haikuwebkit/LayoutTests/plugins/npruntime/object-from-destroyed-plugi...

11 lines
687 B
Plaintext

Crash when trying to invalidate the NPRuntimeObjectMap for a plug-in in a subframe
https://bugs.webkit.org/show_bug.cgi?id=75667
<rdar://problem/10389454>

Reviewed by Kevin Decker.

Source/WebKit2:

NPRuntimeObjectMap::invalidate is called whenever a plug-in view is destroyed. If invalidate is called for an object map whose plug-in has a null frame, we'd crash.

The plug-in will have a null frame if the plug-in view is destroyed because its containing frame has been removed from the document, and if the plug-in view is being destroyed asynchronously due to the plug-in itself calling JavaScript that will remove the frame (see PluginView::unprotectPluginFromDestruction).

The reason NPRuntimeObjectMap::invalidate will crash when the frame is null is because we were trying to access the frame's global object, causing a null dereference. The reason we were trying to get at the frame's global object was to create a Strong handle to a JSNPObject so we could stick the object in a vector so we could later iterate over the vector elements and call invalidate() on each JSNPObject which will end up releasing the underlying NPObject.

However, it turns out that we don't need to stick the JSNPObject in a vector; we can just get the underlying NPObject directly and stick that in a vector and then iterate over the NPObjects, releasing them.

* WebProcess/Plugins/Netscape/NPRuntimeObjectMap.cpp:
(WebKit::NPRuntimeObjectMap::invalidate):

Tools:

Add an evaluate method to the plug-in test scriptable object that can be used to evaluate a given JS string.

* DumpRenderTree/TestNetscapePlugIn/PluginTest.cpp:
(PluginTest::executeScript):
* DumpRenderTree/TestNetscapePlugIn/PluginTest.h:
* DumpRenderTree/TestNetscapePlugIn/Tests/NPRuntimeObjectFromDestroyedPlugin.cpp:
(NPRuntimeObjectFromDestroyedPlugin::ScriptableObject::hasMethod):
(NPRuntimeObjectFromDestroyedPlugin::ScriptableObject::invoke):
(NPRuntimeObjectFromDestroyedPlugin::ScriptableObject::hasProperty):

LayoutTests:

* plugins/npruntime/object-from-destroyed-plugin-in-subframe-expected.txt: Added.
* plugins/npruntime/object-from-destroyed-plugin-in-subframe.html: Added.

Canonical link: https://commits.webkit.org/92457@main
git-svn-id: https://svn.webkit.org/repository/webkit/trunk@104239 268f45cc-cd09-0410-ab3c-d52691b4dbfc
2012-01-06 00:29:14 +00:00
Test various operation on an NPObject whose plug-in (that lives in a subframe) has been destroyed
On success, you will see a series of "PASS" messages, followed by "TEST COMPLETE".
PASS testObject.gettingProperty threw exception ReferenceError: Trying to access object from destroyed plug-in..
PASS testObject.settingProperty = 10 threw exception ReferenceError: Trying to access object from destroyed plug-in..
Improve error messages in JSC
https://bugs.webkit.org/show_bug.cgi?id=141869

Reviewed by Geoffrey Garen.

Source/JavaScriptCore:

JavaScriptCore has some unintuitive error messages associated with certain common errors. This patch changes some specific error messages to be more understandable and also creates a mechanism that will allow for easy modification of error messages in the future. The specific errors we change are "not a function" errors and "invalid parameter" errors.

