Changeset 90614 in webkit


Timestamp:
Jul 8, 2011 3:12:56 AM (13 years ago)
Author:
yurys@chromium.org
Message:

Web Inspector: typing undefined = 1 in console crashes browser
https://bugs.webkit.org/show_bug.cgi?id=64155

Source/WebCore:

Do not access undefined value directly when producing JSON objects as undefined
may be overridden by the inspected page.

Reviewed by Pavel Feldman.

Test: inspector/console/console-eval-undefined-override.html

  • inspector/InjectedScriptSource.js:

(.):
():

LayoutTests:

Reviewed by Pavel Feldman.

  • inspector/console/console-eval-undefined-override-expected.txt: Added.
  • inspector/console/console-eval-undefined-override.html: Added.
  • platform/chromium/inspector/console/console-eval-undefined-override-expected.txt: Added.
Location:
trunk
Files:
3 added
3 edited
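
The failure mode the commit message describes, as an added example that is not part of the changeset or of WebKit's code: `undefined` is an ordinary identifier that a scope can rebind, so a value built from it can end up in serialized JSON. The function name and the sample input are constructed, and the page's override is simulated by shadowing `undefined` with a parameter, since current engines make the global binding read-only.

```javascript
// Added example (not WebKit code). describeInOverriddenScope is a
// hypothetical helper; its second parameter shadows `undefined` to stand in
// for a page that has executed `undefined = 1`.
function describeInOverriddenScope(object, undefined) {
    var isObjectLike = typeof object === "object" || typeof object === "function";

    // Pattern removed by the changeset: reads whatever `undefined` is bound to.
    var explicit = isObjectLike ? "Object" : undefined;

    // Pattern added by the changeset: a declared but unassigned variable
    // holds the real undefined value, whatever the identifier is bound to.
    var uninitialized;
    if (isObjectLike)
        uninitialized = "Object";

    // Alternative: `void` is an operator and always yields undefined.
    var viaVoid = isObjectLike ? "Object" : void 0;

    // JSON.stringify omits properties whose value is undefined, so the
    // overridden value shows up as an extra property in the output.
    return {
        explicit: JSON.stringify({ className: explicit }),
        uninitialized: JSON.stringify({ className: uninitialized }),
        viaVoid: JSON.stringify({ className: viaVoid })
    };
}

// Constructed input: a primitive, so className should be absent.
var result = describeInOverriddenScope(42, 1);
console.log(result);
```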

  • trunk/LayoutTests/ChangeLog

    r90613 r90614  
     12011-07-08  Yury Semikhatsky  <yurys@chromium.org>
     2
     3        Web Inspector: typing undefined = 1 in console crashes browser
     4        https://bugs.webkit.org/show_bug.cgi?id=64155
     5
     6        Reviewed by Pavel Feldman.
     7
     8        * inspector/console/console-eval-undefined-override-expected.txt: Added.
     9        * inspector/console/console-eval-undefined-override.html: Added.
     10        * platform/chromium/inspector/console/console-eval-undefined-override-expected.txt: Added.
     11
    1122011-07-08  Andrey Kosyakov  <caseq@chromium.org>
    213
  • trunk/Source/WebCore/ChangeLog

    r90603 r90614  
     12011-07-08  Yury Semikhatsky  <yurys@chromium.org>
     2
     3        Web Inspector: typing undefined = 1 in console crashes browser
     4        https://bugs.webkit.org/show_bug.cgi?id=64155
     5
     6        Do not access undefined value directly when producing JSON objects as undefined
     7        may be overriden by the inspected page.
     8
     9        Reviewed by Pavel Feldman.
     10
     11        Test: inspector/console/console-eval-undefined-override.html
     12
     13        * inspector/InjectedScriptSource.js:
     14        (.):
     15        ():
     16
    1172011-07-07  Emil A Eklund  <eae@chromium.org>
    218
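Review bot: The two function entries under inspector/InjectedScriptSource.js on ChangeLog lines 14 and 15 read `(.):` and `():`, so they name no function. Replace them with the names of the functions touched in InjectedScriptSource.js, or drop them, so the entry records where the change landed.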
  • trunk/Source/WebCore/inspector/InjectedScriptSource.js

    r89429 r90614  
    190190        if (!expressionLength) {
    191191            delete object[propertyName];
    192             return propertyName in object ? "Cound not delete property." : undefined;
     192            // Avoid explicit assignment to undefined as its value can be overriden (see crbug.com/88414).
     193            var result;
     194            if (propertyName in object)
     195                result = "Cound not delete property.";
     196            return result;
    193197        }
    194198
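Review bot: New line 195 carries over the typo from the removed line 192: "Cound not delete property." should read "Could not delete property.", and "overriden" in the added comment on line 192 should be "overridden". The comment cites crbug.com/88414 while the commit message cites bugs.webkit.org 64155; citing the WebKit bug as well keeps the reference in the project's own tracker. If a single return statement is preferred, `void 0` in place of `undefined` in the original ternary does not depend on the identifier's binding either.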
     
    449453    var rawType = typeof object;
    450454    var hasChildren = (rawType === "object" && object !== null && (!!Object.getOwnPropertyNames(object).length || !!object.__proto__)) || rawType === "function";
    451     var className = typeof object === "object" || typeof object === "function" ? InjectedScriptHost.internalConstructorName(object) : undefined;
     455    var className;
     456    // Avoid explicit assignment to undefined as its value can be overriden (see crbug.com/88414).
     457    if (typeof object === "object" || typeof object === "function")
     458        className = InjectedScriptHost.internalConstructorName(object);
    452459    var description = injectedScript._describe(object);
    453460    return new InjectedScript.RemoteObject(objectId, type, className, description, hasChildren);
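Review bot: The condition on new line 457 evaluates `typeof object` twice although `rawType` already holds that value from line 453; `if (rawType === "object" || rawType === "function")` expresses the same check and matches the `hasChildren` line above it. The explanatory comment also sits after `var className;` here but before `var result;` in the earlier hunk; place it above the declaration in both.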