Diff
Modified: trunk/LayoutTests/ChangeLog (184639 => 184640)
--- trunk/LayoutTests/ChangeLog 2015-05-20 16:18:03 UTC (rev 184639)
+++ trunk/LayoutTests/ChangeLog 2015-05-20 16:54:09 UTC (rev 184640)
@@ -1,5 +1,31 @@
2015-05-20 Joseph Pecoraro <[email protected]>
+ ES6: Should not allow duplicate basic __proto__ properties in Object Literals
+ https://bugs.webkit.org/show_bug.cgi?id=145138
+
+ Reviewed by Darin Adler.
+
+ * js/dom/JSON-parse-expected.txt:
+ * js/resources/JSON-parse.js:
+ Update expected results for JSON parsing using eval() versus JSON.parse.
+ In eval, an object literal with a "__proto__" property modifies the prototype.
+ In JSON.parse, all properties are direct/own properties, no matter their name,
+ so "__proto__" does not get special treatment.
+
+ * js/eval-json-proto-expected.txt: Added.
+ * js/eval-json-proto.html: Added.
+ * js/script-tests/eval-json-proto.js: Added.
+ Direct test for LiteralParser behavior, in both eval and JSON.parse.
+
+ * js/object-literal-duplicate-properties-expected.txt:
+ * js/script-tests/object-literal-duplicate-properties.js:
+ (runProtoTestShouldThrow):
+ (runProtoTestShouldNotThrow):
+ Test for all cases of acceptable and unacceptable __proto__ duplicate
+ properties in literals.
+
+2015-05-20 Joseph Pecoraro <[email protected]>
+
Web Inspector: Slightly better node previews in arrays
https://bugs.webkit.org/show_bug.cgi?id=145188
Modified: trunk/LayoutTests/js/dom/JSON-parse-expected.txt (184639 => 184640)
--- trunk/LayoutTests/js/dom/JSON-parse-expected.txt 2015-05-20 16:18:03 UTC (rev 184639)
+++ trunk/LayoutTests/js/dom/JSON-parse-expected.txt 2015-05-20 16:54:09 UTC (rev 184640)
@@ -69,7 +69,10 @@
function (jsonObject){
return jsonObject.parse('{"__proto__":5}');
}
-PASS JSON.stringify(tests[i](nativeJSON)) is JSON.stringify(tests[i](JSON))
+json2.js uses eval and will differ when parsing JSON with __proto__.
+PASS JSON.stringify(tests[i](nativeJSON)) is not JSON.stringify(tests[i](JSON))
+PASS JSON.stringify(tests[i](nativeJSON)) is tests[i].jsonParseExpected
+PASS JSON.stringify(tests[i](JSON)) is tests[i].evalExpected
function (jsonObject){
return jsonObject.parse('{"a":5,}');
}
@@ -443,7 +446,10 @@
function (jsonObject){
return jsonObject.parse('{"__proto__":{"a":5}}', log);
}
-PASS JSON.stringify(tests[i](nativeJSON)) is JSON.stringify(tests[i](JSON))
+json2.js uses eval and will differ when parsing JSON with __proto__.
+PASS JSON.stringify(tests[i](nativeJSON)) is not JSON.stringify(tests[i](JSON))
+PASS JSON.stringify(tests[i](nativeJSON)) is tests[i].jsonParseExpected
+PASS JSON.stringify(tests[i](JSON)) is tests[i].evalExpected
function (jsonObject){
logOrderString = "";
return jsonObject.parse("true", logOrder);
Added: trunk/LayoutTests/js/eval-json-proto-expected.txt (0 => 184640)
--- trunk/LayoutTests/js/eval-json-proto-expected.txt (rev 0)
+++ trunk/LayoutTests/js/eval-json-proto-expected.txt 2015-05-20 16:54:09 UTC (rev 184640)
@@ -0,0 +1,12 @@
+This test case checks different JSON literal constructions and ensures they handle __proto__ as expected.
+
+On success, you will see a series of "PASS" messages, followed by "TEST COMPLETE".
