Revision: 4634
Author: erights
Date: Wed Sep 28 04:03:16 2011
Log: Bug fixes to SES test, repair, and initialization
http://codereview.appspot.com/5089045
[email protected]
http://code.google.com/p/google-caja/source/detail?r=4634
Modified:
/trunk/src/com/google/caja/ses/repairES5.js
/trunk/src/com/google/caja/ses/startSES.js
/trunk/src/com/google/caja/ses/useHTMLLogger.js
=======================================
--- /trunk/src/com/google/caja/ses/repairES5.js Wed Aug 31 22:32:26 2011
+++ /trunk/src/com/google/caja/ses/repairES5.js Wed Sep 28 04:03:16 2011
@@ -28,7 +28,7 @@
* need to lie to the linter since it can't tell.
*
* @author Mark S. Miller
- * @requires ___global_test_function___
+ * @requires ___global_test_function___, ___global_valueOf_function___
* @requires JSON, navigator, this, eval, document
* @overrides ses, RegExp, WeakMap, Object, parseInt
*/
@@ -385,9 +385,28 @@
if (err instanceof TypeError) { return false; }
return 'valueOf() threw: ' + err;
}
- return true;
+ if (that === global) { return true; }
+ return 'valueOf() leaked as: ' + that;
}
+ /**
+ *
+ */
+ function test_GLOBAL_LEAKS_FROM_GLOBALLY_CALLED_BUILTINS() {
+ global.___global_valueOf_function___ = {}.valueOf;
+ var that = 'dummy';
+ try {
+ that = ___global_valueOf_function___();
+ } catch (err) {
+ if (err instanceof TypeError) { return false; }
+ return 'valueOf() threw: ' + err;
+ } finally {
+ delete global.___global_valueOf_function___;
+ }
+ if (that === global) { return true; }
+ return 'valueOf() leaked as: ' + that;
+ }
+
/**
* Detects https://bugs.webkit.org/show_bug.cgi?id=55736
@@ -655,7 +674,7 @@
*/
function test_NEED_TO_WRAP_FOREACH() {
if (!('freeze' in Object)) {
- // Object.freeze is still absent on released Safari and would
+ // Object.freeze is still absent on released Android and would
// cause a bogus bug detection in the following try/catch code.
return false;
}
@@ -781,10 +800,8 @@
var that = 'dummy';
[2,3].sort(function(x,y) { that = this; return x - y; });
if (that === void 0) { return false; }
- if (that !== global) {
- return 'sort called comparefn with "this" === ' + that;
- }
- return true;
+ if (that === global) { return true; }
+ return 'sort called comparefn with "this" === ' + that;
}
@@ -807,10 +824,8 @@
// wrong.
return true;
}
- if (that !== global) {
- return 'Replace called replaceValue function with "this" === ' +
that;
- }
- return true;
+ if (that === global) { return true; }
+ return 'Replace called replaceValue function with "this" === ' + that;
}
/**
@@ -1154,6 +1169,12 @@
* But I couldn't find it.
*/
function test_PROTO_NOT_FROZEN() {
+ if (!('freeze' in Object)) {
+ // Object.freeze and its ilk (including preventExtensions) are
+ // still absent on released Android and would
+ // cause a bogus bug detection in the following try/catch code.
