Changeset 31890 in webkit

Timestamp:

Apr 14, 2008 4:46:40 PM (16 years ago)

Author:

Adam Roben

Message:

Don't let the inspected page overwrite properties of JS objects in the Inspector

<​https://bugs.webkit.org/show_bug.cgi?id=16011>
<rdar://problem/5604409>

<​https://bugs.webkit.org/show_bug.cgi?id=16837>
<rdar://problem/5813850>

Reviewed by Sam Weinig and Geoff Garen.

Tests (contributed by Adam Barth and Collin Jackson):
manual-tests/inspector-wrappers

• GNUmakefile.am:
• WebCore.pro:
• WebCore.vcproj/WebCore.vcproj:
• WebCore.xcodeproj/project.pbxproj:
• WebCoreSources.bkl: Added new files to the projects.

• bindings/js/JSQuarantinedObjectWrapper.cpp: Added. (WebCore::): (WebCore::JSQuarantinedObjectWrapper::asWrapper): Converts a JSValue into a JSQuarantinedObjectWrapper, if the JSValue is in fact a JSQuarantinedObjectWrapper. (WebCore::JSQuarantinedObjectWrapper::cachedValueGetter): Callback to be used with PropertySlot. (WebCore::JSQuarantinedObjectWrapper::JSQuarantinedObjectWrapper): Hold onto the object we're wrapping and its global object. Pass the wrapped prototype up to the JSObject constructor. (WebCore::JSQuarantinedObjectWrapper::~JSQuarantinedObjectWrapper): (WebCore::JSQuarantinedObjectWrapper::unwrappedExecStateMatches): Returns true if our underlying object originated from the same global object as the passed-in ExecState. (WebCore::JSQuarantinedObjectWrapper::unwrappedExecState): (WebCore::JSQuarantinedObjectWrapper::transferExceptionToExecState): Wraps and moves an exception from our underlying ExecState to the passed-in one. (WebCore::JSQuarantinedObjectWrapper::mark): Marks ourselves and the objects we're holding references to.

(WebCore::JSQuarantinedObjectWrapper::getOwnPropertySlot):
(WebCore::JSQuarantinedObjectWrapper::put):
(WebCore::JSQuarantinedObjectWrapper::deleteProperty):
(WebCore::JSQuarantinedObjectWrapper::implementsConstruct):
(WebCore::JSQuarantinedObjectWrapper::construct):
(WebCore::JSQuarantinedObjectWrapper::implementsHasInstance):
(WebCore::JSQuarantinedObjectWrapper::hasInstance):
(WebCore::JSQuarantinedObjectWrapper::implementsCall):
(WebCore::JSQuarantinedObjectWrapper::callAsFunction):
(WebCore::JSQuarantinedObjectWrapper::getPropertyNames):
JSObject overrides. These each check the appropriate permission before
allowing the call to proceed. We wrap all outgoing values using
m_wrapOutgoingValue, and we prepare all incoming values with the
virtual prepareIncomingValue function. If an exception is raised when
calling the underlying object, we transfer the exception in wrapped
form to the passed-in ExecState.

• bindings/js/JSQuarantinedObjectWrapper.h: Added. (WebCore::JSQuarantinedObjectWrapper::unwrappedObject): (WebCore::JSQuarantinedObjectWrapper::className): We return the underlying object's class name so that we can successfully masquerade as that underlying object when, e.g., Object.prototype.toString is called on us. (WebCore::JSQuarantinedObjectWrapper::classInfo):

(WebCore::JSQuarantinedObjectWrapper::allowsGetProperty):
(WebCore::JSQuarantinedObjectWrapper::allowsSetProperty):
(WebCore::JSQuarantinedObjectWrapper::allowsDeleteProperty):
(WebCore::JSQuarantinedObjectWrapper::allowsConstruct):
(WebCore::JSQuarantinedObjectWrapper::allowsHasInstance):
(WebCore::JSQuarantinedObjectWrapper::allowsCallAsFunction):
(WebCore::JSQuarantinedObjectWrapper::allowsGetPropertyNames):
These virtual methods let subclasses define the allowed operations on
the wrapped object. By default all operations are disabled.

• bindings/js/JSInspectedObjectWrapper.cpp: Added. This subclass of JSQuarantinedObjectWrapper is used to wrap objects from the inspected page being passed to the Inspector. (WebCore::wrappers): (WebCore::): (WebCore::JSInspectedObjectWrapper::wrap): Wraps the passed-in object if needed and returns the wrapper. If this object has been wrapped previously we'll return the old wrapper rather than make a new one. (WebCore::JSInspectedObjectWrapper::JSInspectedObjectWrapper): Add ourselves to the wrapper map. (WebCore::JSInspectedObjectWrapper::~JSInspectedObjectWrapper): Remove ourselves from the wrapper map. (WebCore::JSInspectedObjectWrapper::prepareIncomingValue): Ensure that any objects passed to the inspected object are either wrappers around objects from the inspected page (in which case we unwrap them so that the inspected page never sees the wrapper), or wrapped callbacks from the Inspector.
• bindings/js/JSInspectedObjectWrapper.h: Added. (WebCore::JSInspectedObjectWrapper::classInfo): (WebCore::JSInspectedObjectWrapper::allowsGetProperty): (WebCore::JSInspectedObjectWrapper::allowsSetProperty): (WebCore::JSInspectedObjectWrapper::allowsDeleteProperty): (WebCore::JSInspectedObjectWrapper::allowsConstruct): (WebCore::JSInspectedObjectWrapper::allowsHasInstance): (WebCore::JSInspectedObjectWrapper::allowsCallAsFunction): (WebCore::JSInspectedObjectWrapper::allowsGetPropertyNames): These all return true so that the Inspector can use objects from the inspected page however it needs. (WebCore::JSInspectedObjectWrapper::wrapOutgoingValue): Wrap all outgoing values as JSInspectedObjectWrappers.

