haikuwebkit/LayoutTests/js/dom/script-tests
Alexey Shvayka cf4239f97a Unreviewed, reland r276592 with a fix for put() override in prototype chain of a JSProxy
https://bugs.webkit.org/show_bug.cgi?id=226185

JSTests:

* microbenchmarks/put-slow-no-cache-array.js: Added.
* microbenchmarks/put-slow-no-cache-function.js: Added.
* microbenchmarks/put-slow-no-cache-js-proxy.js: Added.
* microbenchmarks/put-slow-no-cache-long-prototype-chain.js: Added.
* microbenchmarks/put-slow-no-cache.js: Added.
* microbenchmarks/reflect-set-with-receiver.js: Added.
* stress/custom-get-set-proto-chain-put.js:
* stress/module-namespace-access-set-fails.js: Added.
* stress/put-non-reified-static-accessor-or-custom.js: Added.
* stress/put-non-reified-static-function-or-custom.js: Added.
* stress/put-to-primitive-non-reified-static-custom.js: Added.
* stress/put-to-primitive.js: Added.
* stress/put-to-proto-chain-overrides-put.js:
Rework to always test new objects, add JSProxy coverage, and assert that receiver has own property.

* stress/typed-array-canonical-numeric-index-string-set.js: Added.

LayoutTests/imported/w3c:

* web-platform-tests/WebIDL/ecmascript-binding/global-object-implicit-this-value.any-expected.txt:
* web-platform-tests/WebIDL/ecmascript-binding/interface-object-set-receiver-expected.txt: Added.
* web-platform-tests/WebIDL/ecmascript-binding/interface-object-set-receiver.html: Added.
* web-platform-tests/WebIDL/ecmascript-binding/interface-prototype-constructor-set-receiver-expected.txt:
* web-platform-tests/WebIDL/ecmascript-binding/interface-prototype-constructor-set-receiver.html:

Source/JavaScriptCore:

The API test added in r278366 revealed a flaw in JSObject::definePropertyOnReceiver()
that caused putDirectInternal() to be performed on a JSProxy instead of its target.
Remedies that via a type check, ensuring the test and iOS apps are functional.

The issue was originally missed because the prototype chain of a global object is immutable
and none of the global object's prototypes override put(). OpaqueJSClass::prototype() sets
the [[Prototype]] directly, ignoring the IsImmutablePrototypeExoticObject type info flag.

Also, excludes an invariant from the original patch that required put() to be overridden
when implementing custom [[DefineOwnProperty]]. It is now broken by WindowProperties object.

