[webkit-reviews] review denied: [Bug 86991] REGRESSION r110315: [V8] Event handler throws TypeError for an input element with name="arguments" : [Attachment 143142] Patch
bugzilla-daemon at webkit.org
bugzilla-daemon at webkit.org
Mon May 21 17:33:14 PDT 2012
Erik Arvidsson <arv at chromium.org> has denied review:
Bug 86991: REGRESSION r110315: [V8] Event handler throws TypeError for an input
element with name="arguments"
https://bugs.webkit.org/show_bug.cgi?id=86991
Attachment 143142: Patch
https://bugs.webkit.org/attachment.cgi?id=143142&action=review
------- Additional Comments from Erik Arvidsson <arv at chromium.org>
View in context: https://bugs.webkit.org/attachment.cgi?id=143142&action=review
> Source/WebCore/bindings/v8/V8LazyEventListener.cpp:150
> + code.append("\n};}}}}).call(arguments);})");
This should not use call here since someone might have replaced
Function.prototype.call. See Vyacheslav Egorov latest code:
// call with 4 arguments instead of 3, pass additional null as last parameter
(function () {
// by calling this function with 4 arguments we created a setter on arguments
object
// which would shadow property "3" on the prototype.
arguments[3] = function () {
with (this[2]) { with (this[1]) { with (this[0]) {
return function (<evt_name>) { <listener body> };
} } }
};
return arguments[3]();
});
More information about the webkit-reviews
mailing list