[SCM] WebKit Debian packaging branch, webkit-1.2, updated. upstream/1.1.90-6072-g9a69373
eric at webkit.org
eric at webkit.org
Thu Apr 8 01:05:08 UTC 2010
The following commit has been merged in the webkit-1.2 branch:
commit bdd42058a4d2bcc776a8dde0f78f691b6dddb8ec
Author: eric at webkit.org <eric at webkit.org@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
Date: Thu Jan 14 06:37:13 2010 +0000
2010-01-13 Kent Hansen <kent.hansen at nokia.com>
Reviewed by Oliver Hunt.
JSON.stringify and JSON.parse needlessly process properties in the prototype chain
https://bugs.webkit.org/show_bug.cgi?id=33053
* runtime/JSONObject.cpp:
(JSC::Stringifier::Holder::appendNextProperty):
(JSC::Walker::walk):
2010-01-13 Kent Hansen <kent.hansen at nokia.com>
Reviewed by Oliver Hunt.
JSON.stringify and JSON.parse needlessly process properties in the prototype chain
https://bugs.webkit.org/show_bug.cgi?id=33053
Add tests that verify that properties in the prototype chain are ignored.
* fast/js/JSON-parse-expected.txt:
* fast/js/JSON-stringify-expected.txt:
* fast/js/resources/JSON-parse.js:
* fast/js/resources/JSON-stringify.js:
git-svn-id: http://svn.webkit.org/repository/webkit/trunk@53239 268f45cc-cd09-0410-ab3c-d52691b4dbfc
diff --git a/JavaScriptCore/ChangeLog b/JavaScriptCore/ChangeLog
index b48e7f1..1069b2f 100644
--- a/JavaScriptCore/ChangeLog
+++ b/JavaScriptCore/ChangeLog
@@ -1,3 +1,14 @@
+2010-01-13 Kent Hansen <kent.hansen at nokia.com>
+
+ Reviewed by Oliver Hunt.
+
+ JSON.stringify and JSON.parse needlessly process properties in the prototype chain
+ https://bugs.webkit.org/show_bug.cgi?id=33053
+
+ * runtime/JSONObject.cpp:
+ (JSC::Stringifier::Holder::appendNextProperty):
+ (JSC::Walker::walk):
+
2010-01-13 Gavin Barraclough <barraclough at apple.com>
Reviewed by NOBODY (buildfix).
diff --git a/JavaScriptCore/runtime/JSONObject.cpp b/JavaScriptCore/runtime/JSONObject.cpp
index f28e70e..ce0dcff 100644
--- a/JavaScriptCore/runtime/JSONObject.cpp
+++ b/JavaScriptCore/runtime/JSONObject.cpp
@@ -501,7 +501,7 @@ bool Stringifier::Holder::appendNextProperty(Stringifier& stringifier, StringBui
m_propertyNames = stringifier.m_arrayReplacerPropertyNames.data();
else {
PropertyNameArray objectPropertyNames(exec);
- m_object->getPropertyNames(exec, objectPropertyNames);
+ m_object->getOwnPropertyNames(exec, objectPropertyNames);
m_propertyNames = objectPropertyNames.releaseData();
}
m_size = m_propertyNames->propertyNameVector().size();
@@ -746,7 +746,7 @@ NEVER_INLINE JSValue Walker::walk(JSValue unfiltered)
objectStack.append(object);
indexStack.append(0);
propertyStack.append(PropertyNameArray(m_exec));
- object->getPropertyNames(m_exec, propertyStack.last());
+ object->getOwnPropertyNames(m_exec, propertyStack.last());
// fallthrough
}
objectStartVisitMember:
diff --git a/LayoutTests/ChangeLog b/LayoutTests/ChangeLog
index 1047eef..52b75bc 100644
--- a/LayoutTests/ChangeLog
+++ b/LayoutTests/ChangeLog
@@ -1,3 +1,17 @@
+2010-01-13 Kent Hansen <kent.hansen at nokia.com>
+
+ Reviewed by Oliver Hunt.
