[SCM] WebKit Debian packaging branch, webkit-1.1, updated. upstream/1.1.15.1-1414-gc69ee75

Thu Oct 29 20:38:26 UTC 2009

The following commit has been merged in the webkit-1.1 branch:
commit dc109163a656698561282654593ad90fb7b90c9e
Author: eric at webkit.org <eric at webkit.org@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
Date:   Fri Oct 2 22:15:23 2009 +0000

    2009-10-02  Vitaly Repeshko  <vitalyr at chromium.org>
    
            Reviewed by Dimitri Glazkov.
    
            Test that having infinite recursion in XMLHttpRequest event handler does not crash.
            https://bugs.webkit.org/show_bug.cgi?id=29974
    
            * fast/xmlhttprequest/xmlhttprequest-recursive-sync-event-expected.txt: Added.
            * fast/xmlhttprequest/xmlhttprequest-recursive-sync-event.html: Added.
    2009-10-02  Vitaly Repeshko  <vitalyr at chromium.org>
    
            Reviewed by Dimitri Glazkov.
    
            [V8] Recursion guard for V8Proxy::callFunction.
            Fixes http://crbug.com/23278.
            https://bugs.webkit.org/show_bug.cgi?id=29974
    
            Test: fast/xmlhttprequest/xmlhttprequest-recursive-sync-event.html
    
            * bindings/v8/V8Proxy.cpp:
            (WebCore::V8Proxy::callFunction):
    
    git-svn-id: http://svn.webkit.org/repository/webkit/trunk@49047 268f45cc-cd09-0410-ab3c-d52691b4dbfc

diff --git a/LayoutTests/ChangeLog b/LayoutTests/ChangeLog
index 1d027ba..9c8d471 100644
--- a/LayoutTests/ChangeLog
+++ b/LayoutTests/ChangeLog
@@ -1,3 +1,13 @@
+2009-10-02  Vitaly Repeshko  <vitalyr at chromium.org>
+
+        Reviewed by Dimitri Glazkov.
+
+        Test that having infinite recursion in XMLHttpRequest event handler does not crash.
+        https://bugs.webkit.org/show_bug.cgi?id=29974
+
+        * fast/xmlhttprequest/xmlhttprequest-recursive-sync-event-expected.txt: Added.
+        * fast/xmlhttprequest/xmlhttprequest-recursive-sync-event.html: Added.
+
 2009-10-02  Victor Wang  <victorw at chromium.org>
 
         Reviewed by Adam Barth.
diff --git a/LayoutTests/fast/xmlhttprequest/xmlhttprequest-recursive-sync-event-expected.txt b/LayoutTests/fast/xmlhttprequest/xmlhttprequest-recursive-sync-event-expected.txt
new file mode 100644
index 0000000..2e7d9cd
--- /dev/null
+++ b/LayoutTests/fast/xmlhttprequest/xmlhttprequest-recursive-sync-event-expected.txt
@@ -0,0 +1,6 @@
+CONSOLE MESSAGE: line 0: RangeError: Maximum call stack size exceeded.
+CONSOLE MESSAGE: line 0: RangeError: Maximum call stack size exceeded.
+CONSOLE MESSAGE: line 0: RangeError: Maximum call stack size exceeded.
+This tests that having infinite recursion in XMLHttpRequest event handler does not crash. 
+PASS
+
diff --git a/LayoutTests/fast/xmlhttprequest/xmlhttprequest-recursive-sync-event.html b/LayoutTests/fast/xmlhttprequest/xmlhttprequest-recursive-sync-event.html
new file mode 100644
index 0000000..a2f6508
--- /dev/null
+++ b/LayoutTests/fast/xmlhttprequest/xmlhttprequest-recursive-sync-event.html
@@ -0,0 +1,32 @@
+<html>
+<script>
+function log(s)
+{
+    var logDiv = document.getElementById("log");
+    logDiv.appendChild(document.createTextNode(s));
+    logDiv.appendChild(document.createElement("br"));
+}
+
+function test()
+{
+    if (window.layoutTestController) {
+        layoutTestController.dumpAsText();
+    }
+    var xhr = new XMLHttpRequest();
+    xhr.onreadystatechange = function() {
+        if (xhr.readyState == 4) {
+            xhr.open("GET", "recurse.html", false);
+            xhr.send(null);
+        }
+    };
+    xhr.open("GET", "recurse.html", false);
+    xhr.send(null);
+    log("PASS");
+}
+</script>
+<body onload="test()">
+This tests that having infinite recursion in XMLHttpRequest event handler does not crash.
+<br>
+<div id="log"></div>
+</body>
+</html>
diff --git a/WebCore/ChangeLog b/WebCore/ChangeLog
index 73c140a..4e104d1 100644
--- a/WebCore/ChangeLog
+++ b/WebCore/ChangeLog
@@ -1,3 +1,16 @@
+2009-10-02  Vitaly Repeshko  <vitalyr at chromium.org>
+
+        Reviewed by Dimitri Glazkov.
+
+        [V8] Recursion guard for V8Proxy::callFunction.
+        Fixes http://crbug.com/23278.
+        https://bugs.webkit.org/show_bug.cgi?id=29974
+
+        Test: fast/xmlhttprequest/xmlhttprequest-recursive-sync-event.html
+
+        * bindings/v8/V8Proxy.cpp:
+        (WebCore::V8Proxy::callFunction):
+
 2009-10-02  Brian Weinstein  <bweinstein at apple.com>
 
         Reviewed by Jon Honeycutt.
diff --git a/WebCore/bindings/v8/V8Proxy.cpp b/WebCore/bindings/v8/V8Proxy.cpp
index 2a6dd62..c16e5d3 100644
--- a/WebCore/bindings/v8/V8Proxy.cpp
+++ b/WebCore/bindings/v8/V8Proxy.cpp
@@ -417,6 +417,17 @@ v8::Local<v8::Value> V8Proxy::callFunction(v8::Handle<v8::Function> function, v8
     {
         V8ConsoleMessage::Scope scope;
 
+        if (m_recursion >= kMaxRecursionDepth) {
+            v8::Local<v8::String> code = v8::String::New("throw new RangeError('Maximum call stack size exceeded.')");
+            if (code.IsEmpty())
+                return result;
+            v8::Local<v8::Script> script = v8::Script::Compile(code);
+            if (script.IsEmpty())
+                return result;
+            script->Run();
+            return result;
+        }
+
         // Evaluating the JavaScript could cause the frame to be deallocated,
         // so we start the keep alive timer here.
         // Frame::keepAlive method adds the ref count of the frame and sets a

-- 
WebKit Debian packaging

