commit ab8f8bc4200be1db9bdcf553e5af0e51831f5bef
author weinig@apple.com <weinig@apple.com@268f45cc-cd09-0410-ab3c-d52691b4dbfc> Thu Sep 25 00:07:29 2008 +0000
committer weinig@apple.com <weinig@apple.com@268f45cc-cd09-0410-ab3c-d52691b4dbfc> Thu Sep 25 00:07:29 2008 +0000
tree 06a36ef58965931dfea4f5578d01b20d703993ae
parent 0cb3dffa70c4938317e9c9798f6fc939a68a593f

JavaScriptCore:

2008-09-24  Sam Weinig  <sam@webkit.org>

        Reviewed by Darin Adler.

        Fix for https://bugs.webkit.org/show_bug.cgi?id=21080
        <rdar://problem/6243534>
        Crash below Function.apply when using a runtime array as the argument list

        Test: plugins/bindings-array-apply-crash.html

        * kjs/FunctionPrototype.cpp:
        (JSC::functionProtoFuncApply): Revert to the slow case if the object inherits from 
        JSArray (via ClassInfo) but is not a JSArray.

WebKitTools:

2008-09-24  Sam Weinig  <sam@webkit.org>

        Reviewed by Darin Adler.

        Fix for https://bugs.webkit.org/show_bug.cgi?id=21080
        <rdar://problem/6243534>
        Crash below Function.apply when using a runtime array as the argument list

        Add method to ObjCController to return a runtime array.

        * DumpRenderTree/mac/ObjCController.m:
        (+[ObjCController isSelectorExcludedFromWebScript:]):
        (+[ObjCController webScriptNameForSelector:]):
        (-[ObjCController testArray]):

LayoutTests:

2008-09-24  Sam Weinig  <sam@webkit.org>

        Reviewed by Darin Adler.

        Test for https://bugs.webkit.org/show_bug.cgi?id=21080
        <rdar://problem/6243534>
        Crash below Function.apply when using a runtime array as the argument list

        * platform/mac/plugins/bindings-array-apply-crash-expected.txt: Added.
        * platform/mac/plugins/bindings-array-apply-crash.html: Added.



git-svn-id: http://svn.webkit.org/repository/webkit/trunk@36875 268f45cc-cd09-0410-ab3c-d52691b4dbfc