+
+ JSON.stringify and JSON.parse needlessly process properties in the prototype chain
+ https://bugs.webkit.org/show_bug.cgi?id=33053
+
+ Add tests that verify that properties in the prototype chain are ignored.
+
+ * fast/js/JSON-parse-expected.txt:
+ * fast/js/JSON-stringify-expected.txt:
+ * fast/js/resources/JSON-parse.js:
+ * fast/js/resources/JSON-stringify.js:
+
2010-01-13 Kenneth Russell <kbr at google.com>
Reviewed by Oliver Hunt.
diff --git a/LayoutTests/fast/js/JSON-parse-expected.txt b/LayoutTests/fast/js/JSON-parse-expected.txt
index 87d0d2a..9362954 100644
--- a/LayoutTests/fast/js/JSON-parse-expected.txt
+++ b/LayoutTests/fast/js/JSON-parse-expected.txt
@@ -67,6 +67,10 @@ function (jsonObject) {
}
PASS JSON.stringify(tests[i](nativeJSON)) is JSON.stringify(tests[i](JSON))
function (jsonObject) {
+ return jsonObject.parse('{"__proto__":5}');
+ }
+PASS JSON.stringify(tests[i](nativeJSON)) is JSON.stringify(tests[i](JSON))
+function (jsonObject) {
return jsonObject.parse('{"a":5,}');
}
PASS tests[i](nativeJSON) threw exception SyntaxError: Unable to parse JSON string.
@@ -436,6 +440,10 @@ function (jsonObject) {
}
PASS JSON.stringify(tests[i](nativeJSON)) is JSON.stringify(tests[i](JSON))
function (jsonObject) {
+ return jsonObject.parse('{"__proto__":{"a":5}}', log);
+ }
+PASS JSON.stringify(tests[i](nativeJSON)) is JSON.stringify(tests[i](JSON))
+function (jsonObject) {
logOrderString = "";
return jsonObject.parse("true", logOrder);
}
diff --git a/LayoutTests/fast/js/JSON-stringify-expected.txt b/LayoutTests/fast/js/JSON-stringify-expected.txt
index 32aad87..9146fb5 100644
--- a/LayoutTests/fast/js/JSON-stringify-expected.txt
+++ b/LayoutTests/fast/js/JSON-stringify-expected.txt
@@ -164,6 +164,12 @@ function (jsonObject) {
PASS tests[i](nativeJSON) is tests[i](JSON)
function (jsonObject) {
var allString = true;
+ var array = [{toString:function(){array[0]='a'; array[1]='c'; array[2]='b'; return 'a'}}];
+ return jsonObject.stringify(simpleObjectWithProto, array);
+ }
+PASS tests[i](nativeJSON) is tests[i](JSON)
+function (jsonObject) {
+ var allString = true;
var array = [1, new Number(2), NaN, Infinity, -Infinity, new String("str")];
return jsonObject.stringify({"1":"1","2":"2","NaN":"NaN","Infinity":"Infinity","-Infinity":"-Infinity","str":"str"}, array);
}
@@ -261,6 +267,108 @@ function (jsonObject) {
}
PASS tests[i](nativeJSON) is tests[i](JSON)
function (jsonObject) {
+ var allString = true;
+ var array = ["1","2","3"];
+ return jsonObject.stringify(simpleArrayWithProto, array);
+ }
+PASS tests[i](nativeJSON) is tests[i](JSON)
+function (jsonObject) {
+ return jsonObject.stringify(simpleArrayWithProto, null, " ");
+ }
+PASS tests[i](nativeJSON) is tests[i](JSON)
+function (jsonObject) {
+ return jsonObject.stringify(simpleArrayWithProto, null, 4);
+ }
