<html>
    <head>
      <base href="https://bugs.webkit.org/" />
    </head>
    <body><table border="1" cellspacing="0" cellpadding="8">
        <tr>
          <th>Bug ID</th>
          <td><a class="bz_bug_link 
          bz_status_NEW "
   title="NEW - toJSDOMWindow() does not handle objects that descend from the JS DOM Window"
   href="https://bugs.webkit.org/show_bug.cgi?id=146785">146785</a>
          </td>
        </tr>

        <tr>
          <th>Summary</th>
          <td>toJSDOMWindow() does not handle objects that descend from the JS DOM Window
          </td>
        </tr>

        <tr>
          <th>Classification</th>
          <td>Unclassified
          </td>
        </tr>

        <tr>
          <th>Product</th>
          <td>WebKit
          </td>
        </tr>

        <tr>
          <th>Version</th>
          <td>528+ (Nightly build)
          </td>
        </tr>

        <tr>
          <th>Hardware</th>
          <td>All
          </td>
        </tr>

        <tr>
          <th>OS</th>
          <td>All
          </td>
        </tr>

        <tr>
          <th>Status</th>
          <td>NEW
          </td>
        </tr>

        <tr>
          <th>Severity</th>
          <td>Normal
          </td>
        </tr>

        <tr>
          <th>Priority</th>
          <td>P2
          </td>
        </tr>

        <tr>
          <th>Component</th>
          <td>JavaScriptCore
          </td>
        </tr>

        <tr>
          <th>Assignee</th>
          <td>webkit-unassigned&#64;lists.webkit.org
          </td>
        </tr>

        <tr>
          <th>Reporter</th>
          <td>mark.s.dittmer&#64;gmail.com
          </td>
        </tr></table>
      <p>
        <div>
<pre>toJSDOMWindow() expects to be passed a JSValue that is a JSDOMWindow, but it is invoked in contexts where the value may be some other JavaScript object that has the JS DOM Window in its prototype chain.

To reproduce, attempt to run the following line of JavaScript:

Object.create(window).location;

The ensuing crash can be traced back to toJSDOMWindow() returning 0 (or NULL) in a context where it shouldn't, because the JS DOM Window object can be readily looked up by walking the prototype chain of the Object.create-ed object.</pre>
        </div>
      </p>
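The failure mode described in the report is a cast that checks only the object it is handed, so an object created with the window as its prototype is rejected (the cast returns null) even though the window is one step up the chain; a caller that dereferences that result without checking crashes. The following is an added example, not WebKit code and not the reporter's: it models both casts in plain JavaScript with a constructed stand-in window (WebKit's toJSDOMWindow() identifies the window by its class info, which this stand-in replaces with a Symbol-keyed brand, an assumption made purely for illustration). The names toWindowStrict, toWindowViaPrototypeChain, readLocation and fakeWindow are all hypothetical.

```javascript
// Added example (not WebKit's code). Models the cast toJSDOMWindow() performs,
// once as an identity-only check and once walking the prototype chain.
// The brand Symbol is a stand-in assumption for WebKit's class-info check.

const WINDOW_BRAND = Symbol('JSDOMWindow');

// Constructed stand-in for the global window object.
const fakeWindow = { [WINDOW_BRAND]: true, location: 'https://example.invalid/' };

// Identity-only cast: accepts only an object that itself carries the brand.
// Mirrors toJSDOMWindow() returning 0/NULL for an object that merely
// descends from the window.
function toWindowStrict(value) {
  if (value !== null && typeof value === 'object' &&
      Object.prototype.hasOwnProperty.call(value, WINDOW_BRAND)) {
    return value;
  }
  return null;
}

// Prototype-chain-aware cast: walks up the chain until the branded object is
// found. A depth cap guards against a Proxy whose getPrototypeOf trap never
// terminates the walk.
function toWindowViaPrototypeChain(value) {
  let current = value;
  let depth = 0;
  while (current !== null && typeof current === 'object') {
    if (Object.prototype.hasOwnProperty.call(current, WINDOW_BRAND)) return current;
    current = Object.getPrototypeOf(current);
    if (++depth > 1000) break;
  }
  return null;
}

// Reads .location the way a binding might, but refuses to dereference a null
// cast result instead of crashing on it.
function readLocation(castFn, value) {
  const win = castFn(value);
  if (win === null) return { ok: false, error: 'not a window' };
  return { ok: true, location: win.location };
}

// The reproducer's shape: an object whose prototype is the window.
const derived = Object.create(fakeWindow);

console.log(readLocation(toWindowStrict, derived));             // { ok: false, error: 'not a window' }
console.log(readLocation(toWindowViaPrototypeChain, derived));  // { ok: true, location: 'https://example.invalid/' }
```

The point for a reviewer of this kind of binding code is twofold: the cast should resolve derived objects by walking the chain (as the report suggests), and every caller should still treat a null cast result as a reachable path rather than an impossibility, so that a rejected object produces an exception and not a null dereference.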
      <hr>
      <span>You are receiving this mail because:</span>
      
      <ul>
          <li>You are the assignee for the bug.</li>
      </ul>
    </body>
</html>