nephele
/
haikuwebkit
1
0
Fork 0
Code Issues Releases Activity
haikuwebkit/Source/WebCore/bridge
History
Alexey Shvayka cf4239f97a Unreviewed, reland r276592 with a fix for put() override in prototype chain of a JSProxy 
https://bugs.webkit.org/show_bug.cgi?id=226185

JSTests:

* microbenchmarks/put-slow-no-cache-array.js: Added.
* microbenchmarks/put-slow-no-cache-function.js: Added.
* microbenchmarks/put-slow-no-cache-js-proxy.js: Added.
* microbenchmarks/put-slow-no-cache-long-prototype-chain.js: Added.
* microbenchmarks/put-slow-no-cache.js: Added.
* microbenchmarks/reflect-set-with-receiver.js: Added.
* stress/custom-get-set-proto-chain-put.js:
* stress/module-namespace-access-set-fails.js: Added.
* stress/put-non-reified-static-accessor-or-custom.js: Added.
* stress/put-non-reified-static-function-or-custom.js: Added.
* stress/put-to-primitive-non-reified-static-custom.js: Added.
* stress/put-to-primitive.js: Added.
* stress/put-to-proto-chain-overrides-put.js:
Rework to always test new objects, add JSProxy coverage, and assert that receiver has own property.

* stress/typed-array-canonical-numeric-index-string-set.js: Added.

LayoutTests/imported/w3c:

* web-platform-tests/WebIDL/ecmascript-binding/global-object-implicit-this-value.any-expected.txt:
* web-platform-tests/WebIDL/ecmascript-binding/interface-object-set-receiver-expected.txt: Added.
* web-platform-tests/WebIDL/ecmascript-binding/interface-object-set-receiver.html: Added.
* web-platform-tests/WebIDL/ecmascript-binding/interface-prototype-constructor-set-receiver-expected.txt:
* web-platform-tests/WebIDL/ecmascript-binding/interface-prototype-constructor-set-receiver.html:

Source/JavaScriptCore:

The API test added in r278366 revealed a flaw in JSObject::definePropertyOnReceiver()
that caused putDirectInternal() to be performed on a JSProxy instead of it's target.
Remedies that via a type check, ensuring the test and iOS apps are functional.

The issue was originally missed because the prototype chain of a global object is immutable
and none of the global object's prototypes override put(). OpaqueJSClass::prototype() sets
the [[Prototype]] directly, ignoring the IsImmutablePrototypeExoticObject type info flag.

Also, excludes an invariant from the original patch that required put() to be overriden
when implementing custom [[DefineOwnProperty]]. It is now broken by WindowProperties object.

* API/JSCallbackObject.h:
* API/JSCallbackObjectFunctions.h:
(JSC::JSCallbackObject<Parent>::put):
* API/tests/testapiScripts/testapi.js:
* debugger/DebuggerScope.h:
* runtime/ClassInfo.h:
* runtime/ClonedArguments.h:
* runtime/CustomGetterSetter.cpp:
(JSC::callCustomSetter): Deleted.
* runtime/CustomGetterSetter.h:
* runtime/ErrorConstructor.h:
* runtime/ErrorInstance.h:
* runtime/GenericArguments.h:
* runtime/GenericArgumentsInlines.h:
(JSC::GenericArguments<Type>::put):
* runtime/GetterSetter.h:
* runtime/JSArray.cpp:
(JSC::JSArray::put):
* runtime/JSArray.h:
* runtime/JSArrayBufferView.cpp:
(JSC::JSArrayBufferView::put): Deleted.
* runtime/JSArrayBufferView.h:
* runtime/JSCJSValue.cpp:
(JSC::JSValue::putToPrimitive):
* runtime/JSCell.cpp:
(JSC::JSCell::doPutPropertySecurityCheck): Deleted.
* runtime/JSCell.h:
* runtime/JSFunction.cpp:
(JSC::JSFunction::put):
* runtime/JSFunction.h:
* runtime/JSGenericTypedArrayView.h:
* runtime/JSGlobalLexicalEnvironment.h:
* runtime/JSGlobalObject.cpp:
(JSC::JSGlobalObject::put):
* runtime/JSGlobalObject.h:
* runtime/JSLexicalEnvironment.h:
* runtime/JSModuleEnvironment.h:
* runtime/JSModuleNamespaceObject.h:
* runtime/JSObject.cpp:
(JSC::JSObject::getOwnPropertySlot):
(JSC::JSObject::putInlineSlow):
(JSC::definePropertyOnReceiverSlow):
(JSC::JSObject::definePropertyOnReceiver):
(JSC::JSObject::putInlineFastReplacingStaticPropertyIfNeeded):
(JSC::JSObject::doPutPropertySecurityCheck): Deleted.
(JSC::JSObject::prototypeChainMayInterceptStoreTo): Deleted.
* runtime/JSObject.h:
(JSC::JSObject::putByIndexInline):
(JSC::JSObject::hasNonReifiedStaticProperties):
(JSC::JSObject::getOwnPropertySlot):
(JSC::JSObject::putDirect):
(JSC::JSObject::doPutPropertySecurityCheck): Deleted.
* runtime/JSObjectInlines.h:
(JSC::JSObject::canPerformFastPutInlineExcludingProto):
(JSC::JSObject::putInlineForJSObject):
(JSC::JSObject::putInlineFast):
(JSC::JSObject::putDirectInternal):
* runtime/JSProxy.h:
* runtime/JSTypeInfo.h:
(JSC::TypeInfo::hasStaticPropertyTable const):
(JSC::TypeInfo::overridesPut const):
(JSC::TypeInfo::getOwnPropertySlotMayBeWrongAboutDontEnum const):
(JSC::TypeInfo::hasPutPropertySecurityCheck const): Deleted.
* runtime/Lookup.h:
(JSC::putEntry): Deleted.
(JSC::lookupPut): Deleted.
* runtime/PropertySlot.h:
* runtime/ProxyObject.cpp:
(JSC::ProxyObject::put):
* runtime/ProxyObject.h:
* runtime/PutPropertySlot.h:
(JSC::PutPropertySlot::PutPropertySlot):
(JSC::PutPropertySlot::context const):
(JSC::PutPropertySlot::isTaintedByOpaqueObject const):
(JSC::PutPropertySlot::setIsTaintedByOpaqueObject):
* runtime/ReflectObject.cpp:
(JSC::JSC_DEFINE_HOST_FUNCTION):
* runtime/RegExpObject.cpp:
(JSC::RegExpObject::put):
* runtime/RegExpObject.h:
* runtime/StringObject.cpp:
(JSC::StringObject::put):
* runtime/StringObject.h:
* runtime/StringPrototype.cpp:
(JSC::StringPrototype::finishCreation):
(JSC::StringPrototype::create):
* runtime/StringPrototype.h:
* runtime/Structure.cpp:
(JSC::Structure::validateFlags):
* runtime/Structure.h:
(JSC::Structure::hasNonReifiedStaticProperties const):
* tools/JSDollarVM.cpp:

