Diff
Modified: trunk/LayoutTests/ChangeLog (205938 => 205939)
--- trunk/LayoutTests/ChangeLog 2016-09-14 23:51:51 UTC (rev 205938)
+++ trunk/LayoutTests/ChangeLog 2016-09-15 00:03:05 UTC (rev 205939)
@@ -1,3 +1,17 @@
+2016-09-14 Chris Dumez <[email protected]>
+
+ REGRESSION (r205670): ASSERTION FAILED: methodTable(vm)->toThis(this, exec, NotStrictMode) == this
+ https://bugs.webkit.org/show_bug.cgi?id=161982
+
+ Reviewed by Saam Barati.
+
+ Bring back JSC test coverage that got lost in r205670.
+
+ * js/object-literal-shorthand-construction-expected.txt:
+ * js/script-tests/object-literal-shorthand-construction.js:
+ * js/script-tests/sloppy-getter-setter-global-object.js:
+ * js/sloppy-getter-setter-global-object-expected.txt:
+
2016-09-14 Joseph Pecoraro <[email protected]>
test262: TypedArray constructors length should be 3 and configurable
Modified: trunk/LayoutTests/js/object-literal-shorthand-construction-expected.txt (205938 => 205939)
--- trunk/LayoutTests/js/object-literal-shorthand-construction-expected.txt 2016-09-14 23:51:51 UTC (rev 205938)
+++ trunk/LayoutTests/js/object-literal-shorthand-construction-expected.txt 2016-09-15 00:03:05 UTC (rev 205939)
@@ -61,6 +61,8 @@
PASS !!Object.getOwnPropertyDescriptor({set x(value){}}, 'x').set is true
PASS !!Object.getOwnPropertyDescriptor({set 'x'(value){}}, 'x').set is true
PASS !!Object.getOwnPropertyDescriptor({set 42(value){}}, '42').set is true
+PASS __proto__ = [] threw exception TypeError: Cannot set prototype of this object.
+PASS ({__proto__: __proto__}) instanceof Array is false
PASS successfullyParsed is true
TEST COMPLETE
Modified: trunk/LayoutTests/js/script-tests/object-literal-shorthand-construction.js (205938 => 205939)
--- trunk/LayoutTests/js/script-tests/object-literal-shorthand-construction.js 2016-09-14 23:51:51 UTC (rev 205938)
+++ trunk/LayoutTests/js/script-tests/object-literal-shorthand-construction.js 2016-09-15 00:03:05 UTC (rev 205939)
@@ -109,3 +109,6 @@
shouldBeTrue("!!Object.getOwnPropertyDescriptor({set 'x'(value){}}, 'x').set");
shouldBeTrue("!!Object.getOwnPropertyDescriptor({set 42(value){}}, '42').set");
+// __proto__ shorthand should not modify the prototype.
+shouldThrow("__proto__ = []");
+shouldBeFalse("({__proto__: __proto__}) instanceof Array");
Modified: trunk/LayoutTests/js/script-tests/sloppy-getter-setter-global-object.js (205938 => 205939)
--- trunk/LayoutTests/js/script-tests/sloppy-getter-setter-global-object.js 2016-09-14 23:51:51 UTC (rev 205938)
+++ trunk/LayoutTests/js/script-tests/sloppy-getter-setter-global-object.js 2016-09-15 00:03:05 UTC (rev 205939)
@@ -32,3 +32,5 @@
var top_level_sloppy_getter = Object.getOwnPropertyDescriptor(Object.prototype,'__proto__').get;
shouldNotThrow("top_level_sloppy_getter();");
+var top_level_sloppy_setter = Object.getOwnPropertyDescriptor(Object.prototype,'__proto__').set;
+shouldThrow("top_level_sloppy_setter(['foo']);");
Modified: trunk/LayoutTests/js/sloppy-getter-setter-global-object-expected.txt (205938 => 205939)
--- trunk/LayoutTests/js/sloppy-getter-setter-global-object-expected.txt 2016-09-14 23:51:51 UTC (rev 205938)
+++ trunk/LayoutTests/js/sloppy-getter-setter-global-object-expected.txt 2016-09-15 00:03:05 UTC (rev 205939)
@@ -11,6 +11,7 @@
PASS (0,Object.getOwnPropertyDescriptor(Object.prototype,'__proto__').get)() threw exception TypeError: Can't convert undefined or null to object.
PASS (0,Object.getOwnPropertyDescriptor(Object.prototype,'__proto__').set)(['foo']) threw exception TypeError: Can't convert undefined or null to object.
PASS top_level_sloppy_getter(); did not throw exception.
+PASS top_level_sloppy_setter(['foo']); threw exception TypeError: Cannot set prototype of this object.
PASS successfullyParsed is true
TEST COMPLETE
Modified: trunk/Source/_javascript_Core/ChangeLog (205938 => 205939)
--- trunk/Source/_javascript_Core/ChangeLog 2016-09-14 23:51:51 UTC (rev 205938)
+++ trunk/Source/_javascript_Core/ChangeLog 2016-09-15 00:03:05 UTC (rev 205939)
@@ -1,3 +1,21 @@
+2016-09-14 Chris Dumez <[email protected]>
+
+ REGRESSION (r205670): ASSERTION FAILED: methodTable(vm)->toThis(this, exec, NotStrictMode) == this
+ https://bugs.webkit.org/show_bug.cgi?id=161982
+
+ Reviewed by Saam Barati.
