- Revision
- 126720
- Author
- [email protected]
- Date
- 2012-08-26 20:48:14 -0700 (Sun, 26 Aug 2012)
Log Message
Removed a JSC-specific hack from the web inspector
https://bugs.webkit.org/show_bug.cgi?id=95033
Reviewed by Filip Pizlo.
Source/_javascript_Core:
Added support for what the web inspector really wanted instead.
* runtime/JSActivation.cpp:
(JSC::JSActivation::symbolTableGet):
(JSC::JSActivation::symbolTablePut): Added some explanation for these
checks, which were non-obvious to me.
(JSC::JSActivation::getOwnPropertySlot): It's impossible to access the
arguments property of an activation after it's been torn off, since the
only way to tear off an activation is to instantiate a new function,
which has its own arguments property in scope. However, the inspector
get special access to activations, and may try to perform this access,
so we need a special guard to maintain coherence and avoid crashing in
case the activation optimized out the arguments property.
* runtime/JSActivation.cpp:
(JSC::JSActivation::symbolTableGet):
(JSC::JSActivation::symbolTablePut):
(JSC::JSActivation::getOwnPropertyNames):
(JSC::JSActivation::getOwnPropertyDescriptor): Provide getOwnPropertyNames
and getOwnPropertyDescriptor implementations, to meet the web inspector's
needs. (User code can never call these.)
Source/WebCore:
The hack was never reviewed. If it had been, I suspect it would have
gotten an r- for making weird assumptions about the engine's implimentation.
* inspector/InjectedScriptSource.js: It's not sound to assume that an
object has no properties except for "arguments" if and only if it's an
activation: non-activations can have a property named "arguments", and
activations can optimize out "arguments".
Modified Paths
Diff
Modified: trunk/Source/_javascript_Core/ChangeLog (126719 => 126720)
--- trunk/Source/_javascript_Core/ChangeLog 2012-08-27 02:49:36 UTC (rev 126719)
+++ trunk/Source/_javascript_Core/ChangeLog 2012-08-27 03:48:14 UTC (rev 126720)
@@ -1,3 +1,33 @@
+2011-08-26 Geoffrey Garen <[email protected]>
+
+ Removed a JSC-specific hack from the web inspector
+ https://bugs.webkit.org/show_bug.cgi?id=95033
+
+ Reviewed by Filip Pizlo.
+
+ Added support for what the web inspector really wanted instead.
+
+ * runtime/JSActivation.cpp:
+ (JSC::JSActivation::symbolTableGet):
+ (JSC::JSActivation::symbolTablePut): Added some explanation for these
+ checks, which were non-obvious to me.
+
+ (JSC::JSActivation::getOwnPropertySlot): It's impossible to access the
+ arguments property of an activation after it's been torn off, since the
+ only way to tear off an activation is to instantiate a new function,
+ which has its own arguments property in scope. However, the inspector
+ get special access to activations, and may try to perform this access,
+ so we need a special guard to maintain coherence and avoid crashing in
+ case the activation optimized out the arguments property.
+
+ * runtime/JSActivation.cpp:
+ (JSC::JSActivation::symbolTableGet):
+ (JSC::JSActivation::symbolTablePut):
+ (JSC::JSActivation::getOwnPropertyNames):
+ (JSC::JSActivation::getOwnPropertyDescriptor): Provide getOwnPropertyNames
+ and getOwnPropertyDescriptor implementations, to meet the web inspector's
+ needs. (User code can never call these.)
+
2012-08-24 Filip Pizlo <[email protected]>
Finally inlining should correctly track the catch context
Modified: trunk/Source/_javascript_Core/runtime/JSActivation.cpp (126719 => 126720)
--- trunk/Source/_javascript_Core/runtime/JSActivation.cpp 2012-08-27 02:49:36 UTC (rev 126719)
+++ trunk/Source/_javascript_Core/runtime/JSActivation.cpp 2012-08-27 03:48:14 UTC (rev 126720)
@@ -86,6 +86,8 @@
SymbolTableEntry entry = symbolTable()->inlineGet(propertyName.publicName());
if (entry.isNull())
return false;
+
+ // Defend against the inspector asking for a var after it has been optimized out.
if (m_isTornOff && entry.getIndex() >= m_numCapturedVars)
return false;
@@ -93,6 +95,20 @@
return true;
}
+inline bool JSActivation::symbolTableGet(PropertyName propertyName, PropertyDescriptor& descriptor)
+{
+ SymbolTableEntry entry = symbolTable()->inlineGet(propertyName.publicName());
+ if (entry.isNull())
+ return false;
+
+ // Defend against the inspector asking for a var after it has been optimized out.