Source/WebCore:

Tests: js/dom/script-tests/reflect-set-onto-dom.js
       imported/w3c/web-platform-tests/WebIDL/ecmascript-binding/interface-object-set-receiver.html
       http/tests/security/cross-frame-access-object-getPrototypeOf-in-put.html

* bindings/js/JSDOMWindowCustom.cpp:
(WebCore::JSDOMWindow::put):
(WebCore::JSDOMWindow::doPutPropertySecurityCheck): Deleted.
* bindings/js/JSLocationCustom.cpp:
(WebCore::JSLocation::doPutPropertySecurityCheck): Deleted.
* bindings/js/JSRemoteDOMWindowCustom.cpp:
(WebCore::JSRemoteDOMWindow::put):
* bindings/scripts/CodeGeneratorJS.pm:
(GeneratePut):
(GenerateHeader):
* bindings/scripts/test/JS/*: Updated.
* bridge/objc/objc_runtime.h:
* bridge/runtime_array.h:
* bridge/runtime_object.h:

Source/WebKit:

* WebProcess/Plugins/Netscape/JSNPObject.h:

LayoutTests:

* http/tests/security/cross-frame-access-object-getPrototypeOf-in-put-expected.txt:
* http/tests/security/cross-frame-access-object-getPrototypeOf-in-put.html:
* js/dom/reflect-set-onto-dom-expected.txt:
* js/dom/script-tests/reflect-set-onto-dom.js:


Canonical link: https://commits.webkit.org/238579@main
git-svn-id: https://svn.webkit.org/repository/webkit/trunk@278589 268f45cc-cd09-0410-ab3c-d52691b4dbfc
 		2021-06-08 01:53:46 +00:00
..
c
jsc Refactor sorted array mapping machinery in LocaleToScriptMapping.cpp for reuse elsewhere 2021-04-20 14:48:06 +00:00
objc Unreviewed, reland r276592 with a fix for put() override in prototype chain of a JSProxy 2021-06-08 01:53:46 +00:00
Bridge.h
IdentifierRep.cpp
IdentifierRep.h
NP_jsobject.cpp
NP_jsobject.h
make_testbindings
npruntime.cpp
npruntime_impl.h
npruntime_internal.h
npruntime_priv.h
runtime_array.cpp Remove WTF::Optional synonym for std::optional, using that class template directly instead 2021-05-30 16:11:40 +00:00
runtime_array.h Unreviewed, reland r276592 with a fix for put() override in prototype chain of a JSProxy 2021-06-08 01:53:46 +00:00
runtime_method.cpp
runtime_method.h
runtime_object.cpp [JSC] Remove defaultValue() from the method table 2021-04-27 20:56:19 +00:00
runtime_object.h Unreviewed, reland r276592 with a fix for put() override in prototype chain of a JSProxy 2021-06-08 01:53:46 +00:00
runtime_root.cpp
runtime_root.h
test.js
testC.js
testM.js
testbindings.cpp
testbindings.mm Use adoptNS() as soon as we [[ObjcClass alloc] init] to avoid leaks 2021-02-22 21:59:00 +00:00