Title: [212086] branches/safari-603-branch
Revision
212086
Author
matthew_han...@apple.com
Date
2017-02-10 00:15:53 -0800 (Fri, 10 Feb 2017)

Log Message

Merge r212015. rdar://problem/30054759

Modified Paths

Added Paths

Diff

Modified: branches/safari-603-branch/LayoutTests/ChangeLog (212085 => 212086)


--- branches/safari-603-branch/LayoutTests/ChangeLog	2017-02-10 08:15:47 UTC (rev 212085)
+++ branches/safari-603-branch/LayoutTests/ChangeLog	2017-02-10 08:15:53 UTC (rev 212086)
@@ -1,5 +1,20 @@
 2017-02-09  Matthew Hanson  <matthew_han...@apple.com>
 
+        Merge r212015. rdar://problem/30054759
+
+    2017-02-09  Mark Lam  <mark....@apple.com>
+
+            Constructed object's global object should be the global object of the constructor.
+            https://bugs.webkit.org/show_bug.cgi?id=167121
+            <rdar://problem/30054759>
+
+            Reviewed by Filip Pizlo and Geoffrey Garen.
+
+            * http/tests/security/xssAuditor/regress-167121-expected.txt: Added.
+            * http/tests/security/xssAuditor/regress-167121.html: Added.
+
+2017-02-09  Matthew Hanson  <matthew_han...@apple.com>
+
         Merge r211999. rdar://problem/29930443
 
     2017-02-09  Brent Fulgham  <bfulg...@apple.com>

Added: branches/safari-603-branch/LayoutTests/http/tests/security/xssAuditor/regress-167121-expected.txt (0 => 212086)


--- branches/safari-603-branch/LayoutTests/http/tests/security/xssAuditor/regress-167121-expected.txt	                        (rev 0)
+++ branches/safari-603-branch/LayoutTests/http/tests/security/xssAuditor/regress-167121-expected.txt	2017-02-10 08:15:53 UTC (rev 212086)
@@ -0,0 +1,10 @@
+CONSOLE MESSAGE: line 2: .../security/xssAuditor/regress-167121.html
+This tests that the URL of an iframe whose page triggered a full page block is not "data:,".
+
+On success, you will see a series of "PASS" messages, followed by "TEST COMPLETE".
+
+
+PASS successfullyParsed is true
+
+TEST COMPLETE
+

Added: branches/safari-603-branch/LayoutTests/http/tests/security/xssAuditor/regress-167121.html (0 => 212086)


--- branches/safari-603-branch/LayoutTests/http/tests/security/xssAuditor/regress-167121.html	                        (rev 0)
+++ branches/safari-603-branch/LayoutTests/http/tests/security/xssAuditor/regress-167121.html	2017-02-10 08:15:53 UTC (rev 212086)
@@ -0,0 +1,51 @@
+<body>
+<!DOCTYPE html>
+<html>
+<head>
+<script src=""
+<script>
+if (window.testRunner)
+    testRunner.setXSSAuditorEnabled(true);
+
+window.jsTestIsAsync = true;
+
+var frame;
+var locationStr;
+
+function runTest()
+{
+    function loadDifferentURL()
+    {
+        frame._onload_ = null;
+
+        let g = function () {};
+        g.prototype = frame.contentWindow;
+
+        let a = Reflect.construct(Intl.NumberFormat, [], g);
+        try {
+            Intl.NumberFormat.prototype.__lookupGetter__("format").call(a).constructor('var str = String(location); var i = str.search("security/xssAuditor"); console.log(".../" + str.substr(i))')();
+        } catch (e) {
+            console.log("Caught: " + e);
+        }
+
+        finishJSTest();
+    }
+    frame._onload_ = loadDifferentURL;
+    frame.src = ""
+}
+
+window._onload_ = function ()
+{
+    frame = document.getElementById("frame");
+    runTest();
+}
+</script>
+</head>
+<body>
+    <script>
+        description("This tests that the URL of an iframe whose page triggered a full page block is not &quot;data:,&quot;.");
+    </script>
+    <iframe id="frame"></iframe>
+    <script src=""
+</body>
+</html>
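Review bot: The stray `<body>` on the first line of the new test, ahead of `<!DOCTYPE html>`, opens the body twice (again at the second `<body>` below the `</head>`) and drops the document into quirks mode; it looks unintended and the first line should simply be removed. The `src=""` on both script includes, the `frame.src = ""` assignment and the `_onload_` spellings appear empty or altered in this listing, so the frame URL that is meant to trigger the full-page block cannot be checked from here; this is presumably mailing-list mangling of the committed file rather than what landed, but worth confirming against the repository.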

Modified: branches/safari-603-branch/Source/_javascript_Core/ChangeLog (212085 => 212086)


--- branches/safari-603-branch/Source/_javascript_Core/ChangeLog	2017-02-10 08:15:47 UTC (rev 212085)
+++ branches/safari-603-branch/Source/_javascript_Core/ChangeLog	2017-02-10 08:15:53 UTC (rev 212086)
@@ -1,5 +1,54 @@
 2017-02-09  Matthew Hanson  <matthew_han...@apple.com>
 
+        Merge r212015. rdar://problem/30054759
+
+    2017-02-09  Mark Lam  <mark....@apple.com>
+
+            Constructed object's global object should be the global object of the constructor.
+            https://bugs.webkit.org/show_bug.cgi?id=167121
+            <rdar://problem/30054759>
+
+            Reviewed by Filip Pizlo and Geoffrey Garen.
+
+            The realm (i.e. globalObject) of any object should be the same as the constructor
+            that instantiated the object.  Changed PrototypeMap::createEmptyStructure() to
+            be passed the correct globalObject to use instead of assuming it's the same one
+            as the prototype object.
+
+            * bytecode/CodeBlock.cpp:
+            (JSC::CodeBlock::finishCreation):
+            * bytecode/InternalFunctionAllocationProfile.h:
+            (JSC::InternalFunctionAllocationProfile::createAllocationStructureFromBase):
+            * bytecode/ObjectAllocationProfile.h:
+            (JSC::ObjectAllocationProfile::initialize):
+            * runtime/FunctionRareData.cpp:
+            (JSC::FunctionRareData::initializeObjectAllocationProfile):
+            * runtime/FunctionRareData.h:
+            (JSC::FunctionRareData::createInternalFunctionAllocationStructureFromBase):
+            * runtime/InternalFunction.cpp:
+            (JSC::InternalFunction::createSubclassStructure):
+            * runtime/IteratorOperations.cpp:
+            (JSC::createIteratorResultObjectStructure):
+            * runtime/JSBoundFunction.cpp:
+            (JSC::getBoundFunctionStructure):
+            * runtime/JSFunction.cpp:
+            (JSC::JSFunction::allocateAndInitializeRareData):
+            (JSC::JSFunction::initializeRareData):
+            * runtime/JSGlobalObject.cpp:
+            (JSC::JSGlobalObject::init):
+            * runtime/JSProxy.cpp:
+            (JSC::JSProxy::setTarget):
+            * runtime/ObjectConstructor.h:
+            (JSC::constructEmptyObject):
+            * runtime/PrototypeMap.cpp:
+            (JSC::PrototypeMap::createEmptyStructure):
+            (JSC::PrototypeMap::emptyStructureForPrototypeFromBaseStructure):
+            (JSC::PrototypeMap::emptyObjectStructureForPrototype):
+            (JSC::PrototypeMap::clearEmptyObjectStructureForPrototype):
+            * runtime/PrototypeMap.h:
+
+2017-02-09  Matthew Hanson  <matthew_han...@apple.com>
+
         Merge r212009. rdar://problem/29939864
 
     2017-02-09  Keith Miller  <keith_mil...@apple.com>

Modified: branches/safari-603-branch/Source/_javascript_Core/bytecode/CodeBlock.cpp (212085 => 212086)


--- branches/safari-603-branch/Source/_javascript_Core/bytecode/CodeBlock.cpp	2017-02-10 08:15:47 UTC (rev 212085)
+++ branches/safari-603-branch/Source/_javascript_Core/bytecode/CodeBlock.cpp	2017-02-10 08:15:53 UTC (rev 212086)
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2008-2010, 2012-2016 Apple Inc. All rights reserved.
+ * Copyright (C) 2008-2010, 2012-2017 Apple Inc. All rights reserved.
  * Copyright (C) 2008 Cameron Zwarich <cwzwar...@uwaterloo.ca>
  *
  * Redistribution and use in source and binary forms, with or without
@@ -2122,7 +2122,7 @@
 
             instructions[i + opLength - 1] = objectAllocationProfile;
             objectAllocationProfile->initialize(vm,
-                this, m_globalObject->objectPrototype(), inferredInlineCapacity);
+                m_globalObject.get(), this, m_globalObject->objectPrototype(), inferredInlineCapacity);
             break;
         }
 

Modified: branches/safari-603-branch/Source/_javascript_Core/bytecode/InternalFunctionAllocationProfile.h (212085 => 212086)


--- branches/safari-603-branch/Source/_javascript_Core/bytecode/InternalFunctionAllocationProfile.h	2017-02-10 08:15:47 UTC (rev 212085)
+++ branches/safari-603-branch/Source/_javascript_Core/bytecode/InternalFunctionAllocationProfile.h	2017-02-10 08:15:53 UTC (rev 212086)
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2016 Apple Inc. All rights reserved.
+ * Copyright (C) 2016-2017 Apple Inc. All rights reserved.
  *
  * Redistribution and use in source and binary forms, with or without
  * modification, are permitted provided that the following conditions
@@ -35,7 +35,7 @@
 class InternalFunctionAllocationProfile {
 public:
     Structure* structure() { return m_structure.get(); }
-    Structure* createAllocationStructureFromBase(VM&, JSCell* owner, JSObject* prototype, Structure* base);
+    Structure* createAllocationStructureFromBase(VM&, JSGlobalObject*, JSCell* owner, JSObject* prototype, Structure* base);
 
     void clear() { m_structure.clear(); }
     void visitAggregate(SlotVisitor& visitor) { visitor.append(m_structure); }
@@ -44,7 +44,7 @@
     WriteBarrier<Structure> m_structure;
 };
 
-inline Structure* InternalFunctionAllocationProfile::createAllocationStructureFromBase(VM& vm, JSCell* owner, JSObject* prototype, Structure* baseStructure)
+inline Structure* InternalFunctionAllocationProfile::createAllocationStructureFromBase(VM& vm, JSGlobalObject* globalObject, JSCell* owner, JSObject* prototype, Structure* baseStructure)
 {
     ASSERT(!m_structure || m_structure.get()->classInfo() != baseStructure->classInfo());
 
@@ -52,7 +52,7 @@
     if (prototype == baseStructure->storedPrototype())
         structure = baseStructure;
     else
-        structure = vm.prototypeMap.emptyStructureForPrototypeFromBaseStructure(prototype, baseStructure);
+        structure = vm.prototypeMap.emptyStructureForPrototypeFromBaseStructure(globalObject, prototype, baseStructure);
 
     // Ensure that if another thread sees the structure, it will see it properly created.
     WTF::storeStoreFence();
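Review bot: The fast path that returns `baseStructure` when `prototype == baseStructure->storedPrototype()` ignores the new `globalObject` parameter entirely, so the function's contract ("structure belongs to globalObject") is only enforced on the PrototypeMap path. Since the whole point of this change is that the allocated structure's realm must match the constructor's, an assertion on the fast path would document and check that invariant, mirroring what JSBoundFunction.cpp does: `ASSERT_WITH_SECURITY_IMPLICATION(structure->globalObject() == globalObject);` placed before the fence. If the callers' `exec->lexicalGlobalObject()` is always the callee's global this assert is free; if it is not, it will flag exactly the cross-realm case this patch is fixing. The enclosing function continues past the end of this hunk.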

Modified: branches/safari-603-branch/Source/_javascript_Core/bytecode/ObjectAllocationProfile.h (212085 => 212086)


--- branches/safari-603-branch/Source/_javascript_Core/bytecode/ObjectAllocationProfile.h	2017-02-10 08:15:47 UTC (rev 212085)
+++ branches/safari-603-branch/Source/_javascript_Core/bytecode/ObjectAllocationProfile.h	2017-02-10 08:15:53 UTC (rev 212086)
@@ -48,7 +48,7 @@
 
     bool isNull() { return !m_structure; }
 
-    void initialize(VM& vm, JSCell* owner, JSObject* prototype, unsigned inferredInlineCapacity)
+    void initialize(VM& vm, JSGlobalObject* globalObject, JSCell* owner, JSObject* prototype, unsigned inferredInlineCapacity)
     {
         ASSERT(!m_allocator);
         ASSERT(!m_structure);
@@ -92,7 +92,7 @@
                 inlineCapacity = JSFinalObject::maxInlineCapacity();
         }
 
-        Structure* structure = vm.prototypeMap.emptyObjectStructureForPrototype(prototype, inlineCapacity);
+        Structure* structure = vm.prototypeMap.emptyObjectStructureForPrototype(globalObject, prototype, inlineCapacity);
 
         // Ensure that if another thread sees the structure, it will see it properly created
         WTF::storeStoreFence();

Modified: branches/safari-603-branch/Source/_javascript_Core/runtime/FunctionRareData.cpp (212085 => 212086)


--- branches/safari-603-branch/Source/_javascript_Core/runtime/FunctionRareData.cpp	2017-02-10 08:15:47 UTC (rev 212085)
+++ branches/safari-603-branch/Source/_javascript_Core/runtime/FunctionRareData.cpp	2017-02-10 08:15:53 UTC (rev 212086)
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2015-2016 Apple Inc. All rights reserved.
+ * Copyright (C) 2015-2017 Apple Inc. All rights reserved.
  *
  * Redistribution and use in source and binary forms, with or without
  * modification, are permitted provided that the following conditions
@@ -79,9 +79,9 @@
 {
 }
 
-void FunctionRareData::initializeObjectAllocationProfile(VM& vm, JSObject* prototype, size_t inlineCapacity)
+void FunctionRareData::initializeObjectAllocationProfile(VM& vm, JSGlobalObject* globalObject, JSObject* prototype, size_t inlineCapacity)
 {
-    m_objectAllocationProfile.initialize(vm, this, prototype, inlineCapacity);
+    m_objectAllocationProfile.initialize(vm, globalObject, this, prototype, inlineCapacity);
 }
 
 void FunctionRareData::clear(const char* reason)

Modified: branches/safari-603-branch/Source/_javascript_Core/runtime/FunctionRareData.h (212085 => 212086)


--- branches/safari-603-branch/Source/_javascript_Core/runtime/FunctionRareData.h	2017-02-10 08:15:47 UTC (rev 212085)
+++ branches/safari-603-branch/Source/_javascript_Core/runtime/FunctionRareData.h	2017-02-10 08:15:53 UTC (rev 212086)
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2015-2016 Apple Inc. All rights reserved.
+ * Copyright (C) 2015-2017 Apple Inc. All rights reserved.
  *
  * Redistribution and use in source and binary forms, with or without
  * modification, are permitted provided that the following conditions
@@ -79,14 +79,14 @@
 
     void clear(const char* reason);
 
-    void initializeObjectAllocationProfile(VM&, JSObject* prototype, size_t inlineCapacity);
+    void initializeObjectAllocationProfile(VM&, JSGlobalObject*, JSObject* prototype, size_t inlineCapacity);
 
     bool isObjectAllocationProfileInitialized() { return !m_objectAllocationProfile.isNull(); }
 
     Structure* internalFunctionAllocationStructure() { return m_internalFunctionAllocationProfile.structure(); }
-    Structure* createInternalFunctionAllocationStructureFromBase(VM& vm, JSObject* prototype, Structure* baseStructure)
+    Structure* createInternalFunctionAllocationStructureFromBase(VM& vm, JSGlobalObject* globalObject, JSObject* prototype, Structure* baseStructure)
     {
-        return m_internalFunctionAllocationProfile.createAllocationStructureFromBase(vm, this, prototype, baseStructure);
+        return m_internalFunctionAllocationProfile.createAllocationStructureFromBase(vm, globalObject, this, prototype, baseStructure);
     }
 
     Structure* getBoundFunctionStructure() { return m_boundFunctionStructure.get(); }

Modified: branches/safari-603-branch/Source/_javascript_Core/runtime/InternalFunction.cpp (212085 => 212086)


--- branches/safari-603-branch/Source/_javascript_Core/runtime/InternalFunction.cpp	2017-02-10 08:15:47 UTC (rev 212085)
+++ branches/safari-603-branch/Source/_javascript_Core/runtime/InternalFunction.cpp	2017-02-10 08:15:53 UTC (rev 212086)
@@ -1,7 +1,7 @@
 /*
  *  Copyright (C) 1999-2002 Harri Porten (por...@kde.org)
  *  Copyright (C) 2001 Peter Kelly (p...@post.com)
- *  Copyright (C) 2004, 2007-2008, 2016 Apple Inc. All rights reserved.
+ *  Copyright (C) 2004, 2007-2008, 2016-2017 Apple Inc. All rights reserved.
  *
  *  This library is free software; you can redistribute it and/or
  *  modify it under the terms of the GNU Library General Public
@@ -105,6 +105,7 @@
     if (newTarget && newTarget != exec->jsCallee()) {
         // newTarget may be an InternalFunction if we were called from Reflect.construct.
         JSFunction* targetFunction = jsDynamicCast<JSFunction*>(newTarget);
+        JSGlobalObject* lexicalGlobalObject = exec->lexicalGlobalObject();
 
         if (LIKELY(targetFunction)) {
             Structure* structure = targetFunction->rareData(vm)->internalFunctionAllocationStructure();
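Review bot: The structure cached on `targetFunction->rareData(vm)` is keyed only by the newTarget function, not by the global object of the constructor being invoked, yet the new `lexicalGlobalObject` is only consulted when a fresh structure is created. If the lines between this hunk and the next (not shown) return the cached structure on a classInfo match alone, then `Reflect.construct(frameA.Intl.NumberFormat, [], g)` followed by `Reflect.construct(frameB.Intl.NumberFormat, [], g)` would hand the second constructor a structure whose global object is frame A's, reintroducing the realm mismatch this patch fixes. I would guard the reuse with the realm as well, e.g. `if (structure && structure->classInfo() == baseClass->classInfo() && structure->globalObject() == lexicalGlobalObject) return structure;`, and a one-line comment above the `lexicalGlobalObject` declaration saying why the callee's realm rather than newTarget's is the one that must own the new object. `createSubclassStructure` starts before this hunk.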
@@ -115,7 +116,7 @@
             JSValue prototypeValue = newTarget.get(exec, exec->propertyNames().prototype);
             RETURN_IF_EXCEPTION(scope, nullptr);
             if (JSObject* prototype = jsDynamicCast<JSObject*>(prototypeValue))
-                return targetFunction->rareData(vm)->createInternalFunctionAllocationStructureFromBase(vm, prototype, baseClass);
+                return targetFunction->rareData(vm)->createInternalFunctionAllocationStructureFromBase(vm, lexicalGlobalObject, prototype, baseClass);
         } else {
             JSValue prototypeValue = newTarget.get(exec, exec->propertyNames().prototype);
             RETURN_IF_EXCEPTION(scope, nullptr);
@@ -122,7 +123,7 @@
             if (JSObject* prototype = jsDynamicCast<JSObject*>(prototypeValue)) {
                 // This only happens if someone Reflect.constructs our builtin constructor with another builtin constructor as the new.target.
                 // Thus, we don't care about the cost of looking up the structure from our hash table every time.
-                return vm.prototypeMap.emptyStructureForPrototypeFromBaseStructure(prototype, baseClass);
+                return vm.prototypeMap.emptyStructureForPrototypeFromBaseStructure(lexicalGlobalObject, prototype, baseClass);
             }
         }
     }

Modified: branches/safari-603-branch/Source/_javascript_Core/runtime/IteratorOperations.cpp (212085 => 212086)


--- branches/safari-603-branch/Source/_javascript_Core/runtime/IteratorOperations.cpp	2017-02-10 08:15:47 UTC (rev 212085)
+++ branches/safari-603-branch/Source/_javascript_Core/runtime/IteratorOperations.cpp	2017-02-10 08:15:53 UTC (rev 212086)
@@ -1,6 +1,6 @@
 /*
  * Copyright (C) 2015 Yusuke Suzuki <utatane....@gmail.com>.
- * Copyright (C) 2016 Apple Inc. All rights reserved.
+ * Copyright (C) 2016-2017 Apple Inc. All rights reserved.
  *
  * Redistribution and use in source and binary forms, with or without
  * modification, are permitted provided that the following conditions
@@ -141,7 +141,7 @@
 
 Structure* createIteratorResultObjectStructure(VM& vm, JSGlobalObject& globalObject)
 {
-    Structure* iteratorResultStructure = vm.prototypeMap.emptyObjectStructureForPrototype(globalObject.objectPrototype(), JSFinalObject::defaultInlineCapacity());
+    Structure* iteratorResultStructure = vm.prototypeMap.emptyObjectStructureForPrototype(&globalObject, globalObject.objectPrototype(), JSFinalObject::defaultInlineCapacity());
     PropertyOffset offset;
     iteratorResultStructure = Structure::addPropertyTransition(vm, iteratorResultStructure, vm.propertyNames->done, 0, offset);
     RELEASE_ASSERT(offset == donePropertyOffset);

Modified: branches/safari-603-branch/Source/_javascript_Core/runtime/JSBoundFunction.cpp (212085 => 212086)


--- branches/safari-603-branch/Source/_javascript_Core/runtime/JSBoundFunction.cpp	2017-02-10 08:15:47 UTC (rev 212085)
+++ branches/safari-603-branch/Source/_javascript_Core/runtime/JSBoundFunction.cpp	2017-02-10 08:15:53 UTC (rev 212086)
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2011, 2016 Apple Inc. All rights reserved.
+ * Copyright (C) 2011, 2016-2017 Apple Inc. All rights reserved.
  *
  * Redistribution and use in source and binary forms, with or without
  * modification, are permitted provided that the following conditions
@@ -145,7 +145,7 @@
     // currently. Whoever works on caching structure changes for prototype transistions should consider this problem as well.
     // See: https://bugs.webkit.org/show_bug.cgi?id=152738
     if (prototype.isObject() && prototype.getObject()->globalObject() == globalObject) {
-        result = vm.prototypeMap.emptyStructureForPrototypeFromBaseStructure(prototype.getObject(), result);
+        result = vm.prototypeMap.emptyStructureForPrototypeFromBaseStructure(globalObject, prototype.getObject(), result);
         ASSERT_WITH_SECURITY_IMPLICATION(result->globalObject() == globalObject);
     } else
         result = Structure::create(vm, globalObject, prototype, result->typeInfo(), result->classInfo());

Modified: branches/safari-603-branch/Source/_javascript_Core/runtime/JSFunction.cpp (212085 => 212086)


--- branches/safari-603-branch/Source/_javascript_Core/runtime/JSFunction.cpp	2017-02-10 08:15:47 UTC (rev 212085)
+++ branches/safari-603-branch/Source/_javascript_Core/runtime/JSFunction.cpp	2017-02-10 08:15:53 UTC (rev 212086)
@@ -134,10 +134,11 @@
     ASSERT(!m_rareData);
     VM& vm = exec->vm();
     JSObject* prototype = jsDynamicCast<JSObject*>(get(exec, vm.propertyNames->prototype));
+    JSGlobalObject* globalObject = this->globalObject(vm);
     if (!prototype)
-        prototype = globalObject(vm)->objectPrototype();
+        prototype = globalObject->objectPrototype();
     FunctionRareData* rareData = FunctionRareData::create(vm);
-    rareData->initializeObjectAllocationProfile(vm, prototype, inlineCapacity);
+    rareData->initializeObjectAllocationProfile(vm, globalObject, prototype, inlineCapacity);
 
     // A DFG compilation thread may be trying to read the rare data
     // We want to ensure that it sees it properly allocated
@@ -152,9 +153,10 @@
     ASSERT(!!m_rareData);
     VM& vm = exec->vm();
     JSObject* prototype = jsDynamicCast<JSObject*>(get(exec, vm.propertyNames->prototype));
+    JSGlobalObject* globalObject = this->globalObject(vm);
     if (!prototype)
-        prototype = globalObject(vm)->objectPrototype();
-    m_rareData->initializeObjectAllocationProfile(vm, prototype, inlineCapacity);
+        prototype = globalObject->objectPrototype();
+    m_rareData->initializeObjectAllocationProfile(vm, globalObject, prototype, inlineCapacity);
     return m_rareData.get();
 }
 

Modified: branches/safari-603-branch/Source/_javascript_Core/runtime/JSGlobalObject.cpp (212085 => 212086)


--- branches/safari-603-branch/Source/_javascript_Core/runtime/JSGlobalObject.cpp	2017-02-10 08:15:47 UTC (rev 212085)
+++ branches/safari-603-branch/Source/_javascript_Core/runtime/JSGlobalObject.cpp	2017-02-10 08:15:53 UTC (rev 212086)
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2007-2009, 2014-2016 Apple Inc. All rights reserved.
+ * Copyright (C) 2007-2009, 2014-2017 Apple Inc. All rights reserved.
  * Copyright (C) 2008 Cameron Zwarich (cwzwar...@uwaterloo.ca)
  *
  * Redistribution and use in source and binary forms, with or without
@@ -456,7 +456,7 @@
     protoAccessor->setSetter(vm, this, JSFunction::create(vm, this, 0, makeString("set ", vm.propertyNames->underscoreProto.string()), globalFuncProtoSetter));
     m_objectPrototype->putDirectNonIndexAccessor(vm, vm.propertyNames->underscoreProto, protoAccessor, Accessor | DontEnum);
     m_functionPrototype->structure()->setPrototypeWithoutTransition(vm, m_objectPrototype.get());
-    m_objectStructureForObjectConstructor.set(vm, this, vm.prototypeMap.emptyObjectStructureForPrototype(m_objectPrototype.get(), JSFinalObject::defaultInlineCapacity()));
+    m_objectStructureForObjectConstructor.set(vm, this, vm.prototypeMap.emptyObjectStructureForPrototype(this, m_objectPrototype.get(), JSFinalObject::defaultInlineCapacity()));
     
     JSFunction* thrower = JSFunction::create(vm, this, 0, String(), globalFuncThrowTypeErrorArgumentsCalleeAndCaller);
     GetterSetter* getterSetter = GetterSetter::create(vm, this);

Modified: branches/safari-603-branch/Source/_javascript_Core/runtime/JSProxy.cpp (212085 => 212086)


--- branches/safari-603-branch/Source/_javascript_Core/runtime/JSProxy.cpp	2017-02-10 08:15:47 UTC (rev 212085)
+++ branches/safari-603-branch/Source/_javascript_Core/runtime/JSProxy.cpp	2017-02-10 08:15:53 UTC (rev 212086)
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2011-2012, 2016 Apple Inc. All rights reserved.
+ * Copyright (C) 2011-2012, 2016-2017 Apple Inc. All rights reserved.
  *
  * Redistribution and use in source and binary forms, with or without
  * modification, are permitted provided that the following conditions
@@ -47,6 +47,8 @@
 void JSProxy::setTarget(VM& vm, JSGlobalObject* globalObject)
 {
     ASSERT_ARG(globalObject, globalObject);
+    JSGlobalObject* previousGlobalObject = jsCast<JSGlobalObject*>(m_target.get());
+
     m_target.set(vm, this, globalObject);
     setPrototypeDirect(vm, globalObject->getPrototypeDirect());
 
@@ -54,11 +56,15 @@
     if (!prototypeMap.isPrototype(this))
         return;
 
+    // previousGlobalObject cannot be null because in order for this JSProxy to be used as a prototype
+    // of an object, we must have previously called setTarget() and associated it with a JSGlobalObject.
+    RELEASE_ASSERT(previousGlobalObject);
+
     // This is slow but constant time. We think it's very rare for a proxy
     // to be a prototype, and reasonably rare to retarget a proxy,
     // so slow constant time is OK.
     for (size_t i = 0; i <= JSFinalObject::maxInlineCapacity(); ++i)
-        prototypeMap.clearEmptyObjectStructureForPrototype(this, i);
+        prototypeMap.clearEmptyObjectStructureForPrototype(previousGlobalObject, this, i);
 }
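Review bot: Now that the PrototypeMap key includes the global object, `clearEmptyObjectStructureForPrototype(previousGlobalObject, this, i)` only evicts the structures that were created for this proxy under its previous target's realm. A structure with this proxy as prototype can also have been created under another realm's global object (for example through `constructEmptyObject`, which keys on `exec->lexicalGlobalObject()`), and that entry would survive the retarget; whether that matters depends on why these entries are cleared at all, which the comment above the loop does not say. Either document that only the previous realm's entries are intentionally dropped, or clear for every global object that can reference the proxy, and extend the comment with something like `// Only structures cached under the previous target's realm are dropped here; entries created under other realms keep this proxy as prototype.` The `jsCast` on `m_target.get()` at the top of the function tolerates a null target on the first call, which is why the RELEASE_ASSERT is placed only on the prototype path.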
 
 String JSProxy::className(const JSObject* object)

Modified: branches/safari-603-branch/Source/_javascript_Core/runtime/ObjectConstructor.h (212085 => 212086)


--- branches/safari-603-branch/Source/_javascript_Core/runtime/ObjectConstructor.h	2017-02-10 08:15:47 UTC (rev 212085)
+++ branches/safari-603-branch/Source/_javascript_Core/runtime/ObjectConstructor.h	2017-02-10 08:15:53 UTC (rev 212086)
@@ -1,6 +1,6 @@
 /*
  *  Copyright (C) 1999-2000 Harri Porten (por...@kde.org)
- *  Copyright (C) 2008, 2016 Apple Inc. All rights reserved.
+ *  Copyright (C) 2008, 2016-2017 Apple Inc. All rights reserved.
  *
  *  This library is free software; you can redistribute it and/or
  *  modify it under the terms of the GNU Lesser General Public
@@ -71,8 +71,7 @@
 {
     JSGlobalObject* globalObject = exec->lexicalGlobalObject();
     PrototypeMap& prototypeMap = globalObject->vm().prototypeMap;
-    Structure* structure = prototypeMap.emptyObjectStructureForPrototype(
-        prototype, inlineCapacity);
+    Structure* structure = prototypeMap.emptyObjectStructureForPrototype(globalObject, prototype, inlineCapacity);
     return constructEmptyObject(exec, structure);
 }
 

Modified: branches/safari-603-branch/Source/_javascript_Core/runtime/PrototypeMap.cpp (212085 => 212086)


--- branches/safari-603-branch/Source/_javascript_Core/runtime/PrototypeMap.cpp	2017-02-10 08:15:47 UTC (rev 212085)
+++ branches/safari-603-branch/Source/_javascript_Core/runtime/PrototypeMap.cpp	2017-02-10 08:15:53 UTC (rev 212086)
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2013, 2016 Apple Inc. All rights reserved.
+ * Copyright (C) 2013, 2016-2017 Apple Inc. All rights reserved.
  *
  * Redistribution and use in source and binary forms, with or without
  * modification, are permitted provided that the following conditions
@@ -54,9 +54,9 @@
     // used as a prototype.
 }
 
-inline Structure* PrototypeMap::createEmptyStructure(JSObject* prototype, const TypeInfo& typeInfo, const ClassInfo* classInfo, IndexingType indexingType, unsigned inlineCapacity)
+inline Structure* PrototypeMap::createEmptyStructure(JSGlobalObject* globalObject, JSObject* prototype, const TypeInfo& typeInfo, const ClassInfo* classInfo, IndexingType indexingType, unsigned inlineCapacity)
 {
-    auto key = std::make_pair(prototype, std::make_pair(inlineCapacity, classInfo));
+    auto key = std::make_pair(prototype, std::make_pair(inlineCapacity, std::make_pair(classInfo, globalObject)));
     if (Structure* structure = m_structures.get(key)) {
         ASSERT(isPrototype(prototype));
         return structure;
@@ -64,12 +64,12 @@
 
     addPrototype(prototype);
     Structure* structure = Structure::create(
-        prototype->globalObject()->vm(), prototype->globalObject(), prototype, typeInfo, classInfo, indexingType, inlineCapacity);
+        globalObject->vm(), globalObject, prototype, typeInfo, classInfo, indexingType, inlineCapacity);
     m_structures.set(key, Weak<Structure>(structure));
     return structure;
 }
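Review bot: `createEmptyStructure` now dereferences `globalObject` for both `vm()` and the structure's owner, but nothing validates the parameter, while the old code derived it from `prototype->globalObject()` and could not be null. An `ASSERT(globalObject);` at the top of the function, next to the existing `ASSERT(isPrototype(prototype))` on the cache hit, would catch a caller that threads a null through the new parameter, and a comment on the key line would help readers: `// Keyed by globalObject so the same prototype yields a distinct structure per realm; see bug 167121.` The function body begins in the preceding hunk.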
 
-Structure* PrototypeMap::emptyStructureForPrototypeFromBaseStructure(JSObject* prototype, Structure* baseStructure)
+Structure* PrototypeMap::emptyStructureForPrototypeFromBaseStructure(JSGlobalObject* globalObject, JSObject* prototype, Structure* baseStructure)
 {
     // We currently do not have inline capacity static analysis for subclasses and all internal function constructors have a default inline capacity of 0.
     IndexingType indexingType = baseStructure->indexingType();
@@ -76,17 +76,17 @@
     if (prototype->structure()->anyObjectInChainMayInterceptIndexedAccesses() && hasIndexedProperties(indexingType))
         indexingType = (indexingType & ~IndexingShapeMask) | SlowPutArrayStorageShape;
 
-    return createEmptyStructure(prototype, baseStructure->typeInfo(), baseStructure->classInfo(), indexingType, 0);
+    return createEmptyStructure(globalObject, prototype, baseStructure->typeInfo(), baseStructure->classInfo(), indexingType, 0);
 }
 
-Structure* PrototypeMap::emptyObjectStructureForPrototype(JSObject* prototype, unsigned inlineCapacity)
+Structure* PrototypeMap::emptyObjectStructureForPrototype(JSGlobalObject* globalObject, JSObject* prototype, unsigned inlineCapacity)
 {
-    return createEmptyStructure(prototype, JSFinalObject::typeInfo(), JSFinalObject::info(), JSFinalObject::defaultIndexingType, inlineCapacity);
+    return createEmptyStructure(globalObject, prototype, JSFinalObject::typeInfo(), JSFinalObject::info(), JSFinalObject::defaultIndexingType, inlineCapacity);
 }
 
-void PrototypeMap::clearEmptyObjectStructureForPrototype(JSObject* object, unsigned inlineCapacity)
+void PrototypeMap::clearEmptyObjectStructureForPrototype(JSGlobalObject* globalObject, JSObject* object, unsigned inlineCapacity)
 {
-    m_structures.remove(std::make_pair(object, std::make_pair(inlineCapacity, JSFinalObject::info())));
+    m_structures.remove(std::make_pair(object, std::make_pair(inlineCapacity, std::make_pair(JSFinalObject::info(), globalObject))));
 }
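Review bot: The map key is now built by hand in two places, here in `clearEmptyObjectStructureForPrototype` and in `createEmptyStructure` above, and the two nested-pair expressions must stay field-for-field identical or removals silently miss. Until the FIXME in PrototypeMap.h turns the key into a struct, a single private helper such as `static StructureMap::KeyType makeKey(JSObject* prototype, unsigned inlineCapacity, const ClassInfo* classInfo, JSGlobalObject* globalObject)` used by both would keep them in sync; this is a style point, not a defect in the current code.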
 
 } // namespace JSC

Modified: branches/safari-603-branch/Source/_javascript_Core/runtime/PrototypeMap.h (212085 => 212086)


--- branches/safari-603-branch/Source/_javascript_Core/runtime/PrototypeMap.h	2017-02-10 08:15:47 UTC (rev 212085)
+++ branches/safari-603-branch/Source/_javascript_Core/runtime/PrototypeMap.h	2017-02-10 08:15:53 UTC (rev 212086)
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2013, 2016 Apple Inc. All rights reserved.
+ * Copyright (C) 2013, 2016-2017 Apple Inc. All rights reserved.
  *
  * Redistribution and use in source and binary forms, with or without
  * modification, are permitted provided that the following conditions
@@ -32,6 +32,7 @@
 
 namespace JSC {
 
+class JSGlobalObject;
 class JSObject;
 class Structure;
 class VM;
@@ -45,17 +46,18 @@
     {
     }
 
-    JS_EXPORT_PRIVATE Structure* emptyObjectStructureForPrototype(JSObject*, unsigned inlineCapacity);
-    JS_EXPORT_PRIVATE Structure* emptyStructureForPrototypeFromBaseStructure(JSObject*, Structure*);
-    void clearEmptyObjectStructureForPrototype(JSObject*, unsigned inlineCapacity);
+    JS_EXPORT_PRIVATE Structure* emptyObjectStructureForPrototype(JSGlobalObject*, JSObject*, unsigned inlineCapacity);
+    JS_EXPORT_PRIVATE Structure* emptyStructureForPrototypeFromBaseStructure(JSGlobalObject*, JSObject*, Structure*);
+    void clearEmptyObjectStructureForPrototype(JSGlobalObject*, JSObject*, unsigned inlineCapacity);
     JS_EXPORT_PRIVATE void addPrototype(JSObject*);
     inline TriState isPrototype(JSObject*) const; // Returns a conservative estimate.
 
 private:
-    Structure* createEmptyStructure(JSObject* prototype, const TypeInfo&, const ClassInfo*, IndexingType, unsigned inlineCapacity);
+    Structure* createEmptyStructure(JSGlobalObject*, JSObject* prototype, const TypeInfo&, const ClassInfo*, IndexingType, unsigned inlineCapacity);
 
     WeakGCMap<JSObject*, JSObject> m_prototypes;
-    typedef WeakGCMap<std::pair<JSObject*, std::pair<unsigned, const ClassInfo*>>, Structure> StructureMap;
+    // FIXME: make the key a struct.
+    typedef WeakGCMap<std::pair<JSObject*, std::pair<unsigned, std::pair<const ClassInfo*, JSGlobalObject*>>>, Structure> StructureMap;
     StructureMap m_structures;
 };
 