haikuwebkit/LayoutTests/js/instance-property-getter-ot...


Object.getOwnPropertyDescriptor() returns incomplete descriptor for instance properties
https://bugs.webkit.org/show_bug.cgi?id=153817

Reviewed by Geoffrey Garen.

LayoutTests/imported/w3c:

Rebaseline W3C HTML test now that more checks are passing. Some checks are still failing because getter.call(undefined) / getter.call() currently throws an exception for Window properties but shouldn't. Global object property getters should not require an explicit |this|.

* web-platform-tests/html/dom/interfaces-expected.txt:

Source/JavaScriptCore:

Extend support for Object.getOwnPropertyDescriptor() on native bindings to instance properties (e.g. Unforgeable properties or Global object properties) so that the returned descriptor has getter / setter functions, as expected.

* runtime/JSObject.cpp:
(JSC::JSObject::reifyAllStaticProperties):
Add method that reifies all static properties, including the custom accessors. This is similar to what is done eagerly on the prototype objects in the bindings code.
(JSC::JSObject::getOwnPropertyDescriptor):
getOwnPropertyDescriptor() would previously fail for custom accessors that are on the instance because getDirect() does not check the static property table and those custom accessors were not reified (We only reified all properties eagerly - including custom accessors - on prototype objects). To address this issue, we now call reifyAllStaticProperties() if the call to getDirect() fails and then call getDirect() again. This fix is however insufficient for Window properties because |this| is a JSDOMWindowShell / JSProxy in this case and getDirect() / reifyAllStaticProperties() would fail as the proxy does not actually have the properties. This issue was addressed by checking if |this| is a JSProxy and then using JSProxy::target() instead of |this| for the calls to getDirect() and for the reification.
* runtime/JSObject.h:
* runtime/Lookup.h:
(JSC::reifyStaticProperty):
(JSC::reifyStaticProperties):
Move most code in reifyStaticProperties() to a separate function so the code can be shared with JSObject::reifyAllStaticProperties(). reifyStaticProperties() is currently called by the bindings on the prototype objects.

Source/WebCore:

Update the bindings generator so that property getters / setters now make sure |this| has the right type and throw a TypeError if it does not, as per:
- http://heycam.github.io/webidl/#dfn-attribute-getter (step 2.4.2)
- http://heycam.github.io/webidl/#dfn-attribute-setter (step 3.5)

This was an issue when doing something like:
Object.getOwnPropertyDescriptor(window, "location").get.call(nonWindow)

We would call toJSDOMWindow(thisValue), which would return null as thisValue is not a JSDOMWindow. We would then dereference this null pointer and crash. We now do a null check and throw a TypeError in this case, as per the Web IDL specification.

The generated bindings still have some non-spec compliant behavior though:
1. The getters / setters of instance properties use slotBase instead of thisValue, which means that calling instanceA's getter on instanceB returns instanceA's property instead of instanceB's.
2. Global object property getters should not require an explicit |this| so calling the following should work:
   - Object.getOwnPropertyDescriptor(window, "location").get.call()
   We currently throw in this case.

These issues will be addressed in follow-up patches.

Tests:
js/getOwnPropertyDescriptor-unforgeable-attributes.html
js/getOwnPropertyDescriptor-window-attributes.html
js/instance-property-getter-other-instance.html

* bindings/scripts/CodeGeneratorJS.pm:
(GenerateImplementation):
* bindings/scripts/test/JS/JSTestActiveDOMObject.cpp:
(WebCore::jsTestActiveDOMObjectExcitingAttr):
* bindings/scripts/test/JS/JSTestException.cpp:
(WebCore::jsTestExceptionName):
* bindings/scripts/test/JS/JSTestObj.cpp:
(WebCore::jsTestObjConstructorTestSubObj):
(WebCore::jsTestObjTestSubObjEnabledBySettingConstructor):
(WebCore::jsTestObjConditionalAttr4Constructor):
(WebCore::jsTestObjConditionalAttr5Constructor):
(WebCore::jsTestObjConditionalAttr6Constructor):
(WebCore::jsTestObjContentDocument):
(WebCore::setJSTestObjTestSubObjEnabledBySettingConstructor):
(WebCore::setJSTestObjConditionalAttr4Constructor):
(WebCore::setJSTestObjConditionalAttr5Constructor):
(WebCore::setJSTestObjConditionalAttr6Constructor):
(WebCore::setJSTestObjConstructor): Deleted.
(WebCore::setJSTestObjConstructorStaticStringAttr): Deleted.
(WebCore::setJSTestObjConditionalAttr3): Deleted.
* bindings/scripts/test/JS/JSTestTypedefs.cpp:
(WebCore::jsTestTypedefsConstructorTestSubObj):

LayoutTests:

Add layout test coverage for calling Object.getOwnPropertyDescriptor() on instance properties (e.g. Unforgeable properties and Window properties).

* http/tests/security/cross-origin-window-property-access-expected.txt:
* http/tests/security/cross-origin-window-property-access.html:
- Fix bug causing the onload function to not find the crossOriginWindow variable.
- Update the case for accessing crossOriginWindow.location property as this is actually expected to work as per the specification: https://html.spec.whatwg.org/multipage/browsers.html#security-window
* js/dom/dom-as-prototype-assignment-exception-expected.txt:
* js/dom/getOwnPropertyDescriptor-expected.txt:
* js/dom/script-tests/dom-as-prototype-assignment-exception.js:
* js/getOwnPropertyDescriptor-unforgeable-attributes-expected.txt: Added.
* js/getOwnPropertyDescriptor-unforgeable-attributes.html: Added.
* js/getOwnPropertyDescriptor-window-attributes-expected.txt: Added.
* js/getOwnPropertyDescriptor-window-attributes.html: Added.
* js/instance-property-getter-other-instance-expected.txt: Added.
* js/instance-property-getter-other-instance.html: Added.
* js/resources/getOwnPropertyDescriptor.js:

Canonical link: https://commits.webkit.org/171987@main
git-svn-id: https://svn.webkit.org/repository/webkit/trunk@196145 268f45cc-cd09-0410-ab3c-d52691b4dbfc
2016-02-04 21:36:04 +00:00
<!DOCTYPE html>
<body onload="runTest()">
<script src="../resources/js-test-pre.js"></script>
<script>
description("Tests that calling an instance property getter on another instance works as expected");
jsTestIsAsync = true;
if (window.testRunner)
    testRunner.setCanOpenWindows();
function runTest()
{
    otherWindow = window.open("about:blank");
    locationGetter = Object.getOwnPropertyDescriptor(otherWindow.document, "location").get;
[JSC] PropertySlot should allow passing custom setters
https://bugs.webkit.org/show_bug.cgi?id=221872

Reviewed by Yusuke Suzuki.

LayoutTests/imported/w3c:

* web-platform-tests/WebIDL/ecmascript-binding/attributes-accessors-unique-function-objects-expected.txt: Added.
* web-platform-tests/WebIDL/ecmascript-binding/attributes-accessors-unique-function-objects.html: Added.
* web-platform-tests/dom/events/Event-isTrusted.any-expected.txt:
* web-platform-tests/dom/events/Event-isTrusted.any.worker-expected.txt:
* web-platform-tests/html/browsers/history/the-location-interface/document_location-expected.txt:
* web-platform-tests/html/browsers/windows/auxiliary-browsing-contexts/opener-setter.window-expected.txt:
* web-platform-tests/html/browsers/windows/embedded-opener-expected.txt:

Source/JavaScriptCore:

This patch:

1. Merges PropertySlot::TypeCustomAccessor into TypeCustom, allowing to pass a setter for CustomAccessor / CustomValue. Raw C++ function pointers are used to avoid creating CustomGetterSetter instances for non-reified static properties.
2. Reworks JSObject::getOwnPropertyDescriptor() for custom accessors, making it simpler, more robust, and no longer required to reify all static properties.
3. Hoists GetValueFunc / PutValueFunc declarations to JSC namespace so they can be used in header files.
4. Moves CustomAccessor's wrapper maps to JSGlobalObject (because VM outlives it) and simplifies their keys to C++ function pointers.
5. Splits JSCustomGetterSetterFunction into JSCustomGetterFunction / JSCustomSetterFunction since their signatures and [[Call]] logic are quite different. This is a nice refactor that also simplifies garbage collection and reduces memory needed for setter wrappers.
6. Removes PropertyDescriptor::setCustomDescriptor(), making PropertyDescriptor unaware of custom accessors.

Also, drops CustomAccessor check from validateAndApplyPropertyDescriptor() that was incorrect (no error should be thrown if accessors are unchanged) yet unreachable because PropertyDescriptor::equalTo() ignores CustomAccessor.

This change fixes a) accessor functions of unforgeable properties [1] to be persistent (in terms of referential equality) and b) cross-realm accessor functions to be of correct global object (instead of lexical).

[1]: https://heycam.github.io/webidl/#dfn-unforgeable-on-an-interface

* API/JSCallbackObject.h:
* JavaScriptCore.xcodeproj/project.pbxproj:
* Sources.txt:
* runtime/JSCustomGetterFunction.cpp: Added.
(JSC::JSC_DEFINE_HOST_FUNCTION):
(JSC::JSCustomGetterFunction::JSCustomGetterFunction):
(JSC::JSCustomGetterFunction::create):
* runtime/JSCustomGetterFunction.h: Added.
* runtime/JSCustomGetterSetterFunction.cpp: Removed.
* runtime/JSCustomGetterSetterFunction.h: Removed.
* runtime/JSCustomSetterFunction.cpp: Added.
(JSC::JSC_DEFINE_HOST_FUNCTION):
(JSC::JSCustomSetterFunction::JSCustomSetterFunction):
(JSC::JSCustomSetterFunction::create):
* runtime/JSCustomSetterFunction.h: Added.
* runtime/JSGlobalObject.cpp:
(JSC::JSGlobalObject::JSGlobalObject):
(JSC::JSGlobalObject::init):
(JSC::JSGlobalObject::visitChildren):
* runtime/JSGlobalObject.h:
(JSC::JSGlobalObject::customGetterFunctionMap):
(JSC::JSGlobalObject::customSetterFunctionMap):
(JSC::JSGlobalObject::customGetterFunctionStructure const):
(JSC::JSGlobalObject::customSetterFunctionStructure const):
(JSC::JSGlobalObject::customGetterSetterFunctionStructure const): Deleted.
* runtime/JSObject.cpp:
(JSC::getCustomGetterFunction):
(JSC::getCustomSetterFunction):
(JSC::JSObject::getOwnPropertyDescriptor):
(JSC::validateAndApplyPropertyDescriptor):
(JSC::getCustomGetterSetterFunctionForGetterSetter): Deleted.
* runtime/JSObject.h:
(JSC::JSObject::fillCustomGetterPropertySlot):
* runtime/Lookup.h:
(JSC::getStaticPropertySlotFromTable):
* runtime/PropertyDescriptor.cpp:
(JSC::PropertyDescriptor::setAccessorDescriptor):
(JSC::PropertyDescriptor::setCustomDescriptor): Deleted.
* runtime/PropertyDescriptor.h:
* runtime/PropertySlot.cpp:
(JSC::PropertySlot::customAccessorGetter const): Deleted.
* runtime/PropertySlot.h:
(JSC::PropertySlot::isCustom const):
(JSC::PropertySlot::customGetter const):
(JSC::PropertySlot::customSetter const):
(JSC::PropertySlot::setCustom):
(JSC::PropertySlot::setCacheableCustom):
(JSC::PropertySlot::getValue const):
(JSC::PropertySlot::isCustomAccessor const): Deleted.
(JSC::PropertySlot::customGetterSetter const): Deleted.
(JSC::PropertySlot::setCustomGetterSetter): Deleted.
* runtime/PutPropertySlot.h:
* runtime/VM.cpp:
(JSC::VM::VM):
* runtime/VM.h:

Source/WebCore:

To prevent cross-origin accessor functions from different realms to have the same wrapper, return PropertySlot::TypeGetter instead.

Tests:
fast/dom/Window/getOwnPropertyDescriptor-other-window.html
js/instance-property-getter-other-instance.html
imported/w3c/web-platform-tests/dom/events/Event-isTrusted.any.js
imported/w3c/web-platform-tests/html/browsers/history/the-location-interface/document_location.html

* bindings/js/JSDOMWindowCustom.cpp:
(WebCore::jsDOMWindowGetOwnPropertySlotRestrictedAccess):
* bindings/js/JSLocationCustom.cpp:
(WebCore::getOwnPropertySlotCommon):

LayoutTests:

* fast/dom/Window/getOwnPropertyDescriptor-other-window-expected.txt:
* fast/dom/Window/getOwnPropertyDescriptor-other-window.html:
* js/instance-property-getter-other-instance-expected.txt:
* js/instance-property-getter-other-instance.html:

Canonical link: https://commits.webkit.org/234118@main
git-svn-id: https://svn.webkit.org/repository/webkit/trunk@272885 268f45cc-cd09-0410-ab3c-d52691b4dbfc
2021-02-15 23:08:52 +00:00
    shouldBeTrue("locationGetter instanceof otherWindow.Function");
    shouldBeEqualToString("locationGetter.call(otherWindow.document).toString()", "about:blank");
    // Should return the current document's location.
    shouldBeTrue("locationGetter.call(window.document) === window.document.location");
    finishJSTest();
}
</script>
<script src="../resources/js-test-post.js"></script>
</body>
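
The two getter behaviours named in the first commit message (a getter tied to slotBase versus one that validates and uses its |this| value), modelled in plain JavaScript as an added example; this is not WebKit's bindings code or part of the layout test. `FakeDocument`, `makeSlotBaseGetter`, `makeThisValueGetter`, `installLocation` and `runScenario` are hypothetical names, and the URLs are constructed.

```javascript
// Constructed model: each instance carries an internal "location" slot, and the
// WeakMap doubles as the brand check (only real FakeDocuments are keys).
const internalLocation = new WeakMap();

class FakeDocument {
  constructor(url) {
    internalLocation.set(this, { href: url });
  }
}

// Behaviour the commit message lists as non-compliant: the getter reads from
// the object it was looked up on (slotBase) and ignores the |this| it gets.
function makeSlotBaseGetter(slotBase) {
  return function location() {
    return internalLocation.get(slotBase);
  };
}

// Web IDL attribute-getter shape: check the type of |this|, throw a TypeError
// on a mismatch, then read the slot of the object the getter was called on.
function makeThisValueGetter() {
  return function location() {
    if (!internalLocation.has(this))
      throw new TypeError("location getter called on a non-FakeDocument");
    return internalLocation.get(this);
  };
}

// Install "location" as an own, non-configurable accessor (unforgeable-style).
function installLocation(doc, makeGetter) {
  Object.defineProperty(doc, "location", { get: makeGetter(doc), enumerable: true });
}

// Mirrors the layout test: take the getter from one instance, call it on another.
function runScenario(makeGetter) {
  const docA = new FakeDocument("about:blank");
  const docB = new FakeDocument("https://example.test/");
  installLocation(docA, makeGetter);
  installLocation(docB, makeGetter);
  const getterFromA = Object.getOwnPropertyDescriptor(docA, "location").get;
  let wrongThis = "no error";
  try {
    getterFromA.call({}); // |this| of the wrong type
  } catch (e) {
    wrongThis = e instanceof TypeError ? "TypeError" : "other error";
  }
  return {
    onA: getterFromA.call(docA).href,
    onB: getterFromA.call(docB).href,
    sameAsB: getterFromA.call(docB) === docB.location,
    wrongThis,
  };
}
```

`runScenario(makeSlotBaseGetter)` reports docA's value for the call on docB and no error for the wrong-typed |this|; `runScenario(makeThisValueGetter)` reports docB's own value and a TypeError, which is the outcome the layout test's last `shouldBeTrue` asserts.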