-
cwzwarich@webkit.org authored
Reviewed by Oliver Hunt. Bug 24596: ASSERT in JSC::PropertySlot::slotBase @ iGoogle homepage <https://bugs.webkit.org/show_bug.cgi?id=24596> <rdar://problem/6686493> JSDOMWindow::customGetOwnPropertySlot() does an access check after calling JSGlobalObject::getOwnPropertySlot(). This causes the PropertySlot to be set twice, once to the value that is illegal to access, and then to undefined This causes an assertion failure in property access caching code. The fix is to do the access check before calling JSGlobalObject::getOwnPropertySlot(). WebCore: * bindings/js/JSDOMWindowCustom.h: (WebCore::JSDOMWindow::customGetOwnPropertySlot): LayoutTests: * http/tests/security/cross-frame-access-get-custom-property-cached-expected.txt: Added. * http/tests/security/cross-frame-access-get-custom-property-cached.html: Added. * http/tests/security/resources/cross-frame-access-get-custom-property-cached-iframe.html: Added. * http/tests/security/resources/cross-frame-access.js: (shouldBeUndefined): git-svn-id: http://svn.webkit.org/repository/webkit/trunk@41826 268f45cc-cd09-0410-ab3c-d52691b4dbfc
cwzwarich@webkit.org authoredReviewed by Oliver Hunt. Bug 24596: ASSERT in JSC::PropertySlot::slotBase @ iGoogle homepage <https://bugs.webkit.org/show_bug.cgi?id=24596> <rdar://problem/6686493> JSDOMWindow::customGetOwnPropertySlot() does an access check after calling JSGlobalObject::getOwnPropertySlot(). This causes the PropertySlot to be set twice, once to the value that is illegal to access, and then to undefined This causes an assertion failure in property access caching code. The fix is to do the access check before calling JSGlobalObject::getOwnPropertySlot(). WebCore: * bindings/js/JSDOMWindowCustom.h: (WebCore::JSDOMWindow::customGetOwnPropertySlot): LayoutTests: * http/tests/security/cross-frame-access-get-custom-property-cached-expected.txt: Added. * http/tests/security/cross-frame-access-get-custom-property-cached.html: Added. * http/tests/security/resources/cross-frame-access-get-custom-property-cached-iframe.html: Added. * http/tests/security/resources/cross-frame-access.js: (shouldBeUndefined): git-svn-id: http://svn.webkit.org/repository/webkit/trunk@41826 268f45cc-cd09-0410-ab3c-d52691b4dbfc
Loading