* API/JSCallbackObject.h:
* API/JSCallbackObjectFunctions.h:
(JSC::JSCallbackObject<Parent>::put):
* API/tests/testapiScripts/testapi.js:
* debugger/DebuggerScope.h:
* runtime/ClassInfo.h:
* runtime/ClonedArguments.h:
* runtime/CustomGetterSetter.cpp:
(JSC::callCustomSetter): Deleted.
* runtime/CustomGetterSetter.h:
* runtime/ErrorConstructor.h:
* runtime/ErrorInstance.h:
* runtime/GenericArguments.h:
* runtime/GenericArgumentsInlines.h:
(JSC::GenericArguments<Type>::put):
* runtime/GetterSetter.h:
* runtime/JSArray.cpp:
(JSC::JSArray::put):
* runtime/JSArray.h:
* runtime/JSArrayBufferView.cpp:
(JSC::JSArrayBufferView::put): Deleted.
* runtime/JSArrayBufferView.h:
* runtime/JSCJSValue.cpp:
(JSC::JSValue::putToPrimitive):
* runtime/JSCell.cpp:
(JSC::JSCell::doPutPropertySecurityCheck): Deleted.
* runtime/JSCell.h:
* runtime/JSFunction.cpp:
(JSC::JSFunction::put):
* runtime/JSFunction.h:
* runtime/JSGenericTypedArrayView.h:
* runtime/JSGlobalLexicalEnvironment.h:
* runtime/JSGlobalObject.cpp:
(JSC::JSGlobalObject::put):
* runtime/JSGlobalObject.h:
* runtime/JSLexicalEnvironment.h:
* runtime/JSModuleEnvironment.h:
* runtime/JSModuleNamespaceObject.h:
* runtime/JSObject.cpp:
(JSC::JSObject::getOwnPropertySlot):
(JSC::JSObject::putInlineSlow):
(JSC::definePropertyOnReceiverSlow):
(JSC::JSObject::definePropertyOnReceiver):
(JSC::JSObject::putInlineFastReplacingStaticPropertyIfNeeded):
(JSC::JSObject::doPutPropertySecurityCheck): Deleted.
(JSC::JSObject::prototypeChainMayInterceptStoreTo): Deleted.
* runtime/JSObject.h:
(JSC::JSObject::putByIndexInline):
(JSC::JSObject::hasNonReifiedStaticProperties):
(JSC::JSObject::getOwnPropertySlot):
(JSC::JSObject::putDirect):
(JSC::JSObject::doPutPropertySecurityCheck): Deleted.
* runtime/JSObjectInlines.h:
(JSC::JSObject::canPerformFastPutInlineExcludingProto):
(JSC::JSObject::putInlineForJSObject):
(JSC::JSObject::putInlineFast):
(JSC::JSObject::putDirectInternal):
* runtime/JSProxy.h:
* runtime/JSTypeInfo.h:
(JSC::TypeInfo::hasStaticPropertyTable const):
(JSC::TypeInfo::overridesPut const):
(JSC::TypeInfo::getOwnPropertySlotMayBeWrongAboutDontEnum const):
(JSC::TypeInfo::hasPutPropertySecurityCheck const): Deleted.
* runtime/Lookup.h:
(JSC::putEntry): Deleted.
(JSC::lookupPut): Deleted.
* runtime/PropertySlot.h:
* runtime/ProxyObject.cpp:
(JSC::ProxyObject::put):
* runtime/ProxyObject.h:
* runtime/PutPropertySlot.h:
(JSC::PutPropertySlot::PutPropertySlot):
(JSC::PutPropertySlot::context const):
(JSC::PutPropertySlot::isTaintedByOpaqueObject const):
(JSC::PutPropertySlot::setIsTaintedByOpaqueObject):
* runtime/ReflectObject.cpp:
(JSC::JSC_DEFINE_HOST_FUNCTION):
* runtime/RegExpObject.cpp:
(JSC::RegExpObject::put):
* runtime/RegExpObject.h:
* runtime/StringObject.cpp:
(JSC::StringObject::put):
* runtime/StringObject.h:
* runtime/StringPrototype.cpp:
(JSC::StringPrototype::finishCreation):
(JSC::StringPrototype::create):
* runtime/StringPrototype.h:
* runtime/Structure.cpp:
(JSC::Structure::validateFlags):
* runtime/Structure.h:
(JSC::Structure::hasNonReifiedStaticProperties const):
* tools/JSDollarVM.cpp:

Source/WebCore:

Tests: js/dom/script-tests/reflect-set-onto-dom.js
       imported/w3c/web-platform-tests/WebIDL/ecmascript-binding/interface-object-set-receiver.html
       http/tests/security/cross-frame-access-object-getPrototypeOf-in-put.html

* bindings/js/JSDOMWindowCustom.cpp:
(WebCore::JSDOMWindow::put):
(WebCore::JSDOMWindow::doPutPropertySecurityCheck): Deleted.
* bindings/js/JSLocationCustom.cpp:
(WebCore::JSLocation::doPutPropertySecurityCheck): Deleted.
* bindings/js/JSRemoteDOMWindowCustom.cpp:
(WebCore::JSRemoteDOMWindow::put):
* bindings/scripts/CodeGeneratorJS.pm:
(GeneratePut):
(GenerateHeader):
* bindings/scripts/test/JS/*: Updated.
* bridge/objc/objc_runtime.h:
* bridge/runtime_array.h:
* bridge/runtime_object.h:

Source/WebKit:

* WebProcess/Plugins/Netscape/JSNPObject.h:

LayoutTests:

* http/tests/security/cross-frame-access-object-getPrototypeOf-in-put-expected.txt:
* http/tests/security/cross-frame-access-object-getPrototypeOf-in-put.html:
* js/dom/reflect-set-onto-dom-expected.txt:
* js/dom/script-tests/reflect-set-onto-dom.js:


Canonical link: https://commits.webkit.org/238579@main
git-svn-id: https://svn.webkit.org/repository/webkit/trunk@278589 268f45cc-cd09-0410-ab3c-d52691b4dbfc
2021-06-08 01:53:46 +00:00
..
Object-defineProperty.js
activation-proto.js
array-float-delete.js
array-join-bug-11524.js
array-prototype-properties.js
array-sort-accessor-adds-two-elements.js
array-sort-accessor-decreases-length.js
array-sort-accessor-deletes-predecessor.js
array-sort-accessor-deletes-successor.js
array-sort-accessor-increases-length.js
array-sort-accessor-removes-two-elements.js
array-sort-accessor-sets-predecessor.js
array-sort-accessor-sets-successor.js
array-sort-accessors-on-array.js
array-sort-accessors-on-object-proto.js
array-sort-exception.js
array-sort-non-configurable-element.js
array-sort-non-configurable-proto-hole.js
array-sort-non-writeable-element.js
array-sort-non-writeable-proto-hole.js
array-sort-proxy-proto.js
array-sort-proxy.js
array-sort-short-arrays.js
array-tostring-ignore-separator.js
array-with-double-assign.js
array-with-double-push.js
assign.js
basic-weakmap.js
basic-weakset.js
bigint-canonicalization-in-structured-cloning.js
cached-eval-gc.js
constructor-attributes.js
constructor-with-return-masquerades.js
constructor.js
cross-frame-bad-time.js
cross-frame-really-bad-time-with-__proto__.js
cross-frame-really-bad-time.js
cross-frame-symbols.js
cross-global-object-inline-global-var.js
custom-constructors.js
cyclic-proto.js
cyclic-ref-toString.js
date-DST-time-cusps.js Unreviewed, reverting r270860. 2020-12-15 21:38:51 +00:00
date-big-constructor.js
date-big-setdate.js Unreviewed, reverting r270860. 2020-12-15 21:38:51 +00:00
date-big-setmonth.js
date-negative-setmonth.js
date-preserve-milliseconds.js
delete-syntax.js
dfg-byte-array-put.js
dfg-byteOffset-neuter.js
dfg-compare-final-object-to-final-object-or-other.js
dfg-cross-global-object-inline-new-array-literal-with-variables.js
dfg-cross-global-object-inline-new-array-literal.js
dfg-cross-global-object-inline-new-array-with-elements.js
dfg-cross-global-object-inline-new-array-with-size.js
dfg-cross-global-object-inline-new-array.js
dfg-cross-global-object-new-array.js
dfg-custom-getter-throw-inlined.js
dfg-custom-getter-throw.js
dfg-custom-getter.js
dfg-ensure-array-storage-on-window.js Window should behave like a legacy platform object without indexed setter 2021-06-08 01:10:23 +00:00
dfg-ensure-non-array-array-storage-on-window.js Window should behave like a legacy platform object without indexed setter 2021-06-08 01:10:23 +00:00
dfg-inline-switch-imm.js
dfg-int32-to-double-on-set-local-and-exit.js
dfg-int32-to-double-on-set-local-and-sometimes-exit.js
dfg-logical-not-final-object-or-other.js
dfg-make-rope-side-effects.js
dfg-negative-array-size.js
dfg-patchable-get-by-id-after-watchpoint.js
dfg-peephole-compare-final-object-to-final-object-or-other-when-both-proven-final-object.js
dfg-peephole-compare-final-object-to-final-object-or-other-when-proven-final-object.js
dfg-peephole-compare-final-object-to-final-object-or-other.js
dfg-proto-stub-watchpoint-fire.js
dfg-put-by-id-allocate-storage-polymorphic.js
dfg-put-by-id-allocate-storage.js
dfg-put-by-id-reallocate-storage-polymorphic.js
dfg-put-by-id-reallocate-storage.js
dfg-put-by-val-setter-then-get-by-val.js
dfg-put-to-readonly-property.js
dfg-rshift-by-zero-eliminate-valuetoint32.js
dfg-store-unexpected-value-into-argument-and-osr-exit.js
dfg-strcat-over-objects-then-exit-on-it.js
dfg-strict-mode-arguments-get-beyond-length.js
dfg-typed-array-neuter.js