* CMakeLists.txt:
* JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
* JavaScriptCore.vcxproj/JavaScriptCore.vcxproj.filters:
* JavaScriptCore.xcodeproj/project.pbxproj:
* interpreter/Interpreter.cpp:
(JSC::sizeOfVarargs):
* jit/JITOperations.cpp:
op_throw_static_error always has a JSString as its argument. There is no need to dance around this, and we should assert that this always holds. This JSString represents the error message we want to display to the user, so there is no need to pass it into errorDescriptionForValue which will now place quotes around the string.
* llint/LLIntSlowPaths.cpp:
(JSC::LLInt::LLINT_SLOW_PATH_DECL):
* runtime/CommonSlowPaths.h:
(JSC::CommonSlowPaths::opIn):
* runtime/ErrorInstance.cpp:
(JSC::ErrorInstance::ErrorInstance):
* runtime/ErrorInstance.h:
(JSC::ErrorInstance::hasSourceAppender):
(JSC::ErrorInstance::sourceAppender):
(JSC::ErrorInstance::setSourceAppender):
(JSC::ErrorInstance::clearSourceAppender):
(JSC::ErrorInstance::setRuntimeTypeForCause):
(JSC::ErrorInstance::runtimeTypeForCause):
(JSC::ErrorInstance::clearRuntimeTypeForCause):
(JSC::ErrorInstance::appendSourceToMessage): Deleted.
(JSC::ErrorInstance::setAppendSourceToMessage): Deleted.
(JSC::ErrorInstance::clearAppendSourceToMessage): Deleted.
* runtime/ExceptionHelpers.cpp:
(JSC::errorDescriptionForValue):
(JSC::defaultApproximateSourceError):
(JSC::defaultSourceAppender):
(JSC::functionCallBase):
(JSC::notAFunctionSourceAppender):
(JSC::invalidParameterInSourceAppender):
(JSC::invalidParameterInstanceofSourceAppender):
(JSC::createError):
(JSC::createInvalidFunctionApplyParameterError):
(JSC::createInvalidInParameterError):
(JSC::createInvalidInstanceofParameterError):
(JSC::createNotAConstructorError):
(JSC::createNotAFunctionError):
(JSC::createNotAnObjectError):
(JSC::createInvalidParameterError): Deleted.
* runtime/ExceptionHelpers.h:
* runtime/JSObject.cpp:
(JSC::JSObject::hasInstance):
* runtime/RuntimeType.cpp: Added.
(JSC::runtimeTypeForValue):
(JSC::runtimeTypeAsString):
* runtime/RuntimeType.h: Added.
* runtime/TypeProfilerLog.cpp:
(JSC::TypeProfilerLog::processLogEntries):
* runtime/TypeSet.cpp:
(JSC::TypeSet::getRuntimeTypeForValue): Deleted.
* runtime/TypeSet.h:
* runtime/VM.cpp:
(JSC::appendSourceToError):
(JSC::VM::throwException):

LayoutTests:

* fast/dom/NodeList/nodelist-item-call-as-function-expected.txt:
* fast/dom/call-a-constructor-as-a-function-expected.txt:
* fast/regex/dom/cross-frame-callable-expected.txt:
* fast/selectors/closest-general-expected.txt:
* http/tests/security/xss-DENIED-window-index-assign-expected.txt:
* js/dom/exception-thrown-from-new-expected.txt:
* js/exception-for-nonobject-expected.txt:
* js/exception-function-apply-expected.txt: Added.
* js/exception-function-apply.html: Added.
* js/exception-in-expected.txt: Added.
* js/exception-in.html: Added.
* js/exception-instanceof-expected.txt: Added.
* js/exception-instanceof.html: Added.
* js/instance-of-immediates-expected.txt:
* js/script-tests/exception-function-apply.js: Added.
* js/script-tests/exception-in.js: Added.
* js/script-tests/exception-instanceof.js: Added.
* js/typedarray-constructors-expected.txt:
* platform/mac-wk2/plugins/npruntime/object-from-destroyed-plugin-expected.txt:
* platform/mac-wk2/plugins/npruntime/object-from-destroyed-plugin-in-subframe-expected.txt:
* platform/mac/css3/selectors3/xhtml/css3-modsel-15c-expected.txt:
* platform/mac/css3/selectors3/xml/css3-modsel-15c-expected.txt:
* plugins/npruntime/object-from-destroyed-plugin-expected.txt:
* plugins/npruntime/object-from-destroyed-plugin-in-subframe-expected.txt:
* plugins/npruntime/plugin-scriptable-object-invoke-default-expected.txt:
* sputnik/Conformance/12_Statement/12.1_Block/S12.1_A4_T1-expected.txt:
* sputnik/Conformance/13_Function_Definition/S13_A17_T2-expected.txt:
* sputnik/Conformance/15_Native_Objects/15.1_The_Global_Object/S15.1_A2_T1-expected.txt:
* sputnik/Conformance/15_Native_Objects/15.2_Object/15.2.4/S15.2.4_A3-expected.txt:
* svg/dom/svgpath-out-of-bounds-getPathSeg-expected.txt:

Canonical link: https://commits.webkit.org/161017@main
git-svn-id: https://svn.webkit.org/repository/webkit/trunk@181889 268f45cc-cd09-0410-ab3c-d52691b4dbfc
2015-03-24 07:30:05 +00:00
PASS testObject() threw exception TypeError: testObject is not a function. (In 'testObject()', 'testObject' is an instance of ProxyRuntimeObject).
Fixed ASSERTION FAILED: callFrame == vm->topCallFrame in JSC::Interpreter::addStackTraceIfNecessary
https://bugs.webkit.org/show_bug.cgi?id=118498

Patch by Chris Curtis <chris_curtis@apple.com> on 2013-07-18
Reviewed by Geoffrey Garen.

Source/JavaScriptCore:

* jit/JITStubs.cpp:
(throwExceptionFromOpCall):
Created new throwExceptionFromOpCall that takes in a functor that contains a function pointer (to create the errorObject) instead of a JSValue. Inside of throwExceptionFromOpCall the topCallFrame is being rolled back in order to handle the error throw. By passing the function pointer in, we can defer the creation of the error object until after topCallFrame has been rolled back. This allows the error object to be created with the appropriate top frame.
DEFINE_STUB_FUNCTION(void*, stack_check):
DEFINE_STUB_FUNCTION(void*, op_call_arityCheck):
DEFINE_STUB_FUNCTION(void*, op_construct_arityCheck):
DEFINE_STUB_FUNCTION(EncodedJSValue, op_call_NotJSFunction):
DEFINE_STUB_FUNCTION(EncodedJSValue, op_construct_NotJSConstruct):
(JSC::ErrorFunctor::~ErrorFunctor):
(JSC::ErrorWithExecFunctor::ErrorWithExecFunctor):
(JSC::ErrorWithExecFunctor::operator()):
(JSC::ErrorWithExecAndCalleeFunctor::ErrorWithExecAndCalleeFunctor):
(JSC::ErrorWithExecAndCalleeFunctor::operator()):
(JSC::ErrorWithExceptionFunctor::ErrorWithExceptionFunctor):
(JSC::ErrorWithExceptionFunctor::operator()):
(JSC::throwExceptionFromOpCall):
In order to eliminate the need to duplicate code, an error functor was created for the 3 different throwExceptionFromOpCall handles.
1. The exception needs to be created, and the function pointer takes 1 parameter (callFrame->callerFrame()).
2. The exception needs to be created, and the function pointer takes 2 parameters (callFrame->callerFrame(), callFrame.calleeAsValue()).
3. The exception is already created. In this case, at the time when the error functor is called, vm.exception is returned.
* llint/LLIntSlowPaths.cpp:
(JSC::LLInt::LLINT_SLOW_PATH_DECL):
* runtime/ExceptionHelpers.cpp:
(JSC::errorDescriptionForValue):
(JSC::createError):
(JSC::createInvalidParameterError):
(JSC::createNotAConstructorError):
(JSC::createNotAFunctionError):
(JSC::createNotAnObjectError):
* runtime/ExceptionHelpers.h:
The function toString() was being used to stringify an object for an exception message. If the user wrote a toString() for that object, then the system would continue to evaluate that code. A new helper function was created to prevent the system from continuing execution and exception creation from that execution.

LayoutTests:

New tests to see if JSC evaluates user code after exception creation:
* fast/js/not-a-constructor-to-string-expected.txt: Added.
* fast/js/not-a-constructor-to-string.html: Added.
* fast/js/not-a-function-to-string-expected.txt: Added.
* fast/js/not-a-function-to-string.html: Added.