+
+
+PASS ({__proto__:[]}) instanceof Array is true
+PASS evalResult instanceof Array is true
+PASS jsonParseResult instanceof Array is false
+PASS successfullyParsed is true
+
+TEST COMPLETE
+
Added: trunk/LayoutTests/js/eval-json-proto.html (0 => 184640)
--- trunk/LayoutTests/js/eval-json-proto.html (rev 0)
+++ trunk/LayoutTests/js/eval-json-proto.html 2015-05-20 16:54:09 UTC (rev 184640)
@@ -0,0 +1,10 @@
+<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML//EN">
+<html>
+<head>
+<script src=""
+</head>
+<body>
+<script src=""
+<script src=""
+</body>
+</html>
Modified: trunk/LayoutTests/js/object-literal-duplicate-properties-expected.txt (184639 => 184640)
--- trunk/LayoutTests/js/object-literal-duplicate-properties-expected.txt 2015-05-20 16:18:03 UTC (rev 184639)
+++ trunk/LayoutTests/js/object-literal-duplicate-properties-expected.txt 2015-05-20 16:54:09 UTC (rev 184640)
@@ -205,6 +205,38 @@
PASS o = {get foo(){return 2}, get foo(){return 2}, ['foo']:3, foo:1}; descriptionString(o, 'foo'); is 'value:1 keys:1 [ECW][Extensible]'
PASS 'use strict';o = {get foo(){return 2}, get foo(){return 2}, ['foo']:3, foo:1}; descriptionString(o, 'foo'); is 'value:1 keys:1 [ECW][Extensible]'
PASS (function(){o = {get foo(){return 2}, get foo(){return 2}, ['foo']:3, foo:1}; descriptionString(o, 'foo');})() did not throw exception.
+
+Duplicate simple __proto__ attributes are not allowed
+PASS o = {__proto__:null} did not throw exception.
+PASS 'use strict';o = {__proto__:null} did not throw exception.
+PASS (function(){o = {__proto__:null}})() did not throw exception.
+PASS ({__proto__:null, ['__proto__']:{}}) did not throw exception.
+PASS 'use strict';({__proto__:null, ['__proto__']:{}}) did not throw exception.
+PASS (function(){({__proto__:null, ['__proto__']:{}})})() did not throw exception.
+PASS o = {__proto__:null, ['__proto__']:{}} did not throw exception.
+PASS 'use strict';o = {__proto__:null, ['__proto__']:{}} did not throw exception.
+PASS (function(){o = {__proto__:null, ['__proto__']:{}}})() did not throw exception.
+PASS o = {__proto__:null, get __proto__(){}} did not throw exception.
+PASS 'use strict';o = {__proto__:null, get __proto__(){}} did not throw exception.
+PASS (function(){o = {__proto__:null, get __proto__(){}}})() did not throw exception.
+PASS var __proto__ = null; o = {__proto__:null, __proto__} did not throw exception.
+PASS 'use strict';var __proto__ = null; o = {__proto__:null, __proto__} did not throw exception.
+PASS (function(){var __proto__ = null; o = {__proto__:null, __proto__}})() did not throw exception.
+PASS ({__proto__:[], __proto__:{}}) threw exception SyntaxError: Attempted to redefine __proto__ property..
+PASS 'use strict';({__proto__:[], __proto__:{}}) threw exception SyntaxError: Attempted to redefine __proto__ property..
+PASS (function(){({__proto__:[], __proto__:{}})})() threw exception SyntaxError: Attempted to redefine __proto__ property..
+PASS o = {__proto__:null, '__proto__':{}} threw exception SyntaxError: Attempted to redefine __proto__ property..
+PASS 'use strict';o = {__proto__:null, '__proto__':{}} threw exception SyntaxError: Attempted to redefine __proto__ property..
+PASS (function(){o = {__proto__:null, '__proto__':{}}})() threw exception SyntaxError: Attempted to redefine __proto__ property..
+PASS o = {__proto__:[], __proto__:{}} threw exception SyntaxError: Attempted to redefine __proto__ property..
+PASS 'use strict';o = {__proto__:[], __proto__:{}} threw exception SyntaxError: Attempted to redefine __proto__ property..