• bindings/js/JSInspectorCallbackWrapper.cpp: Added. This subclass of JSQuarantinedObjectWrapper is used to wrap callbacks that the Inspector passes to the inspected page (e.g., for event listeners or client-side storage callbacks). (WebCore::wrappers): (WebCore::): (WebCore::JSInspectorCallbackWrapper::wrap): Wraps the passed-in object if needed and returns the wrapper. If this object has been wrapped previously we'll return the old wrapper rather than make a new one. (WebCore::JSInspectorCallbackWrapper::JSInspectorCallbackWrapper): Add ourselves to the wrapper map. (WebCore::JSInspectorCallbackWrapper::~JSInspectorCallbackWrapper): Remove ourselves from the wrapper map. (WebCore::JSInspectorCallbackWrapper::prepareIncomingValue): Ensure that values passed from the inspected page to an Inspector callback are wrapped in JSInspectedObjectWrappers. We also allow the inspected page to pass ourselves in (which will happen in the case of a client-side storage callback, where the callback itself is passed as the this object). In this case we unwrap ourselves so that the Inspector doesn't have to deal with the wrapper.
• bindings/js/JSInspectorCallbackWrapper.h: Added. (WebCore::JSInspectorCallbackWrapper::classInfo): (WebCore::JSInspectorCallbackWrapper::allowsCallAsFunction): This is the only allowed operation on a JSInspectorCallbackWrapper. (WebCore::JSInspectorCallbackWrapper::wrapOutgoingValue): Wrap all outgoing values as JSInspectorCallbackWrappers.

• page/InspectorController.cpp: (WebCore::getResourceDocumentNode): Wrap the Document before passing it to the Inspector. (WebCore::highlightDOMNode): Unwrap the Node that the Inspector passed to us. (WebCore::databaseTableNames): Unwrap the Database that the Inspector passed to us. (WebCore::inspectedWindow): Wrap the Window before passing it to the Inspector. (WebCore::InspectorController::focusNode): Wrap the Node before passing it to the Inspector. (WebCore::wrapCallback): Wraps the passed-in callback in a JSInspectorCallbackWrapper. (WebCore::InspectorController::addDatabaseScriptResource): Wrap the Database beore pasing it to the Inspector. (WebCore::InspectorController::windowScriptObjectAvailable): Add the new wrapCallback function to the InspectorController JS object.

• page/inspector/ElementsPanel.js: (WebInspector.ElementsPanel.reset): Wrap the contentLoaded callback.

• page/inspector/DatabaseQueryView.js: (WebInspector.DatabaseQueryView._enterKeyPressed):
• page/inspector/DatabaseTableView.js: (WebInspector.DatabaseTableView.update): Pass null instead of an empty array to executeSql since we're no longer allowed to pass any unwrapped objects to the inspected page. We now wrap all callbacks being passed to the inspected page using InspectorController.wrapCallback.

Location:

trunk/WebCore

Files:

• ChangeLog (modified) (1 diff)
• GNUmakefile.am (modified) (2 diffs)
• WebCore.pro (modified) (2 diffs)
• WebCore.vcproj/WebCore.vcproj (modified) (6 diffs)
• WebCore.xcodeproj/project.pbxproj (modified) (6 diffs)
• WebCoreSources.bkl (modified) (2 diffs)
• bindings/js/JSInspectedObjectWrapper.cpp (added)
• bindings/js/JSInspectedObjectWrapper.h (added)
• bindings/js/JSInspectorCallbackWrapper.cpp (added)
• bindings/js/JSInspectorCallbackWrapper.h (added)
• bindings/js/JSQuarantinedObjectWrapper.cpp (added)
• bindings/js/JSQuarantinedObjectWrapper.h (added)
• manual-tests/inspector-wrappers (added)
• manual-tests/inspector-wrappers/console-alert-document-body.html (added)
• manual-tests/inspector-wrappers/console-alert-object.html (added)
• manual-tests/inspector-wrappers/console-alert-this.html (added)
• manual-tests/inspector-wrappers/console-eval.html (added)
• manual-tests/inspector-wrappers/console-str-alert-object.html (added)
• manual-tests/inspector-wrappers/console-str-getter.html (added)
• manual-tests/inspector-wrappers/inspector-evaluate.html (added)
• manual-tests/inspector-wrappers/inspector-hasAttributes.html (added)
• manual-tests/inspector-wrappers/inspector-treeElementIdentifier.html (added)
• manual-tests/inspector-wrappers/inspector-wrappers-test-utils.js (added)
• page/InspectorController.cpp (modified) (10 diffs)
• page/inspector/DatabaseQueryView.js (modified) (1 diff)
• page/inspector/DatabaseTableView.js (modified) (1 diff)
• page/inspector/ElementsPanel.js (modified) (1 diff)

