source: webkit/trunk/JavaScriptCore/runtime/JSNotAnObject.h@ 72127

Last change on this file since 72127 was 72127, checked in by [email protected], 15 years ago

JavaScriptCore: https://bugs.webkit.org/show_bug.cgi?id=49606

Reviewed by Oliver Hunt.

The bug here is that we read the prototype from the RHS argument using a regular
op_get_by_id before op_instanceof has checked that this is an object implementing
HasInstance. This incorrect behaviour gives rise to further unnecessary complexity
in the code base, since we have additional logic (implemented using the
GetByIdExceptionInfo data structures on CodeBlock) to convert not-an-object errors
from the get_by_id into invalid-parameter errors. Having fixed this bug, this code
is all redundant, since in these cases the get_by_id will never have been reached.

  • bytecode/CodeBlock.cpp:

(JSC::CodeBlock::dump):
(JSC::CodeBlock::shrinkToFit):

  • bytecode/CodeBlock.h:

(JSC::CodeBlock::addExpressionInfo):

  • bytecode/Opcode.h:
  • bytecompiler/BytecodeGenerator.cpp:

(JSC::BytecodeGenerator::BytecodeGenerator):
(JSC::BytecodeGenerator::emitCheckHasInstance):

  • bytecompiler/BytecodeGenerator.h:
  • bytecompiler/NodesCodegen.cpp:

(JSC::InstanceOfNode::emitBytecode):

  • interpreter/Interpreter.cpp:

(JSC::Interpreter::throwException):
(JSC::Interpreter::privateExecute):

  • jit/JIT.cpp:

(JSC::JIT::privateCompileMainPass):
(JSC::JIT::privateCompileSlowCases):

  • jit/JIT.h:
  • jit/JITOpcodes.cpp:

(JSC::JIT::emit_op_check_has_instance):
(JSC::JIT::emit_op_instanceof):
(JSC::JIT::emitSlow_op_check_has_instance):
(JSC::JIT::emitSlow_op_instanceof):

  • jit/JITOpcodes32_64.cpp:

(JSC::JIT::emit_op_check_has_instance):
(JSC::JIT::emit_op_instanceof):
(JSC::JIT::emitSlow_op_check_has_instance):
(JSC::JIT::emitSlow_op_instanceof):

  • jit/JITStubs.cpp:

(JSC::DEFINE_STUB_FUNCTION):

  • jit/JITStubs.h:
  • runtime/ExceptionHelpers.cpp:

(JSC::createInterruptedExecutionException):
(JSC::createTerminatedExecutionException):
(JSC::createUndefinedVariableError):
(JSC::createNotAFunctionError):
(JSC::createNotAnObjectError):

  • runtime/ExceptionHelpers.h:
  • runtime/JSGlobalData.cpp:

(JSC::JSGlobalData::JSGlobalData):

  • runtime/JSGlobalData.h:
  • runtime/JSNotAnObject.cpp:

(JSC::JSNotAnObject::toPrimitive):
(JSC::JSNotAnObject::getPrimitiveNumber):
(JSC::JSNotAnObject::toBoolean):
(JSC::JSNotAnObject::toNumber):
(JSC::JSNotAnObject::toString):
(JSC::JSNotAnObject::toObject):
(JSC::JSNotAnObject::getOwnPropertySlot):
(JSC::JSNotAnObject::getOwnPropertyDescriptor):
(JSC::JSNotAnObject::put):
(JSC::JSNotAnObject::deleteProperty):
(JSC::JSNotAnObject::getOwnPropertyNames):

  • runtime/JSNotAnObject.h:

(JSC::JSNotAnObject::JSNotAnObject):

  • runtime/JSObject.h:

(JSC::JSObject::isActivationObject):

  • runtime/JSValue.cpp:

(JSC::JSValue::toObjectSlowCase):
(JSC::JSValue::synthesizeObject):
(JSC::JSValue::synthesizePrototype):

LayoutTests: Bug 49606 - instanceof should only get the prototype property if the RHS operand implements HasInstance

Reviewed by Oliver Hunt.