+PASS (function(){o = {__proto__:[], __proto__:{}}})() threw exception SyntaxError: Attempted to redefine __proto__ property..
+PASS o = {'__proto__':{}, '__proto__':{}} threw exception SyntaxError: Attempted to redefine __proto__ property..
+PASS 'use strict';o = {'__proto__':{}, '__proto__':{}} threw exception SyntaxError: Attempted to redefine __proto__ property..
+PASS (function(){o = {'__proto__':{}, '__proto__':{}}})() threw exception SyntaxError: Attempted to redefine __proto__ property..
+PASS o = {a:1, __proto__:{}, b:2, ['c']:3, __proto__:{}, d:3} threw exception SyntaxError: Attempted to redefine __proto__ property..
+PASS 'use strict';o = {a:1, __proto__:{}, b:2, ['c']:3, __proto__:{}, d:3} threw exception SyntaxError: Attempted to redefine __proto__ property..
+PASS (function(){o = {a:1, __proto__:{}, b:2, ['c']:3, __proto__:{}, d:3}})() threw exception SyntaxError: Attempted to redefine __proto__ property..
PASS successfullyParsed is true
TEST COMPLETE
Modified: trunk/LayoutTests/js/resources/JSON-parse.js (184639 => 184640)
--- trunk/LayoutTests/js/resources/JSON-parse.js 2015-05-20 16:18:03 UTC (rev 184639)
+++ trunk/LayoutTests/js/resources/JSON-parse.js 2015-05-20 16:54:09 UTC (rev 184640)
@@ -67,6 +67,8 @@
result.push(function(jsonObject){
return jsonObject.parse('{"__proto__":5}');
});
+ result[result.length - 1].jsonParseExpected = '{"__proto__":5}';
+ result[result.length - 1].evalExpected = '{}';
result.push(function(jsonObject){
return jsonObject.parse('{"a":5,}');
});
@@ -403,6 +405,8 @@
result.push(function(jsonObject){
return jsonObject.parse('{"__proto__":{"a":5}}', log);
});
+ result[result.length - 1].jsonParseExpected = '{"":{"__proto__":{"keyType":"string"}},"keyType":"string"}';
+ result[result.length - 1].evalExpected = '{"":{},"keyType":"string"}';
var logOrderString;
function logOrder(key, value) {
logOrderString += key +":"+JSON.stringify(value);
@@ -567,7 +571,12 @@
try { shouldBe('JSON.stringify(tests[i](nativeJSON))', "tests[i].expected") } catch(e) { debug("threw - " + e)}
else if (tests[i].unstringifiedExpected)
try { shouldBe('tests[i](nativeJSON)', "tests[i].unstringifiedExpected") } catch(e) { debug("threw - " + e)}
- else
+ else if (tests[i].evalExpected) {
+ debug("json2.js uses eval and will differ when parsing JSON with __proto__.");
+ try { shouldNotBe('JSON.stringify(tests[i](nativeJSON))', 'JSON.stringify(tests[i](JSON))') } catch(e) { debug("threw - " + e) };
+ try { shouldBe('JSON.stringify(tests[i](nativeJSON))', 'tests[i].jsonParseExpected') } catch(e) { debug("threw - " + e) };
+ try { shouldBe('JSON.stringify(tests[i](JSON))', 'tests[i].evalExpected') } catch(e) { debug("threw - " + e) };
+ } else
try { shouldBe('JSON.stringify(tests[i](nativeJSON))', 'JSON.stringify(tests[i](JSON))') } catch(e) { debug("threw - " + e) };
}catch(e){
debug(e);
Added: trunk/LayoutTests/js/script-tests/eval-json-proto.js (0 => 184640)
--- trunk/LayoutTests/js/script-tests/eval-json-proto.js (rev 0)
+++ trunk/LayoutTests/js/script-tests/eval-json-proto.js 2015-05-20 16:54:09 UTC (rev 184640)
@@ -0,0 +1,9 @@
+description("This test case checks different JSON literal constructions and ensures they handle __proto__ as expected.");
