Modified: trunk/LayoutTests/ChangeLog (183274 => 183275)
--- trunk/LayoutTests/ChangeLog 2015-04-24 19:01:48 UTC (rev 183274)
+++ trunk/LayoutTests/ChangeLog 2015-04-24 19:08:01 UTC (rev 183275)
@@ -1,3 +1,15 @@
+2015-04-24 Matthew Mirman <[email protected]>
+
+ Added tests to ensure that Object.prototype.__proto__ native getter and setter do not coerce undefined to this
+ https://bugs.webkit.org/show_bug.cgi?id=141865
+ rdar://problem/19927273
+
+ Reviewed by Filip Pizlo.
+
+ * js/script-tests/sloppy-getter-setter-global-object.js: Added.
+ * js/sloppy-getter-setter-global-object-expected.txt: Added.
+ * js/sloppy-getter-setter-global-object.html: Added.
+
2015-04-24 Alexey Proskuryakov <[email protected]>
fast/frames/flattening/iframe-flattening-resize-event-count.html times out on Yosemite WK2
Added: trunk/LayoutTests/js/script-tests/sloppy-getter-setter-global-object.js (0 => 183275)
--- trunk/LayoutTests/js/script-tests/sloppy-getter-setter-global-object.js (rev 0)
+++ trunk/LayoutTests/js/script-tests/sloppy-getter-setter-global-object.js 2015-04-24 19:08:01 UTC (rev 183275)
@@ -0,0 +1,36 @@
+description(
+"Tests that check that sloppy getters and setters on the global object don't coerce undefined to their this."
+);
+
+var act_e = undefined;
+try {
+ this.__proto__;
+ var originalProto = this.__proto__;
+ this.__proto__ = 1;
+ if (this.__proto__ != originalProto)
+ throw "__proto__ was modified";
+} catch (e) {
+ act_e = e;
+}
+
+if (act_e)
+ testFailed("shouldn't have thrown '"+ e + "' when accessing and modifying this.__proto__");
+else
+ testPassed("this.__proto__ accessed succesfully and stayed frozen.");
+
+shouldNotThrow("Object.prototype.valueOf.call(3);");
+shouldThrow("Object.prototype.valueOf.call(null);");
+
+
+shouldNotThrow("Object.getOwnPropertyDescriptor(Object.prototype,'__proto__').get()");
+shouldNotThrow("Object.getOwnPropertyDescriptor(Object.prototype,'__proto__').set(['foo'])");
+
+shouldThrow("(0,Object.getOwnPropertyDescriptor(Object.prototype,'__proto__').get)()", "\"TypeError: Can't convert undefined or null to object\"");
+shouldThrow("(0,Object.getOwnPropertyDescriptor(Object.prototype,'__proto__').set)(['foo'])", "\"TypeError: Can't convert undefined or null to object\"");
+
+
+var top_level_sloppy_getter = Object.getOwnPropertyDescriptor(Object.prototype,'__proto__').get;
+shouldNotThrow("top_level_sloppy_getter();");
+
+var top_level_sloppy_setter = Object.getOwnPropertyDescriptor(Object.prototype,'__proto__').set;
+shouldNotThrow("top_level_sloppy_setter(['foo']);");
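Review bot: The failure branch at the `testFailed(...)` call references `e`, but `e` is the parameter of the `catch` block above and is not in scope there; the caught value was stored in `act_e`. In sloppy mode reading an undeclared identifier throws a ReferenceError, so if the `__proto__` check ever regressed the test would abort with an unrelated error instead of reporting the intended message. Change the line to `testFailed("shouldn't have thrown '"+ act_e + "' when accessing and modifying this.__proto__");`. The pass message also spells "succesfully" — if corrected, the matching line in sloppy-getter-setter-global-object-expected.txt must be updated together with it.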
Added: trunk/LayoutTests/js/sloppy-getter-setter-global-object-expected.txt (0 => 183275)
--- trunk/LayoutTests/js/sloppy-getter-setter-global-object-expected.txt (rev 0)
+++ trunk/LayoutTests/js/sloppy-getter-setter-global-object-expected.txt 2015-04-24 19:08:01 UTC (rev 183275)
@@ -0,0 +1,18 @@
+Tests that check that sloppy getters and setters on the global object don't coerce undefined to their this.
+
+On success, you will see a series of "PASS" messages, followed by "TEST COMPLETE".
+
+
+PASS this.__proto__ accessed succesfully and stayed frozen.
+PASS Object.prototype.valueOf.call(3); did not throw exception.
+PASS Object.prototype.valueOf.call(null); threw exception TypeError: null is not an object (evaluating 'Object.prototype.valueOf.call(null)').
+PASS Object.getOwnPropertyDescriptor(Object.prototype,'__proto__').get() did not throw exception.
+PASS Object.getOwnPropertyDescriptor(Object.prototype,'__proto__').set(['foo']) did not throw exception.
+PASS (0,Object.getOwnPropertyDescriptor(Object.prototype,'__proto__').get)() threw exception TypeError: Can't convert undefined or null to object.
+PASS (0,Object.getOwnPropertyDescriptor(Object.prototype,'__proto__').set)(['foo']) threw exception TypeError: Can't convert undefined or null to object.
+PASS top_level_sloppy_getter(); did not throw exception.
+PASS top_level_sloppy_setter(['foo']); did not throw exception.
+PASS successfullyParsed is true
+
+TEST COMPLETE
+
Added: trunk/LayoutTests/js/sloppy-getter-setter-global-object.html (0 => 183275)
--- trunk/LayoutTests/js/sloppy-getter-setter-global-object.html (rev 0)
+++ trunk/LayoutTests/js/sloppy-getter-setter-global-object.html 2015-04-24 19:08:01 UTC (rev 183275)
@@ -0,0 +1,10 @@
+<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML//EN">
+<html>
+<head>
+<script src=""
+</head>
+<body>
+<script src=""
+<script src=""
+</body>
+</html>
Modified: trunk/Source/_javascript_Core/ChangeLog (183274 => 183275)
--- trunk/Source/_javascript_Core/ChangeLog 2015-04-24 19:01:48 UTC (rev 183274)
+++ trunk/Source/_javascript_Core/ChangeLog 2015-04-24 19:08:01 UTC (rev 183275)
@@ -1,3 +1,15 @@
+2015-04-24 Matthew Mirman <[email protected]>
+
+ Made Object.prototype.__proto__ native getter and setter check that this object not null or undefined
+ https://bugs.webkit.org/show_bug.cgi?id=141865
+ rdar://problem/19927273
+
+ Reviewed by Filip Pizlo.
+
+ * runtime/JSGlobalObjectFunctions.cpp:
+ (JSC::globalFuncProtoGetter):
+ (JSC::globalFuncProtoSetter):
+
2015-04-23 Benjamin Poulain <[email protected]>
Remove a useless branch on DFGGraph::addShouldSpeculateMachineInt()
Modified: trunk/Source/_javascript_Core/runtime/JSGlobalObjectFunctions.cpp (183274 => 183275)
--- trunk/Source/_javascript_Core/runtime/JSGlobalObjectFunctions.cpp 2015-04-24 19:01:48 UTC (rev 183274)
+++ trunk/Source/_javascript_Core/runtime/JSGlobalObjectFunctions.cpp 2015-04-24 19:08:01 UTC (rev 183275)
@@ -801,6 +801,9 @@
EncodedJSValue JSC_HOST_CALL globalFuncProtoGetter(ExecState* exec)
{
+ if (exec->thisValue().isUndefinedOrNull())
+ return throwVMError(exec, createTypeError(exec, "Can't convert undefined or null to object"));
+
JSObject* thisObject = jsDynamicCast<JSObject*>(exec->thisValue().toThis(exec, NotStrictMode));
if (!thisObject)
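Review bot: The new guard in globalFuncProtoGetter has no comment explaining why it must run before the `toThis(exec, NotStrictMode)` call on the following line, and the same three lines are repeated verbatim in globalFuncProtoSetter (the second hunk of this file). Without the guard, sloppy-mode `toThis` would substitute the global object for an undefined or null receiver, so an unbound `__proto__` accessor would read or replace the global object's prototype; a one-line comment above the check, `// Reject undefined/null before toThis(), which would otherwise coerce them to the global object in sloppy mode.`, records that intent for the next maintainer. The duplicated message string and check could be hoisted into one small static helper shared by both functions so the error text cannot drift between them. Both enclosing functions continue past the end of their hunks.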
@@ -841,6 +844,9 @@
EncodedJSValue JSC_HOST_CALL globalFuncProtoSetter(ExecState* exec)
{
+ if (exec->thisValue().isUndefinedOrNull())
+ return throwVMError(exec, createTypeError(exec, "Can't convert undefined or null to object"));
+
JSValue value = exec->argument(0);
JSObject* thisObject = jsDynamicCast<JSObject*>(exec->thisValue().toThis(exec, NotStrictMode));