trunk/WebCore/ChangeLog

@@ +1 @@
+2008-04-14  Adam Roben  <aroben@apple.com>
+
+        Don't let the inspected page overwrite properties of JS objects in the
+        Inspector
+
+        <https://bugs.webkit.org/show_bug.cgi?id=16011>
+        <rdar://problem/5604409>
+
+        <https://bugs.webkit.org/show_bug.cgi?id=16837>
+        <rdar://problem/5813850>
+
+        Reviewed by Sam Weinig and Geoff Garen.
+
+        Tests (contributed by Adam Barth and Collin Jackson):
+        manual-tests/inspector-wrappers
+
+        * GNUmakefile.am:
+        * WebCore.pro:
+        * WebCore.vcproj/WebCore.vcproj:
+        * WebCore.xcodeproj/project.pbxproj:
+        * WebCoreSources.bkl:
+        Added new files to the projects.
+
+        * bindings/js/JSQuarantinedObjectWrapper.cpp: Added.
+        (WebCore::):
+        (WebCore::JSQuarantinedObjectWrapper::asWrapper): Converts a JSValue
+        into a JSQuarantinedObjectWrapper, if the JSValue is in fact a
+        JSQuarantinedObjectWrapper.
+        (WebCore::JSQuarantinedObjectWrapper::cachedValueGetter): Callback to
+        be used with PropertySlot.
+        (WebCore::JSQuarantinedObjectWrapper::JSQuarantinedObjectWrapper):
+        Hold onto the object we're wrapping and its global object. Pass the
+        wrapped prototype up to the JSObject constructor.
+        (WebCore::JSQuarantinedObjectWrapper::~JSQuarantinedObjectWrapper):
+        (WebCore::JSQuarantinedObjectWrapper::unwrappedExecStateMatches):
+        Returns true if our underlying object originated from the same global
+        object as the passed-in ExecState.
+        (WebCore::JSQuarantinedObjectWrapper::unwrappedExecState):
+        (WebCore::JSQuarantinedObjectWrapper::transferExceptionToExecState):
+        Wraps and moves an exception from our underlying ExecState to the
+        passed-in one.
+        (WebCore::JSQuarantinedObjectWrapper::mark): Marks ourselves and the
+        objects we're holding references to.
+
+        (WebCore::JSQuarantinedObjectWrapper::getOwnPropertySlot):
+        (WebCore::JSQuarantinedObjectWrapper::put):
+        (WebCore::JSQuarantinedObjectWrapper::deleteProperty):
+        (WebCore::JSQuarantinedObjectWrapper::implementsConstruct):
+        (WebCore::JSQuarantinedObjectWrapper::construct):
+        (WebCore::JSQuarantinedObjectWrapper::implementsHasInstance):
+        (WebCore::JSQuarantinedObjectWrapper::hasInstance):
+        (WebCore::JSQuarantinedObjectWrapper::implementsCall):
+        (WebCore::JSQuarantinedObjectWrapper::callAsFunction):
+        (WebCore::JSQuarantinedObjectWrapper::getPropertyNames):
+        JSObject overrides. These each check the appropriate permission before
+        allowing the call to proceed. We wrap all outgoing values using
+        m_wrapOutgoingValue, and we prepare all incoming values with the
+        virtual prepareIncomingValue function. If an exception is raised when
+        calling the underlying object, we transfer the exception in wrapped
+        form to the passed-in ExecState.
+
+        * bindings/js/JSQuarantinedObjectWrapper.h: Added.
+        (WebCore::JSQuarantinedObjectWrapper::unwrappedObject):
+        (WebCore::JSQuarantinedObjectWrapper::className): We return the
+        underlying object's class name so that we can successfully masquerade
+        as that underlying object when, e.g., Object.prototype.toString is
+        called on us.
+        (WebCore::JSQuarantinedObjectWrapper::classInfo):
+
+        (WebCore::JSQuarantinedObjectWrapper::allowsGetProperty):
+        (WebCore::JSQuarantinedObjectWrapper::allowsSetProperty):
+        (WebCore::JSQuarantinedObjectWrapper::allowsDeleteProperty):
+        (WebCore::JSQuarantinedObjectWrapper::allowsConstruct):
+        (WebCore::JSQuarantinedObjectWrapper::allowsHasInstance):
+        (WebCore::JSQuarantinedObjectWrapper::allowsCallAsFunction):
+        (WebCore::JSQuarantinedObjectWrapper::allowsGetPropertyNames):
+        These virtual methods let subclasses define the allowed operations on
+        the wrapped object. By default all operations are disabled.
+
+        * bindings/js/JSInspectedObjectWrapper.cpp: Added. This subclass of
+        JSQuarantinedObjectWrapper is used to wrap objects from the inspected
+        page being passed to the Inspector.
+        (WebCore::wrappers):
+        (WebCore::):
+        (WebCore::JSInspectedObjectWrapper::wrap): Wraps the passed-in object
+        if needed and returns the wrapper. If this object has been wrapped
+        previously we'll return the old wrapper rather than make a new one.
+        (WebCore::JSInspectedObjectWrapper::JSInspectedObjectWrapper): Add
