    2009-03-19 Cameron Zwarich <cwzwarich@uwaterloo.ca> · 78200f54
    cwzwarich@webkit.org authored
            Reviewed by Oliver Hunt.
    
            Bug 24596: ASSERT in JSC::PropertySlot::slotBase @ iGoogle homepage
            <https://bugs.webkit.org/show_bug.cgi?id=24596>
            <rdar://problem/6686493>
    
            JSDOMWindow::customGetOwnPropertySlot() does an access check after calling
            JSGlobalObject::getOwnPropertySlot(). This causes the PropertySlot to be
            set twice, once to the value that is illegal to access, and then to undefined.
            This causes an assertion failure in property access caching code.
    
            The fix is to do the access check before calling JSGlobalObject::getOwnPropertySlot().
    
            WebCore:
    
            * bindings/js/JSDOMWindowCustom.h:
            (WebCore::JSDOMWindow::customGetOwnPropertySlot):
    
            LayoutTests:
    
            * http/tests/security/cross-frame-access-get-custom-property-cached-expected.txt: Added.
            * http/tests/security/cross-frame-access-get-custom-property-cached.html: Added.
            * http/tests/security/resources/cross-frame-access-get-custom-property-cached-iframe.html: Added.
            * http/tests/security/resources/cross-frame-access.js:
            (shouldBeUndefined):
    
    
    git-svn-id: http://svn.webkit.org/repository/webkit/trunk@41826 268f45cc-cd09-0410-ab3c-d52691b4dbfc
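
The ordering problem the commit message describes, as an added C++ sketch that is not WebKit's code. `Slot`, `Window`, `lookupThenCheck` and `checkThenLookup` are hypothetical simplified stand-ins, and counting writes to the slot stands in for the assertion in the property access caching code.

```cpp
#include <iostream>
#include <map>
#include <string>

// Hypothetical stand-in for a property slot: counts writes so a double set is visible.
struct Slot {
    std::string value;
    bool isUndefined = true;
    int timesSet = 0;
    void setValue(const std::string& v) { value = v; isUndefined = false; ++timesSet; }
    void setUndefined() { value.clear(); isUndefined = true; ++timesSet; }
};

// Hypothetical stand-in for a window object with own properties and an origin.
struct Window {
    std::string origin;
    std::map<std::string, std::string> props;
    bool allowsAccessFrom(const std::string& caller) const { return caller == origin; }
    bool baseLookup(const std::string& name, Slot& slot) const {
        std::map<std::string, std::string>::const_iterator it = props.find(name);
        if (it == props.end()) return false;
        slot.setValue(it->second);  // the slot now holds the real value
        return true;
    }
};

// Ordering described as the bug: lookup first, access check afterwards.
bool lookupThenCheck(const Window& w, const std::string& caller,
                     const std::string& name, Slot& slot) {
    if (!w.baseLookup(name, slot)) return false;
    if (!w.allowsAccessFrom(caller)) slot.setUndefined();  // second write to the slot
    return true;
}

// Ordering described as the fix: access check first, lookup only when allowed.
bool checkThenLookup(const Window& w, const std::string& caller,
                     const std::string& name, Slot& slot) {
    if (!w.allowsAccessFrom(caller)) { slot.setUndefined(); return true; }  // single write
    return w.baseLookup(name, slot);
}

int main() {
    Window w;  // constructed sample data
    w.origin = "https://a.example";
    w.props["customProperty"] = "secret";
    Slot before, after;
    lookupThenCheck(w, "https://b.example", "customProperty", before);
    checkThenLookup(w, "https://b.example", "customProperty", after);
    std::cout << "lookup-then-check writes: " << before.timesSet
              << ", check-then-lookup writes: " << after.timesSet << "\n";
}
```

Both orderings end with the slot undefined for the cross-origin caller; only the second never places the inaccessible value in the slot at all.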