCustom(thisObject, propertyGetter);
descriptor.setDescriptor(slot.getValue(exec, propertyName), DontDelete);
return true;
@@ -315,7 +315,7 @@
// Second, check if the NPObject has a method with this name.
if (thisObject->m_npObject->_class->hasMethod && thisObject->m_npObject->_class->hasMethod(thisObject->m_npObject, npIdentifier)) {
- PropertySlot slot;
+ PropertySlot slot(thisObject);
slot.setCustom(thisObject, methodGetter);
descriptor.setDescriptor(slot.getValue(exec, propertyName), DontDelete | ReadOnly);
return true;