+        ourselves to the wrapper map.
+        (WebCore::JSInspectedObjectWrapper::~JSInspectedObjectWrapper): Remove
+        ourselves from the wrapper map.
+        (WebCore::JSInspectedObjectWrapper::prepareIncomingValue): Ensure that
+        any objects passed to the inspected object are either wrappers around
+        objects from the inspected page (in which case we unwrap them so that
+        the inspected page never sees the wrapper), or wrapped callbacks from
+        the Inspector.
+        * bindings/js/JSInspectedObjectWrapper.h: Added.
+        (WebCore::JSInspectedObjectWrapper::classInfo):
+        (WebCore::JSInspectedObjectWrapper::allowsGetProperty):
+        (WebCore::JSInspectedObjectWrapper::allowsSetProperty):
+        (WebCore::JSInspectedObjectWrapper::allowsDeleteProperty):
+        (WebCore::JSInspectedObjectWrapper::allowsConstruct):
+        (WebCore::JSInspectedObjectWrapper::allowsHasInstance):
+        (WebCore::JSInspectedObjectWrapper::allowsCallAsFunction):
+        (WebCore::JSInspectedObjectWrapper::allowsGetPropertyNames):
+        These all return true so that the Inspector can use objects from the
+        inspected page however it needs.
+        (WebCore::JSInspectedObjectWrapper::wrapOutgoingValue): Wrap all
+        outgoing values as JSInspectedObjectWrappers.
+
+        * bindings/js/JSInspectorCallbackWrapper.cpp: Added. This subclass of
+        JSQuarantinedObjectWrapper is used to wrap callbacks that the
+        Inspector passes to the inspected page (e.g., for event listeners or
+        client-side storage callbacks).
+        (WebCore::wrappers):
+        (WebCore::):
+        (WebCore::JSInspectorCallbackWrapper::wrap): Wraps the passed-in
+        object if needed and returns the wrapper. If this object has been
+        wrapped previously we'll return the old wrapper rather than make a new
+        one.
+        (WebCore::JSInspectorCallbackWrapper::JSInspectorCallbackWrapper): Add
+        ourselves to the wrapper map.
+        (WebCore::JSInspectorCallbackWrapper::~JSInspectorCallbackWrapper):
+        Remove ourselves from the wrapper map.
+        (WebCore::JSInspectorCallbackWrapper::prepareIncomingValue): Ensure
+        that values passed from the inspected page to an Inspector callback
+        are wrapped in JSInspectedObjectWrappers. We also allow the inspected
+        page to pass ourselves in (which will happen in the case of a
+        client-side storage callback, where the callback itself is passed as
+        the `this` object). In this case we unwrap ourselves so that the
+        Inspector doesn't have to deal with the wrapper.
+        * bindings/js/JSInspectorCallbackWrapper.h: Added.
+        (WebCore::JSInspectorCallbackWrapper::classInfo):
+        (WebCore::JSInspectorCallbackWrapper::allowsCallAsFunction):
+        This is the only allowed operation on a JSInspectorCallbackWrapper.
+        (WebCore::JSInspectorCallbackWrapper::wrapOutgoingValue): Wrap all
+        outgoing values as JSInspectorCallbackWrappers.
+
+        * page/InspectorController.cpp:
+        (WebCore::getResourceDocumentNode): Wrap the Document before passing
+        it to the Inspector.
+        (WebCore::highlightDOMNode): Unwrap the Node that the Inspector passed
+        to us.
+        (WebCore::databaseTableNames): Unwrap the Database that the Inspector
+        passed to us.
+        (WebCore::inspectedWindow): Wrap the Window before passing it to the
+        Inspector.
+        (WebCore::InspectorController::focusNode): Wrap the Node before
+        passing it to the Inspector.
+        (WebCore::wrapCallback): Wraps the passed-in callback in a
+        JSInspectorCallbackWrapper.
+        (WebCore::InspectorController::addDatabaseScriptResource): Wrap the
+        Database beore pasing it to the Inspector.
+        (WebCore::InspectorController::windowScriptObjectAvailable): Add the
+        new wrapCallback function to the InspectorController JS object.
+
+        * page/inspector/ElementsPanel.js:
+        (WebInspector.ElementsPanel.reset): Wrap the contentLoaded callback.
+
+        * page/inspector/DatabaseQueryView.js:
+        (WebInspector.DatabaseQueryView._enterKeyPressed):
+        * page/inspector/DatabaseTableView.js:
+        (WebInspector.DatabaseTableView.update):
+        Pass null instead of an empty array to executeSql since we're no
+        longer allowed to pass any unwrapped objects to the inspected page.
+        We now wrap all callbacks being passed to the inspected page using
+        InspectorController.wrapCallback.
+
 2008-04-14  Adam Roben  <aroben@apple.com>
 

