Reviewers: kpreid2,
Message:
Array.prototype.length no longer needs to be skipped as the relevant
bug is long dead.
Test for Opera specific bug
Test for Function constructor bug -- but description record commented
out for now.
Description:
Array.prototype.length no longer needs to be skipped as the relevant
bug is long dead.
Test for Opera specific bug
Test for Function constructor bug -- but description record commented
out for now.
Please review this at https://codereview.appspot.com/10075043/
Affected files:
M src/com/google/caja/ses/StringMap.js
M src/com/google/caja/ses/debug.js
M src/com/google/caja/ses/repairES5.js
M src/com/google/caja/ses/whitelist.js
Index: src/com/google/caja/ses/StringMap.js
===================================================================
--- src/com/google/caja/ses/StringMap.js (revision 5440)
+++ src/com/google/caja/ses/StringMap.js (working copy)
@@ -21,6 +21,7 @@
* @overrides StringMap
*/
+var ses;
var StringMap;
(function() {
@@ -41,7 +42,7 @@
}
var createNull;
- if (((ses.es5ProblemReports || {}).FREEZING_BREAKS_PROTOTYPES || {})
+ if ((((ses || {}).es5ProblemReports || {}).FREEZING_BREAKS_PROTOTYPES |
| {})
.beforeFailure) {
// Object.create(null) is broken; fall back to ES3-style
implementation
// (safe because we suffix keys anyway).
Index: src/com/google/caja/ses/debug.js
===================================================================
--- src/com/google/caja/ses/debug.js (revision 5440)
+++ src/com/google/caja/ses/debug.js (working copy)
@@ -95,7 +95,7 @@
ssts.set(err, sst);
}
// Technically redundant, but prepareStackTrace is supposed
- // to return a value, so this make it clearer that this value
+ // to return a value, so this makes it clearer that this value
// is undefined (void 0).
return void 0;
};
Index: src/com/google/caja/ses/repairES5.js
===================================================================
--- src/com/google/caja/ses/repairES5.js (revision 5440)
+++ src/com/google/caja/ses/repairES5.js (working copy)
@@ -2195,6 +2195,39 @@
!!Object.getOwnPropertyDescriptor(tte, 'caller');
}
+ /**
+ * See https://code.google.com/p/google-caja/issues/detail?id=1616
+ */
+ function test_FUNCTION_DOESNT_VERIFY_SYNTAX() {
+ try {
+ Function("/*", "*/){");
+ } catch (err) {
+ if (err instanceof SyntaxError) { return false; }
+ return 'Unexpected error: ' + err;
+ }
+ return true;
+ }
+
+ /**
+ * If you can, see Opera bug [email protected].
+ *
+ * <p>On some Operas, the Object.prototype.__proto__ property is an
+ * accessor property, but the property descriptor of that property
+ * has a setter, i.e., {@code desc.set}, which throws a TypeError
+ * when one tries to read it.
+ */
+ function test_PROTO_SETTER_UNGETTABLE() {
+ var desc =
Object.getOwnPropertyDescriptor(Object.prototype, '__proto__');
+ if (!desc) { return false; }
+ try {
+ desc.set; // yes, just reading it
+ } catch (err) {
+ if (err instanceof TypeError) { return true; }
+ return ''+err;
+ }
+ return false;
+ }
+
////////////////////// Repairs /////////////////////
//
// Each repair_NAME function exists primarily to repair the problem
@@ -3123,7 +3156,7 @@
urls: [],
sections: ['15.2.3.4'],
tests: ['15.2.3.4-0-1']
- },
+ }
];
/**
@@ -3343,7 +3376,8 @@
preSeverity: severities.SAFE_SPEC_VIOLATION,
canRepair: true,
urls: ['http://code.google.com/p/v8/issues/detail?id=2273',
-
'https://developer.mozilla.org/en-US/docs/JavaScript/Reference/Global_Objects/Array/forEach'],
+ 'https://developer.mozilla.org/en-US/docs/JavaScript/' +
+ 'Reference/Global_Objects/Array/forEach'],
sections: ['15.4.4.18'],
tests: []
},
@@ -3818,7 +3852,7 @@
preSeverity: severities.SAFE_SPEC_VIOLATION,
canRepair: false,
urls: ['https://code.google.com/p/v8/issues/detail?id=1310',
-
'https://mail.mozilla.org/pipermail/es-discuss/2013-March/029177.html'],
+
'https://mail.mozilla.org/pipermail/es-discuss/2013-March/029177.html'],
sections: [], // Not spelled out in spec, according to Brendan Eich
(see
// es-discuss link)
tests: [] // TODO(kpreid): add to test262 once we have a section to
cite
@@ -3862,6 +3896,35 @@
// TODO(kpreid): find or file Chrome bug (has a .prototype!)
sections: ['13.2.3'],
tests: [] // TODO(kpreid): add to test262
+ },
+ /* TODO(kpreid): Turn this on once we have client controlled
+ * reactions to tests and repairs. Off for now because this is
+ * fixed outside repairES5 when source mitigations are
+ * available.
+ {
+ id: 'FUNCTION_DOESNT_VERIFY_SYNTAX',
+ description: 'Function constructor does not verify syntax',
+ test: test_FUNCTION_DOESNT_VERIFY_SYNTAX,
+ repair: void 0,
+ preSeverity: severities.NOT_ISOLATED,
+ canRepair: false,
+ urls: ['https://code.google.com/p/google-caja/issues/detail?id=1616',
+ 'http://code.google.com/p/v8/issues/detail?id=2470',
+ 'https://bugs.webkit.org/show_bug.cgi?id=106160'],
+ sections: ['15.3.2.1'],
+ tests: []
+ },
+ */
+ {
+ id: 'PROTO_SETTER_UNGETTABLE',
+ description: "Can't get Object.prototype.__proto__'s setter",
+ test: test_PROTO_SETTER_UNGETTABLE,
+ repair: void 0,
+ preSeverity: severities.UNSAFE_SPEC_VIOLATION,
+ canRepair: false,
+ urls: ['mailto:[email protected]'],
+ sections: [],
+ tests: []
}
];
Index: src/com/google/caja/ses/whitelist.js
===================================================================
--- src/com/google/caja/ses/whitelist.js (revision 5440)
+++ src/com/google/caja/ses/whitelist.js (working copy)
@@ -266,9 +266,7 @@
filter: t,
reduce: t,
reduceRight: t,
- length: 'skip' // can't be redefined on Mozilla
- // See https://bugzilla.mozilla.org/show_bug.cgi?id=591059
- // and https://bugzilla.mozilla.org/show_bug.cgi?id=598996
+ length: t
},
isArray: t
},
--
---
You received this message because you are subscribed to the Google Groups "Google Caja Discuss" group.
To unsubscribe from this group and stop receiving emails from it, send an email
to [email protected].
For more options, visit https://groups.google.com/groups/opt_out.