+
+ Update JSProxy::setPrototype() to return false unconditionally instead
+ of forwarding the call to its target. We used to forward to the target
+ and then the JSDOMWindow's [[SetPrototypeOf]] would return false.
+ However, the JSC tests use a different GlobalObject and forwarding
+ the setPrototypeOf() call to the GlobalObject lead to hitting an
+ assertion. This patch aligns the behavior of the GlobalObject used by
+ the JSC tests with JSDOMWindow.
+
+ * runtime/JSProxy.cpp:
+ (JSC::JSProxy::setPrototype):
+
2016-09-14 Michael Saboff <[email protected]>
YARR doesn't check for invalid flags for literal regular expressions
Modified: trunk/Source/_javascript_Core/runtime/JSProxy.cpp (205938 => 205939)
--- trunk/Source/_javascript_Core/runtime/JSProxy.cpp 2016-09-14 23:51:51 UTC (rev 205938)
+++ trunk/Source/_javascript_Core/runtime/JSProxy.cpp 2016-09-15 00:03:05 UTC (rev 205939)
@@ -145,10 +145,14 @@
thisObject->target()->methodTable(exec->vm())->getOwnPropertyNames(thisObject->target(), exec, propertyNames, mode);
}
-bool JSProxy::setPrototype(JSObject* object, ExecState* exec, JSValue value, bool shouldThrowIfCantSet)
+bool JSProxy::setPrototype(JSObject*, ExecState* exec, JSValue, bool shouldThrowIfCantSet)
{
- JSProxy* thisObject = jsCast<JSProxy*>(object);
- return thisObject->target()->methodTable(exec->vm())->setPrototype(thisObject->target(), exec, value, shouldThrowIfCantSet);
+ auto scope = DECLARE_THROW_SCOPE(exec->vm());
+
+ if (shouldThrowIfCantSet)
+ throwTypeError(exec, scope, ASCIILiteral("Cannot set prototype of this object"));
+
+ return false;
}
JSValue JSProxy::getPrototype(JSObject* object, ExecState* exec)
Modified: trunk/Source/WebCore/ChangeLog (205938 => 205939)
--- trunk/Source/WebCore/ChangeLog 2016-09-14 23:51:51 UTC (rev 205938)
+++ trunk/Source/WebCore/ChangeLog 2016-09-15 00:03:05 UTC (rev 205939)
@@ -1,3 +1,20 @@
+2016-09-14 Chris Dumez <[email protected]>
+
+ REGRESSION (r205670): ASSERTION FAILED: methodTable(vm)->toThis(this, exec, NotStrictMode) == this
+ https://bugs.webkit.org/show_bug.cgi?id=161982
+
+ Reviewed by Saam Barati.
+
+ We no longer need a custom [[SetPrototypeOf]] anymore as JSProxy::setPrototypeOf()
+ no longer forwards the call to its target.
+
+ No new layout tests because the behavior only changes in the context of the JSC
+ tests (which were updated in this patch).
+
+ * bindings/js/JSDOMWindowCustom.cpp:
+ (WebCore::JSDOMWindow::setPrototype): Deleted.
+ * page/DOMWindow.idl:
+
2016-09-14 Wenson Hsieh <[email protected]>
Media controls behave strangely when changing media sources
Modified: trunk/Source/WebCore/bindings/js/JSDOMWindowCustom.cpp (205938 => 205939)
--- trunk/Source/WebCore/bindings/js/JSDOMWindowCustom.cpp 2016-09-14 23:51:51 UTC (rev 205938)
+++ trunk/Source/WebCore/bindings/js/JSDOMWindowCustom.cpp 2016-09-15 00:03:05 UTC (rev 205939)
@@ -357,16 +357,6 @@
return Base::defineOwnProperty(thisObject, exec, propertyName, descriptor, shouldThrow);
}
-bool JSDOMWindow::setPrototype(JSObject*, ExecState* exec, JSValue, bool shouldThrowIfCantSet)
-{
- auto scope = DECLARE_THROW_SCOPE(exec->vm());
-
- if (shouldThrowIfCantSet)
- throwTypeError(exec, scope, ASCIILiteral("Cannot set prototype of this object"));
-
- return false;
-}
-
JSValue JSDOMWindow::getPrototype(JSObject* object, ExecState* exec)
{
JSDOMWindow* thisObject = jsCast<JSDOMWindow*>(object);
Modified: trunk/Source/WebCore/page/DOMWindow.idl (205938 => 205939)
--- trunk/Source/WebCore/page/DOMWindow.idl 2016-09-14 23:51:51 UTC (rev 205938)
+++ trunk/Source/WebCore/page/DOMWindow.idl 2016-09-15 00:03:05 UTC (rev 205939)
@@ -33,7 +33,6 @@
CustomPreventExtensions,
CustomProxyToJSObject,
CustomPutFunction,
- CustomSetPrototype,
ExportMacro=WEBCORE_EXPORT,
ImplicitThis,
InterfaceName=Window,
