Title: [154334] trunk/Source/JavaScriptCore
Revision: 154334
Author: [email protected]
Date: 2013-08-20 10:07:02 -0700 (Tue, 20 Aug 2013)

Log Message

https://bugs.webkit.org/show_bug.cgi?id=120052
Remove custom getOwnPropertyDescriptor for JSProxy

Reviewed by Geoff Garen.

GET_OWN_PROPERTY_DESCRIPTOR_IMPL runs afoul with JSProxy due to the workaround for JSDOMWindow's broken behavior.
Because the window object incorrectly searches the prototype chain in getOwnPropertySlot we check that the base
object matches, but in the case of JSProxy we can end up comparing the window object to the window shell & falsely
assuming this is a prototype property. Add toThis conversion to correctly identify proxied own access. I've kept
the original slotBase check as a fast case, and also so that direct access on JSDOMWindow still works.

* runtime/JSProxy.cpp:
    - Remove custom getOwnPropertyDescriptor implementation.
* runtime/PropertyDescriptor.h:
    - Modify own property access check to perform toThis conversion.

Diff

Modified: trunk/Source/JavaScriptCore/ChangeLog (154333 => 154334)


--- trunk/Source/_javascript_Core/ChangeLog	2013-08-20 17:00:02 UTC (rev 154333)
+++ trunk/Source/_javascript_Core/ChangeLog	2013-08-20 17:07:02 UTC (rev 154334)
@@ -1,3 +1,21 @@
+2013-08-20  Gavin Barraclough  <[email protected]>
+
+        https://bugs.webkit.org/show_bug.cgi?id=120052
+        Remove custom getOwnPropertyDescriptor for JSProxy
+
+        Reviewed by Geoff Garen.
+
+        GET_OWN_PROPERTY_DESCRIPTOR_IMPL runs afoul with JSProxy due to the workaround for JSDOMWindow's broken behavior.
+        Because the window object incorrectly searches the prototype chain in getOwnPropertySlot we check that the base
+        object matches, but in the case of JSProxy we can end up comparing the window object to the window shell & falsely
+        assuming this is a prototype property. Add toThis conversion to correctly identify proxied own access. I've kept
+        the original slotBase check as a fast case, and also so that direct access on JSDOMWindow still works.
+
+        * runtime/JSProxy.cpp:
+            - Remove custom getOwnPropertyDescriptor implementation.
+        * runtime/PropertyDescriptor.h:
+            - Modify own property access check to perform toThis conversion.
+
 2013-08-20  Alex Christensen  <[email protected]>
 
         Use PlatformArchitecture to distinguish between 32-bit and 64-bit builds on Windows.
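
Review bot: The new entry at the top of this hunk names only runtime/JSProxy.cpp and runtime/PropertyDescriptor.h and does not say how the proxied case was exercised. The description identifies a specific failure (the window object compared against the window shell, so an own property is taken for a prototype property), so the entry should name the test that covers getOwnPropertyDescriptor through a JSProxy, or state why none is added.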

Modified: trunk/Source/JavaScriptCore/runtime/JSProxy.cpp (154333 => 154334)


--- trunk/Source/_javascript_Core/runtime/JSProxy.cpp	2013-08-20 17:00:02 UTC (rev 154333)
+++ trunk/Source/_javascript_Core/runtime/JSProxy.cpp	2013-08-20 17:07:02 UTC (rev 154334)
@@ -82,11 +82,7 @@
     return thisObject->target()->methodTable()->getOwnPropertySlotByIndex(thisObject->target(), exec, propertyName, slot);
 }
 
-bool JSProxy::getOwnPropertyDescriptor(JSObject* object, ExecState* exec, PropertyName propertyName, PropertyDescriptor& descriptor)
-{
-    JSProxy* thisObject = jsCast<JSProxy*>(object);
-    return thisObject->target()->methodTable()->getOwnPropertyDescriptor(thisObject->target(), exec, propertyName, descriptor);
-}
+GET_OWN_PROPERTY_DESCRIPTOR_IMPL(JSProxy)
 
 void JSProxy::put(JSCell* cell, ExecState* exec, PropertyName propertyName, JSValue value, PutPropertySlot& slot)
 {
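
Review bot: The added GET_OWN_PROPERTY_DESCRIPTOR_IMPL(JSProxy) line changes which code builds the descriptor, and nothing next to it says so. The removed body delegated to thisObject->target()->methodTable()->getOwnPropertyDescriptor(...), so the target's own implementation decided the result; the macro builds the descriptor from a slot lookup instead. The context line at the top of this hunk shows the by-index slot lookup forwarding to the target; if getOwnPropertySlot forwards the same way, slot.slotBase() will be the target rather than the proxy, and this line is only correct together with the toThis comparison added in PropertyDescriptor.h. Suggest a short comment here recording that dependency, and a check that no target type relied on being reached through its own getOwnPropertyDescriptor.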

Modified: trunk/Source/JavaScriptCore/runtime/PropertyDescriptor.h (154333 => 154334)


--- trunk/Source/_javascript_Core/runtime/PropertyDescriptor.h	2013-08-20 17:00:02 UTC (rev 154333)
+++ trunk/Source/_javascript_Core/runtime/PropertyDescriptor.h	2013-08-20 17:07:02 UTC (rev 154334)
@@ -92,7 +92,7 @@
     if (!getOwnPropertySlot(object, exec, propertyName, slot)) \
         return false; \
     /* Workaround, JSDOMWindow::getOwnPropertySlot searches the prototype chain. :-( */ \
-    if (slot.slotBase() && slot.slotBase() != object) \
+    if (slot.slotBase() != object && slot.slotBase() && slot.slotBase()->methodTable()->toThis(slot.slotBase(), exec, NotStrictMode) != object) \
         return false; \
     if (slot.isGetter()) \
         descriptor.setAccessorDescriptor(slot.getterSetter(), slot.attributes()); \
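
Review bot: The rewritten condition on the + line now accepts any slotBase whose toThis result equals object as an own-property hit, but the comment above it still describes only the JSDOMWindow prototype-chain workaround. Please extend that comment to cover the proxy case (slotBase is the proxied target, object is the proxy), because this check decides whether a property found on a different base is reported as own, and a reader needs to know which bases are expected to pass it. The expression also calls slot.slotBase() four times on one line and hard-codes NotStrictMode without explanation; hoisting the base into a local inside the macro and noting why NotStrictMode is the right mode would make the fast path and the toThis fallback easier to audit.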
_______________________________________________
webkit-changes mailing list
[email protected]
https://lists.webkit.org/mailman/listinfo/webkit-changes

Reply via email to