+PASS tests[i](nativeJSON) is tests[i](JSON)
+function (jsonObject) {
+ return jsonObject.stringify(simpleArrayWithProto, null, "ab");
+ }
+PASS tests[i](nativeJSON) is tests[i](JSON)
+function (jsonObject) {
+ return jsonObject.stringify(simpleArrayWithProto, null, 4);
+ }
+PASS tests[i](nativeJSON) is tests[i](JSON)
+function (jsonObject) {
+ return jsonObject.stringify(simpleObjectWithProto, null, " ");
+ }
+PASS tests[i](nativeJSON) is tests[i](JSON)
+function (jsonObject) {
+ return jsonObject.stringify(simpleObjectWithProto, null, 4);
+ }
+PASS tests[i](nativeJSON) is tests[i](JSON)
+function (jsonObject) {
+ return jsonObject.stringify(simpleObjectWithProto, null, "ab");
+ }
+PASS tests[i](nativeJSON) is tests[i](JSON)
+function (jsonObject) {
+ return jsonObject.stringify(simpleObjectWithProto, null, 4);
+ }
+PASS tests[i](nativeJSON) is tests[i](JSON)
+function (jsonObject) {
+ return jsonObject.stringify(simpleObjectWithProto, null, 10);
+ }
+PASS tests[i](nativeJSON) is tests[i](JSON)
+function (jsonObject) {
+ return jsonObject.stringify(simpleObjectWithProto, null, 11);
+ }
+PASS tests[i](nativeJSON) is tests[i].expected
+function (jsonObject) {
+ return jsonObject.stringify(simpleObjectWithProto, null, " ");
+ }
+PASS tests[i](nativeJSON) is tests[i].expected
+function (jsonObject) {
+ return jsonObject.stringify(simpleObjectWithProto, null, " ");
+ }
+PASS tests[i](nativeJSON) is tests[i].expected
+function (jsonObject) {
+ return jsonObject.stringify(complexArrayWithProto, null, " ");
+ }
+PASS tests[i](nativeJSON) is tests[i](JSON)
+function (jsonObject) {
+ return jsonObject.stringify(complexArrayWithProto, null, 4);
+ }
+PASS tests[i](nativeJSON) is tests[i](JSON)
+function (jsonObject) {
+ return jsonObject.stringify(complexArrayWithProto, null, "ab");
+ }
+PASS tests[i](nativeJSON) is tests[i](JSON)
+function (jsonObject) {
+ return jsonObject.stringify(complexArrayWithProto, null, 4);
+ }
+PASS tests[i](nativeJSON) is tests[i](JSON)
+function (jsonObject) {
+ return jsonObject.stringify(complexObjectWithProto, null, " ");
+ }
+PASS tests[i](nativeJSON) is tests[i](JSON)
+function (jsonObject) {
+ return jsonObject.stringify(complexObjectWithProto, null, 4);
+ }
+PASS tests[i](nativeJSON) is tests[i](JSON)
+function (jsonObject) {
+ return jsonObject.stringify(complexObjectWithProto, null, "ab");
+ }
+PASS tests[i](nativeJSON) is tests[i](JSON)
+function (jsonObject) {
+ return jsonObject.stringify(complexObjectWithProto, null, 4);
+ }
+PASS tests[i](nativeJSON) is tests[i](JSON)
+function (jsonObject) {
+ return jsonObject.stringify(objectWithSideEffectGetter);
+ }
+FAIL tests[i](nativeJSON) should be {"foo":1}. Was {}.
+function (jsonObject) {
+ return jsonObject.stringify(objectWithSideEffectGetterAndProto);
+ }
+FAIL tests[i](nativeJSON) should be {"foo":1}. Was {}.
