Changeset 196525 in webkit for trunk/Source/JavaScriptCore/parser/Nodes.h

Timestamp:

Feb 12, 2016, 4:12:54 PM (10 years ago)

Author:

[email protected]

Message:

The parser doesn't properly protect against global variable references in builtins
​https://bugs.webkit.org/show_bug.cgi?id=154144

Reviewed by Geoffrey Garen.

Source/JavaScriptCore:

This patch fixes our global variable reference detection
algorithm that was broken. After fixing the algorithm, I
detected many places where we were incorrectly using global
variables. I've fixed all those.

• builtins/BuiltinExecutables.cpp:

(JSC::createExecutableInternal):

• builtins/NumberPrototype.js:

(toLocaleString):

• builtins/PromiseConstructor.js:

(race):
(reject):
(resolve):

• parser/Nodes.cpp:

(JSC::ProgramNode::ProgramNode):
(JSC::ModuleProgramNode::ModuleProgramNode):
(JSC::ProgramNode::setClosedVariables): Deleted.

• parser/Nodes.h:

(JSC::ScopeNode::setClosedVariables): Deleted.
(JSC::ProgramNode::closedVariables): Deleted.

• parser/Parser.cpp:

(JSC::Parser<LexerType>::parseInner):
(JSC::Parser<LexerType>::didFinishParsing):

• parser/Parser.h:

(JSC::Scope::setIsLexicalScope):
(JSC::Scope::isLexicalScope):
(JSC::Scope::closedVariableCandidates):
(JSC::Scope::declaredVariables):
(JSC::Scope::lexicalVariables):
(JSC::Scope::finalizeLexicalEnvironment):
(JSC::Parser::positionBeforeLastNewline):
(JSC::Parser::locationBeforeLastToken):
(JSC::Parser::isFunctionMetadataNode):
(JSC::parse):
(JSC::Parser::closedVariables): Deleted.

Source/WebCore:

Change JS builtins to no longer reference global variables.

No new tests because old tests cover the issues here.

• Modules/mediastream/NavigatorUserMedia.js:

(webkitGetUserMedia):

• Modules/mediastream/RTCPeerConnection.js:

(addIceCandidate):
(getStats):

• Modules/mediastream/RTCPeerConnectionInternals.js:

(setLocalOrRemoteDescription):

• Modules/plugins/QuickTimePluginReplacement.js:

(Replacement.prototype.handleEvent):

• Modules/streams/ByteLengthQueuingStrategy.js:

(initializeByteLengthQueuingStrategy):

• Modules/streams/CountQueuingStrategy.js:

(initializeCountQueuingStrategy):

• Modules/streams/ReadableStreamInternals.js:

(teeReadableStream):

• bindings/js/JSDOMGlobalObject.cpp:

(WebCore::JSDOMGlobalObject::addBuiltinGlobals):

• bindings/js/WebCoreBuiltinNames.h:

File:

• trunk/Source/JavaScriptCore/parser/Nodes.h (modified) (2 diffs)

trunk/Source/JavaScriptCore/parser/Nodes.h

@@ -1597 +1597 @@
         void emitStatementsBytecode(BytecodeGenerator&, RegisterID* destination);
         
-        void setClosedVariables(Vector<RefPtr<UniquedStringImpl>>&&) { }
-
         void analyzeModule(ModuleAnalyzer&);
 
@@ -1624 +1622 @@
         static const bool scopeIsFunction = false;
 
-        void setClosedVariables(Vector<RefPtr<UniquedStringImpl>>&&);
-        const Vector<RefPtr<UniquedStringImpl>>& closedVariables() const { return m_closedVariables; }
-
-    private:
-        virtual void emitBytecode(BytecodeGenerator&, RegisterID* = 0) override;
-        Vector<RefPtr<UniquedStringImpl>> m_closedVariables;
+    private:
+        virtual void emitBytecode(BytecodeGenerator&, RegisterID* = 0) override;
         unsigned m_startColumn;
         unsigned m_endColumn;