trunk/WebCore/GNUmakefile.am

@@ -488 +488 @@
         WebCore/bindings/js/JSHistoryCustom.cpp \
         WebCore/bindings/js/JSImageConstructor.cpp \
+        WebCore/bindings/js/JSInspectedObjectWrapper.cpp \
+        WebCore/bindings/js/JSInspectorCallbackWrapper.cpp \
         WebCore/bindings/js/JSLocationCustom.cpp \
         WebCore/bindings/js/JSEventTargetNode.cpp \
@@ -514 +516 @@
         WebCore/bindings/js/JSNodeIteratorCustom.cpp \
         WebCore/bindings/js/JSNodeListCustom.cpp \
+        WebCore/bindings/js/JSQuarantinedObjectWrapper.cpp \
         WebCore/bindings/js/JSRGBColor.cpp \
         WebCore/bindings/js/JSPluginArrayCustom.cpp \

trunk/WebCore/WebCore.pro

@@ -436 +436 @@
     bindings/js/JSHTMLSelectElementCustom.cpp \
     bindings/js/JSImageConstructor.cpp \
+    bindings/js/JSInspectedObjectWrapper.cpp \
+    bindings/js/JSInspectorCallbackWrapper.cpp \
     bindings/js/JSLocationCustom.cpp \
     bindings/js/JSNamedNodeMapCustom.cpp \
@@ -445 +447 @@
     bindings/js/JSNodeIteratorCustom.cpp \
     bindings/js/JSNodeListCustom.cpp \
+    bindings/js/JSQuarantinedObjectWrapper.cpp \
     bindings/js/JSRGBColor.cpp \
     bindings/js/JSStyleSheetCustom.cpp \