+
+shouldBeTrue("({__proto__:[]}) instanceof Array");
+
+evalResult = eval("({__proto__:[]})");
+shouldBeTrue("evalResult instanceof Array");
+
+jsonParseResult = JSON.parse('{"__proto__":[]}');
+shouldBeFalse("jsonParseResult instanceof Array");
Modified: trunk/LayoutTests/js/script-tests/object-literal-duplicate-properties.js (184639 => 184640)
--- trunk/LayoutTests/js/script-tests/object-literal-duplicate-properties.js 2015-05-20 16:18:03 UTC (rev 184639)
+++ trunk/LayoutTests/js/script-tests/object-literal-duplicate-properties.js 2015-05-20 16:54:09 UTC (rev 184640)
@@ -182,3 +182,27 @@
runTest("o = {set foo(x){}, ['foo']:3, set foo(x){}, foo:1}", "'value:1 keys:1 [ECW][Extensible]'");
runTest("o = {set foo(x){}, foo:1, get foo(){return 2}, ['foo']:3}", "'value:3 keys:1 [ECW][Extensible]'");
runTest("o = {get foo(){return 2}, get foo(){return 2}, ['foo']:3, foo:1}", "'value:1 keys:1 [ECW][Extensible]'");
+
+// __proto__ duplicates are not allowed.
+function runProtoTestShouldThrow(test) {
+ shouldThrow(test);
+ shouldThrow("'use strict';" + test);
+ shouldThrow("(function(){" + test + "})()");
+}
+function runProtoTestShouldNotThrow(test) {
+ shouldNotThrow(test);
+ shouldNotThrow("'use strict';" + test);
+ shouldNotThrow("(function(){" + test + "})()");
+}
+
+debug(""); debug("Duplicate simple __proto__ attributes are not allowed");
+runProtoTestShouldNotThrow("o = {__proto__:null}");
+runProtoTestShouldNotThrow("({__proto__:null, ['__proto__']:{}})");
+runProtoTestShouldNotThrow("o = {__proto__:null, ['__proto__']:{}}");
+runProtoTestShouldNotThrow("o = {__proto__:null, get __proto__(){}}");
+runProtoTestShouldNotThrow("var __proto__ = null; o = {__proto__:null, __proto__}");
+runProtoTestShouldThrow("({__proto__:[], __proto__:{}})");
+runProtoTestShouldThrow("o = {__proto__:null, '__proto__':{}}");
+runProtoTestShouldThrow("o = {__proto__:[], __proto__:{}}");
+runProtoTestShouldThrow("o = {'__proto__':{}, '__proto__':{}}");
+runProtoTestShouldThrow("o = {a:1, __proto__:{}, b:2, ['c']:3, __proto__:{}, d:3}");
Modified: trunk/Source/_javascript_Core/ChangeLog (184639 => 184640)
--- trunk/Source/_javascript_Core/ChangeLog 2015-05-20 16:18:03 UTC (rev 184639)
+++ trunk/Source/_javascript_Core/ChangeLog 2015-05-20 16:54:09 UTC (rev 184640)
@@ -1,3 +1,49 @@
+2015-05-20 Joseph Pecoraro <[email protected]>
+
+ ES6: Should not allow duplicate basic __proto__ properties in Object Literals
+ https://bugs.webkit.org/show_bug.cgi?id=145138
+
+ Reviewed by Darin Adler.
+
+ Implement ES6 Annex B.3.1, which disallows duplicate basic __proto__
+ properties in object literals. This doesn't affect computed properties,
+ shorthand properties, or getters/setters all of which avoid setting
+ the actual prototype of the object anyway.
+
+ * interpreter/Interpreter.cpp:
+ (JSC::eval):
+ Remove out of date comment. Duplicate property names are allowed
+ now in ES6, they were not in ES5 strict mode.
+
+ * parser/ASTBuilder.h:
+ (JSC::ASTBuilder::getName):
+ (JSC::ASTBuilder::getType):
+ * parser/SyntaxChecker.h:
+ (JSC::SyntaxChecker::getName):
+ Add back getName to get the property name depending on the tree builder.
+ Also tighten up the parameter types.
