Revision: 206359
Author: [email protected]
Date: 2016-09-24 23:37:04 -0700 (Sat, 24 Sep 2016)

Log Message:
REGRESSION (r206221): [USER] com.apple.WebKit.WebContent.Development at com.apple.JavaScriptCore: vmEntryToJavaScript + 299
https://bugs.webkit.org/show_bug.cgi?id=162536
<rdar://problem/28415971>
Reviewed by Gavin Barraclough.
Source/JavaScriptCore:
Drop API on PropertySlot for setting a cacheable custom getter/setter
given that this is not supported yet and will lead to crashes if used.
* runtime/PropertySlot.h:
(JSC::PropertySlot::isCacheableCustom):
(JSC::PropertySlot::isCacheableCustomAccessor): Deleted.
(JSC::PropertySlot::setCacheableCustomGetterSetter): Deleted.
Source/WebCore:
Stop marking cross-origin Window/Location objects' properties as cacheable
given that we do not yet support caching of such properties. This is because
they are using the new CustomAccessor PropertySlot type, which is not handled
yet by Repatch.cpp. Performance is anyway not critical for cross-origin
Window / Location properties.
Test: http/tests/security/cross-origin-window-property-caching-crash.html
* bindings/js/JSDOMWindowCustom.cpp:
(WebCore::jsDOMWindowGetOwnPropertySlotRestrictedAccess):
* bindings/js/JSLocationCustom.cpp:
(WebCore::JSLocation::getOwnPropertySlotDelegate):
LayoutTests:
Add layout test coverage.
* http/tests/security/cross-origin-window-property-caching-crash-expected.txt: Added.
* http/tests/security/cross-origin-window-property-caching-crash.html: Added.
Diff
Modified: trunk/LayoutTests/ChangeLog (206358 => 206359)
--- trunk/LayoutTests/ChangeLog 2016-09-25 05:08:56 UTC (rev 206358)
+++ trunk/LayoutTests/ChangeLog 2016-09-25 06:37:04 UTC (rev 206359)
@@ -1,5 +1,18 @@
2016-09-24 Chris Dumez <[email protected]>
+ REGRESSION (r206221): [USER] com.apple.WebKit.WebContent.Development at com.apple._javascript_Core: vmEntryToJavaScript + 299
+ https://bugs.webkit.org/show_bug.cgi?id=162536
+ <rdar://problem/28415971>
+
+ Reviewed by Gavin Barraclough.
+
+ Add layout test coverage.
+
+ * http/tests/security/cross-origin-window-property-caching-crash-expected.txt: Added.
+ * http/tests/security/cross-origin-window-property-caching-crash.html: Added.
+
+2016-09-24 Chris Dumez <[email protected]>
+
REGRESSION (r205524): Crash under WTF::numGraphemeClusters()
https://bugs.webkit.org/show_bug.cgi?id=162534
<rdar://problem/28463828>
Added: trunk/LayoutTests/http/tests/security/cross-origin-window-property-caching-crash-expected.txt (0 => 206359)
--- trunk/LayoutTests/http/tests/security/cross-origin-window-property-caching-crash-expected.txt (rev 0)
+++ trunk/LayoutTests/http/tests/security/cross-origin-window-property-caching-crash-expected.txt 2016-09-25 06:37:04 UTC (rev 206359)
@@ -0,0 +1,6 @@
+Test that we do not crash when repeatedly accessing properties of a cross-origin Window.
+
+This test passes if it does not crash
+
+
+PASS
Added: trunk/LayoutTests/http/tests/security/cross-origin-window-property-caching-crash.html (0 => 206359)
--- trunk/LayoutTests/http/tests/security/cross-origin-window-property-caching-crash.html (rev 0)
+++ trunk/LayoutTests/http/tests/security/cross-origin-window-property-caching-crash.html 2016-09-25 06:37:04 UTC (rev 206359)
@@ -0,0 +1,25 @@
+<!DOCTYPE html>
+<html>
+<body>
+<p>Test that we do not crash when repeatedly accessing properties of a cross-origin Window.</p>
+<p>This test passes if it does not crash</p>
+<iframe src=""
+<script>
+if (window.testRunner)
+ testRunner.dumpAsText();
+
+_onload_ = function() {
+ var i = 0;
+ var iterations = 100000;
+ var crossOriginWindow = frames[0];
+ for (var i = 0; i < iterations; i++) {
+ i += crossOriginWindow.closed;
+ }
+ if (i == iterations)
+ document.body.appendChild(document.createTextNode("PASS"));
+ else
+ document.body.appendChild(document.createTextNode("FAIL"));
+}
+</script>
+</body>
+</html>
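Review bot: the `<iframe src=""` line is not a complete element (no closing `>` and no `</iframe>`) and its src is empty, so as written frames[0] would be a same-origin about:blank frame and the loop would never take the cross-origin getOwnPropertySlotRestrictedAccess path this regression test exists for; point src at a resource on a different origin (a second localhost port, as the other http/tests/security tests do) and close the tag. Two smaller points in the script: `var i = 0;` is redeclared by `for (var i = 0; ...)` and can go, and the FAIL branch is effectively unreachable, since `closed` is false for a live frame (adding 0) and even if it were true the step of 2 still lands exactly on 100000, so if a result check is wanted at all, assert `crossOriginWindow.closed === false` directly and keep the loop purely as the crash reproducer.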
Modified: trunk/Source/_javascript_Core/ChangeLog (206358 => 206359)
--- trunk/Source/_javascript_Core/ChangeLog 2016-09-25 05:08:56 UTC (rev 206358)
+++ trunk/Source/_javascript_Core/ChangeLog 2016-09-25 06:37:04 UTC (rev 206359)
@@ -1,3 +1,19 @@
+2016-09-24 Chris Dumez <[email protected]>
+
+ REGRESSION (r206221): [USER] com.apple.WebKit.WebContent.Development at com.apple._javascript_Core: vmEntryToJavaScript + 299
+ https://bugs.webkit.org/show_bug.cgi?id=162536
+ <rdar://problem/28415971>
+
+ Reviewed by Gavin Barraclough.
+
+ Drop API on PropertySlot for setting a cacheable custom getter/setter
+ given that this is not supported yet and will lead to crashes if used.
+
+ * runtime/PropertySlot.h:
+ (JSC::PropertySlot::isCacheableCustom):
+ (JSC::PropertySlot::isCacheableCustomAccessor): Deleted.
+ (JSC::PropertySlot::setCacheableCustomGetterSetter): Deleted.
+
2016-09-23 Filip Pizlo <[email protected]>
Need a store-load fence between setting cell state and visiting the object in SlotVisitor
Modified: trunk/Source/_javascript_Core/runtime/PropertySlot.h (206358 => 206359)
--- trunk/Source/_javascript_Core/runtime/PropertySlot.h 2016-09-25 05:08:56 UTC (rev 206358)
+++ trunk/Source/_javascript_Core/runtime/PropertySlot.h 2016-09-25 06:37:04 UTC (rev 206359)
@@ -112,7 +112,6 @@
bool isCacheableValue() const { return isCacheable() && isValue(); }
bool isCacheableGetter() const { return isCacheable() && isAccessor(); }
bool isCacheableCustom() const { return isCacheable() && isCustom(); }
- bool isCacheableCustomAccessor() const { return isCacheable() && isCustomAccessor(); }
void setIsTaintedByOpaqueObject() { m_isTaintedByOpaqueObject = true; }
bool isTaintedByOpaqueObject() const { return m_isTaintedByOpaqueObject; }
@@ -241,20 +240,6 @@
m_offset = invalidOffset;
}
- void setCacheableCustomGetterSetter(JSObject* slotBase, unsigned attributes, CustomGetterSetter* getterSetter)
- {
- ASSERT(attributes == attributesForStructure(attributes));
-
- ASSERT(getterSetter);
- m_data.customAccessor.getterSetter = getterSetter;
- m_attributes = attributes;
-
- ASSERT(slotBase);
- m_slotBase = slotBase;
- m_propertyType = TypeCustomAccessor;
- m_offset = !invalidOffset;
- }
-
void setGetterSlot(JSObject* slotBase, unsigned attributes, GetterSetter* getterSetter)
{
ASSERT(attributes == attributesForStructure(attributes));
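Review bot: removing `setCacheableCustomGetterSetter` turns any future misuse into a compile error instead of the vmEntryToJavaScript crash, which is the right call while Repatch.cpp has no TypeCustomAccessor support, but nothing left in the header records why; add a short comment next to the surviving `setCustomGetterSetter` stating that TypeCustomAccessor slots must stay non-cacheable until Repatch.cpp handles them, so the cacheable variant is not quietly reintroduced. The deleted body's `m_offset = !invalidOffset;` (a logical NOT used to fabricate a "valid" offset) is also a good thing to see go; if a cacheable variant ever returns it should take a real offset rather than repeat that idiom.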
Modified: trunk/Source/WebCore/ChangeLog (206358 => 206359)
--- trunk/Source/WebCore/ChangeLog 2016-09-25 05:08:56 UTC (rev 206358)
+++ trunk/Source/WebCore/ChangeLog 2016-09-25 06:37:04 UTC (rev 206359)
@@ -1,5 +1,26 @@
2016-09-24 Chris Dumez <[email protected]>
+ REGRESSION (r206221): [USER] com.apple.WebKit.WebContent.Development at com.apple._javascript_Core: vmEntryToJavaScript + 299
+ https://bugs.webkit.org/show_bug.cgi?id=162536
+ <rdar://problem/28415971>
+
+ Reviewed by Gavin Barraclough.
+
+ Stop marking cross-origin Window/Location objects properties as cacheable
+ given that we do not support yet caching of such properties. This is because
+ they are using the new CustomAccesstor PropertySlot type, which is not handled
+ yet by Repatch.cpp. Performance is anyway not critical for cross-origin
+ Window / Location properties.
+
+ Test: http/tests/security/cross-origin-window-property-caching-crash.html
+
+ * bindings/js/JSDOMWindowCustom.cpp:
+ (WebCore::jsDOMWindowGetOwnPropertySlotRestrictedAccess):
+ * bindings/js/JSLocationCustom.cpp:
+ (WebCore::JSLocation::getOwnPropertySlotDelegate):
+
+2016-09-24 Chris Dumez <[email protected]>
+
REGRESSION (r205524): Crash under WTF::numGraphemeClusters()
https://bugs.webkit.org/show_bug.cgi?id=162534
<rdar://problem/28463828>
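Review bot: typo in the description, "CustomAccesstor" should be "CustomAccessor", and "we do not support yet caching" reads better as "we do not yet support caching"; also "Window/Location objects properties" wants the possessive ("objects' properties"). Worth fixing before landing since this ChangeLog entry is the only place the Repatch.cpp limitation is explained.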
Modified: trunk/Source/WebCore/bindings/js/JSDOMWindowCustom.cpp (206358 => 206359)
--- trunk/Source/WebCore/bindings/js/JSDOMWindowCustom.cpp 2016-09-25 05:08:56 UTC (rev 206358)
+++ trunk/Source/WebCore/bindings/js/JSDOMWindowCustom.cpp 2016-09-25 06:37:04 UTC (rev 206359)
@@ -133,7 +133,7 @@
|| propertyName == exec->propertyNames().top) {
bool shouldExposeSetter = propertyName == exec->propertyNames().location;
CustomGetterSetter* customGetterSetter = CustomGetterSetter::create(vm, entry->propertyGetter(), shouldExposeSetter ? entry->propertyPutter() : nullptr);
- slot.setCacheableCustomGetterSetter(thisObject, DontEnum | CustomAccessor, customGetterSetter);
+ slot.setCustomGetterSetter(thisObject, DontEnum | CustomAccessor, customGetterSetter);
return true;
}
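Review bot: the slot is still tagged `DontEnum | CustomAccessor` but is now non-cacheable, and a reader of this file has no way to tell that the non-cacheable setter is deliberate rather than an oversight; add a one-line comment above the `slot.setCustomGetterSetter(...)` call saying the cacheable form must not be used here because Repatch.cpp does not handle TypeCustomAccessor slots (the ChangeLog explains it, the code does not), otherwise the next performance-minded pass over cross-origin Window access will put `setCacheableCustomGetterSetter` straight back.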
Modified: trunk/Source/WebCore/bindings/js/JSLocationCustom.cpp (206358 => 206359)
--- trunk/Source/WebCore/bindings/js/JSLocationCustom.cpp 2016-09-25 05:08:56 UTC (rev 206358)
+++ trunk/Source/WebCore/bindings/js/JSLocationCustom.cpp 2016-09-25 06:37:04 UTC (rev 206359)
@@ -62,7 +62,7 @@
if (slot.internalMethodType() == PropertySlot::InternalMethodType::GetOwnProperty && propertyName == exec->propertyNames().href) {
auto* entry = JSLocation::info()->staticPropHashTable->entry(propertyName);
CustomGetterSetter* customGetterSetter = CustomGetterSetter::create(vm, nullptr, entry->propertyPutter());
- slot.setCacheableCustomGetterSetter(this, DontEnum | CustomAccessor, customGetterSetter);
+ slot.setCustomGetterSetter(this, DontEnum | CustomAccessor, customGetterSetter);
return true;
}
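Review bot: same fix as JSDOMWindowCustom.cpp, with one extra detail worth noting in a comment: this CustomGetterSetter is created with a `nullptr` getter (cross-origin Location only exposes the href setter), so beyond the Repatch.cpp limitation there is nothing for a get inline cache to call, and the slot should remain non-cacheable even once TypeCustomAccessor caching lands. Since the two callers now differ only in the receiver (`this` vs `thisObject`), a shared helper in the bindings that builds a non-cacheable cross-origin accessor slot would keep the two sites from drifting.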