Modified test output of the object that was being evaluated at the time of the error. Only the error message has changed.
* fast/dom/MutationObserver/mutation-record-constructor-expected.txt:
* fast/dom/NodeList/nodelist-item-call-as-function-expected.txt:
* fast/dom/Range/getClientRects-expected.txt:
* fast/dom/SelectorAPI/dumpNodeList-almost-strict-expected.txt:
* fast/dom/SelectorAPI/dumpNodeList-expected.txt:
* fast/dom/call-a-constructor-as-a-function-expected.txt:
* fast/dom/setPrimitiveValue-exceptions-expected.txt:
* fast/events/window-onerror-exception-in-attr-expected.txt:
* fast/forms/select-namedItem-expected.txt:
* fast/js/arguments-expected.txt:
* fast/js/array-prototype-properties-expected.txt:
* fast/js/basic-strict-mode-expected.txt:
* fast/js/date-toisostring-expected.txt:
* fast/js/delete-getters-setters-expected.txt:
* fast/js/dfg-check-structure-elimination-for-non-cell-expected.txt:
* fast/js/dfg-compare-final-object-to-final-object-or-other-when-both-proven-final-object-expected.txt:
* fast/js/dfg-compare-final-object-to-final-object-or-other-when-proven-final-object-expected.txt:
* fast/js/dfg-inline-arguments-use-from-all-the-places-broken-expected.txt:
* fast/js/dfg-peephole-compare-final-object-to-final-object-or-other-when-both-proven-final-object-expected.txt:
* fast/js/dfg-peephole-compare-final-object-to-final-object-or-other-when-proven-final-object-expected.txt:
* fast/js/exception-expression-offset-expected.txt:
* fast/js/exception-for-nonobject-expected.txt:
* fast/js/exception-thrown-from-new-expected.txt:
* fast/js/function-bind-expected.txt:
* fast/js/instance-of-immediates-expected.txt:
* fast/js/object-prototype-properties-expected.txt:
* fast/regex/cross-frame-callable-expected.txt:
* fast/xsl/transform-xhr-doc-expected.txt:
* http/tests/security/aboutBlank/xss-DENIED-navigate-opener-document-write-expected.txt:
* http/tests/security/aboutBlank/xss-DENIED-navigate-opener-javascript-url-expected.txt:
* http/tests/security/aboutBlank/xss-DENIED-set-opener-expected.txt:
* http/tests/security/document-all-expected.txt:
* http/tests/security/srcdoc-in-sandbox-cannot-access-parent-expected.txt:
* http/tests/security/window-named-proto-expected.txt:
* inspector/console/console-exception-stack-traces-expected.txt:
* platform/efl/css3/selectors3/xhtml/css3-modsel-15c-expected.txt:
* platform/efl/css3/selectors3/xml/css3-modsel-15c-expected.txt:
* platform/efl/fast/events/updateLayoutForHitTest-expected.txt:
* platform/efl/tables/mozilla_expected_failures/bugs/bug92868_1-expected.txt:
* platform/gtk/css3/selectors3/xhtml/css3-modsel-15c-expected.txt:
* platform/gtk/css3/selectors3/xml/css3-modsel-15c-expected.txt:
* platform/gtk/fast/events/updateLayoutForHitTest-expected.txt:
* platform/gtk/svg/custom/createelement-expected.txt:
* platform/gtk/tables/mozilla_expected_failures/bugs/bug92868_1-expected.txt:
* platform/mac-wk2/editing/spelling/markers-expected.txt:
* platform/mac-wk2/plugins/npruntime/object-from-destroyed-plugin-expected.txt: Added.
* platform/mac-wk2/plugins/npruntime/object-from-destroyed-plugin-in-subframe-expected.txt: Added.
* platform/mac/css3/selectors3/xhtml/css3-modsel-15c-expected.txt:
* platform/mac/css3/selectors3/xml/css3-modsel-15c-expected.txt:
* platform/mac/fast/events/updateLayoutForHitTest-expected.txt:
* platform/mac/tables/mozilla_expected_failures/bugs/bug92868_1-expected.txt:
* platform/qt/css3/selectors3/xhtml/css3-modsel-15c-expected.txt:
* platform/qt/css3/selectors3/xml/css3-modsel-15c-expected.txt:
* platform/qt/svg/custom/createelement-expected.txt:
* platform/qt/tables/mozilla_expected_failures/bugs/bug92868_1-expected.txt:
* platform/win/fast/dom/call-a-constructor-as-a-function-expected.txt:
* plugins/npruntime/object-from-destroyed-plugin-expected.txt:
* plugins/npruntime/object-from-destroyed-plugin-in-subframe-expected.txt:
* plugins/npruntime/plugin-scriptable-object-invoke-default-expected.txt:
* sputnik/Conformance/08_Types/8.6_The_Object_Type/8.6.2_Internal_Properties_and_Methods/S8.6.2_A7-expected.txt:
* sputnik/Conformance/13_Function_Definition/S13_A17_T2-expected.txt:
* sputnik/Conformance/15_Native_Objects/15.1_The_Global_Object/S15.1_A1_T1-expected.txt:
* sputnik/Conformance/15_Native_Objects/15.1_The_Global_Object/S15.1_A1_T2-expected.txt:
* sputnik/Conformance/15_Native_Objects/15.1_The_Global_Object/S15.1_A2_T1-expected.txt:
* sputnik/Conformance/15_Native_Objects/15.2_Object/15.2.4/15.2.4.2_Object.prototype.toString/S15.2.4.2_A7-expected.txt:
* sputnik/Conformance/15_Native_Objects/15.2_Object/15.2.4/15.2.4.3_Object.prototype.toLocaleString/S15.2.4.3_A7-expected.txt:
* sputnik/Conformance/15_Native_Objects/15.2_Object/15.2.4/15.2.4.4_Object.prototype.valueOf/S15.2.4.4_A7-expected.txt:
* sputnik/Conformance/15_Native_Objects/15.2_Object/15.2.4/15.2.4.5_Object.prototype.hasOwnProperty/S15.2.4.5_A7-expected.txt:
* sputnik/Conformance/15_Native_Objects/15.2_Object/15.2.4/15.2.4.6_Object.prototype.isPrototypeOf/S15.2.4.6_A7-expected.txt:
* sputnik/Conformance/15_Native_Objects/15.2_Object/15.2.4/15.2.4.7_Object.prototype.propertyIsEnumerable/S15.2.4.7_A7-expected.txt:
* sputnik/Conformance/15_Native_Objects/15.2_Object/15.2.4/S15.2.4_A3-expected.txt:
* sputnik/Conformance/15_Native_Objects/15.2_Object/15.2.4/S15.2.4_A4-expected.txt:
* sputnik/Conformance/15_Native_Objects/15.3_Function/15.3.4/15.3.4.2_Function.prototype.toString/S15.3.4.2_A7-expected.txt:
* sputnik/Conformance/15_Native_Objects/15.3_Function/15.3.4/S15.3.4_A5-expected.txt:
* sputnik/Conformance/15_Native_Objects/15.5_String/15.5.4/15.5.4.12_String.prototype.search/S15.5.4.12_A7-expected.txt:
* sputnik/Conformance/15_Native_Objects/15.5_String/15.5.4/15.5.4.13_String.prototype.slice/S15.5.4.13_A7-expected.txt:
* sputnik/Conformance/15_Native_Objects/15.5_String/15.5.4/15.5.4.15_String.prototype.substring/S15.5.4.15_A7-expected.txt:
* sputnik/Conformance/15_Native_Objects/15.5_String/15.5.4/15.5.4.17_String.prototype.toLocaleLowerCase/S15.5.4.17_A7-expected.txt:
* sputnik/Conformance/15_Native_Objects/15.5_String/15.5.4/15.5.4.7_String.prototype.indexOf/S15.5.4.7_A7-expected.txt:
* sputnik/Conformance/15_Native_Objects/15.5_String/15.5.4/15.5.4.8_String.prototype.lastIndexOf/S15.5.4.8_A7-expected.txt:
* svg/custom/createelement-expected.txt:
* svg/custom/use-nested-missing-target-removed-expected.txt:
* svg/dom/svgpath-out-of-bounds-getPathSeg-expected.txt:

Canonical link: https://commits.webkit.org/136732@main
git-svn-id: https://svn.webkit.org/repository/webkit/trunk@152871 268f45cc-cd09-0410-ab3c-d52691b4dbfc
2013-07-18 23:24:13 +00:00
PASS new testObject(); threw exception TypeError: ProxyRuntimeObject is not a constructor (evaluating 'new testObject()').