+
+ * runtime/LiteralParser.cpp:
+ (JSC::LiteralParser<CharType>::parse):
+ In quick JSON literal parsing for eval, we actually need to evaluate
+ the __proto__ property assignment, instead of just building up a list
+ of direct properties. Only do this when not doing a strict JSON parse.
+
+ * parser/Nodes.h:
+ Add "Shorthand" to the list of PropertyNode types to allow it to
+ be distinguished without relying on other information.
+
+ * parser/Parser.h:
+ * parser/Parser.cpp:
+ (JSC::Parser<LexerType>::parseProperty):
+ Add the Shorthand type when parsing a shorthand property.
+
+ (JSC::Parser<LexerType>::shouldCheckPropertyForUnderscoreProtoDuplicate):
+ (JSC::Parser<LexerType>::parseObjectLiteral):
+ (JSC::Parser<LexerType>::parseStrictObjectLiteral):
+ Check for duplicate __proto__ properties, and throw a SyntaxError
+ if that was the case.
+
2015-05-20 Csaba Osztrogonác <[email protected]>
[JSC] Add missing copyrights and licenses for some scripts
Modified: trunk/Source/_javascript_Core/interpreter/Interpreter.cpp (184639 => 184640)
--- trunk/Source/_javascript_Core/interpreter/Interpreter.cpp 2015-05-20 16:18:03 UTC (rev 184639)
+++ trunk/Source/_javascript_Core/interpreter/Interpreter.cpp 2015-05-20 16:54:09 UTC (rev 184640)
@@ -151,8 +151,6 @@
if (!eval) {
if (!callerCodeBlock->isStrictMode()) {
- // FIXME: We can use the preparser in strict mode, we just need additional logic
- // to prevent duplicates.
if (programSource.is8Bit()) {
LiteralParser<LChar> preparser(callFrame, programSource.characters8(), programSource.length(), NonStrictJSON);
if (JSValue parsedObject = preparser.tryLiteralParse())
Modified: trunk/Source/_javascript_Core/parser/ASTBuilder.h (184639 => 184640)
--- trunk/Source/_javascript_Core/parser/ASTBuilder.h 2015-05-20 16:18:03 UTC (rev 184639)
+++ trunk/Source/_javascript_Core/parser/ASTBuilder.h 2015-05-20 16:54:09 UTC (rev 184640)
@@ -719,9 +719,10 @@
assignmentStackDepth--;
return result;
}
-
- PropertyNode::Type getType(Property property) const { return property->type(); }
+ const Identifier* getName(const Property& property) const { return property->name(); }
+ PropertyNode::Type getType(const Property& property) const { return property->type(); }
+
bool isResolve(ExpressionNode* expr) const { return expr->isResolveNode(); }
ExpressionNode* createDeconstructingAssignment(const JSTokenLocation& location, PassRefPtr<DeconstructionPatternNode> pattern, ExpressionNode* initializer)
Modified: trunk/Source/_javascript_Core/parser/Nodes.h (184639 => 184640)
--- trunk/Source/_javascript_Core/parser/Nodes.h 2015-05-20 16:18:03 UTC (rev 184639)
+++ trunk/Source/_javascript_Core/parser/Nodes.h 2015-05-20 16:54:09 UTC (rev 184640)
@@ -580,7 +580,7 @@
class PropertyNode : public ParserArenaFreeable {
public:
- enum Type { Constant = 1, Getter = 2, Setter = 4, Computed = 8 };
+ enum Type { Constant = 1, Getter = 2, Setter = 4, Computed = 8, Shorthand = 16 };
enum PutType { Unknown, KnownDirect };
PropertyNode(const Identifier&, ExpressionNode*, Type, PutType, SuperBinding);
@@ -598,7 +598,7 @@
const Identifier* m_name;
ExpressionNode* m_expression;
ExpressionNode* m_assign;
- unsigned m_type : 4;
+ unsigned m_type : 5;
unsigned m_needsSuperBinding : 1;
unsigned m_putType : 1;
};
Modified: trunk/Source/_javascript_Core/parser/Parser.cpp (184639 => 184640)
--- trunk/Source/_javascript_Core/parser/Parser.cpp 2015-05-20 16:18:03 UTC (rev 184639)
