[WebIDL] maplike<> and setlike<> declarations should be resilient to tampered prototypes
https://bugs.webkit.org/show_bug.cgi?id=241617
<rdar://93229569>
Reviewed by Yusuke Suzuki.
With this change, maplike<> and setlike<> declarations work as expected if methods of
Map.prototype / Set.prototype are removed, as they are supposed to per spec [1][2].
Usage of backing Map / Set is an implementation detail of WebKit bindings and should
not be observable.
The fix mirrors all Map / Set prototype methods and "size" getter by private names,
which are inaccessible to userland code, ensuring that public JSFunction* instances
are reused to avoid memory bloat.
Also, this change:
- saves creating 4 extra JSFunction* instances during init of Map / Set prototypes;
- speeds up call forwarding by retrieving methods from prototypes with getDirect();
- aligns property order with the spec, even though there is no requirement.
[1] https://webidl.spec.whatwg.org/#es-maplike
[2] https://webidl.spec.whatwg.org/#es-setlike
- LayoutTests/imported/w3c/web-platform-tests/css/css-highlight-api/Highlight-setlike-tampered-Set-prototype-expected.txt: Added.
- LayoutTests/imported/w3c/web-platform-tests/css/css-highlight-api/Highlight-setlike-tampered-Set-prototype.html: Added.
- LayoutTests/imported/w3c/web-platform-tests/css/css-highlight-api/HighlightRegistry-maplike-tampered-Map-prototype-expected.txt: Added.
- LayoutTests/imported/w3c/web-platform-tests/css/css-highlight-api/HighlightRegistry-maplike-tampered-Map-prototype.html: Added.
- Source/JavaScriptCore/DerivedSources-output.xcfilelist:
- Source/JavaScriptCore/DerivedSources.make:
- Source/JavaScriptCore/JavaScriptCore.xcodeproj/project.pbxproj:
- Source/JavaScriptCore/builtins/BuiltinNames.h:
- Source/JavaScriptCore/runtime/MapPrototype.cpp:
(JSC::MapPrototype::finishCreation):
- Source/JavaScriptCore/runtime/SetPrototype.cpp:
(JSC::SetPrototype::finishCreation):
- Source/WebCore/bindings/js/JSDOMBindingInternals.js:
(forEachWrapper):
- Source/WebCore/bindings/js/JSDOMMapLike.cpp:
(WebCore::getBackingMap):
(WebCore::clearBackingMap):
(WebCore::setToBackingMap):
(WebCore::forwardFunctionCallToBackingMap):
- Source/WebCore/bindings/js/JSDOMMapLike.h:
(WebCore::forwardSizeToMapLike):
(WebCore::forwardEntriesToMapLike):
(WebCore::forwardKeysToMapLike):
(WebCore::forwardValuesToMapLike):
(WebCore::forwardClearToMapLike):
(WebCore::forwardGetToMapLike):
(WebCore::forwardHasToMapLike):
(WebCore::forwardSetToMapLike):
(WebCore::forwardDeleteToMapLike):
- Source/WebCore/bindings/js/JSDOMSetLike.cpp:
(WebCore::getBackingSet):
(WebCore::clearBackingSet):
(WebCore::addToBackingSet):
(WebCore::forwardFunctionCallToBackingSet):
- Source/WebCore/bindings/js/JSDOMSetLike.h:
(WebCore::forwardSizeToSetLike):
(WebCore::forwardEntriesToSetLike):
(WebCore::forwardKeysToSetLike):
(WebCore::forwardValuesToSetLike):
(WebCore::forwardClearToSetLike):
(WebCore::forwardHasToSetLike):
(WebCore::forwardAddToSetLike):
(WebCore::forwardDeleteToSetLike):
- Source/WebCore/bindings/js/WebCoreBuiltinNames.h:
Canonical link: https://commits.webkit.org/251607@main
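The resilience this commit describes, as an added JavaScript illustration that is not WebKit's code: a "maplike" wrapper that resolves Map.prototype methods at call time beside one that captures them once at definition time, the userland analogue of the private-name mirrors the bindings now use. The class names and the `demonstrate` helper are assumed for this example.

```javascript
// Added example, not WebKit's code: two JS "maplike" wrappers over a hidden Map.
// NaiveMapLike forwards through the public Map.prototype at call time, so a page
// that deletes or replaces Map.prototype methods breaks it or can observe its
// backing Map. ResilientMapLike captures the originals once, at definition time.
const apply = Reflect.apply;                     // captured before any tampering
const MapGet = Map.prototype.get;
const MapSet = Map.prototype.set;
const MapSize = Object.getOwnPropertyDescriptor(Map.prototype, 'size').get;
class NaiveMapLike {
  #backing = new Map();
  get(key) { return this.#backing.get(key); }    // resolves Map.prototype.get at call time
  set(key, value) { this.#backing.set(key, value); return this; }
  get size() { return this.#backing.size; }
}
class ResilientMapLike {
  #backing = new Map();
  get(key) { return apply(MapGet, this.#backing, [key]); }
  set(key, value) { apply(MapSet, this.#backing, [key, value]); return this; }
  get size() { return apply(MapSize, this.#backing, []); }
}
// Exercises both wrappers against a tampered Map.prototype, restores the prototype,
// and returns what each wrapper exposed so the difference can be checked.
function demonstrate() {
  const naive = new NaiveMapLike().set('k', 1);
  const resilient = new ResilientMapLike().set('k', 1);
  const savedGet = Object.getOwnPropertyDescriptor(Map.prototype, 'get');
  const savedSet = Object.getOwnPropertyDescriptor(Map.prototype, 'set');
  let leaked = null;
  try {
    // Tampering 1: a replaced Map.prototype.set sees the wrapper's backing Map as `this`.
    Map.prototype.set = function (k, v) { leaked = this; return apply(savedSet.value, this, [k, v]); };
    naive.set('spy', 2);
    const naiveLeaks = leaked instanceof Map;
    leaked = null;
    resilient.set('spy', 2);
    const resilientLeaks = leaked !== null;
    // Tampering 2: a deleted Map.prototype.get makes the naive wrapper throw.
    delete Map.prototype.get;
    let naiveThrows = false;
    try { naive.get('k'); } catch (e) { naiveThrows = e instanceof TypeError; }
    const resilientValue = resilient.get('k');
    return { naiveLeaks, resilientLeaks, naiveThrows, resilientValue, resilientSize: resilient.size };
  } finally {
    Object.defineProperty(Map.prototype, 'get', savedGet);
    Object.defineProperty(Map.prototype, 'set', savedSet);
  }
}
```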