trunk/WebCore/WebCore.vcproj/WebCore.vcproj

@@ -3522 +3522 @@
                                 </File>
                                 <File
+                                        RelativePath="..\page\inspector\Database.js"
+                                        >
+                                </File>
+                                <File
+                                        RelativePath="..\page\inspector\DatabaseQueryView.js"
+                                        >
+                                </File>
+                                <File
+                                        RelativePath="..\page\inspector\DatabasesPanel.js"
+                                        >
+                                </File>
+                                <File
+                                        RelativePath="..\page\inspector\DatabaseTableView.js"
+                                        >
+                                </File>
+                                <File
+                                        RelativePath="..\page\inspector\ElementsPanel.js"
+                                        >
+                                </File>
+                                <File
+                                        RelativePath="..\page\inspector\FontView.js"
+                                        >
+                                </File>
+                                <File
+                                        RelativePath="..\page\inspector\ImageView.js"
+                                        >
+                                </File>
+                                <File
+                                        RelativePath="..\page\inspector\inspector.css"
+                                        >
+                                </File>
+                                <File
+                                        RelativePath="..\page\inspector\inspector.html"
+                                        >
+                                </File>
+                                <File
+                                        RelativePath="..\page\inspector\inspector.js"
+                                        >
+                                </File>
+                                <File
+                                        RelativePath="..\page\inspector\MetricsSidebarPane.js"
+                                        >
+                                </File>
+                                <File
+                                        RelativePath="..\page\inspector\Panel.js"
+                                        >
+                                </File>
+                                <File
+                                        RelativePath="..\page\inspector\PropertiesSection.js"
+                                        >
+                                </File>
+                                <File
+                                        RelativePath="..\page\inspector\PropertiesSidebarPane.js"
+                                        >
+                                </File>
+                                <File
+                                        RelativePath="..\page\inspector\Resource.js"
+                                        >
+                                </File>
+                                <File
+                                        RelativePath="..\page\inspector\ResourceCategory.js"
+                                        >
+                                </File>
+                                <File
+                                        RelativePath="..\page\inspector\ResourcesPanel.js"
+                                        >
+                                </File>
+                                <File
+                                        RelativePath="..\page\inspector\ResourceView.js"
+                                        >
+                                </File>
+                                <File
+                                        RelativePath="..\page\inspector\SidebarPane.js"
+                                        >
+                                </File>
+                                <File
+                                        RelativePath="..\page\inspector\SidebarTreeElement.js"
+                                        >
+                                </File>
+                                <File
+                                        RelativePath="..\page\inspector\SourceView.js"
+                                        >
+                                </File>
+                                <File
+                                        RelativePath="..\page\inspector\StylesSidebarPane.js"
+                                        >
+                                </File>
+                                <File
                                         RelativePath="..\page\inspector\TextPrompt.js"
                                         >
                                 </File>
                                 <File
-                                        RelativePath="..\page\inspector\Database.js"
-                                        >
-                                </File>
-                                <File
-                                        RelativePath="..\page\inspector\DatabasesPanel.js"
+                                        RelativePath="..\page\inspector\treeoutline.js"
+                                        >
+                                </File>
+                                <File
+                                        RelativePath="..\page\inspector\utilities.js"
                                         >
                                 </File>
                                 <File
                                         RelativePath="..\page\inspector\View.js"
-                                        >
-                                </File>
-                                <File
-                                        RelativePath="..\page\inspector\DatabaseTableView.js"
-                                        >
-                                </File>
-                                <File
-                                        RelativePath="..\page\inspector\DatabaseQueryView.js"
-                                        >
-                                </File>
-                                <File
-                                        RelativePath="..\page\inspector\ElementsPanel.js"
-                                        >
-                                </File>
-                                <File
-                                        RelativePath="..\page\inspector\FontView.js"
-                                        >
-                                </File>
-                                <File
-                                        RelativePath="..\page\inspector\ImageView.js"
-                                        >
-                                </File>
-                                <File
-                                        RelativePath="..\page\inspector\inspector.css"
-                                        >
-                                </File>
-                                <File
-                                        RelativePath="..\page\inspector\inspector.html"
-                                        >
-                                </File>
-                                <File
-                                        RelativePath="..\page\inspector\inspector.js"
-                                        >
-                                </File>
-                                <File
-                                        RelativePath="..\page\inspector\MetricsSidebarPane.js"
-                                        >
-                                </File>
-                                <File
-                                        RelativePath="..\page\inspector\Panel.js"
-                                        >
-                                </File>
-                                <File
-                                        RelativePath="..\page\inspector\PropertiesSection.js"
-                                        >
-                                </File>
-                                <File
-                                        RelativePath="..\page\inspector\PropertiesSidebarPane.js"
-                                        >
-                                </File>
-                                <File
-                                        RelativePath="..\page\inspector\Resource.js"
-                                        >
-                                </File>
-                                <File
-                                        RelativePath="..\page\inspector\ResourceCategory.js"
-                                        >
-                                </File>
-                                <File
-                                        RelativePath="..\page\inspector\ResourcesPanel.js"
-                                        >
-                                </File>
-                                <File
-                                        RelativePath="..\page\inspector\ResourceView.js"
-                                        >
-                                </File>
-                                <File
-                                        RelativePath="..\page\inspector\SidebarPane.js"
-                                        >
-                                </File>
-                                <File
-                                        RelativePath="..\page\inspector\SidebarTreeElement.js"
-                                        >
-                                </File>
-                                <File
-                                        RelativePath="..\page\inspector\SourceView.js"
-                                        >
-                                </File>
-                                <File
-                                        RelativePath="..\page\inspector\StylesSidebarPane.js"
-                                        >
-                                </File>
-                                <File
-                                        RelativePath="..\page\inspector\treeoutline.js"
-                                        >
-                                </File>
-                                <File
-                                        RelativePath="..\page\inspector\utilities.js"
                                         >
                                 </File>
@@ -13295 +13295 @@
                                 </File>
                                 <File
+                                        RelativePath="..\bindings\js\JSInspectedObjectWrapper.cpp"
+                                        >
+                                </File>
+                                <File
+                                        RelativePath="..\bindings\js\JSInspectedObjectWrapper.h"
+                                        >
+                                </File>
+                                <File
+                                        RelativePath="..\bindings\js\JSInspectorCallbackWrapper.cpp"
+                                        >
+                                </File>
+                                <File
+                                        RelativePath="..\bindings\js\JSInspectorCallbackWrapper.h"
+                                        >
+                                </File>
+                                <File
                                         RelativePath="..\bindings\js\JSLocationCustom.cpp"
                                         >
@@ -13348 +13364 @@
                                 <File
                                         RelativePath="..\bindings\js\JSPluginCustom.cpp"
+                                        >
+                                </File>
+                                <File
+                                        RelativePath="..\bindings\js\JSQuarantinedObjectWrapper.cpp"
+                                        >
+                                </File>
+                                <File
+                                        RelativePath="..\bindings\js\JSQuarantinedObjectWrapper.h"
                                         >
                                 </File>
@@ -14751 +14775 @@
                                 >
                                 <File
-                                    RelativePath="..\svg\animation\SMILTime.cpp"
-                                    >
-                                </File>
-                                <File
-                                    RelativePath="..\svg\animation\SMILTime.h"
-                                    >
-                                </File>
-                                <File
-                                    RelativePath="..\svg\animation\SMILTimeContainer.cpp"
-                                    >
-                                </File>
-                                <File
-                                    RelativePath="..\svg\animation\SMILTimeContainer.h"
-                                    >
-                                </File>
-                                <File
-                                    RelativePath="..\svg\animation\SVGSMILElement.cpp"
-                                    >
-                                </File>
-                                <File
-                                    RelativePath="..\svg\animation\SVGSMILElement.h"
-                                    >
-                                </File>
-            </Filter>
+                                        RelativePath="..\svg\animation\SMILTime.cpp"
+                                        >
+                                </File>
+                                <File
+                                        RelativePath="..\svg\animation\SMILTime.h"
+                                        >
+                                </File>
+                                <File
+                                        RelativePath="..\svg\animation\SMILTimeContainer.cpp"
+                                        >
+                                </File>
+                                <File
+                                        RelativePath="..\svg\animation\SMILTimeContainer.h"
+                                        >
+                                </File>
+                                <File
+                                        RelativePath="..\svg\animation\SVGSMILElement.cpp"
+                                        >
+                                </File>
+                                <File
+                                        RelativePath="..\svg\animation\SVGSMILElement.h"
+                                        >
+                                </File>
+                        </Filter>
                         <Filter
                                 Name="graphics"
@@ -15840 +15864 @@
                         </File>
                         <File
+                                RelativePath="..\storage\SessionStorage.cpp"
+                                >
+                        </File>
+                        <File
+                                RelativePath="..\storage\SessionStorage.h"
+                                >
+                        </File>
+                        <File
                                 RelativePath="..\storage\SQLCallback.h"
                                 >
@@ -15925 +15957 @@
                         <File
                                 RelativePath="..\storage\StorageMap.h"
-                                >
-                        </File>
-                        <File
-                                RelativePath="..\storage\SessionStorage.cpp"
-                                >
-                        </File>
-                        <File
-                                RelativePath="..\storage\SessionStorage.h"
                                 >
                         </File>

