Timestamp:
Feb 12, 2016, 4:12:54 PM (9 years ago)
Author:
[email protected]
Message:

The parser doesn't properly protect against global variable references in builtins
https://bugs.webkit.org/show_bug.cgi?id=154144

Reviewed by Geoffrey Garen.

Source/JavaScriptCore:

This patch fixes our global variable reference detection
algorithm that was broken. After fixing the algorithm, I
detected many places where we were incorrectly using global
variables. I've fixed all those.

  • builtins/BuiltinExecutables.cpp:
    (JSC::createExecutableInternal):
  • builtins/NumberPrototype.js:
    (toLocaleString):
  • builtins/PromiseConstructor.js:
    (race):
    (reject):
    (resolve):
  • parser/Nodes.cpp:
    (JSC::ProgramNode::ProgramNode):
    (JSC::ModuleProgramNode::ModuleProgramNode):
    (JSC::ProgramNode::setClosedVariables): Deleted.
  • parser/Nodes.h:
    (JSC::ScopeNode::setClosedVariables): Deleted.
    (JSC::ProgramNode::closedVariables): Deleted.
  • parser/Parser.cpp:
    (JSC::Parser<LexerType>::parseInner):
    (JSC::Parser<LexerType>::didFinishParsing):
  • parser/Parser.h:
    (JSC::Scope::setIsLexicalScope):
    (JSC::Scope::isLexicalScope):
    (JSC::Scope::closedVariableCandidates):
    (JSC::Scope::declaredVariables):
    (JSC::Scope::lexicalVariables):
    (JSC::Scope::finalizeLexicalEnvironment):
    (JSC::Parser::positionBeforeLastNewline):
    (JSC::Parser::locationBeforeLastToken):
    (JSC::Parser::isFunctionMetadataNode):
    (JSC::parse):
    (JSC::Parser::closedVariables): Deleted.

Source/WebCore:

Change JS builtins to no longer reference global variables.

No new tests because old tests cover the issues here.

  • Modules/mediastream/NavigatorUserMedia.js:
    (webkitGetUserMedia):
  • Modules/mediastream/RTCPeerConnection.js:
    (addIceCandidate):
    (getStats):
  • Modules/mediastream/RTCPeerConnectionInternals.js:
    (setLocalOrRemoteDescription):
  • Modules/plugins/QuickTimePluginReplacement.js:
    (Replacement.prototype.handleEvent):
  • Modules/streams/ByteLengthQueuingStrategy.js:
    (initializeByteLengthQueuingStrategy):
  • Modules/streams/CountQueuingStrategy.js:
    (initializeCountQueuingStrategy):
  • Modules/streams/ReadableStreamInternals.js:
    (teeReadableStream):
  • bindings/js/JSDOMGlobalObject.cpp:
    (WebCore::JSDOMGlobalObject::addBuiltinGlobals):
  • bindings/js/WebCoreBuiltinNames.h:
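The commit message above says builtins must not reference global variables, but does not spell out why. The example below is added here and is not WebKit code: it models, in plain JavaScript, a self-hosted `race` helper written the leaky way (resolving the global `Promise` name every time it runs) beside one that captures the intrinsic once at engine-initialization time, then shows that page code replacing `globalThis.Promise` ends up running inside the leaky builtin but not inside the safe one. `HijackedPromise`, `hijackLog`, `makeLeakyRace`, `makeSafeRace` and `demo` are constructed names for this illustration; the real engine enforces the same rule at parse time rather than by capturing constants.

```javascript
"use strict";
// Added example, not WebKit's own code. Models why a builtin that resolves a
// global name at call time can be redirected by ordinary page script.

// "Engine init": capture the intrinsic before any page script can run.
const RealPromise = Promise;

// Constructed record of every time the replaced global gets invoked.
const hijackLog = [];

// Leaky builtin: `Promise` is a free identifier, so each call looks it up on
// the global object and uses whatever the page has stored there.
function makeLeakyRace() {
  return function race(iterable) {
    return new Promise((resolve, reject) => {
      for (const p of iterable) Promise.resolve(p).then(resolve, reject);
    });
  };
}

// Safe builtin: only the captured intrinsic is used; the global binding is
// never consulted, so page script cannot interpose on it.
function makeSafeRace() {
  return function race(iterable) {
    return new RealPromise((resolve, reject) => {
      for (const p of iterable) RealPromise.resolve(p).then(resolve, reject);
    });
  };
}

// Constructed page-level replacement for the global Promise constructor. It
// forwards to the real one so the program keeps working, but records that
// it ran in the middle of a builtin.
class HijackedPromise {
  constructor(executor) {
    hijackLog.push("HijackedPromise constructed");
    return new RealPromise(executor);
  }
  static resolve(value) {
    hijackLog.push("HijackedPromise.resolve");
    return RealPromise.resolve(value);
  }
}

// Runs both builtins after the global has been replaced and reports how many
// times the replacement was reached from inside each. Restores the global
// afterwards so the rest of the program is unaffected.
function demo() {
  const leakyRace = makeLeakyRace();
  const safeRace = makeSafeRace();
  globalThis.Promise = HijackedPromise; // page script tampering with a global
  try {
    hijackLog.length = 0;
    leakyRace([1]);
    const leakyHits = hijackLog.length; // constructor + static resolve
    hijackLog.length = 0;
    safeRace([1]);
    const safeHits = hijackLog.length;
    return { leakyHits, safeHits };
  } finally {
    globalThis.Promise = RealPromise;
  }
}

console.log(demo()); // { leakyHits: 2, safeHits: 0 }
```

The leaky builtin is the behaviour the detection algorithm in this changeset is meant to flag: any free identifier in builtin source that is not a declared local or a private `@`-name is a hook that untrusted page code can replace.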
File:
1 edited

  • trunk/Source/JavaScriptCore/parser/Nodes.cpp

    r194496 r196525  
    122122    , m_endColumn(endColumn)
    123123{
    124 }
    125 
    126 void ProgramNode::setClosedVariables(Vector<RefPtr<UniquedStringImpl>>&& closedVariables)
    127 {
    128     m_closedVariables = WTFMove(closedVariables);
    129124}
    130125
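Review bot: Deleting `ProgramNode::setClosedVariables` here leaves `m_closedVariables` with no writer in Nodes.cpp, so the member and its `ProgramNode::closedVariables()` accessor (listed as deleted in the Nodes.h entry of the ChangeLog) must go in the same change or the member becomes dead state that is still copied around; the displayed hunk covers only this file, so a reviewer cannot confirm from the diff alone that the header declarations and the last caller of the setter in Parser.h were removed together.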