[SCM] WebKit Debian packaging branch, debian/experimental, updated. upstream/1.3.3-9427-gc2be6fc
barraclough at apple.com
barraclough at apple.com
Wed Dec 22 15:53:31 UTC 2010
The following commit has been merged in the debian/experimental branch:
commit 74aa1c96aa39f0c13d699db4c19709e37c64d9cd
Author: barraclough at apple.com <barraclough at apple.com@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
Date: Tue Nov 16 06:05:38 2010 +0000
Bug 49577 - Function.prototype should be non-configurable
Reviewed by Sam Weinig.
JavaScriptCore:
JSC lazily allocates the prototype property of Function objects.
We check the prototype exists on 'get', but not on 'put'.
If you 'put' without having first done a 'get' you can end up with a configurable
prototype (prototype should only ever be non-configurable).
This is visible in a couple of ways:
* 'delete' on the property may succeed. (the next access will result in a new,
reset prototype object).
* the prototype may be set to a getter.
* runtime/JSFunction.cpp:
(JSC::JSFunction::getOwnPropertyNames):
Reify the prototype property before allowing an enumerate including don't enum properties.
(JSC::JSFunction::put):
Reify the prototype property before any put to it.
LayoutTests:
* fast/js/script-tests/Object-getOwnPropertyNames.js:
* fast/js/Object-getOwnPropertyNames-expected.txt:
Object.getOwnPropertyNames should enumerate the 'prototype' property on Functions.
* fast/js/function-prototype-descriptor.html: Added.
* fast/js/function-prototype-descriptor-expected.txt: Added.
* fast/js/script-tests/function-prototype-descriptor.js: Added.
Test the attributes of Functions' prototype properties.
git-svn-id: http://svn.webkit.org/repository/webkit/trunk@72063 268f45cc-cd09-0410-ab3c-d52691b4dbfc
diff --git a/JavaScriptCore/ChangeLog b/JavaScriptCore/ChangeLog
index 37d3198..170a42b 100644
--- a/JavaScriptCore/ChangeLog
+++ b/JavaScriptCore/ChangeLog
@@ -1,5 +1,28 @@
2010-11-15 Gavin Barraclough <barraclough at apple.com>
+ Reviewed by Sam Weinig.
+
+ Bug 49577 - Function.prototype should be non-configurable
+
+ JSC lazily allocates the prototype property of Function objects.
+
+ We check the prototype exists on 'get', but not on 'put'.
+ If you 'put' without having first done a 'get' you can end up with a configurable
+ prototype (prototype should only ever be non-configurable).
+
+ This is visible in a couple of ways:
+ * 'delete' on the property may succeed. (the next access will result in a new,
+ reset prototype object).
+ * the prototype may be set to a getter.
+
+ * runtime/JSFunction.cpp:
+ (JSC::JSFunction::getOwnPropertyNames):
+ Reify the prototype property before allowing an enumerate including don't enum properties.
+ (JSC::JSFunction::put):
+ Reify the prototype property before any put to it.
+
+2010-11-15 Gavin Barraclough <barraclough at apple.com>
+
Reviewed by Geoff Garen.
Bug 49488 - Only add source specific information to exceptions in Interpreter::throwException
diff --git a/JavaScriptCore/runtime/JSFunction.cpp b/JavaScriptCore/runtime/JSFunction.cpp
index 49007d6..ba89d04 100644
--- a/JavaScriptCore/runtime/JSFunction.cpp
+++ b/JavaScriptCore/runtime/JSFunction.cpp
@@ -282,6 +282,10 @@ bool JSFunction::getOwnPropertyDescriptor(ExecState* exec, const Identifier& pro
void JSFunction::getOwnPropertyNames(ExecState* exec, PropertyNameArray& propertyNames, EnumerationMode mode)
{
if (!isHostFunction() && (mode == IncludeDontEnumProperties)) {
+ // Make sure prototype has been reified.
