Changeset 30871 in webkit for trunk/JavaScriptCore/kjs/nodes.cpp

Timestamp:

Mar 7, 2008, 11:46:33 AM (17 years ago)

Author:

[email protected]

Message:

JavaScriptCore:

Reviewed by Darin Adler.

Fixed <rdar://problem/5689093> Stricter (ES4) eval semantics

The basic rule is:

• "eval(s)" is treated as an operator that gives the ES3 eval behavior.

... but only if there is no overriding declaration of "eval" in scope.

• All other invocations treat eval as a function that evaluates a script in the context of its "this" object.

... but if its "this" object is not the global object it was
originally associated with, eval throws an exception.

Because only expressions of the form "eval(s)" have access to local
scope, the compiler can now statically determine whether a function
needs local scope to be dynamic.

• kjs/nodes.h: Added FunctionCallEvalNode. It works just like FuncationCallResolveNode, except it statically indicates that the node may execute eval in the ES3 way.
• kjs/nodes.cpp:
• kjs/nodes2string.cpp:

• tests/mozilla/expected.html: This patch happens to fix a Mozilla JS test, but it's a bit of a pyrrhic victory. The test intends to test Mozilla's generic API for calling eval on any object, but, in reality, we only support calling eval on the global object.

LayoutTests:

Reviewed by Darin Adler.

Tests for <rdar://problem/5689093> Stricter (ES4) eval semantics

• fast/js/eval-cross-window-expected.txt: Added.
• fast/js/eval-cross-window.html: Added.
• fast/js/eval-keyword-vs-function-expected.txt: Added.
• fast/js/eval-keyword-vs-function.html: Added.
• fast/js/eval-overriding-expected.txt: Added.
• fast/js/eval-overriding.html: Added.

Tests to make sure not to regress security:

• http/tests/security/resources/xss-eval2.html: Added.
• http/tests/security/resources/xss-eval3.html: Added.
• http/tests/security/xss-eval-expected.txt: Added.
• http/tests/security/xss-eval.html: Added.

I removed these tests because we no longer match the behavior they
expected, and the new tests are more comprehensive:

• fast/js/window-eval-context-expected.txt: Removed.
• fast/js/window-eval-context.html: Removed.
• fast/js/window-eval-tearoff-expected.txt: Removed.
• fast/js/window-eval-tearoff.html: Removed.

File:

• trunk/JavaScriptCore/kjs/nodes.cpp (modified) (4 diffs)

trunk/JavaScriptCore/kjs/nodes.cpp

@@ -949 +949 @@
 }
 
-void FunctionCallValueNode::optimizeVariableAccess(const SymbolTable&, const LocalStorage&, NodeStack& nodeStack)
-{
-    nodeStack.append(m_args.get());
-    nodeStack.append(m_expr.get());
-}
-
-// ECMA 11.2.3
-JSValue* FunctionCallValueNode::evaluate(ExecState* exec)
-{
-    JSValue* v = m_expr->evaluate(exec);
-    KJS_CHECKEXCEPTIONVALUE
-
-    if (!v->isObject()) {
-        return throwError(exec, TypeError, "Value %s (result of expression %s) is not object.", v, m_expr.get());
-    }
-
-    JSObject* func = static_cast<JSObject*>(v);
-
-    if (!func->implementsCall()) {
-        return throwError(exec, TypeError, "Object %s (result of expression %s) does not allow calls.", v, m_expr.get());
-    }
-
-    List argList;
-    m_args->evaluateList(exec, argList);
-    KJS_CHECKEXCEPTIONVALUE
-
-    JSObject* thisObj =  exec->dynamicGlobalObject();
-
-    return func->call(exec, thisObj, argList);
-}
-
-void FunctionCallResolveNode::optimizeVariableAccess(const SymbolTable& symbolTable, const LocalStorage&, NodeStack& nodeStack)
-{
-    nodeStack.append(m_args.get());
-
-    size_t index = symbolTable.get(m_ident.ustring().rep());
-    if (index != missingSymbolMarker())
-        new (this) LocalVarFunctionCallNode(index);
-}
-
-// ECMA 11.2.3
-JSValue* FunctionCallResolveNode::inlineEvaluate(ExecState* exec)
-{
-    // Check for missed optimization opportunity.
-    ASSERT(!canSkipLookup(exec, m_ident));
-
+template <ExpressionNode::CallerType callerType> 
+inline JSValue* ExpressionNode::resolveAndCall(ExecState* exec, const Identifier& ident, ArgumentsNode* args)
+{
     const ScopeChain& chain = exec->scopeChain();
     ScopeChainIterator iter = chain.begin();
@@ -1006 +963 @@
     do {
         base = *iter;
-        if (base->getPropertySlot(exec, m_ident, slot)) {
-            JSValue* v = slot.getValue(exec, base, m_ident);
+        if (base->getPropertySlot(exec, ident, slot)) {
+            JSValue* v = slot.getValue(exec, base, ident);
             KJS_CHECKEXCEPTIONVALUE
 
