Timestamp: Jan 11, 2008, 11:19:27 PM (17 years ago)
Author: [email protected]
Message:

JavaScriptCore:

Reviewed by Oliver Hunt.


Fixed <rdar://problem/5665251> REGRESSION (r28880-r28886): Global
variable access (16644)


This bug was caused by var declarations shadowing built-in properties of
the global object.


To match Firefox, we've decided that var declarations will never shadow
built-in properties of the global object or its prototypes. We used to
behave more like IE, which allows shadowing, but walking that line got
us into trouble with websites that sent us down the Firefox codepath.

  • kjs/JSVariableObject.h: (KJS::JSVariableObject::symbolTableGet): New code to support calling hasProperty before the variable object is fully initialized (so you can call it during initialization).
  • kjs/nodes.cpp: (KJS::ProgramNode::initializeSymbolTable): Always do a full hasProperty check when looking for duplicates, not getDirect, since it only checks the property map, and not hasOwnProperty, since it doesn't check prototypes. (KJS::EvalNode::processDeclarations): Ditto.
  • kjs/property_slot.h: (KJS::PropertySlot::ungettableGetter): Best function name evar.

WebCore:

Reviewed by Oliver Hunt.


Fixed <rdar://problem/5665251> REGRESSION (r28880-r28886): Global
variable access (16644)


Removed the ReadOnly bit from some properties, to match Firefox. Also
removed status-related setters, to allow using their names as variable
names.


  • bindings/scripts/CodeGeneratorJS.pm: Added support for properties that are one-way across domain boundaries, to match Firefox.
  • bindings/js/kjs_window.cpp: Changed ReadOnly declarations to match FF.
  • bindings/scripts/CodeGeneratorJS.pm: Don't use JSObject:: because we don't know that JSObject is our base class.
  • page/DOMWindow.idl: Replaced lots of readonly declarations with [Replaceable] declarations.
  • page/DOMWindow.h: Removed interfaces for setting status text via the DOM. (They were getting in the way of, e.g., "var status" declarations.) By default, IE 7 and FF disable these interfaces in order to defend against phishing attacks that try to spoof domain names in the statusbar.
  • page/DOMWindow.cpp:

LayoutTests:

Reviewed by Oliver Hunt.


Fixed <rdar://problem/5665251> REGRESSION (r28880-r28886): Global
variable access (16644)


Added a test. Updated other tests to match new behavior.


  • fast/js/var-declarations-shadowing-expected.txt: Added.
  • fast/js/var-declarations-shadowing.html: Added.
  • fast/dom/HTMLScriptElement/script-load-events.html: Changed this test a bit because the original design made it hard to understand why it was failing.
  • fast/dom/HTMLScriptElement/script-load-events-expected.txt:


  • fast/dom/Window/get-set-properties.html: Changed this test to expect our new behavior, which matches Firefox.
  • fast/dom/Window/get-set-properties-expected.txt:
  • fast/dom/Window/window-property-shadowing.html: Removed some cases that differed from Firefox.
  • fast/dom/Window/window-property-shadowing-expected.txt:
  • http/tests/security/cross-frame-access-put-expected.txt: This test emits more "Unsafe JavaScript attempt" messages now because property sets that used to be prohibited (somewhat accidentally) by the ReadOnly attribute are now prohibited by security checks.
File:
1 edited

  • trunk/JavaScriptCore/kjs/JSVariableObject.h

    r29425 r29428  
    9292        size_t index = symbolTable().get(propertyName.ustring().rep());
    9393        if (index != missingSymbolMarker()) {
     94#ifndef NDEBUG
     95            // During initialization, the variable object needs to advertise that it has certain
     96            // properties, even if they're not ready for access yet. This check verifies that
     97            // no one tries to access such a property.
     98           
     99            // In a release build, we optimize this check away and just return an invalid pointer.
     100            // There's no harm in an invalid pointer, since no one dereferences it.
     101            if (index >= d->localStorage.size()) {
     102                slot.setUngettable(this);
     103                return true;
     104            }
     105#endif
    94106            slot.setValueSlot(this, &d->localStorage[index].value);
    95107            return true;
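
Review bot: The bounds check `if (index >= d->localStorage.size())` sits inside `#ifndef NDEBUG`, so a release build falls through to `slot.setValueSlot(this, &d->localStorage[index].value)` with an index that the debug path has just treated as out of range. The comment's claim that no one dereferences the resulting pointer is an invariant on every caller that reaches symbolTableGet during initialization, and only debug builds enforce it; in a release build, any caller that does read the slot gets an out-of-bounds access into localStorage instead of a clean failure. Consider keeping the comparison in all builds and returning true through `slot.setUngettable(this)` unconditionally, leaving only the access-time verification as debug-only. If the check has to stay debug-only for performance, the comment should name which callers may observe this state (the hasProperty calls made during initialization, per the commit message) so the assumption can be audited later.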