[SCM] WebKit Debian packaging branch, webkit-1.1, updated. upstream/1.1.22-985-g3c00f00
ap at apple.com
Wed Mar 17 18:03:39 UTC 2010
The following commit has been merged in the webkit-1.1 branch:
commit 28c4f2af4d31cfd8306c28a3559a1f5bbb7045a2
Author: ap at apple.com <ap at apple.com@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
Date: Fri Feb 26 22:30:19 2010 +0000
Reviewed by Anders Carlsson.
https://bugs.webkit.org/show_bug.cgi?id=35450
Crash when a Java array property accessor raises an exception
Test: java/inaccessible-class.html. Adding with a FAIL result, because this doesn't raise
an exception in Firefox. I don't know what the formally correct behavior is, but it's good
to avoid crashing.
* bridge/jni/jsc/JNIBridgeJSC.cpp: (JavaField::valueFromInstance): Check if the result
is null before interpreting it as an object or array.
git-svn-id: http://svn.webkit.org/repository/webkit/trunk@55315 268f45cc-cd09-0410-ab3c-d52691b4dbfc
diff --git a/LayoutTests/ChangeLog b/LayoutTests/ChangeLog
index e84c691..73009bb 100644
--- a/LayoutTests/ChangeLog
+++ b/LayoutTests/ChangeLog
@@ -1,3 +1,20 @@
+2010-02-26 Alexey Proskuryakov <ap at apple.com>
+
+ Reviewed by Anders Carlsson.
+
+ https://bugs.webkit.org/show_bug.cgi?id=35450
+ Crash when a Java array property accessor raises an exception
+
+ Adding with a FAIL result, because this doesn't raise an exception in Firefox. I don't know
+ what the formally correct behavior is, but it's good to avoid crashing.
+
+ * java/SharedApplet.java:
+ (NonPublicClass):
+ (NonPublicClass.NonPublicClass):
+ (NonPublicClass..SharedApplet.getObjectOfNonPublicClass):
+ * java/inaccessible-class-expected.txt: Added.
+ * java/inaccessible-class.html: Added.
+
2010-02-26 Gavin Barraclough <barraclough at apple.com>
Reviewed by Alexey Proskuryakov.
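Review bot: The function list under java/SharedApplet.java has a malformed entry, `(NonPublicClass..SharedApplet.getObjectOfNonPublicClass)`, which reads like ChangeLog script output that was not cleaned up. The method added in this commit lives in SharedApplet, so the entry should be `(SharedApplet.getObjectOfNonPublicClass)`.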
diff --git a/LayoutTests/java/SharedApplet.java b/LayoutTests/java/SharedApplet.java
index f66acd8..4bcd1f3 100644
--- a/LayoutTests/java/SharedApplet.java
+++ b/LayoutTests/java/SharedApplet.java
@@ -3,6 +3,12 @@ import java.lang.reflect.*;
import java.util.*;
import netscape.javascript.*;
+class NonPublicClass {
+ NonPublicClass() {
+ }
+ public Object arrayField[] = { 5 };
+}
+
public class SharedApplet extends Applet
{
public String objectToString(Object obj) {
@@ -25,6 +31,10 @@ public class SharedApplet extends Applet
return this;
}
+ public NonPublicClass getObjectOfNonPublicClass() {
+ return new NonPublicClass();
+ }
+
public Object testGetProperty(JSObject obj, String propertyName) {
return obj.getMember(propertyName);
}
diff --git a/LayoutTests/java/inaccessible-class-expected.txt b/LayoutTests/java/inaccessible-class-expected.txt
new file mode 100644
index 0000000..36a7d9d
--- /dev/null
+++ b/LayoutTests/java/inaccessible-class-expected.txt
@@ -0,0 +1,4 @@
+Test accessing a field of a non-public class. This may or may not need to work, but it definitely shouldn't crash.
+
+FAIL: Exception raised
+
diff --git a/LayoutTests/java/inaccessible-class.html b/LayoutTests/java/inaccessible-class.html
new file mode 100644
index 0000000..b1f6b51
--- /dev/null
+++ b/LayoutTests/java/inaccessible-class.html
@@ -0,0 +1,37 @@
+<html>
+<head>
+<script>
+if (window.layoutTestController) {
+ layoutTestController.dumpAsText();
+ layoutTestController.overridePreference("WebKitJavaEnabled", "1");
+}
+</script>
+</head>
+<body>
+
+<p>Test accessing a field of a non-public class. This may or may not need to work, but it definitely
+shouldn't crash.</p>
+
+<pre id="console"></pre>
+<applet CODE="SharedApplet.class" NAME="javaTest" WIDTH=150 HEIGHT=25 MAYSCRIPT></applet>
+<script>
+function log(message)
+{
+ document.getElementById("console").innerHTML += message;
+}
+
+try {
+ var result = document.javaTest.getObjectOfNonPublicClass().arrayField[0];
+ if (result == 5)
+ log("PASS");
+ else
+ log("FAIL: result is " + result);
+} catch (ex) {
+ if (window.layoutTestController)
+ log("FAIL: Exception raised");
+ else
+ log(ex);
+}
+</script>
+</body>
+</html>
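Review bot: The test only exercises the array path (`arrayField[0]`), while the commit message says the null check guards the result before it is interpreted "as an object or array". Adding a plain non-array `Object` field to NonPublicClass and reading it here would cover the other branch. Separately, under layoutTestController the catch block replaces the exception with the fixed string "FAIL: Exception raised", so the expected result cannot distinguish this failure from an unrelated exception thrown by the same statement. If the output would stay stable, logging the exception name would tighten that.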
diff --git a/WebCore/ChangeLog b/WebCore/ChangeLog
index 77f0a36..c231b05 100644
--- a/WebCore/ChangeLog
+++ b/WebCore/ChangeLog
@@ -1,3 +1,15 @@
+2010-02-26 Alexey Proskuryakov <ap at apple.com>
+
+ Reviewed by Anders Carlsson.
+
+ https://bugs.webkit.org/show_bug.cgi?id=35450
+ Crash when a Java array property accessor raises an exception
+
+ Test: java/inaccessible-class.html
+
+ * bridge/jni/jsc/JNIBridgeJSC.cpp: (JavaField::valueFromInstance): Check if the result
+ is null before interpreting it as an object or array.
+
2010-02-26 Dirk Schulze <krit at webkit.org>
Reviewed by Nikolas Zimmermann.
diff --git a/WebCore/bridge/jni/jsc/JNIBridgeJSC.cpp b/WebCore/bridge/jni/jsc/JNIBridgeJSC.cpp
index bcc3274..d6aa66f 100644
--- a/WebCore/bridge/jni/jsc/JNIBridgeJSC.cpp
+++ b/WebCore/bridge/jni/jsc/JNIBridgeJSC.cpp
@@ -108,6 +108,9 @@ JSValue JavaField::valueFromInstance(ExecState* exec, const Instance* i) const
jvalue result = dispatchValueFromInstance(exec, instance, "get", "(Ljava/lang/Object;)Ljava/lang/Object;", object_type);
jobject anObject = result.l;
+ if (!anObject)
+ return jsNull();
+
const char* arrayType = type();
if (arrayType[0] == '[')
jsresult = JavaArray::convertJObjectToArray(exec, anObject, arrayType, instance->rootObject());
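Review bot: The new `if (!anObject) return jsNull();` handles two different cases identically: a field whose value really is null, and a `get` dispatch that failed with a Java exception, which is the case named in the bug title. Nothing in this hunk shows where the exception is checked or propagated before the early return, so a short comment saying where it is handled, or an explicit check at this point, would make it clear that the failure is not silently turned into a null value for script.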
--
WebKit Debian packaging