trunk/WebCore/WebCore.xcodeproj/project.pbxproj

@@ -3827 +3827 @@
                 C02B14C30D81E02A00D8A970 /* JavaScriptDebugServer.cpp in Sources */ = {isa = PBXBuildFile; fileRef = C02B14C00D81E02A00D8A970 /* JavaScriptDebugServer.cpp */; };
                 C02B14C40D81E02A00D8A970 /* JavaScriptDebugServer.h in Headers */ = {isa = PBXBuildFile; fileRef = C02B14C10D81E02A00D8A970 /* JavaScriptDebugServer.h */; };
+                C091588A0DB4209200E55AF4 /* JSInspectedObjectWrapper.cpp in Sources */ = {isa = PBXBuildFile; fileRef = C09158840DB4209200E55AF4 /* JSInspectedObjectWrapper.cpp */; };
+                C091588B0DB4209200E55AF4 /* JSInspectedObjectWrapper.h in Headers */ = {isa = PBXBuildFile; fileRef = C09158850DB4209200E55AF4 /* JSInspectedObjectWrapper.h */; };
+                C091588C0DB4209200E55AF4 /* JSInspectorCallbackWrapper.cpp in Sources */ = {isa = PBXBuildFile; fileRef = C09158860DB4209200E55AF4 /* JSInspectorCallbackWrapper.cpp */; };
+                C091588D0DB4209200E55AF4 /* JSInspectorCallbackWrapper.h in Headers */ = {isa = PBXBuildFile; fileRef = C09158870DB4209200E55AF4 /* JSInspectorCallbackWrapper.h */; };
+                C091588E0DB4209200E55AF4 /* JSQuarantinedObjectWrapper.cpp in Sources */ = {isa = PBXBuildFile; fileRef = C09158880DB4209200E55AF4 /* JSQuarantinedObjectWrapper.cpp */; };
+                C091588F0DB4209200E55AF4 /* JSQuarantinedObjectWrapper.h in Headers */ = {isa = PBXBuildFile; fileRef = C09158890DB4209200E55AF4 /* JSQuarantinedObjectWrapper.h */; };
                 C6D74AD509AA282E000B0A52 /* ModifySelectionListLevel.h in Headers */ = {isa = PBXBuildFile; fileRef = C6D74AD309AA282E000B0A52 /* ModifySelectionListLevel.h */; };
                 C6D74AE409AA290A000B0A52 /* ModifySelectionListLevel.cpp in Sources */ = {isa = PBXBuildFile; fileRef = C6D74AE309AA290A000B0A52 /* ModifySelectionListLevel.cpp */; };
@@ -8095 +8101 @@
                 C02B14C00D81E02A00D8A970 /* JavaScriptDebugServer.cpp */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.cpp.cpp; path = JavaScriptDebugServer.cpp; sourceTree = "<group>"; };
                 C02B14C10D81E02A00D8A970 /* JavaScriptDebugServer.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; path = JavaScriptDebugServer.h; sourceTree = "<group>"; };
+                C09158840DB4209200E55AF4 /* JSInspectedObjectWrapper.cpp */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.cpp.cpp; path = JSInspectedObjectWrapper.cpp; sourceTree = "<group>"; };
+                C09158850DB4209200E55AF4 /* JSInspectedObjectWrapper.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; path = JSInspectedObjectWrapper.h; sourceTree = "<group>"; };
+                C09158860DB4209200E55AF4 /* JSInspectorCallbackWrapper.cpp */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.cpp.cpp; path = JSInspectorCallbackWrapper.cpp; sourceTree = "<group>"; };
+                C09158870DB4209200E55AF4 /* JSInspectorCallbackWrapper.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; path = JSInspectorCallbackWrapper.h; sourceTree = "<group>"; };
+                C09158880DB4209200E55AF4 /* JSQuarantinedObjectWrapper.cpp */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.cpp.cpp; path = JSQuarantinedObjectWrapper.cpp; sourceTree = "<group>"; };
+                C09158890DB4209200E55AF4 /* JSQuarantinedObjectWrapper.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; path = JSQuarantinedObjectWrapper.h; sourceTree = "<group>"; };
                 C6D74AD309AA282E000B0A52 /* ModifySelectionListLevel.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; path = ModifySelectionListLevel.h; sourceTree = "<group>"; };
                 C6D74AE309AA290A000B0A52 /* ModifySelectionListLevel.cpp */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.cpp.cpp; path = ModifySelectionListLevel.cpp; sourceTree = "<group>"; };
@@ -11927 +11939 @@
                                 A826E8AD0A1A8F2300CD1BB6 /* JSHTMLOptionElementConstructor.cpp */,
                                 A826E8AC0A1A8F2300CD1BB6 /* JSHTMLOptionElementConstructor.h */,
+                                C09158840DB4209200E55AF4 /* JSInspectedObjectWrapper.cpp */,
+                                C09158850DB4209200E55AF4 /* JSInspectedObjectWrapper.h */,
+                                C09158860DB4209200E55AF4 /* JSInspectorCallbackWrapper.cpp */,
+                                C09158870DB4209200E55AF4 /* JSInspectorCallbackWrapper.h */,
                                 BC6C49F10D7DBA0500FFA558 /* JSImageConstructor.cpp */,
                                 BC6C49F20D7DBA0500FFA558 /* JSImageConstructor.h */,
@@ -11933 +11949 @@
                                 BCB7735E0C17853D00132BA4 /* JSNodeFilterCondition.cpp */,
                                 BCB7735F0C17853D00132BA4 /* JSNodeFilterCondition.h */,
+                                C09158880DB4209200E55AF4 /* JSQuarantinedObjectWrapper.cpp */,
+                                C09158890DB4209200E55AF4 /* JSQuarantinedObjectWrapper.h */,
                                 BC3452410D7E00EA0016574A /* JSRGBColor.cpp */,
                                 BC3452420D7E00EA0016574A /* JSRGBColor.h */,
@@ -14810 +14828 @@
                                 3744570F0DB05FA500AE0992 /* SVGGlyphMap.h in Headers */,
                                 BCB4F8900DB28DD60039139B /* RenderImageGeneratedContent.h in Headers */,
+                                C091588B0DB4209200E55AF4 /* JSInspectedObjectWrapper.h in Headers */,
+                                C091588D0DB4209200E55AF4 /* JSInspectorCallbackWrapper.h in Headers */,
+                                C091588F0DB4209200E55AF4 /* JSQuarantinedObjectWrapper.h in Headers */,
                         );
                         runOnlyForDeploymentPostprocessing = 0;
@@ -16498 +16519 @@
                                 E4AFD00F0DAF335500F5F55C /* SVGSMILElement.cpp in Sources */,
                                 BCB4F8930DB28E530039139B /* RenderImageGeneratedContent.cpp in Sources */,
+                                C091588A0DB4209200E55AF4 /* JSInspectedObjectWrapper.cpp in Sources */,
+                                C091588C0DB4209200E55AF4 /* JSInspectorCallbackWrapper.cpp in Sources */,
+                                C091588E0DB4209200E55AF4 /* JSQuarantinedObjectWrapper.cpp in Sources */,
                         );
                         runOnlyForDeploymentPostprocessing = 0;

trunk/WebCore/WebCoreSources.bkl

@@ -75 +75 @@
         bindings/js/JSHTMLSelectElementCustom.cpp
         bindings/js/JSImageConstructor.cpp
+        bindings/js/JSInspectedObjectWrapper.cpp
+        bindings/js/JSInspectorCallbackWrapper.cpp
         bindings/js/JSLocationCustom.cpp
         bindings/js/JSMimeTypeArrayCustom.cpp
@@ -87 +89 @@
         bindings/js/JSPluginCustom.cpp
         bindings/js/JSPluginArrayCustom.cpp
+        bindings/js/JSQuarantinedObjectWrapper.cpp
         bindings/js/JSRGBColor.cpp
         bindings/js/JSSQLResultSetRowListCustom.cpp

trunk/WebCore/page/InspectorController.cpp

@@ -46 +46 @@
 #include "InspectorClient.h"
 #include "JSDOMWindow.h"
+#include "JSInspectedObjectWrapper.h"
+#include "JSInspectorCallbackWrapper.h"
 #include "JSNode.h"
 #include "JSRange.h"
@@ -69 +71 @@
 #include "JSDatabase.h"
 #endif
+
+using namespace KJS;
 
 namespace WebCore {
@@ -417 +421 @@
         return undefined;
 