+ return false;
+ }
var x = Object.preventExtensions({});
if (x.__proto__ === void 0 && !('__proto__' in x)) { return false; }
var y = {};
@@ -1259,6 +1280,22 @@
};
}
+ function repair_FUNCTION_PROTOTYPE_DESCRIPTOR_LIES() {
+ var unsafeDefProp = Object.defineProperty;
+ function repairedDefineProperty(base, name, desc) {
+ if (typeof base === 'function' &&
+ name === 'prototype' &&
+ 'value' in desc) {
+ try {
+ base.prototype = desc.value;
+ } catch (x) {
+ logger.warn('prototype fixup failed');
+ }
+ }
+ return unsafeDefProp(base, name, desc);
+ }
+ defProp(Object, 'defineProperty', { value: repairedDefineProperty });
+ }
function patchMissingProp(base, name, missingFunc) {
if (!(name in base)) {
@@ -1375,8 +1412,13 @@
if (baseToString !== '[object ' + classString + ']') {
throw new TypeError('unexpected: ' + baseToString);
}
- if (getPrototypeOf(proto) !== Object.prototype) {
- throw new TypeError('unexpected inheritance: ' + classString);
+ var grandProto = getPrototypeOf(proto);
+ var grandBaseToString = objToString.call(grandProto);
+ if (grandBaseToString === '[object ' + classString + ']') {
+ throw new TypeError('malformed inheritance: ' + classString);
+ }
+ if (grandProto !== Object.prototype) {
+ logger.log('unexpected inheritance: ' + classString);
}
function mutableProtoPatcher(name) {
if (!hop.call(proto, name)) { return; }
@@ -1858,7 +1900,7 @@
canRepair: false,
urls: [],
sections: ['15.2.3.4'],
- tests: []
+ tests: ['15.2.3.4-0-1']
}
];
@@ -1874,7 +1916,7 @@
canRepair: false,
urls: ['https://bugs.webkit.org/show_bug.cgi?id=64250'],
sections: ['10.2.1.2', '10.2.1.2.6'],
- tests: []
+ tests: ['10.4.3-1-8gs']
},
{
description: 'Global object leaks from anonymous function calls',
@@ -1884,7 +1926,7 @@
canRepair: false,
urls: [],
sections: ['10.4.3'],
- tests: []
+ tests: ['S10.4.3_A1']
},
{
description: 'Global object leaks from built-in methods',
@@ -1900,6 +1942,16 @@
sections: ['15.2.4.4'],
tests: ['S15.2.4.4_A14']
},
+ {
+ description: 'Global object leaks from globally called built-in
methods',
+ test: test_GLOBAL_LEAKS_FROM_GLOBALLY_CALLED_BUILTINS,
+ repair: void 0,
+ preSeverity: severities.NOT_ISOLATED,
+ canRepair: false,
+ urls: [],
+ sections: ['10.2.1.2', '10.2.1.2.6', '15.2.4.4'],
+ tests: ['S15.2.4.4_A15']
+ },
{
description: 'Object.freeze is missing',
test: test_MISSING_FREEZE_ETC,
@@ -1908,7 +1960,7 @@
canRepair: false, // repair for development, not safety
urls: ['https://bugs.webkit.org/show_bug.cgi?id=55736'],
sections: ['15.2.3.9'],
- tests: []
+ tests: ['15.2.3.9-0-1']
},
{
description: 'Phantom callee on strict functions',
@@ -1918,7 +1970,7 @@
canRepair: true,
urls: ['https://bugs.webkit.org/show_bug.cgi?id=55537'],
sections: ['15.2.3.4'],
- tests: []
+ tests: ['S15.2.3.4_A1_T1']
},
{
description: 'Strict delete returned false rather than throwing',
@@ -1930,7 +1982,7 @@
'685432/strict-delete-sometimes-returns-false-' +
'rather-than-throwing'],
sections: ['11.4.1'],
- tests: []
+ tests: ['S11.4.1_A5']
},
{
description: 'Non-deletable RegExp statics are a' +
@@ -1945,8 +1997,8 @@
'https://connect.microsoft.com/IE/feedback/details/' +
'685439/non-deletable-regexp-statics-are-a-global-' +