+function (jsonObject) {
+ return jsonObject.stringify(arrayWithSideEffectGetter);
+ }
+PASS tests[i](nativeJSON) is tests[i](JSON)
+function (jsonObject) {
+ return jsonObject.stringify(arrayWithSideEffectGetterAndProto);
+ }
+PASS tests[i](nativeJSON) is tests[i](JSON)
+function (jsonObject) {
replaceTracker = "";
jsonObject.stringify([1,2,3,,,,4,5,6], replaceFunc);
return replaceTracker;
diff --git a/LayoutTests/fast/js/resources/JSON-parse.js b/LayoutTests/fast/js/resources/JSON-parse.js
index e83cb70..b78df25 100644
--- a/LayoutTests/fast/js/resources/JSON-parse.js
+++ b/LayoutTests/fast/js/resources/JSON-parse.js
@@ -65,6 +65,9 @@ function createTests() {
return jsonObject.parse('{"a":5}');
});
result.push(function(jsonObject){
+ return jsonObject.parse('{"__proto__":5}');
+ });
+ result.push(function(jsonObject){
return jsonObject.parse('{"a":5,}');
});
result[result.length - 1].throws = true;
@@ -396,6 +399,9 @@ function createTests() {
result.push(function(jsonObject){
return jsonObject.parse(JSON.stringify(complexObject), log);
});
+ result.push(function(jsonObject){
+ return jsonObject.parse('{"__proto__":{"a":5}}', log);
+ });
var logOrderString;
function logOrder(key, value) {
logOrderString += key +":"+JSON.stringify(value);
diff --git a/LayoutTests/fast/js/resources/JSON-stringify.js b/LayoutTests/fast/js/resources/JSON-stringify.js
index e09f748..d58b5fe 100644
--- a/LayoutTests/fast/js/resources/JSON-stringify.js
+++ b/LayoutTests/fast/js/resources/JSON-stringify.js
@@ -4,6 +4,19 @@ function createTests() {
var simpleObject = {a:"1", b:"2", c:"3"};
var complexArray = ['a', 'b', 'c',,,simpleObject, simpleArray, [simpleObject,simpleArray]];
var complexObject = {a:"1", b:"2", c:"3", d:undefined, e:null, "":12, get f(){ return simpleArray; }, array: complexArray};
+ var simpleArrayWithProto = ['d', 'e', 'f'];
+ simpleArrayWithProto.__proto__ = simpleObject;
+ var simpleObjectWithProto = {d:"4", e:"5", f:"6", __proto__:simpleObject};
+ var complexArrayWithProto = ['d', 'e', 'f',,,simpleObjectWithProto, simpleArrayWithProto, [simpleObjectWithProto,simpleArrayWithProto]];
+ complexArrayWithProto.__proto__ = simpleObjectWithProto;
+ var complexObjectWithProto = {d:"4", e:"5", f:"6", g:undefined, h:null, "":12, get i(){ return simpleArrayWithProto; }, array2: complexArrayWithProto, __proto__:complexObject};
+ var objectWithSideEffectGetter = {get b() {this.foo=1;}};
+ var objectWithSideEffectGetterAndProto = {__proto__:{foo:"bar"}, get b() {this.foo=1;}};
+ var arrayWithSideEffectGetter = [];
+ arrayWithSideEffectGetter.__defineGetter__("b", function(){this.foo=1;});
+ var arrayWithSideEffectGetterAndProto = [];
+ arrayWithSideEffectGetterAndProto.__defineGetter__("b", function(){this.foo=1;});
+ arrayWithSideEffectGetterAndProto.__proto__ = {foo:"bar"};
var result = [];
result.push(function(jsonObject){
return jsonObject.stringify(1);
@@ -143,6 +156,11 @@ function createTests() {
});
result.push(function(jsonObject){
var allString = true;
+ var array = [{toString:function(){array[0]='a'; array[1]='c'; array[2]='b'; return 'a'}}];
+ return jsonObject.stringify(simpleObjectWithProto, array);
+ });
+ result.push(function(jsonObject){
+ var allString = true;
var array = [1, new Number(2), NaN, Infinity, -Infinity, new String("str")];
return jsonObject.stringify({"1":"1","2":"2","NaN":"NaN","Infinity":"Infinity","-Infinity":"-Infinity","str":"str"}, array);