+++ trunk/Source/_javascript_Core/parser/Parser.cpp 2015-05-20 16:54:09 UTC (rev 184640)
@@ -2035,7 +2035,7 @@
JSTokenLocation location(tokenLocation());
currentScope()->useVariable(ident, m_vm->propertyNames->eval == *ident);
TreeExpression node = context.createResolve(location, ident, start);
- return context.createProperty(ident, node, PropertyNode::Constant, PropertyNode::KnownDirect, complete);
+ return context.createProperty(ident, node, static_cast<PropertyNode::Type>(PropertyNode::Constant | PropertyNode::Shorthand), PropertyNode::KnownDirect, complete);
}
PropertyNode::Type type;
@@ -2135,14 +2135,27 @@
}
template <typename LexerType>
+template <class TreeBuilder> bool Parser<LexerType>::shouldCheckPropertyForUnderscoreProtoDuplicate(TreeBuilder& context, const TreeProperty& property)
+{
+ if (m_syntaxAlreadyValidated)
+ return false;
+
+ if (!context.getName(property))
+ return false;
+
+ // A Constant property that is not a Computed or Shorthand Constant property.
+ return context.getType(property) == PropertyNode::Constant;
+}
+
+template <typename LexerType>
template <class TreeBuilder> TreeExpression Parser<LexerType>::parseObjectLiteral(TreeBuilder& context)
{
auto savePoint = createSavePoint();
consumeOrFailWithFlags(OPENBRACE, TreeBuilder::DontBuildStrings, "Expected opening '{' at the start of an object literal");
- JSTokenLocation location(tokenLocation());
int oldNonLHSCount = m_nonLHSCount;
-
+
+ JSTokenLocation location(tokenLocation());
if (match(CLOSEBRACE)) {
next();
return context.createObjectLiteral(location);
@@ -2150,10 +2163,16 @@
TreeProperty property = parseProperty(context, false);
failIfFalse(property, "Cannot parse object literal property");
+
if (!m_syntaxAlreadyValidated && context.getType(property) & (PropertyNode::Getter | PropertyNode::Setter)) {
restoreSavePoint(savePoint);
return parseStrictObjectLiteral(context);
}
+
+ bool seenUnderscoreProto = false;
+ if (shouldCheckPropertyForUnderscoreProtoDuplicate(context, property))
+ seenUnderscoreProto = *context.getName(property) == m_vm->propertyNames->underscoreProto;
+
TreePropertyList propertyList = context.createPropertyList(location, property);
TreePropertyList tail = propertyList;
while (match(COMMA)) {
@@ -2167,6 +2186,12 @@
restoreSavePoint(savePoint);
return parseStrictObjectLiteral(context);
}
+ if (shouldCheckPropertyForUnderscoreProtoDuplicate(context, property)) {
+ if (*context.getName(property) == m_vm->propertyNames->underscoreProto) {
+ semanticFailIfTrue(seenUnderscoreProto, "Attempted to redefine __proto__ property");
+ seenUnderscoreProto = true;
+ }
+ }
tail = context.createPropertyList(propertyLocation, property, tail);
}
@@ -2193,7 +2218,11 @@
TreeProperty property = parseProperty(context, true);
failIfFalse(property, "Cannot parse object literal property");
-
+
+ bool seenUnderscoreProto = false;
+ if (shouldCheckPropertyForUnderscoreProtoDuplicate(context, property))
+ seenUnderscoreProto = *context.getName(property) == m_vm->propertyNames->underscoreProto;
+
TreePropertyList propertyList = context.createPropertyList(location, property);
TreePropertyList tail = propertyList;
while (match(COMMA)) {
@@ -2203,6 +2232,12 @@
JSTokenLocation propertyLocation(tokenLocation());
property = parseProperty(context, true);
failIfFalse(property, "Cannot parse object literal property");