+ PropertySlot slot;
+ getOwnPropertySlot(exec, exec->propertyNames().prototype, slot);
+
propertyNames.add(exec->propertyNames().arguments);
propertyNames.add(exec->propertyNames().callee);
propertyNames.add(exec->propertyNames().caller);
@@ -296,6 +300,12 @@ void JSFunction::put(ExecState* exec, const Identifier& propertyName, JSValue va
Base::put(exec, propertyName, value, slot);
return;
}
+ if (propertyName == exec->propertyNames().prototype) {
+ // Make sure prototype has been reified, such that it can only be overwritten
+ // following the rules set out in ECMA-262 8.12.9.
+ PropertySlot slot;
+ getOwnPropertySlot(exec, propertyName, slot);
+ }
if (jsExecutable()->isStrictMode()) {
if (propertyName == exec->propertyNames().arguments) {
throwTypeError(exec, StrictModeArgumentsAccessError);
diff --git a/LayoutTests/ChangeLog b/LayoutTests/ChangeLog
index b68589b..0ddcba1 100644
--- a/LayoutTests/ChangeLog
+++ b/LayoutTests/ChangeLog
@@ -1,3 +1,18 @@
+2010-11-15 Gavin Barraclough <barraclough at apple.com>
+
+ Reviewed by Sam Weinig.
+
+ Bug 49577 - Function.prototype should be non-configurable
+
+ * fast/js/script-tests/Object-getOwnPropertyNames.js:
+ * fast/js/Object-getOwnPropertyNames-expected.txt:
+ Object.getOwnPropertyNames should enumerate the 'prototype' property on Functions.
+
+ * fast/js/function-prototype-descriptor.html: Added.
+ * fast/js/function-prototype-descriptor-expected.txt: Added.
+ * fast/js/script-tests/function-prototype-descriptor.js: Added.
+ Test the attributes of Functions' prototype properties.
+
2010-11-15 Dimitri Glazkov <dglazkov at chromium.org>
Reviewed by Darin Adler.
diff --git a/LayoutTests/fast/js/Object-getOwnPropertyNames-expected.txt b/LayoutTests/fast/js/Object-getOwnPropertyNames-expected.txt
index 82a72eb..1fc3033 100644
--- a/LayoutTests/fast/js/Object-getOwnPropertyNames-expected.txt
+++ b/LayoutTests/fast/js/Object-getOwnPropertyNames-expected.txt
@@ -11,8 +11,8 @@ PASS getSortedOwnPropertyNames({__proto__:{a:null}}) is []
PASS getSortedOwnPropertyNames({__proto__:[1,2,3]}) is []
PASS getSortedOwnPropertyNames(Object.create({}, { 'a': { 'value': 1, 'enumerable': false } })) is ['a']
PASS getSortedOwnPropertyNames(Object.create([1,2,3], { 'a': { 'value': 1, 'enumerable': false } })) is ['a']
-PASS getSortedOwnPropertyNames(new Function()) is ['arguments', 'callee', 'caller', 'length', 'name']
-PASS getSortedOwnPropertyNames((function(){var x=new Function();x.__proto__=[1,2,3];return x;})()) is ['arguments', 'callee', 'caller', 'length', 'name']
+PASS getSortedOwnPropertyNames(new Function()) is ['arguments', 'callee', 'caller', 'length', 'name', 'prototype']
+PASS getSortedOwnPropertyNames((function(){var x=new Function();x.__proto__=[1,2,3];return x;})()) is ['arguments', 'callee', 'caller', 'length', 'name', 'prototype']
PASS getSortedOwnPropertyNames(new String('')) is ['length']
PASS getSortedOwnPropertyNames(new String('a')) is ['0', 'length']
PASS getSortedOwnPropertyNames(new String('abc')) is ['0', '1', '2', 'length']
diff --git a/LayoutTests/fast/js/function-prototype-descriptor-expected.txt b/LayoutTests/fast/js/function-prototype-descriptor-expected.txt
new file mode 100644
index 0000000..1489fcd
--- /dev/null
+++ b/LayoutTests/fast/js/function-prototype-descriptor-expected.txt
@@ -0,0 +1,19 @@
+Test for function.prototype's property descriptor.