  • fast/js/instanceof-XMLHttpRequest-expected.txt: Copied from LayoutTests/fast/js/instanceof-operator-expected.txt.
  • fast/js/instanceof-XMLHttpRequest.html: Copied from LayoutTests/fast/js/instanceof-operator.html.
  • fast/js/script-tests/instanceof-XMLHttpRequest.js: Copied from LayoutTests/fast/js/script-tests/instanceof-operator.js.
    • renamed the existing test case; these really test XMLHttpRequest objects, rather than the instanceof operator.
  • fast/js/instanceof-operator-expected.txt:
  • fast/js/script-tests/instanceof-operator.js:
    • added test case for: javascript: ({} instanceof { get prototype(){ alert("Error!"); } })
1/*
2 * Copyright (C) 2008, 2009 Apple Inc. All rights reserved.
3 *
4 * Redistribution and use in source and binary forms, with or without
5 * modification, are permitted provided that the following conditions
6 * are met:
7 *
8 * 1. Redistributions of source code must retain the above copyright
9 * notice, this list of conditions and the following disclaimer.
10 * 2. Redistributions in binary form must reproduce the above copyright
11 * notice, this list of conditions and the following disclaimer in the
12 * documentation and/or other materials provided with the distribution.
13 * 3. Neither the name of Apple Computer, Inc. ("Apple") nor the names of
14 * its contributors may be used to endorse or promote products derived
15 * from this software without specific prior written permission.
16 *
17 * THIS SOFTWARE IS PROVIDED BY APPLE AND ITS CONTRIBUTORS "AS IS" AND ANY
18 * EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED
19 * WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
20 * DISCLAIMED. IN NO EVENT SHALL APPLE OR ITS CONTRIBUTORS BE LIABLE FOR ANY
21 * DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES
22 * (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
23 * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND
24 * ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
25 * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
26 * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
27 */
28
29#ifndef JSNotAnObject_h
30#define JSNotAnObject_h
31
32#include "JSObject.h"
33
34namespace JSC {
35
36 // This unholy class is used to allow us to avoid multiple exception checks
37 // in certain SquirrelFish bytecodes -- effectively it just silently consumes
38 // any operations performed on the result of a failed toObject call.
class JSNotAnObject : public JSObject {
    // NOTE(review): this object exists to absorb operations silently. Every
    // path that creates one is expected to have an exception already pending
    // (it stands in for the result of a failed toObject); if that is not the
    // case, the original failure is masked and a conversion or property access
    // on a bogus object appears to succeed. Confirm at each creation site.
public:
    // Binds the instance to the shared notAnObjectStructure held on the
    // global data, so no per-instance Structure is created.
    JSNotAnObject(ExecState* exec)
        : JSObject(exec->globalData().notAnObjectStructure)
    {
    }

    // Creates the Structure used by instances of this class: an ObjectType
    // carrying StructureFlags (below) and the usual anonymous slot count.
    // Presumably invoked once when the global data's notAnObjectStructure is
    // set up -- confirm against JSGlobalData.cpp.
    static PassRefPtr<Structure> createStructure(JSValue prototype)
    {
        return Structure::create(prototype, TypeInfo(ObjectType, StructureFlags), AnonymousSlotCount);
    }

private:

    // Advertises that getOwnPropertySlot and getOwnPropertyNames are
    // overridden here; the flag names suggest the VM consults these bits to
    // avoid fast paths that would skip the virtuals below -- verify in
    // JSObject.h.
    static const unsigned StructureFlags = OverridesGetOwnPropertySlot | OverridesGetPropertyNames | JSObject::StructureFlags;

    // JSValue methods: every value conversion is overridden so a failed
    // toObject result never converts like a real object. The bodies, and what
    // each one returns, live in JSNotAnObject.cpp.
    virtual JSValue toPrimitive(ExecState*, PreferredPrimitiveType) const;
    virtual bool getPrimitiveNumber(ExecState*, double& number, JSValue&);
    virtual bool toBoolean(ExecState*) const;
    virtual double toNumber(ExecState*) const;
    virtual UString toString(ExecState*) const;
    virtual JSObject* toObject(ExecState*) const;

    // JSObject methods: property lookup, descriptor lookup, mutation,
    // deletion and enumeration are all overridden (see JSNotAnObject.cpp for
    // the behaviour of each).
    virtual bool getOwnPropertySlot(ExecState*, const Identifier& propertyName, PropertySlot&);
    virtual bool getOwnPropertySlot(ExecState*, unsigned propertyName, PropertySlot&);
    virtual bool getOwnPropertyDescriptor(ExecState*, const Identifier&, PropertyDescriptor&);

    virtual void put(ExecState*, const Identifier& propertyName, JSValue, PutPropertySlot&);
    virtual void put(ExecState*, unsigned propertyName, JSValue);

    virtual bool deleteProperty(ExecState*, const Identifier& propertyName);
    virtual bool deleteProperty(ExecState*, unsigned propertyName);

    // Default mode mirrors the JSObject signature so callers that omit the
    // argument still skip DontEnum properties.
    virtual void getOwnPropertyNames(ExecState*, PropertyNameArray&, EnumerationMode mode = ExcludeDontEnumProperties);
};
76
77} // namespace JSC
78
79#endif // JSNotAnObject_h