});
@@ -220,6 +238,86 @@ function createTests() {
result.push(function(jsonObject){
return jsonObject.stringify(complexObject, null, 4);
});
+ result.push(function(jsonObject){
+ var allString = true;
+ var array = ["1","2","3"];
+ return jsonObject.stringify(simpleArrayWithProto, array);
+ });
+ result.push(function(jsonObject){
+ return jsonObject.stringify(simpleArrayWithProto, null, " ");
+ });
+ result.push(function(jsonObject){
+ return jsonObject.stringify(simpleArrayWithProto, null, 4);
+ });
+ result.push(function(jsonObject){
+ return jsonObject.stringify(simpleArrayWithProto, null, "ab");
+ });
+ result.push(function(jsonObject){
+ return jsonObject.stringify(simpleArrayWithProto, null, 4);
+ });
+ result.push(function(jsonObject){
+ return jsonObject.stringify(simpleObjectWithProto, null, " ");
+ });
+ result.push(function(jsonObject){
+ return jsonObject.stringify(simpleObjectWithProto, null, 4);
+ });
+ result.push(function(jsonObject){
+ return jsonObject.stringify(simpleObjectWithProto, null, "ab");
+ });
+ result.push(function(jsonObject){
+ return jsonObject.stringify(simpleObjectWithProto, null, 4);
+ });
+ result.push(function(jsonObject){
+ return jsonObject.stringify(simpleObjectWithProto, null, 10);
+ });
+ result.push(function(jsonObject){
+ return jsonObject.stringify(simpleObjectWithProto, null, 11);
+ });
+ result[result.length - 1].expected = JSON.stringify(simpleObjectWithProto, null, 10);
+ result.push(function(jsonObject){
+ return jsonObject.stringify(simpleObjectWithProto, null, " ");
+ });
+ result[result.length - 1].expected = JSON.stringify(simpleObjectWithProto, null, 10);
+ result.push(function(jsonObject){
+ return jsonObject.stringify(simpleObjectWithProto, null, " ");
+ });
+ result[result.length - 1].expected = JSON.stringify(simpleObjectWithProto, null, 10);
+ result.push(function(jsonObject){
+ return jsonObject.stringify(complexArrayWithProto, null, " ");
+ });
+ result.push(function(jsonObject){
+ return jsonObject.stringify(complexArrayWithProto, null, 4);
+ });
+ result.push(function(jsonObject){
+ return jsonObject.stringify(complexArrayWithProto, null, "ab");
+ });
+ result.push(function(jsonObject){
+ return jsonObject.stringify(complexArrayWithProto, null, 4);
+ });
+ result.push(function(jsonObject){
+ return jsonObject.stringify(complexObjectWithProto, null, " ");
+ });
+ result.push(function(jsonObject){
+ return jsonObject.stringify(complexObjectWithProto, null, 4);
+ });
+ result.push(function(jsonObject){
+ return jsonObject.stringify(complexObjectWithProto, null, "ab");
+ });
+ result.push(function(jsonObject){
+ return jsonObject.stringify(complexObjectWithProto, null, 4);
+ });
+ result.push(function(jsonObject){
+ return jsonObject.stringify(objectWithSideEffectGetter);
+ });
+ result.push(function(jsonObject){
+ return jsonObject.stringify(objectWithSideEffectGetterAndProto);
+ });
+ result.push(function(jsonObject){
+ return jsonObject.stringify(arrayWithSideEffectGetter);
+ });
+ result.push(function(jsonObject){
+ return jsonObject.stringify(arrayWithSideEffectGetterAndProto);
+ });
var replaceTracker;
function replaceFunc(key, value) {
replaceTracker += key + "("+(typeof key)+")" + JSON.stringify(value) + ";";
--
WebKit Debian packaging
More information about the Pkg-webkit-commits
mailing list