+
+On success, you will see a series of "PASS" messages, followed by "TEST COMPLETE".
+
+
+PASS descriptor['writable'] is true
+PASS descriptor['enumerable'] is true
+PASS descriptor['configurable'] is false
+PASS descriptor['writable'] is true
+PASS descriptor['enumerable'] is true
+PASS descriptor['configurable'] is false
+PASS Object.defineProperty(c, 'prototype', { get: function(){} }) threw exception TypeError: Attempting to change access mechanism for an unconfigurable property..
+PASS descriptor['writable'] is true
+PASS descriptor['enumerable'] is true
+PASS descriptor['configurable'] is false
+PASS successfullyParsed is true
+
+TEST COMPLETE
+
diff --git a/LayoutTests/fast/js/function-prototype-descriptor.html b/LayoutTests/fast/js/function-prototype-descriptor.html
new file mode 100644
index 0000000..0cea7bc
--- /dev/null
+++ b/LayoutTests/fast/js/function-prototype-descriptor.html
@@ -0,0 +1,13 @@
+<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML//EN">
+<html>
+<head>
+<link rel="stylesheet" href="resources/js-test-style.css">
+<script src="resources/js-test-pre.js"></script>
+</head>
+<body>
+<p id="description"></p>
+<div id="console"></div>
+<script src="script-tests/function-prototype-descriptor.js"></script>
+<script src="resources/js-test-post.js"></script>
+</body>
+</html>
diff --git a/LayoutTests/fast/js/script-tests/Object-getOwnPropertyNames.js b/LayoutTests/fast/js/script-tests/Object-getOwnPropertyNames.js
index 1ccb10b..3eed548 100644
--- a/LayoutTests/fast/js/script-tests/Object-getOwnPropertyNames.js
+++ b/LayoutTests/fast/js/script-tests/Object-getOwnPropertyNames.js
@@ -12,8 +12,8 @@ var expectedPropertyNamesSet = {
"Object.create({}, { 'a': { 'value': 1, 'enumerable': false } })": "['a']",
"Object.create([1,2,3], { 'a': { 'value': 1, 'enumerable': false } })": "['a']",
// Function objects
- "new Function()": "['arguments', 'callee', 'caller', 'length', 'name']",
- "(function(){var x=new Function();x.__proto__=[1,2,3];return x;})()": "['arguments', 'callee', 'caller', 'length', 'name']",
+ "new Function()": "['arguments', 'callee', 'caller', 'length', 'name', 'prototype']",
+ "(function(){var x=new Function();x.__proto__=[1,2,3];return x;})()": "['arguments', 'callee', 'caller', 'length', 'name', 'prototype']",
// String objects
"new String('')": "['length']",
"new String('a')": "['0', 'length']",
diff --git a/LayoutTests/fast/js/script-tests/function-prototype-descriptor.js b/LayoutTests/fast/js/script-tests/function-prototype-descriptor.js
new file mode 100644
index 0000000..349f590
--- /dev/null
+++ b/LayoutTests/fast/js/script-tests/function-prototype-descriptor.js
@@ -0,0 +1,28 @@
+description(
+'Test for function.prototype\'s property descriptor.'
+);
+
+function test(func)
+{
+ // test function.prototype has the correct attributes - writable, enumerable, non-configurable.
+ descriptor = Object.getOwnPropertyDescriptor(func, 'prototype');
+ shouldBe("descriptor['writable']", "true")
+ shouldBe("descriptor['enumerable']", "true")
+ shouldBe("descriptor['configurable']", "false")
+}
+
+// Test prototype's attributes are correct.
+function a() {}
+test(a);
+
+// Test prototype's attributes are correct, if assigned without first having being accessed.
+function b() {}
+b.prototype = {};
+test(b);
+
+// Given that prototype is non-configurable, defineProperty should not be able to assign a getter to it.
+function c() {}
+shouldThrow("Object.defineProperty(c, 'prototype', { get: function(){} })");
+test(c);
+
+var successfullyParsed = true;
--
WebKit Debian packaging
More information about the Pkg-webkit-commits
mailing list