Title: [97709] trunk
Revision
97709
Author
[email protected]
Date
2011-10-17 20:26:02 -0700 (Mon, 17 Oct 2011)

Log Message

Source/_javascript_Core: Rename deregister* to unregister*
https://bugs.webkit.org/show_bug.cgi?id=70272

Patch by Ryosuke Niwa <[email protected]> on 2011-10-17
Reviewed by Darin Adler.

Renamed deregisterWeakMap to unregisterWeakMap.

* runtime/JSGlobalObject.h:
(JSC::JSGlobalObject::unregisterWeakMap):

LayoutTests: Poisoning of strict caller/arguments inappropriately poisoning "in"
https://bugs.webkit.org/show_bug.cgi?id=63398

Reviewed by Sam Weinig.

* fast/js/basic-strict-mode-expected.txt:
* fast/js/script-tests/basic-strict-mode.js:
    - added tests.

Modified Paths

Diff

Modified: trunk/LayoutTests/ChangeLog (97708 => 97709)


--- trunk/LayoutTests/ChangeLog	2011-10-18 03:23:26 UTC (rev 97708)
+++ trunk/LayoutTests/ChangeLog	2011-10-18 03:26:02 UTC (rev 97709)
@@ -1,3 +1,14 @@
+2011-10-17  Gavin Barraclough  <[email protected]>
+
+        Poisoning of strict caller/arguments inappropriately poisoning "in"
+        https://bugs.webkit.org/show_bug.cgi?id=63398
+
+        Reviewed by Sam Weinig.
+
+        * fast/js/basic-strict-mode-expected.txt:
+        * fast/js/script-tests/basic-strict-mode.js:
+            - added tests.
+
 2011-10-17  Ojan Vafai  <[email protected]>
 
         Unreviewed, rolling out r97662.

Modified: trunk/LayoutTests/fast/js/basic-strict-mode-expected.txt (97708 => 97709)


--- trunk/LayoutTests/fast/js/basic-strict-mode-expected.txt	2011-10-18 03:23:26 UTC (rev 97708)
+++ trunk/LayoutTests/fast/js/basic-strict-mode-expected.txt	2011-10-18 03:26:02 UTC (rev 97709)
@@ -66,6 +66,10 @@
 PASS (function f(arg){'use strict'; f.caller; })() threw exception TypeError: Cannot access caller property of a strict mode function.
 PASS (function f(arg){'use strict'; f.arguments=5; })() threw exception TypeError: Cannot access arguments property of a strict mode function.
 PASS (function f(arg){'use strict'; f.caller=5; })() threw exception TypeError: Cannot access caller property of a strict mode function.
+PASS "caller" in function(){"use strict"} is true
+PASS (function(){"use strict";}).hasOwnProperty("caller") is true
+PASS "arguments" in function(){"use strict"} is true
+PASS (function(){"use strict";}).hasOwnProperty("arguments") is true
 PASS 'use strict'; (function (){with(1){};}) threw exception SyntaxError: 'with' statements are not valid in strict mode.
 PASS (function(){'use strict'; (function (){with(1){};})}) threw exception SyntaxError: 'with' statements are not valid in strict mode.
 PASS 'use strict'; (function (){var a; delete a;}) threw exception SyntaxError: Cannot delete unqualified property 'a' in strict mode.

Modified: trunk/LayoutTests/fast/js/script-tests/basic-strict-mode.js (97708 => 97709)


--- trunk/LayoutTests/fast/js/script-tests/basic-strict-mode.js	2011-10-18 03:23:26 UTC (rev 97708)
+++ trunk/LayoutTests/fast/js/script-tests/basic-strict-mode.js	2011-10-18 03:26:02 UTC (rev 97709)
@@ -74,6 +74,11 @@
 shouldThrow("(function f(arg){'use strict'; f.caller; })()");
 shouldThrow("(function f(arg){'use strict'; f.arguments=5; })()");
 shouldThrow("(function f(arg){'use strict'; f.caller=5; })()");
+// arguments/caller poisoning should be visible but not throw with 'in' & 'hasOwnProperty'.
+shouldBeTrue('"caller" in function(){"use strict"}');
+shouldBeTrue('(function(){"use strict";}).hasOwnProperty("caller")');
+shouldBeTrue('"arguments" in function(){"use strict"}');
+shouldBeTrue('(function(){"use strict";}).hasOwnProperty("arguments")');
 shouldBeSyntaxError("'use strict'; (function (){with(1){};})");
 shouldBeSyntaxError("'use strict'; (function (){var a; delete a;})");
 shouldBeSyntaxError("'use strict'; var a; (function (){ delete a;})");
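Review bot: The added assertions only use string property names, so the rewritten `hasProperty(ExecState*, unsigned)` overload that this commit also changes in JSObject.cpp is not exercised by this hunk. A pair of indexed checks next to the new lines, such as `shouldBeTrue('0 in [1]');` and `shouldBeFalse('1 in [1]');`, would pin that path, unless another test in the suite already covers it. The new comment would also read more clearly as `// Poisoned arguments/caller must be reported by 'in' and hasOwnProperty without throwing.`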

Modified: trunk/Source/_javascript_Core/ChangeLog (97708 => 97709)


--- trunk/Source/_javascript_Core/ChangeLog	2011-10-18 03:23:26 UTC (rev 97708)
+++ trunk/Source/_javascript_Core/ChangeLog	2011-10-18 03:26:02 UTC (rev 97709)
@@ -12,6 +12,25 @@
 
 2011-10-17  Gavin Barraclough  <[email protected]>
 
+        Poisoning of strict caller/arguments inappropriately poisoning "in"
+        https://bugs.webkit.org/show_bug.cgi?id=63398
+
+        Reviewed by Sam Weinig.
+
+        The problem here is that the has[Own]Property methods get the slot rather than
+        the descriptor, and getting the slot may cause the property to be eagerly accessed.
+
+        * jit/JITStubs.cpp:
+        (JSC::DEFINE_STUB_FUNCTION):
+            - We don't expect hasProperty to ever throw. If it does, it won't get caught
+              (since it is after the exception check), so ASSERT to guard against this.
+        * runtime/JSObject.cpp:
+        (JSC::JSObject::hasProperty):
+        (JSC::JSObject::hasOwnProperty):
+            - These methods should not check for the presence of the descriptor; never get the value.
+
+2011-10-17  Gavin Barraclough  <[email protected]>
+
         Exception ordering in String.prototype.replace
         https://bugs.webkit.org/show_bug.cgi?id=70290
 

Modified: trunk/Source/_javascript_Core/jit/JITStubs.cpp (97708 => 97709)


--- trunk/Source/_javascript_Core/jit/JITStubs.cpp	2011-10-18 03:23:26 UTC (rev 97708)
+++ trunk/Source/_javascript_Core/jit/JITStubs.cpp	2011-10-18 03:26:02 UTC (rev 97709)
@@ -3607,7 +3607,9 @@
 
     Identifier property(callFrame, propName.toString(callFrame));
     CHECK_FOR_EXCEPTION();
-    return JSValue::encode(jsBoolean(baseObj->hasProperty(callFrame, property)));
+    bool result = baseObj->hasProperty(callFrame, property);
+    ASSERT(!callFrame->hadException());
+    return JSValue::encode(jsBoolean(result));
 }
 
 DEFINE_STUB_FUNCTION(JSObject*, op_push_new_scope)
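Review bot: `ASSERT(!callFrame->hadException())` is compiled out of release builds, so if `hasProperty` ever leaves an exception pending, the stub returns a boolean to JIT code with that exception still set and nothing reports it. The descriptor lookup can dispatch to subclass overrides that are not visible in this hunk, so the "never throws" assumption is hard to confirm from here. It would be safer to add a real check after the call, `CHECK_FOR_EXCEPTION();`, before `return JSValue::encode(jsBoolean(result));`, keeping the assertion only if a debug-time signal is still wanted. The stub's body starts outside the hunk.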

Modified: trunk/Source/_javascript_Core/runtime/JSObject.cpp (97708 => 97709)


--- trunk/Source/_javascript_Core/runtime/JSObject.cpp	2011-10-18 03:23:26 UTC (rev 97708)
+++ trunk/Source/_javascript_Core/runtime/JSObject.cpp	2011-10-18 03:26:02 UTC (rev 97709)
@@ -243,14 +243,14 @@
 
 bool JSObject::hasProperty(ExecState* exec, const Identifier& propertyName) const
 {
-    PropertySlot slot;
-    return const_cast<JSObject*>(this)->getPropertySlot(exec, propertyName, slot);
+    PropertyDescriptor descriptor;
+    return const_cast<JSObject*>(this)->getPropertyDescriptor(exec, propertyName, descriptor);
 }
 
 bool JSObject::hasProperty(ExecState* exec, unsigned propertyName) const
 {
-    PropertySlot slot;
-    return const_cast<JSObject*>(this)->getPropertySlot(exec, propertyName, slot);
+    PropertyDescriptor descriptor;
+    return const_cast<JSObject*>(this)->getPropertyDescriptor(exec, Identifier::from(exec, propertyName), descriptor);
 }
 
 bool JSObject::deletePropertyVirtual(ExecState* exec, const Identifier& propertyName)
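Review bot: `hasProperty(ExecState*, unsigned)` now converts every index to an `Identifier` through `Identifier::from(exec, propertyName)`, so each indexed `in` check builds a string key and no longer reaches any indexed `getPropertySlot` override a subclass provides. That is probably a noticeable cost on array-heavy code. Objects that answer index lookups only through the unsigned slot path may now report the property as absent, though that cannot be confirmed from this hunk. A comment above the call would record the trade-off, for example `// FIXME: goes through Identifier to reuse getPropertyDescriptor; add an indexed descriptor lookup.`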
@@ -286,8 +286,8 @@
 
 bool JSObject::hasOwnProperty(ExecState* exec, const Identifier& propertyName) const
 {
-    PropertySlot slot;
-    return const_cast<JSObject*>(this)->getOwnPropertySlotVirtual(exec, propertyName, slot);
+    PropertyDescriptor descriptor;
+    return const_cast<JSObject*>(this)->getOwnPropertyDescriptor(exec, propertyName, descriptor);
 }
 
 bool JSObject::deletePropertyVirtual(ExecState* exec, unsigned propertyName)
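Review bot: `hasOwnProperty` used to ask `getOwnPropertySlotVirtual` and now asks `getOwnPropertyDescriptor`, so its answer depends on every subclass that overrides the slot lookup also overriding the descriptor lookup consistently; the same applies to both `hasProperty` overloads in the previous hunk. Whether all such subclasses do so is not visible here. A mismatch would make `hasOwnProperty` disagree with an actual property read, which matters most for objects that filter access in their slot override. This is worth documenting on the function: `// Uses the descriptor so poisoned accessors are detected without being invoked; subclasses must keep getOwnPropertyDescriptor in sync with getOwnPropertySlot.`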