Reviewers: felix8a,
Description:
* Chrome now has a WeakMap implementation with nothing we repair.
* Firefox now allows typed array constructors to be called without
'new'.
Please review this at https://codereview.appspot.com/140680043/
Affected files (+30, -23 lines):
M tests/com/google/caja/plugin/test-scan-guest.js
Index: tests/com/google/caja/plugin/test-scan-guest.js
===================================================================
--- tests/com/google/caja/plugin/test-scan-guest.js (revision 5694)
+++ tests/com/google/caja/plugin/test-scan-guest.js (working copy)
@@ -890,28 +890,35 @@
}
}));
- argsByIdentity(WeakMap, annotate(
- freshResult(genAllCall()), function(context, thrown) {
+ // Some WeakMap shim impls are prototype based, some are closure
based; we
+ // deal with both, as well as the real thing.
+ var genWeakMapKey = genJSONValue;
+ function annotateWeakMapInstance(obj) {
+ // known harmless implementation details leak.
+ expectedUnfrozen.setByIdentity(obj, true);
+ argsByIdentity(obj['permitHostObjects___'], genMethod(G.value('x')));
+ expectedAlwaysThrow.setByIdentity(obj['permitHostObjects___'], true);
+ argsByIdentity(obj['delete___'], genMethod(genWeakMapKey));
+ argsByIdentity(obj['get___'], genMethod(genWeakMapKey));
+ argsByIdentity(obj['set___'], genMethod(genWeakMapKey, genObject));
+ argsByIdentity(obj['has___'], genMethod(genWeakMapKey));
+
+ argsByIdentity(obj['delete'], genMethod(genWeakMapKey));
+ argsByIdentity(obj.get, genMethod(genWeakMapKey));
+ argsByIdentity(obj.set, genMethod(genWeakMapKey, genObject));
+ argsByIdentity(obj.has, genMethod(genWeakMapKey));
+ return obj;
+ }
+ argsByIdentity(WeakMap, annotate(genAllCall(), function(context,
thrown) {
if (!thrown) {
- // known harmless implementation details leak. TODO abuse anyway
- argsByIdentity(context.get()['delete___'],
- argsByIdentity(context.get()['get___'],
- argsByIdentity(context.get()['has___'],
- argsByIdentity(context.get()['set___'],
- argsByIdentity(context.get()['permitHostObjects___'],
- G.none)))));
-
- argsByIdentity(context.get()['delete'], G.none); // TODO abuse
- argsByIdentity(context.get().get, G.none); // TODO abuse
- argsByIdentity(context.get().set, G.none); // TODO abuse
- argsByIdentity(context.get().has, G.none); // TODO abuse
+ annotateWeakMapInstance(context.get());
}
}));
- // some WeakMap impls are prototype based, some are closure based
- argsByIdentity(WeakMap.prototype['delete'], G.none); // TODO abuse
- argsByIdentity(WeakMap.prototype.get, G.none); // TODO abuse
- argsByIdentity(WeakMap.prototype.set, G.none); // TODO abuse
- argsByIdentity(WeakMap.prototype.has, G.none); // TODO abuse
+ obtainInstance.define(WeakMap, annotateWeakMapInstance(new WeakMap()));
+ argsByIdentity(WeakMap.prototype['delete'], genMethod(genWeakMapKey));
+ argsByIdentity(WeakMap.prototype.get, genMethod(genWeakMapKey));
+ argsByIdentity(WeakMap.prototype.set, genMethod(genWeakMapKey,
genObject));
+ argsByIdentity(WeakMap.prototype.has, genMethod(genWeakMapKey));
expectedAlwaysThrow.setByIdentity(
getSetter(window, 'location'), true);
@@ -1288,7 +1295,8 @@
expectedAlwaysThrow.mark(refArrayBufferView);
});
- var typedArrayCall = G.tuple(G.value(CONSTRUCT), G.any(
+ // PLAIN_CALL is needed on Firefox because it allows calling these
ctors
+ var typedArrayCall = G.tuple(G.value(CONSTRUCT, PLAIN_CALL), G.any(
G.tuple(genSmallInteger),
G.tuple(genInstance(Int8Array)),
G.tuple(genNumbers(2)),
@@ -1299,11 +1307,10 @@
var ref = RefAnyFrame(name);
var ctor = window[name];
- functionArgs.set(ref, doAllCalls
+ functionArgs.set(ref, freshResult(doAllCalls
? typedArrayCall
- : genNew(G.value(0)));
+ : genAllCall(G.value(0))));
obtainInstance.define(ctor, new ctor(3));
- expectedUnfrozen.mark(ref);
argsByAnyFrame(name + '.prototype.set', doAllCalls
? G.any(
--
---
You received this message because you are subscribed to the Google Groups "Google Caja Discuss" group.
To unsubscribe from this group and stop receiving emails from it, send an email
to [email protected].
For more options, visit https://groups.google.com/d/optout.