+ if (m_isTornOff && entry.getIndex() >= m_numCapturedVars)
+ return false;
+
+ descriptor.setDescriptor(registerAt(entry.getIndex()).get(), entry.getAttributes());
+ return true;
+}
+
inline bool JSActivation::symbolTablePut(ExecState* exec, PropertyName propertyName, JSValue value, bool shouldThrow)
{
JSGlobalData& globalData = exec->globalData();
@@ -106,6 +122,8 @@
throwTypeError(exec, StrictModeReadonlyPropertyWriteError);
return true;
}
+
+ // Defend against the inspector asking for a var after it has been optimized out.
if (m_isTornOff && entry.getIndex() >= m_numCapturedVars)
return false;
@@ -116,6 +134,10 @@
void JSActivation::getOwnPropertyNames(JSObject* object, ExecState* exec, PropertyNameArray& propertyNames, EnumerationMode mode)
{
JSActivation* thisObject = jsCast<JSActivation*>(object);
+
+ if (mode == IncludeDontEnumProperties)
+ propertyNames.add(exec->propertyNames().arguments);
+
SymbolTable::const_iterator end = thisObject->symbolTable()->end();
for (SymbolTable::const_iterator it = thisObject->symbolTable()->begin(); it != end; ++it) {
if (it->second.getAttributes() & DontEnum && mode != IncludeDontEnumProperties)
@@ -148,9 +170,13 @@
bool JSActivation::getOwnPropertySlot(JSCell* cell, ExecState* exec, PropertyName propertyName, PropertySlot& slot)
{
JSActivation* thisObject = jsCast<JSActivation*>(cell);
+
if (propertyName == exec->propertyNames().arguments) {
- slot.setCustom(thisObject, thisObject->getArgumentsGetter());
- return true;
+ // Defend against the inspector asking for the arguments object after it has been optimized out.
+ if (!thisObject->m_isTornOff) {
+ slot.setCustom(thisObject, thisObject->getArgumentsGetter());
+ return true;
+ }
}
if (thisObject->symbolTableGet(propertyName, slot))
@@ -168,6 +194,26 @@
return false;
}
+bool JSActivation::getOwnPropertyDescriptor(JSObject* object, ExecState* exec, PropertyName propertyName, PropertyDescriptor& descriptor)
+{
+ JSActivation* thisObject = jsCast<JSActivation*>(object);
+
+ if (propertyName == exec->propertyNames().arguments) {
+ // Defend against the inspector asking for the arguments object after it has been optimized out.
+ if (!thisObject->m_isTornOff) {
+ PropertySlot slot;
+ JSActivation::getOwnPropertySlot(thisObject, exec, propertyName, slot);
+ descriptor.setDescriptor(slot.getValue(exec, propertyName), DontEnum);
+ return true;
+ }
+ }
+
+ if (thisObject->symbolTableGet(propertyName, descriptor))
+ return true;
+
+ return Base::getOwnPropertyDescriptor(object, exec, propertyName, descriptor);
+}
+
void JSActivation::put(JSCell* cell, ExecState* exec, PropertyName propertyName, JSValue value, PutPropertySlot& slot)
{
JSActivation* thisObject = jsCast<JSActivation*>(cell);
Modified: trunk/Source/_javascript_Core/runtime/JSActivation.h (126719 => 126720)
--- trunk/Source/_javascript_Core/runtime/JSActivation.h 2012-08-27 02:49:36 UTC (rev 126719)
+++ trunk/Source/_javascript_Core/runtime/JSActivation.h 2012-08-27 03:48:14 UTC (rev 126720)
@@ -60,6 +60,7 @@
static bool getOwnPropertySlot(JSCell*, ExecState*, PropertyName, PropertySlot&);
static void getOwnPropertyNames(JSObject*, ExecState*, PropertyNameArray&, EnumerationMode);
+ JS_EXPORT_PRIVATE static bool getOwnPropertyDescriptor(JSObject*, ExecState*, PropertyName, PropertyDescriptor&);
static void put(JSCell*, ExecState*, PropertyName, JSValue, PutPropertySlot&);
Modified: trunk/Source/WebCore/ChangeLog (126719 => 126720)
--- trunk/Source/WebCore/ChangeLog 2012-08-27 02:49:36 UTC (rev 126719)
+++ trunk/Source/WebCore/ChangeLog 2012-08-27 03:48:14 UTC (rev 126720)
@@ -1,3 +1,18 @@
+2012-08-26 Geoffrey Garen <[email protected]>
+
+ Removed a JSC-specific hack from the web inspector
+ https://bugs.webkit.org/show_bug.cgi?id=95033
+
+ Reviewed by Filip Pizlo.
+
+ The hack was never reviewed. If it had been, I suspect it would have
+ gotten an r- for making weird assumptions about the engine's implimentation.
+
+ * inspector/InjectedScriptSource.js: It's not sound to assume that an
+ object has no properties except for "arguments" if and only if it's an
+ activation: non-activations can have a property named "arguments", and
+ activations can optimize out "arguments".
+
2012-08-26 Christopher Cameron <[email protected]>
[chromium] Fix a bug where CCThreadProxy::canDraw() gets stuck at false on tab switch
Modified: trunk/Source/WebCore/inspector/InjectedScriptSource.js (126719 => 126720)
--- trunk/Source/WebCore/inspector/InjectedScriptSource.js 2012-08-27 02:49:36 UTC (rev 126719)
+++ trunk/Source/WebCore/inspector/InjectedScriptSource.js 2012-08-27 03:48:14 UTC (rev 126720)
@@ -222,12 +222,6 @@
var descriptors = this._propertyDescriptors(object, ownProperties);
// Go over properties, wrap object values.
- if (descriptors.length === 0 && "arguments" in object) {
- // Fill in JSC scope object.
- for (var key in object)
- descriptors.push({ name: key, value: object[key], writable: false, configurable: false, enumerable: true});
- }
-
for (var i = 0; i < descriptors.length; ++i) {
var descriptor = descriptors[i];
if ("get" in descriptor)
