Changeset 205670 in webkit for trunk/Source/JavaScriptCore/jsc.cpp

Timestamp:

Sep 8, 2016, 3:30:26 PM (9 years ago)

Author:

Chris Dumez

Message:

Align proto getter / setter behavior with other browsers
​https://bugs.webkit.org/show_bug.cgi?id=161455

Reviewed by Saam Barati.

Source/JavaScriptCore:

Drop allowsAccessFrom from the methodTable and delegate cross-origin
checking to the DOM bindings for SetPrototypeOf / GetPrototypeOf.
This is more consistent with other operations (e.g. GetOwnProperty).

• jsc.cpp:
• runtime/JSGlobalObject.cpp:
• runtime/JSGlobalObject.h:
• runtime/JSGlobalObjectFunctions.cpp:

(JSC::globalFuncProtoGetter):
(JSC::globalFuncProtoSetter):
(JSC::globalFuncBuiltinLog): Deleted.

• runtime/JSGlobalObjectFunctions.h:
• runtime/JSObject.cpp:

(JSC::JSObject::setPrototypeWithCycleCheck):
Remove check added in r197648. This check was added to match
the latest EcmaScript spec:

• ​https://tc39.github.io/ecma262/#sec-ordinarysetprototypeof (step 8)

This check allowed for Prototype chain cycles if the prototype
chain includes objects that do not use the ordinary object definitions
for GetPrototypeOf and SetPrototypeOf.
The issue is that the rest of our code base does not properly handle
such cycles and we can end up in infinite loops. This became obvious
because this patch updates Window / Location so that they no longer
use the default GetPrototypeOf / SetPrototypeOf. If I do not
remove this check, I get an infinite loop in
Structure::anyObjectInChainMayInterceptIndexedAccesses(), which is
called from JSObject::setPrototypeDirect(), when running the following
layout test:

• html/browsers/history/the-location-interface/allow_prototype_cycle_through_location.sub.html

I filed ​https://bugs.webkit.org/show_bug.cgi?id=161534 to track this
issue.

• runtime/JSObject.h:

(JSC::JSObject::getArrayLength): Deleted.

• runtime/JSProxy.cpp:

(JSC::JSProxy::setPrototype):
(JSC::JSProxy::getPrototype):

• runtime/JSProxy.h:
• runtime/ObjectConstructor.cpp:

(JSC::objectConstructorGetPrototypeOf):
(JSC::objectConstructorSetPrototypeOf):
(JSC::objectConstructorGetOwnPropertyDescriptor): Deleted.
(JSC::objectConstructorGetOwnPropertyDescriptors): Deleted.

• runtime/ObjectConstructor.h:
• runtime/ReflectObject.cpp:

(JSC::reflectObjectGetPrototypeOf):
(JSC::reflectObjectSetPrototypeOf):

Source/WebCore:

Align cross-origin proto getter / setter behavior with other
browsers and the specification:

SetPrototypeOf should throw a TypeError:

• ​https://html.spec.whatwg.org/#windowproxy-setprototypeof
• ​https://html.spec.whatwg.org/#location-setprototypeof
• ​https://tc39.github.io/ecma262/#sec-object.setprototypeof (step 5)

GetPrototypeOf should return null cross-origin:

• ​https://html.spec.whatwg.org/#windowproxy-getprototypeof
• ​https://html.spec.whatwg.org/#location-getprototypeof

Test: js/dom/setPrototypeOf-location-window.html

• bindings/js/JSDOMWindowBase.cpp:

(WebCore::JSDOMWindowBase::JSDOMWindowBase): Deleted.

• bindings/js/JSDOMWindowCustom.cpp:

(WebCore::JSDOMWindow::setPrototype):
(WebCore::JSDOMWindow::getPrototype):
(WebCore::JSDOMWindow::preventExtensions):

• bindings/js/JSLocationCustom.cpp:

(WebCore::JSLocation::setPrototype):
(WebCore::JSLocation::getPrototype):

• bindings/js/JSWorkerGlobalScopeBase.cpp:

(WebCore::JSWorkerGlobalScopeBase::supportsRichSourceInfo): Deleted.

• bindings/js/JSWorkerGlobalScopeBase.h:
• bindings/scripts/CodeGeneratorJS.pm:

(GenerateHeader):

• bindings/scripts/IDLAttributes.txt:
• page/DOMWindow.idl:
• page/Location.idl:

LayoutTests:

Add layout test coverage and update a few existing test to reflect
behavior change.

• fast/dom/Window/script-tests/window-custom-prototype.js: Removed.
• fast/dom/Window/window-custom-prototype-crash-expected.txt:
• fast/dom/Window/window-custom-prototype-expected.txt: Removed.
• fast/dom/Window/window-custom-prototype.html: Removed.
• http/tests/security/cross-frame-access-object-getPrototypeOf-expected.txt:
• http/tests/security/cross-frame-access-object-getPrototypeOf.html:
• http/tests/security/cross-frame-access-object-setPrototypeOf-expected.txt:
• http/tests/security/cross-frame-access-object-setPrototypeOf.html:
• http/tests/security/xss-DENIED-htmlelelment-with-iframe-proto-expected.txt:
• http/tests/security/xss-DENIED-htmlelelment-with-iframe-proto.html:
• http/tests/security/xss-DENIED-method-with-iframe-proto-expected.txt:
• http/tests/security/xss-DENIED-method-with-iframe-proto.html:
• http/tests/security/xss-DENIED-non-shadowable-propterty-with-iframe-proto-expected.txt:
• http/tests/security/xss-DENIED-non-shadowable-propterty-with-iframe-proto.html:
• http/tests/security/xss-DENIED-regular-propterty-with-iframe-proto-expected.txt:
• http/tests/security/xss-DENIED-regular-propterty-with-iframe-proto.html:
• js/dom/setPrototypeOf-location-window-expected.txt: Added.
• js/dom/setPrototypeOf-location-window.html: Added.

File:

• trunk/Source/JavaScriptCore/jsc.cpp (modified) (1 diff)

trunk/Source/JavaScriptCore/jsc.cpp

@@ -910 +910 @@
 
 const ClassInfo GlobalObject::s_info = { "global", &JSGlobalObject::s_info, nullptr, CREATE_METHOD_TABLE(GlobalObject) };
-const GlobalObjectMethodTable GlobalObject::s_globalObjectMethodTable = { &allowsAccessFrom, &supportsRichSourceInfo, &shouldInterruptScript, &javaScriptRuntimeFlags, 0, &shouldInterruptScriptBeforeTimeout, &moduleLoaderResolve, &moduleLoaderFetch, nullptr, nullptr, nullptr, nullptr };
+const GlobalObjectMethodTable GlobalObject::s_globalObjectMethodTable = { &supportsRichSourceInfo, &shouldInterruptScript, &javaScriptRuntimeFlags, 0, &shouldInterruptScriptBeforeTimeout, &moduleLoaderResolve, &moduleLoaderFetch, nullptr, nullptr, nullptr, nullptr };