             if (!v->isObject())
-                return throwError(exec, TypeError, "Value %s (result of expression %s) is not object.", v, m_ident);
+                return throwError(exec, TypeError, "Value %s (result of expression %s) is not object.", v, ident);
 
             JSObject* func = static_cast<JSObject*>(v);
 
             if (!func->implementsCall())
-                return throwError(exec, TypeError, "Object %s (result of expression %s) does not allow calls.", v, m_ident);
+                return throwError(exec, TypeError, "Object %s (result of expression %s) does not allow calls.", v, ident);
 
             List argList;
-            m_args->evaluateList(exec, argList);
+            args->evaluateList(exec, argList);
             KJS_CHECKEXCEPTIONVALUE
 
@@ -1032 +989 @@
                 thisObj = exec->dynamicGlobalObject();
 
+            if (callerType == EvalOperator) {
+                if (base == exec->lexicalGlobalObject() && func == exec->lexicalGlobalObject()->evalFunction()) {
+                    exec->dynamicGlobalObject()->tearOffActivation(exec);
+                    return eval(exec, exec->scopeChain(), exec->variableObject(), exec->dynamicGlobalObject(), exec->thisValue(), argList);
+                }
+            }
             return func->call(exec, thisObj, argList);
         }
@@ -1037 +1000 @@
     } while (iter != end);
 
-    return throwUndefinedVariableError(exec, m_ident);
+    return throwUndefinedVariableError(exec, ident);
+}
+
+void EvalFunctionCallNode::optimizeVariableAccess(const SymbolTable&, const LocalStorage&, NodeStack& nodeStack)
+{
+    nodeStack.append(m_args.get());
+}
+
+JSValue* EvalFunctionCallNode::evaluate(ExecState* exec)
+{
+    return resolveAndCall<EvalOperator>(exec, exec->propertyNames().eval, m_args.get());
+}
+
+void FunctionCallValueNode::optimizeVariableAccess(const SymbolTable&, const LocalStorage&, NodeStack& nodeStack)
+{
+    nodeStack.append(m_args.get());
+    nodeStack.append(m_expr.get());
+}
+
+// ECMA 11.2.3
+JSValue* FunctionCallValueNode::evaluate(ExecState* exec)
+{
+    JSValue* v = m_expr->evaluate(exec);
+    KJS_CHECKEXCEPTIONVALUE
+
+    if (!v->isObject()) {
+        return throwError(exec, TypeError, "Value %s (result of expression %s) is not object.", v, m_expr.get());
+    }
+
+    JSObject* func = static_cast<JSObject*>(v);
+
+    if (!func->implementsCall()) {
+        return throwError(exec, TypeError, "Object %s (result of expression %s) does not allow calls.", v, m_expr.get());
+    }
+
+    List argList;
+    m_args->evaluateList(exec, argList);
+    KJS_CHECKEXCEPTIONVALUE
+
+    JSObject* thisObj =  exec->dynamicGlobalObject();
+
+    return func->call(exec, thisObj, argList);
+}
+
+void FunctionCallResolveNode::optimizeVariableAccess(const SymbolTable& symbolTable, const LocalStorage&, NodeStack& nodeStack)
+{
+    nodeStack.append(m_args.get());
+
+    size_t index = symbolTable.get(m_ident.ustring().rep());
+    if (index != missingSymbolMarker())
+        new (this) LocalVarFunctionCallNode(index);
+}
+
+// ECMA 11.2.3
+JSValue* FunctionCallResolveNode::inlineEvaluate(ExecState* exec)
+{
+    // Check for missed optimization opportunity.
+    ASSERT(!canSkipLookup(exec, m_ident));
+
+    return resolveAndCall<FunctionCall>(exec, m_ident, m_args.get());
 }