[webkit-dev] Question about Constructors in WebKit JS Bindings

Drew Wilson atwilson at google.com
Thu Jul 2 22:12:56 PDT 2009


I had another question - I'm looking at JSWorkerConstructor code, but this
pattern exists elsewhere as well:
JSWorkerConstructor::JSWorkerConstructor(ExecState* exec)
    : DOMObject(JSWorkerConstructor::createStructure(exec->lexicalGlobalObject()->objectPrototype()))
{
    putDirect(exec->propertyNames().prototype, JSWorkerPrototype::self(exec, exec->lexicalGlobalObject()), None);
    putDirect(exec->propertyNames().length, jsNumber(exec, 1), ReadOnly|DontDelete|DontEnum);
}

What is the purpose of the second putDirect() call? I don't see this in
other constructors like JSXMLHttpRequestConstructor, but I do see it in
things like JSOptionConstructor and JSAudioConstructor.

At first I thought it was just some kind of copy/paste error, but now I'm
not so sure given how many files it's found in.

-atw
On Tue, Jun 23, 2009 at 5:14 PM, Adam Barth <abarth at webkit.org> wrote:

> [+sam]
>
> On Tue, Jun 23, 2009 at 5:11 PM, Drew Wilson <atwilson at google.com> wrote:
> > On Tue, Jun 23, 2009 at 4:53 PM, Maciej Stachowiak <mjs at apple.com> wrote:
> >> Also, there might be a subtle bug in the above code: what if window.Worker
> >> is first accessed from a different frame? Then the prototype of the Worker
> >> constructor itself will use the other frame's Object prototype as its
> >> prototype. I'm not sure if that is right. I think maybe JSWorkerConstructor
> >> should be passed the global object from which it is retrieved as a property,
> >> instead of using the lexical global object.
> >
> > Good catch. This bug seems to be in all our custom generated constructors.
>
> Yes.  This has caused us headaches (e.g., security bugs) in the past.
>
> Adam
>