+    ExecState* exec = toJSDOMWindowWrapper(resource->frame.get())->window()->globalExec();
+
     KJS::JSLock lock;
-    JSValueRef documentValue = toRef(toJS(toJSDOMWindowWrapper(frame)->window()->globalExec(), document));
+    JSValueRef documentValue = toRef(JSInspectedObjectWrapper::wrap(exec, toJS(exec, document)));
     return documentValue;
 }
@@ -430 +436 @@
         return undefined;
 
-    Node* node = toNode(toJS(arguments[0]));
+    JSQuarantinedObjectWrapper* wrapper = JSQuarantinedObjectWrapper::asWrapper(toJS(arguments[0]));
+    if (!wrapper)
+        return undefined;
+    Node* node = toNode(wrapper->unwrappedObject());
     if (!node)
         return undefined;
@@ -571 +580 @@
         return JSValueMakeUndefined(ctx);
 
-    Database* database = toDatabase(toJS(arguments[0]));
+    JSQuarantinedObjectWrapper* wrapper = JSQuarantinedObjectWrapper::asWrapper(toJS(arguments[0]));
+    if (!wrapper)
+        return JSValueMakeUndefined(ctx);
+
+    Database* database = toDatabase(wrapper->unwrappedObject());
     if (!database)
         return JSValueMakeUndefined(ctx);
@@ -622 +635 @@
         return JSValueMakeUndefined(ctx);
 
-    return toRef(toJS(toJS(ctx), controller->inspectedPage()->mainFrame()));
+    JSDOMWindow* inspectedWindow = toJSDOMWindow(controller->inspectedPage()->mainFrame());
+    JSLock lock;
+    return toRef(JSInspectedObjectWrapper::wrap(inspectedWindow->globalExec(), inspectedWindow));
 }
 
@@ -687 +702 @@
 }
 
+static JSValueRef wrapCallback(JSContextRef ctx, JSObjectRef /*function*/, JSObjectRef thisObject, size_t argumentCount, const JSValueRef arguments[], JSValueRef* exception)
+{
+    InspectorController* controller = reinterpret_cast<InspectorController*>(JSObjectGetPrivate(thisObject));
+    if (!controller)
+        return JSValueMakeUndefined(ctx);
+
+    if (argumentCount < 1)
+        return JSValueMakeUndefined(ctx);
+
+    JSLock lock;
+    return toRef(JSInspectorCallbackWrapper::wrap(toJS(ctx), toJS(arguments[0])));
+}
+
 #pragma mark -
 #pragma mark InspectorController Class
@@ -786 +814 @@
         return;
 
+    ExecState* exec = toJSDOMWindow(frame)->globalExec();
+
     JSValueRef arg0;
 
     {
         KJS::JSLock lock;
-        arg0 = toRef(toJS(toJSDOMWindow(frame)->globalExec(), m_nodeToFocus.get()));
+        arg0 = toRef(JSInspectedObjectWrapper::wrap(exec, toJS(exec, m_nodeToFocus.get())));
     }
 
@@ -910 +940 @@
         { "platform", platform, kJSPropertyAttributeNone },
         { "moveByUnrestricted", moveByUnrestricted, kJSPropertyAttributeNone },
+        { "wrapCallback", wrapCallback, kJSPropertyAttributeNone },
         { 0, 0, 0 }
     };
@@ -1425 +1456 @@
         return 0;
 
+    ExecState* exec = toJSDOMWindow(frame)->globalExec();
+
     JSValueRef database;
 
     {
         KJS::JSLock lock;
-        database = toRef(toJS(toJSDOMWindow(frame)->globalExec(), resource->database.get()));
+        database = toRef(JSInspectedObjectWrapper::wrap(exec, toJS(exec, resource->database.get())));
     }
 

trunk/WebCore/page/inspector/DatabaseQueryView.js

@@ -143 +143 @@
         function queryTransaction(tx)
         {
-            tx.executeSql(query, [], this._queryFinished.bind(this, query), this._queryError.bind(this, query));
-        }
-
-        this.database.database.transaction(queryTransaction.bind(this), this._queryError.bind(this, query));
+            tx.executeSql(query, null, InspectorController.wrapCallback(this._queryFinished.bind(this, query)), InspectorController.wrapCallback(this._queryError.bind(this, query)));
+        }
+
+        this.database.database.transaction(InspectorController.wrapCallback(queryTransaction.bind(this)), InspectorController.wrapCallback(this._queryError.bind(this, query)));
     },
 

trunk/WebCore/page/inspector/DatabaseTableView.js

@@ -46 +46 @@
         function queryTransaction(tx)
         {
-            tx.executeSql("SELECT * FROM " + this.tableName, [], this._queryFinished.bind(this), this._queryError.bind(this));
+            tx.executeSql("SELECT * FROM " + this.tableName, null, InspectorController.wrapCallback(this._queryFinished.bind(this)), InspectorController.wrapCallback(this._queryError.bind(this)));
         }
 
-        this.database.database.transaction(queryTransaction.bind(this), this._queryError.bind(this));
+        this.database.database.transaction(InspectorController.wrapCallback(queryTransaction.bind(this)), InspectorController.wrapCallback(this._queryError.bind(this)));
     },
 

trunk/WebCore/page/inspector/ElementsPanel.js

@@ -139 +139 @@
 
             var elementsPanel = this;
-            function contentLoaded()
+            var contentLoaded = InspectorController.wrapCallback(function()
             {
                 // This function will be called in the inspected page's context.
                 elementsPanel._domContentLoaded = true;
-            }
+            });
 
             function checkContentLoaded()