Merge 117928 - REGRESSION r110315: Event handler throws TypeError for an input element with name="a…

Source/WebCore/bindings/v8/V8LazyEventListener.cpp

 /*
  * Copyright (C) 2006, 2007, 2008, 2009 Google Inc. All rights reserved.
  *
  * Redistribution and use in source and binary forms, with or without
  * modification, are permitted provided that the following conditions are
  * met:
  *
  *     * Redistributions of source code must retain the above copyright
  * notice, this list of conditions and the following disclaimer.
  *     * Redistributions in binary form must reproduce the above
@@ skipping 119 matching lines @@
     // We do this by using 'with' statement.
     // See chrome/fast/forms/form-action.html
     //     chrome/fast/forms/selected-index-value.html
     //     base/fast/overflow/onscroll-layer-self-destruct.html
     //
     // Don't use new lines so that lines in the modified handler
     // have the same numbers as in the original code.
     // FIXME: V8 does not allow us to programmatically create object environments so
     //        we have to do this hack! What if m_code escapes to run arbitrary script?
     //
+    // Call with 4 arguments instead of 3, pass additional null as the last parameter.
+    // By calling the function with 4 arguments, we create a setter on arguments object
+    // which would shadow property "3" on the prototype.
     String code = "(function() {" \
-        "with (arguments[2]) {" \
-        "with (arguments[1]) {" \
-        "with (arguments[0]) {";
+        "arguments[3] = function() {" \
+        "with (this[2]) {" \
+        "with (this[1]) {" \
+        "with (this[0]) {";
     code.append("return function(");
     code.append(m_eventParameterName);
     code.append(") {");
     code.append(m_code);
     // Insert '\n' otherwise //-style comments could break the handler.
-    code.append("\n};}}}})");
+    code.append("\n};}}}};");
+    code.append("return arguments[3]();})");
     v8::Handle<v8::String> codeExternalString = v8ExternalString(code);
 
     v8::Handle<v8::Script> script = V8Proxy::compileScript(codeExternalString, m_sourceURL, m_position);
     if (script.IsEmpty())
         return;
 
     // FIXME: Remove this code when we stop doing the 'with' hack above.
     v8::Local<v8::Value> value;
     {
         V8RecursionScope::MicrotaskSuppression scope;
         value = script->Run();
     }
     if (value.IsEmpty())
         return;
 
     // Call the outer function to get the inner function.
     ASSERT(value->IsFunction());
     v8::Local<v8::Function> intermediateFunction = value.As<v8::Function>();
 
     HTMLFormElement* formElement = 0;
     if (m_node && m_node->isHTMLElement())
         formElement = static_cast<HTMLElement*>(m_node)->form();
 
     v8::Handle<v8::Object> nodeWrapper = toObjectWrapper<Node>(m_node);
     v8::Handle<v8::Object> formWrapper = toObjectWrapper<HTMLFormElement>(formElement);
     v8::Handle<v8::Object> documentWrapper = toObjectWrapper<Document>(m_node ? m_node->ownerDocument() : 0);
 
-    v8::Handle<v8::Value> parameters[3] = { nodeWrapper, formWrapper, documentWrapper };
+    v8::Handle<v8::Value> parameters[4] = { nodeWrapper, formWrapper, documentWrapper, v8::Handle<v8::Value>(v8::Null()) };
 
     // FIXME: Remove this code when we stop doing the 'with' hack above.
     v8::Local<v8::Value> innerValue;
     {
         V8RecursionScope::MicrotaskSuppression scope;
         innerValue = intermediateFunction->Call(v8Context->Global(), 3, parameters);
     }
     if (innerValue.IsEmpty() || !innerValue->IsFunction())
         return;
 
@@ skipping 36 matching lines @@
     // // Since we only parse once, there's no need to keep data used for parsing around anymore.
     // m_functionName = String();
     // m_code = String();
     // m_eventParameterName = String();
     // m_sourceURL = String();
 
     setListenerObject(wrappedFunction);
 }
 
 } // namespace WebCore