'communication-channel'],
- sections: [],
- tests: []
+ sections: ['11.4.1'],
+ tests: ['S11.4.1_A5']
},
{
description: 'RegExp.exec leaks match globally',
@@ -1964,13 +2016,13 @@
{
description: 'A function.prototype\'s descriptor lies',
test: test_FUNCTION_PROTOTYPE_DESCRIPTOR_LIES,
- repair: void 0,
+ repair: repair_FUNCTION_PROTOTYPE_DESCRIPTOR_LIES,
preSeverity: severities.UNSAFE_SPEC_VIOLATION,
- canRepair: false,
+ canRepair: true,
urls: ['http://code.google.com/p/v8/issues/detail?id=1530',
'http://code.google.com/p/v8/issues/detail?id=1570'],
sections: ['15.2.3.3', '15.2.3.6', '15.3.5.2'],
- tests: []
+ tests: ['S15.3.3.1_A4']
},
{
description: 'Function.prototype.bind is missing',
@@ -1981,7 +2033,7 @@
urls: ['https://bugs.webkit.org/show_bug.cgi?id=26382',
'https://bugs.webkit.org/show_bug.cgi?id=42371'],
sections: ['15.3.4.5'],
- tests: []
+ tests: ['S15.3.4.5_A3']
},
{
description: 'Function.prototype.bind calls .apply rather than
[[Call]]',
@@ -1992,7 +2044,7 @@
urls: ['http://code.google.com/p/v8/issues/detail?id=892',
'http://code.google.com/p/v8/issues/detail?id=828'],
sections: ['15.3.4.5.1'],
- tests: []
+ tests: ['S15.3.4.5_A4']
},
{
description: 'Function.prototype.bind does not curry construction',
@@ -2002,7 +2054,7 @@
canRepair: false,
urls: ['https://bugs.webkit.org/show_bug.cgi?id=26382#c29'],
sections: ['15.3.4.5.2'],
- tests: []
+ tests: ['S15.3.4.5_A5']
},
{
description: 'Date.prototype is a global communication channel',
@@ -2051,9 +2103,10 @@
preSeverity: severities.UNSAFE_SPEC_VIOLATION,
canRepair: true,
urls: ['http://code.google.com/p/chromium/issues/detail?id=94666',
+ 'http://code.google.com/p/v8/issues/detail?id=1651',
'http://code.google.com/p/google-caja/issues/detail?id=1401'],
- sections: [],
- tests: []
+ sections: ['15.2.3.6'],
+ tests: ['S15.2.3.6_A1']
},
{
description: 'Accessor properties inherit as own properties',
@@ -2062,8 +2115,8 @@
preSeverity: severities.UNSAFE_SPEC_VIOLATION,
canRepair: true,
urls: ['https://bugzilla.mozilla.org/show_bug.cgi?id=637994'],
- sections: ['8.6.1'],
- tests: []
+ sections: ['8.6.1', '15.2.3.6'],
+ tests: ['S15.2.3.6_A2']
},
{
description: 'Array sort leaks global',
@@ -2097,7 +2150,7 @@
urls: ['https://connect.microsoft.com/IE/feedback/details/' +
'685436/getownpropertydescriptor-on-strict-caller-throws'],
sections: ['15.2.3.3', '13.2', '13.2.3'],
- tests: []
+ tests: ['S13.2_A6_T1']
},
{
description: 'strict_function.hasOwnProperty("caller") throws',
@@ -2107,7 +2160,7 @@
canRepair: true,
urls: ['https://bugs.webkit.org/show_bug.cgi?id=63398#c3'],
sections: ['15.2.4.5', '13.2', '13.2.3'],
- tests: []
+ tests: ['S13.2_A7_T1']
},
{
description: 'Cannot "in" caller on strict function',
@@ -2117,7 +2170,7 @@
canRepair: false,
urls: ['https://bugs.webkit.org/show_bug.cgi?id=63398'],
sections: ['11.8.7', '13.2', '13.2.3'],
- tests: []
+ tests: ['S13.2_A8_T1']
},
{
description: 'Cannot "in" arguments on strict function',
@@ -2127,7 +2180,7 @@
canRepair: false,
urls: ['https://bugs.webkit.org/show_bug.cgi?id=63398'],
sections: ['11.8.7', '13.2', '13.2.3'],
- tests: []
+ tests: ['S13.2_A8_T2']
},
{