+ if (shouldCheckPropertyForUnderscoreProtoDuplicate(context, property)) {
+ if (*context.getName(property) == m_vm->propertyNames->underscoreProto) {
+ semanticFailIfTrue(seenUnderscoreProto, "Attempted to redefine __proto__ property");
+ seenUnderscoreProto = true;
+ }
+ }
tail = context.createPropertyList(propertyLocation, property, tail);
}
Modified: trunk/Source/_javascript_Core/parser/Parser.h (184639 => 184640)
--- trunk/Source/_javascript_Core/parser/Parser.h 2015-05-20 16:18:03 UTC (rev 184639)
+++ trunk/Source/_javascript_Core/parser/Parser.h 2015-05-20 16:54:09 UTC (rev 184640)
@@ -784,6 +784,8 @@
template <class TreeBuilder> NEVER_INLINE typename TreeBuilder::TemplateLiteral parseTemplateLiteral(TreeBuilder&, typename LexerType::RawStringsBuildMode);
#endif
+ template <class TreeBuilder> ALWAYS_INLINE bool shouldCheckPropertyForUnderscoreProtoDuplicate(TreeBuilder&, const TreeProperty&);
+
ALWAYS_INLINE int isBinaryOperator(JSTokenType);
bool allowAutomaticSemicolon();
Modified: trunk/Source/_javascript_Core/parser/SyntaxChecker.h (184639 => 184640)
--- trunk/Source/_javascript_Core/parser/SyntaxChecker.h 2015-05-20 16:18:03 UTC (rev 184639)
+++ trunk/Source/_javascript_Core/parser/SyntaxChecker.h 2015-05-20 16:54:09 UTC (rev 184640)
@@ -293,6 +293,7 @@
void assignmentStackAppend(int, int, int, int, int, Operator) { }
int createAssignment(const JSTokenLocation&, int, int, int, int, int) { RELEASE_ASSERT_NOT_REACHED(); return AssignmentExpr; }
+ const Identifier* getName(const Property& property) const { return property.name; }
PropertyNode::Type getType(const Property& property) const { return property.type; }
bool isResolve(ExpressionType expr) const { return expr == ResolveExpr || expr == ResolveEvalExpr; }
ExpressionType createDeconstructingAssignment(const JSTokenLocation&, int, ExpressionType)
Modified: trunk/Source/_javascript_Core/runtime/LiteralParser.cpp (184639 => 184640)
--- trunk/Source/_javascript_Core/runtime/LiteralParser.cpp 2015-05-20 16:18:03 UTC (rev 184639)
+++ trunk/Source/_javascript_Core/runtime/LiteralParser.cpp 2015-05-20 16:54:09 UTC (rev 184640)
@@ -548,6 +548,7 @@
JSValue lastValue;
Vector<ParserState, 16, UnsafeVectorOverflow> stateStack;
Vector<Identifier, 16, UnsafeVectorOverflow> identifierStack;
+ HashSet<JSObject*> visitedUnderscoreProto;
while (1) {
switch(state) {
startParseArray:
@@ -649,10 +650,20 @@
{
JSObject* object = asObject(objectStack.last());
PropertyName ident = identifierStack.last();
- if (Optional<uint32_t> index = parseIndex(ident))
- object->putDirectIndex(m_exec, index.value(), lastValue);
- else
- object->putDirect(m_exec->vm(), ident, lastValue);
+ if (m_mode != StrictJSON && ident == m_exec->vm().propertyNames->underscoreProto) {
+ if (!visitedUnderscoreProto.add(object).isNewEntry) {
+ m_parseErrorMessage = ASCIILiteral("Attempted to redefine __proto__ property");
+ return JSValue();
+ }
+ CodeBlock* codeBlock = m_exec->codeBlock();
+ PutPropertySlot slot(object, codeBlock ? codeBlock->isStrictMode() : false);
+ objectStack.last().put(m_exec, ident, lastValue, slot);
+ } else {
+ if (Optional<uint32_t> index = parseIndex(ident))
+ object->putDirectIndex(m_exec, index.value(), lastValue);
+ else
+ object->putDirect(m_exec->vm(), ident, lastValue);
+ }
identifierStack.removeLast();
if (m_lexer.currentToken().type == TokComma)
goto doParseObjectStartExpression;
