Title: [154313] trunk/Source
Revision
154313
Author
[email protected]
Date
2013-08-19 22:47:14 -0700 (Mon, 19 Aug 2013)

Log Message

Source/_javascript_Core: https://bugs.webkit.org/show_bug.cgi?id=120034
Remove custom getOwnPropertyDescriptor for global objects

Reviewed by Geoff Garen.

Fix attributes of JSC SymbolTableObject entries, ensure that cross frame access is safe, and suppress prototype chain walk.

* runtime/JSGlobalObject.cpp:
    - Remove custom getOwnPropertyDescriptor implementation.
* runtime/JSSymbolTableObject.h:
(JSC::symbolTableGet):
    - The symbol table does not store the DontDelete attribute, we should be adding it back in.
* runtime/PropertyDescriptor.h:
    - JSDOMWindow walks the prototype chain on own access. This is bad, but for now workaround for the getOwnPropertyDescriptor case.
* runtime/PropertySlot.h:
(JSC::PropertySlot::setUndefined):
    - This is used by WebCore when blocking access to properties on cross-frame access.
      Mark blocked properties as read-only, non-configurable to prevent defineProperty.

Source/WebCore: <https://webkit.org/b/120041> Remove superfluous min calls in RenderBlock::computeOverflow

Patch by Ryosuke Niwa <[email protected]> on 2013-08-19
Reviewed by Simon Fraser.

Merge https://chromium.googlesource.com/chromium/blink/+/29cad35d6b4642804e6b7c1a30f0b4435dd7a71d

They are contained in an "if" statement that ensures that textIndent < 0 and so the min will never be 0.

* rendering/RenderBlock.cpp:
(WebCore::RenderBlock::computeOverflow):


Modified: trunk/Source/_javascript_Core/ChangeLog (154312 => 154313)


--- trunk/Source/_javascript_Core/ChangeLog	2013-08-20 05:34:46 UTC (rev 154312)
+++ trunk/Source/_javascript_Core/ChangeLog	2013-08-20 05:47:14 UTC (rev 154313)
@@ -1,3 +1,24 @@
+2013-08-19  Gavin Barraclough  <[email protected]>
+
+        https://bugs.webkit.org/show_bug.cgi?id=120034
+        Remove custom getOwnPropertyDescriptor for global objects
+
+        Reviewed by Geoff Garen.
+
+        Fix attributes of JSC SynbolTableObject entries, ensure that cross frame access is safe, and suppress prototype chain walk.
+
+        * runtime/JSGlobalObject.cpp:
+            - Remove custom getOwnPropertyDescriptor implementation.
+        * runtime/JSSymbolTableObject.h:
+        (JSC::symbolTableGet):
+            - The symbol table does not store the DontDelete attribute, we should be adding it back in.
+        * runtime/PropertyDescriptor.h:
+            - JSDOMWindow walks the prototype chain on own access. This is bad, but for now workaround for the getOwnPropertyDescriptor case.
+        * runtime/PropertySlot.h:
+        (JSC::PropertySlot::setUndefined):
+            - This is used by WebCore when blocking access to properties on cross-frame access.
+              Mark blocked properties as read-only, non-configurable to prevent defineProperty.
+
 2013-08-17  Filip Pizlo  <[email protected]>
 
         DFG should inline typedArray.byteOffset

Modified: trunk/Source/_javascript_Core/runtime/JSGlobalObject.cpp (154312 => 154313)


--- trunk/Source/_javascript_Core/runtime/JSGlobalObject.cpp	2013-08-20 05:34:46 UTC (rev 154312)
+++ trunk/Source/_javascript_Core/runtime/JSGlobalObject.cpp	2013-08-20 05:47:14 UTC (rev 154313)
@@ -641,13 +641,7 @@
     return symbolTableGet(thisObject, propertyName, slot);
 }
 
-bool JSGlobalObject::getOwnPropertyDescriptor(JSObject* object, ExecState* exec, PropertyName propertyName, PropertyDescriptor& descriptor)
-{
-    JSGlobalObject* thisObject = jsCast<JSGlobalObject*>(object);
-    if (getStaticFunctionDescriptor<Base>(exec, ExecState::globalObjectTable(exec), thisObject, propertyName, descriptor))
-        return true;
-    return symbolTableGet(thisObject, propertyName, descriptor);
-}
+GET_OWN_PROPERTY_DESCRIPTOR_IMPL(JSGlobalObject)
 
 void JSGlobalObject::clearRareData(JSCell* cell)
 {

Modified: trunk/Source/_javascript_Core/runtime/JSSymbolTableObject.h (154312 => 154313)


--- trunk/Source/_javascript_Core/runtime/JSSymbolTableObject.h	2013-08-20 05:34:46 UTC (rev 154312)
+++ trunk/Source/_javascript_Core/runtime/JSSymbolTableObject.h	2013-08-20 05:47:14 UTC (rev 154313)
@@ -79,7 +79,7 @@
         return false;
     SymbolTableEntry::Fast entry = iter->value;
     ASSERT(!entry.isNull());
-    slot.setValue(object, entry.getAttributes(), object->registerAt(entry.getIndex()).get());
+    slot.setValue(object, entry.getAttributes() | DontDelete, object->registerAt(entry.getIndex()).get());
     return true;
 }
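Review bot: The `| DontDelete` added to the setValue call is unexplained at the point of use, and the identical addition appears in the second hunk of this file (the overload that also sets slotIsWriteable); a one-line comment above each would stop a later reader from "simplifying" it away: `// The symbol table does not record DontDelete; declarations are never deletable, so add it back when reporting attributes.` Only the reported attributes change here — the entry itself still lacks the bit, so any code that reads `entry.getAttributes()` directly (none visible in this hunk) would still see a deletable property. symbolTableGet's signature and early returns lie before the start of the hunk.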
 
@@ -111,7 +111,7 @@
         return false;
     SymbolTableEntry::Fast entry = iter->value;
     ASSERT(!entry.isNull());
-    slot.setValue(object, entry.getAttributes(), object->registerAt(entry.getIndex()).get());
+    slot.setValue(object, entry.getAttributes() | DontDelete, object->registerAt(entry.getIndex()).get());
     slotIsWriteable = !entry.isReadOnly();
     return true;
 }

Modified: trunk/Source/_javascript_Core/runtime/PropertyDescriptor.h (154312 => 154313)


--- trunk/Source/_javascript_Core/runtime/PropertyDescriptor.h	2013-08-20 05:34:46 UTC (rev 154312)
+++ trunk/Source/_javascript_Core/runtime/PropertyDescriptor.h	2013-08-20 05:47:14 UTC (rev 154313)
@@ -91,6 +91,9 @@
     JSC::PropertySlot slot(object); \
     if (!getOwnPropertySlot(object, exec, propertyName, slot)) \
         return false; \
+    /* Workaround, JSDOMWindow::getOwnPropertySlot searches the prototype chain. :-( */ \
+    if (slot.slotBase() && slot.slotBase() != object) \
+        return false; \
     if (slot.isGetter()) \
         descriptor.setAccessorDescriptor(slot.getterSetter(), slot.attributes()); \
     else \
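Review bot: The new guard lets a slot with a null slotBase through as an own property, which matters because PropertySlot::setUndefined (changed in this same revision) clears m_slotBase to 0 for blocked cross-frame properties; the comment only mentions the prototype-chain case, so the deliberate null pass-through should be spelled out: `/* A null slotBase (setUndefined, used for blocked cross-frame access) is still reported as an own property; only a foreign slotBase indicates a prototype-chain hit. */`. A second consequence worth a sentence in the same comment is that a getOwnPropertySlot which legitimately reports a different slotBase for an own property will now answer false here while slot-based hasOwnProperty-style checks still say true, so the two can disagree — presumably acceptable for a workaround, but it should be stated. The macro body continues before and after this hunk.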

Modified: trunk/Source/_javascript_Core/runtime/PropertySlot.h (154312 => 154313)


--- trunk/Source/_javascript_Core/runtime/PropertySlot.h	2013-08-20 05:34:46 UTC (rev 154312)
+++ trunk/Source/_javascript_Core/runtime/PropertySlot.h	2013-08-20 05:47:14 UTC (rev 154313)
@@ -200,6 +200,7 @@
     void setUndefined()
     {
         m_data.value = JSValue::encode(jsUndefined());
+        m_attributes = ReadOnly | DontDelete | DontEnum;
 
         m_slotBase = 0;
         m_propertyType = TypeValue;
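Review bot: The new `m_attributes` assignment should carry a comment saying why an undefined slot is stamped read-only and non-configurable, since the three flags look arbitrary in isolation: `// Blocked (cross-frame) properties are reported as non-writable, non-configurable and non-enumerable so that defineProperty cannot redefine them.` The same three-flag literal is written out again in JSDOMWindowCustom.cpp in this revision; a single named constant in this header would keep the two places in sync. Before this change the method apparently left m_attributes untouched, so a reused slot would have reported whatever attributes it held previously — the assignment fixes that too, which is worth mentioning. setUndefined's body continues past the end of the hunk.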

Modified: trunk/Source/WebCore/ChangeLog (154312 => 154313)


--- trunk/Source/WebCore/ChangeLog	2013-08-20 05:34:46 UTC (rev 154312)
+++ trunk/Source/WebCore/ChangeLog	2013-08-20 05:47:14 UTC (rev 154313)
@@ -53,6 +53,20 @@
 
 2013-08-19  Gavin Barraclough  <[email protected]>
 
+        https://bugs.webkit.org/show_bug.cgi?id=120034
+        Remove custom getOwnPropertyDescriptor for global objects
+
+        Reviewed by Geoff Garen.
+
+        Fix attributes of JSC SynbolTableObject entries, ensure that cross frame access is safe, and suppress prototype chain walk.
+
+        * bindings/js/JSDOMWindowCustom.cpp:
+        (WebCore::JSDOMWindow::getOwnPropertySlot):
+            - Remove custom getOwnPropertyDescriptor implementation, on cross-frame access ensure
+              all properties are marked as read-only, non-configurable to prevent defineProperty.
+
+2013-08-19  Gavin Barraclough  <[email protected]>
+
         https://bugs.webkit.org/show_bug.cgi?id=119995
         Start removing custom implementations of getOwnPropertyDescriptor
 

Modified: trunk/Source/WebCore/bindings/js/JSDOMWindowCustom.cpp (154312 => 154313)


--- trunk/Source/WebCore/bindings/js/JSDOMWindowCustom.cpp	2013-08-20 05:34:46 UTC (rev 154312)
+++ trunk/Source/WebCore/bindings/js/JSDOMWindowCustom.cpp	2013-08-20 05:47:14 UTC (rev 154313)
@@ -161,22 +161,22 @@
         if (entry->attributes() & JSC::Function) {
             if (entry->function() == jsDOMWindowPrototypeFunctionBlur) {
                 if (!allowsAccess) {
-                    slot.setCustom(thisObject, entry->attributes(), nonCachingStaticFunctionGetter<jsDOMWindowPrototypeFunctionBlur, 0>);
+                    slot.setCustom(thisObject, ReadOnly | DontDelete | DontEnum, nonCachingStaticFunctionGetter<jsDOMWindowPrototypeFunctionBlur, 0>);
                     return true;
                 }
             } else if (entry->function() == jsDOMWindowPrototypeFunctionClose) {
                 if (!allowsAccess) {
-                    slot.setCustom(thisObject, entry->attributes(), nonCachingStaticFunctionGetter<jsDOMWindowPrototypeFunctionClose, 0>);
+                    slot.setCustom(thisObject, ReadOnly | DontDelete | DontEnum, nonCachingStaticFunctionGetter<jsDOMWindowPrototypeFunctionClose, 0>);
                     return true;
                 }
             } else if (entry->function() == jsDOMWindowPrototypeFunctionFocus) {
                 if (!allowsAccess) {
-                    slot.setCustom(thisObject, entry->attributes(), nonCachingStaticFunctionGetter<jsDOMWindowPrototypeFunctionFocus, 0>);
+                    slot.setCustom(thisObject, ReadOnly | DontDelete | DontEnum, nonCachingStaticFunctionGetter<jsDOMWindowPrototypeFunctionFocus, 0>);
                     return true;
                 }
             } else if (entry->function() == jsDOMWindowPrototypeFunctionPostMessage) {
                 if (!allowsAccess) {
-                    slot.setCustom(thisObject, entry->attributes(), nonCachingStaticFunctionGetter<jsDOMWindowPrototypeFunctionPostMessage, 2>);
+                    slot.setCustom(thisObject, ReadOnly | DontDelete | DontEnum, nonCachingStaticFunctionGetter<jsDOMWindowPrototypeFunctionPostMessage, 2>);
                     return true;
                 }
             } else if (entry->function() == jsDOMWindowPrototypeFunctionShowModalDialog) {
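Review bot: The literal `ReadOnly | DontDelete | DontEnum` is now written out four times in this hunk and once more in the following hunk (the `allowsAccess ? entry->attributes() : ...` line), with nothing saying it is the deliberate attribute set for blocked cross-frame properties; a single local near the top of the function, `const unsigned blockedAttributes = ReadOnly | DontDelete | DontEnum; // non-writable, non-configurable: defineProperty must not redefine these cross-frame`, would document the intent once and make the four branches identical apart from the template argument. In the following hunk, parenthesising the else arm, `allowsAccess ? entry->attributes() : (ReadOnly | DontDelete | DontEnum)`, would make the intended precedence explicit even though `?:` already binds looser than `|`. The enclosing function (getOwnPropertySlot, per the ChangeLog) starts before this hunk.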
@@ -198,7 +198,7 @@
 
     entry = JSDOMWindow::info()->propHashTable(exec)->entry(exec, propertyName);
     if (entry) {
-        slot.setCustom(thisObject, entry->attributes(), entry->propertyGetter());
+        slot.setCustom(thisObject, allowsAccess ? entry->attributes() : ReadOnly | DontDelete | DontEnum, entry->propertyGetter());
         return true;
     }
 
@@ -331,79 +331,8 @@
     return Base::getOwnPropertySlotByIndex(thisObject, exec, index, slot);
 }
 
-bool JSDOMWindow::getOwnPropertyDescriptor(JSObject* object, ExecState* exec, PropertyName propertyName, PropertyDescriptor& descriptor)
-{
-    JSDOMWindow* thisObject = jsCast<JSDOMWindow*>(object);
-    // Never allow cross-domain getOwnPropertyDescriptor
-    if (!BindingSecurity::shouldAllowAccessToDOMWindow(exec, thisObject->impl()))
-        return false;
+GET_OWN_PROPERTY_DESCRIPTOR_IMPL(JSDOMWindow)
 
-    const HashEntry* entry;
-    
-    // We don't want any properties other than "close" and "closed" on a closed window.
-    if (!thisObject->impl()->frame()) {
-        // The following code is safe for cross-domain and same domain use.
-        // It ignores any custom properties that might be set on the DOMWindow (including a custom prototype).
-        entry = s_info.propHashTable(exec)->entry(exec, propertyName);
-        if (entry && !(entry->attributes() & JSC::Function) && entry->propertyGetter() == jsDOMWindowClosed) {
-            descriptor.setDescriptor(jsBoolean(true), ReadOnly | DontDelete | DontEnum);
-            return true;
-        }
-        entry = JSDOMWindowPrototype::info()->propHashTable(exec)->entry(exec, propertyName);
-        if (entry && (entry->attributes() & JSC::Function) && entry->function() == jsDOMWindowPrototypeFunctionClose) {
-            PropertySlot slot(thisObject);
-            slot.setCustom(thisObject, ReadOnly | DontDelete | DontEnum, nonCachingStaticFunctionGetter<jsDOMWindowPrototypeFunctionClose, 0>);
-            descriptor.setDescriptor(slot.getValue(exec, propertyName), ReadOnly | DontDelete | DontEnum);
-            return true;
-        }
-        descriptor.setUndefined();
-        return true;
-    }
-
-    entry = JSDOMWindow::info()->propHashTable(exec)->entry(exec, propertyName);
-    if (entry) {
-        PropertySlot slot(thisObject);
-        slot.setCustom(thisObject, entry->attributes(), entry->propertyGetter());
-        descriptor.setDescriptor(slot.getValue(exec, propertyName), entry->attributes());
-        return true;
-    }
-    
-    // Check for child frames by name before built-in properties to
-    // match Mozilla. This does not match IE, but some sites end up
-    // naming frames things that conflict with window properties that
-    // are in Moz but not IE. Since we have some of these, we have to do
-    // it the Moz way.
-    if (thisObject->impl()->frame()->tree()->scopedChild(propertyNameToAtomicString(propertyName))) {
-        PropertySlot slot(thisObject);
-        slot.setCustom(thisObject, ReadOnly | DontDelete | DontEnum, childFrameGetter);
-        descriptor.setDescriptor(slot.getValue(exec, propertyName), ReadOnly | DontDelete | DontEnum);
-        return true;
-    }
-    
-    unsigned i = propertyName.asIndex();
-    if (i < thisObject->impl()->frame()->tree()->scopedChildCount()) {
-        ASSERT(i != PropertyName::NotAnIndex);
-        PropertySlot slot(thisObject);
-        slot.setCustomIndex(thisObject, ReadOnly | DontDelete | DontEnum, i, indexGetter);
-        descriptor.setDescriptor(slot.getValue(exec, propertyName), ReadOnly | DontDelete | DontEnum);
-        return true;
-    }
-
-    // Allow shortcuts like 'Image1' instead of document.images.Image1
-    Document* document = thisObject->impl()->frame()->document();
-    if (document->isHTMLDocument()) {
-        AtomicStringImpl* atomicPropertyName = findAtomicString(propertyName);
-        if (atomicPropertyName && toHTMLDocument(document)->hasWindowNamedItem(atomicPropertyName)) {
-            PropertySlot slot(thisObject);
-            slot.setCustom(thisObject, ReadOnly | DontDelete | DontEnum, namedItemGetter);
-            descriptor.setDescriptor(slot.getValue(exec, propertyName), ReadOnly | DontDelete | DontEnum);
-            return true;
-        }
-    }
-    
-    return Base::getOwnPropertyDescriptor(thisObject, exec, propertyName, descriptor);
-}
-
 void JSDOMWindow::put(JSCell* cell, ExecState* exec, PropertyName propertyName, JSValue value, PutPropertySlot& slot)
 {
     JSDOMWindow* thisObject = jsCast<JSDOMWindow*>(cell);
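Review bot: The removed `shouldAllowAccessToDOMWindow` early return meant a cross-origin getOwnPropertyDescriptor reported no properties at all; with `GET_OWN_PROPERTY_DESCRIPTOR_IMPL(JSDOMWindow)` the answer now comes from getOwnPropertySlot, so the cross-origin guarantee rests on every cross-origin-reachable branch of getOwnPropertySlot stamping `ReadOnly | DontDelete | DontEnum` (the two earlier hunks do this for the static-table entries; branches outside this diff, such as the child-frame and named-item paths the removed code handled, cannot be checked from here). A comment on the macro line would record that dependency: `// Cross-origin safety is delegated to getOwnPropertySlot: every slot it reports cross-frame must be read-only and non-configurable, and the descriptor macro drops prototype-chain hits.` The removed closed-window (`!frame()`) handling that answered setUndefined for everything except close/closed is likewise assumed to be mirrored in getOwnPropertySlot — worth confirming, since that function lies outside the hunk. The hunk's last lines belong to JSDOMWindow::put, which continues past it.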