description: 'Strict "caller" not poisoned',
@@ -2137,7 +2190,7 @@
canRepair: false,
urls: [],
sections: ['13.2'],
- tests: []
+ tests: ['S13.2.3_A1']
},
{
description: 'Strict "arguments" not poisoned',
@@ -2147,7 +2200,7 @@
canRepair: false,
urls: [],
sections: ['13.2'],
- tests: []
+ tests: ['S13.2.3_A1']
},
{
description: 'Built in functions leak "caller"',
@@ -2161,7 +2214,7 @@
'http://wiki.ecmascript.org/doku.php?id=' +
'conventions:make_non-standard_properties_configurable'],
sections: [],
- tests: []
+ tests: ['Sbp_A10_T1']
},
{
description: 'Built in functions leak "arguments"',
@@ -2175,7 +2228,7 @@
'http://wiki.ecmascript.org/doku.php?id=' +
'conventions:make_non-standard_properties_configurable'],
sections: [],
- tests: []
+ tests: ['Sbp_A10_T2']
},
{
description: 'Bound functions leak "caller"',
@@ -2186,7 +2239,7 @@
urls: ['http://code.google.com/p/v8/issues/detail?id=893',
'https://bugs.webkit.org/show_bug.cgi?id=63398'],
sections: ['15.3.4.5'],
- tests: ['S15.3.4.5_A1']
+ tests: ['S13.2.3_A1', 'S15.3.4.5_A1']
},
{
description: 'Bound functions leak "arguments"',
@@ -2197,7 +2250,7 @@
urls: ['http://code.google.com/p/v8/issues/detail?id=893',
'https://bugs.webkit.org/show_bug.cgi?id=63398'],
sections: ['15.3.4.5'],
- tests: ['S15.3.4.5_A2']
+ tests: ['S13.2.3_A1', 'S15.3.4.5_A2']
},
{
description: 'JSON.parse confused by "__proto__"',
@@ -2218,7 +2271,7 @@
canRepair: false,
urls: ['https://bugs.webkit.org/show_bug.cgi?id=65832'],
sections: ['8.6.2'],
- tests: []
+ tests: ['S8.6.2_A8']
},
{
description: 'Strict eval function leaks variable definitions',
@@ -2228,7 +2281,7 @@
canRepair: false,
urls: ['http://code.google.com/p/v8/issues/detail?id=1624'],
sections: ['10.4.2.1'],
- tests: []
+ tests: ['S10.4.2.1_A1']
},
{
description: 'parseInt still parsing octal',
@@ -2238,7 +2291,7 @@
canRepair: true,
urls: ['http://code.google.com/p/v8/issues/detail?id=1645'],
sections: ['15.1.2.2'],
- tests: []
+ tests: ['S15.1.2.2_A5.1_T1']
}
];
=======================================
--- /trunk/src/com/google/caja/ses/startSES.js Wed Aug 31 22:32:26 2011
+++ /trunk/src/com/google/caja/ses/startSES.js Wed Sep 28 04:03:16 2011
@@ -806,7 +806,7 @@
function getPermit(base, name) {
var permit = whiteTable.get(base);
if (permit) {
- if (permit[name]) { return permit[name]; }
+ if (hop.call(permit, name)) { return permit[name]; }
}
while (true) {
base = Object.getPrototypeOf(base);
=======================================
--- /trunk/src/com/google/caja/ses/useHTMLLogger.js Wed Aug 31 22:32:26 2011
+++ /trunk/src/com/google/caja/ses/useHTMLLogger.js Wed Sep 28 04:03:16 2011
@@ -175,8 +175,13 @@
var linkElement = appendNew(linksBlock, 'p');
if (i === 0) { appendText(linkElement, 'See '); }
var link = appendNew(linkElement, 'a');
+
+ // TODO(erights): Only until we have a good way to index
+ // directly into hg.ecmascript.org
+ var site = test.charAt(0) === 'S' ?
+ '+site%3Acode.google.com' : '+site%3Aes5conform.svn.codeplex.com';
link.href = 'http://www.google.com/search?btnI=&q=' +
- encodeURIComponent(test) + '+site%3Acode.google.com';
+ encodeURIComponent(test) + site;
link.target = '_blank';
appendText(link, 'Test ' + test);
});