document-all-class-extends.js
document-all-is-callable-builtins.js
document-all-strict-eq.js
document-all-triggers-masquerades-watchpoint.js
document-all-typeof-is-function-fold.js
document-all-typeof-is-object-fold.js
document-all-watchpoint-covers-eliminated-compare-eq.js
dom-as-prototype-assignment-exception.js
dummy.js
end-in-string-escape.js
enter-dictionary-indexing-mode-with-blank-indexing-type.js
eval-cache-scoped-lookup.js
eval-contained-syntax-error.js
exception-line-number.js
exception-registerfile-shrink.js
exception-sequencing-binops.js
function-bind.js
function-name.js
function-names.js
get-by-pname-only-prototype-properties.js
global-constructors-deletable.js
global-function-resolve.js
immediate-constant-instead-of-cell.js
implicit-call-with-global-reentry.js
imul.js
inc-bracket-assign-subscript.js
inc-const-valueOf.js
indexed-setter-on-global-object.js Window should behave like a legacy platform object without indexed setter 2021-06-08 01:10:23 +00:00
inline-arguments-tear-off.js
instanceof-XMLHttpRequest.js
jit-set-profiling-access-type-only-for-get-by-id-self.js
js-correct-exception-handler.js
lastModified.js
lazy-create-arguments-from-get-by-val.js
line-column-numbers.js
method-check.js
native-error-prototype.js
neq-null-crash.js
nested-object-gc.js
non-object-proto.js
normal-character-escapes-in-string-literals.js
null-char-in-string.js
number-tofixed.js Increase NumberToStringBuffer to account for negative number 2021-05-27 21:34:06 +00:00
number-toprecision.js
object-extra-comma.js
object-prototype-constructor.js
object-prototype-properties.js
object-prototype-toLocaleString.js
post-inc-assign-overwrites.js
post-message-numeric-property.js
postfix-syntax.js
prefix-syntax.js
promise-rejection-might-stack-overflow.js
prototype-chain-caching-with-impure-get-own-property-slot-traps-llint.js
prototype-chain-caching-with-impure-get-own-property-slot-traps.js
put-direct-index-beyond-vector-length-resize.js
put-to-base-global-checked.js
random-array-gc-stress.js
recursion-limit-equal.js
reflect-set-onto-dom.js Unreviewed, reland r276592 with a fix for put() override in prototype chain of a JSProxy 2021-06-08 01:53:46 +00:00
regexp-bol-with-multiline.js
regexp-bol.js
regexp-extended-characters-crash.js
regexp-lastindex.js
regexp-look-ahead-empty.js
regexp-look-ahead.js
regexp-match-reify-before-putbyval.js
regexp-non-capturing-groups.js
regexp-non-greedy-parentheses.js
regexp-overflow.js
regexp-range-out-of-order.js
regexp-ranges-and-escaped-hyphens.js
regexp-stack-overflow.js
regexp-unicode-handling.js
regexp-unicode-overflow.js
regress-157246.js
removing-Cf-characters.js
reserved-words-as-property.js
script-start-end-locations.js
select-options-add.js
stack-at-creation-for-error-objects.js
stack-trace.js [JSC] Add @ in Error.stack if URL exists 2021-02-01 11:04:22 +00:00
strict-readonly-statics.js
string-match.js
string-prototype-properties.js
string-prototype-scopes-in-workers.js
string-prototype-scopes.js
string-replace-2.js
string-replace-3.js
string-replacement-outofmemory.js
string-split-conformance.js
string-split-double-empty.js
string-split-ignore-case.js
switch-behaviour.js
throw-exception-in-global-setter.js
toInt32UInt32.js
toString-exception.js
toString-overrides.js
toString-stack-overflow.js
transition-cache-dictionary-crash.js
typed-array-access.js
typed-array-set-different-types.js
typeof-syntax.js
unshift-multi.js
vardecl-preserve-arguments.js
weakmap-gc-unobservable-dom-nodes.js
webcore-string-comparison.js
with-scope-gc.js