Diff
Modified: trunk/Source/_javascript_Core/ChangeLog (197969 => 197970)
--- trunk/Source/_javascript_Core/ChangeLog 2016-03-11 00:42:18 UTC (rev 197969)
+++ trunk/Source/_javascript_Core/ChangeLog 2016-03-11 00:43:46 UTC (rev 197970)
@@ -1,3 +1,45 @@
+2016-03-10 Saam barati <[email protected]>
+
+ [ES6] Instanceof isn't spec compliant when the RHS is a Proxy with a target that is a function
+ https://bugs.webkit.org/show_bug.cgi?id=155329
+
+ Reviewed by Mark Lam.
+
+ We use type info flags on the structure to dictate whether or not
+ the RHS of an instanceof is a valid RHS (i.e, a function). The solution
+ to make Proxy a valid RHS when the Proxy's target is callable is to have
+ two different structures for ProxyObject: one for a non-callable target
+ and one for a callable target.
+
+ * runtime/JSGlobalObject.cpp:
+ (JSC::JSGlobalObject::init):
+ (JSC::JSGlobalObject::visitChildren):
+ * runtime/JSGlobalObject.h:
+ (JSC::JSGlobalObject::moduleRecordStructure):
+ (JSC::JSGlobalObject::moduleNamespaceObjectStructure):
+ (JSC::JSGlobalObject::proxyObjectStructure):
+ (JSC::JSGlobalObject::callableProxyObjectStructure):
+ (JSC::JSGlobalObject::proxyRevokeStructure):
+ (JSC::JSGlobalObject::wasmModuleStructure):
+ * runtime/ProxyConstructor.cpp:
+ (JSC::makeRevocableProxy):
+ (JSC::constructProxyObject):
+ (JSC::ProxyConstructor::getConstructData):
+ * runtime/ProxyObject.cpp:
+ (JSC::ProxyObject::ProxyObject):
+ (JSC::ProxyObject::structureForTarget):
+ (JSC::ProxyObject::finishCreation):
+ * runtime/ProxyObject.h:
+ (JSC::ProxyObject::create):
+ (JSC::ProxyObject::createStructure):
+ * tests/es6.yaml:
+ * tests/stress/proxy-instanceof.js: Added.
+ (assert):
+ (test):
+ (C):
+ (test.let.handler.get if):
+ (test.let.handler):
+
2016-03-10 Michael Saboff <[email protected]>
[ES6] RegExp sticky flag should be ignored in String.match when global flag is given
Modified: trunk/Source/_javascript_Core/runtime/JSGlobalObject.cpp (197969 => 197970)
--- trunk/Source/_javascript_Core/runtime/JSGlobalObject.cpp 2016-03-11 00:42:18 UTC (rev 197969)
+++ trunk/Source/_javascript_Core/runtime/JSGlobalObject.cpp 2016-03-11 00:43:46 UTC (rev 197970)
@@ -370,7 +370,12 @@
m_moduleRecordStructure.set(vm, this, JSModuleRecord::createStructure(vm, this, m_objectPrototype.get()));
m_moduleNamespaceObjectStructure.set(vm, this, JSModuleNamespaceObject::createStructure(vm, this, jsNull()));
- m_proxyObjectStructure.set(vm, this, ProxyObject::createStructure(vm, this, m_objectPrototype.get()));
+ {
+ bool isCallable = false;
+ m_proxyObjectStructure.set(vm, this, ProxyObject::createStructure(vm, this, m_objectPrototype.get(), isCallable));
+ isCallable = true;
+ m_callableProxyObjectStructure.set(vm, this, ProxyObject::createStructure(vm, this, m_objectPrototype.get(), isCallable));
+ }
m_proxyRevokeStructure.set(vm, this, ProxyRevoke::createStructure(vm, this, m_functionPrototype.get()));
#if ENABLE(WEBASSEMBLY)
@@ -913,6 +918,7 @@
visitor.append(&thisObject->m_dollarVMStructure);
visitor.append(&thisObject->m_internalFunctionStructure);
visitor.append(&thisObject->m_proxyObjectStructure);
+ visitor.append(&thisObject->m_callableProxyObjectStructure);
visitor.append(&thisObject->m_proxyRevokeStructure);
#if ENABLE(WEBASSEMBLY)
visitor.append(&thisObject->m_wasmModuleStructure);
Modified: trunk/Source/_javascript_Core/runtime/JSGlobalObject.h (197969 => 197970)
--- trunk/Source/_javascript_Core/runtime/JSGlobalObject.h 2016-03-11 00:42:18 UTC (rev 197969)
+++ trunk/Source/_javascript_Core/runtime/JSGlobalObject.h 2016-03-11 00:43:46 UTC (rev 197970)
@@ -282,6 +282,7 @@
WriteBarrier<Structure> m_moduleRecordStructure;
WriteBarrier<Structure> m_moduleNamespaceObjectStructure;
WriteBarrier<Structure> m_proxyObjectStructure;
+ WriteBarrier<Structure> m_callableProxyObjectStructure;
WriteBarrier<Structure> m_proxyRevokeStructure;
#if ENABLE(WEBASSEMBLY)
WriteBarrier<Structure> m_wasmModuleStructure;
@@ -536,6 +537,7 @@
Structure* moduleRecordStructure() const { return m_moduleRecordStructure.get(); }
Structure* moduleNamespaceObjectStructure() const { return m_moduleNamespaceObjectStructure.get(); }
Structure* proxyObjectStructure() const { return m_proxyObjectStructure.get(); }
+ Structure* callableProxyObjectStructure() const { return m_callableProxyObjectStructure.get(); }
Structure* proxyRevokeStructure() const { return m_proxyRevokeStructure.get(); }
#if ENABLE(WEBASSEMBLY)
Structure* wasmModuleStructure() const { return m_wasmModuleStructure.get(); }
Modified: trunk/Source/_javascript_Core/runtime/ProxyConstructor.cpp (197969 => 197970)
--- trunk/Source/_javascript_Core/runtime/ProxyConstructor.cpp 2016-03-11 00:42:18 UTC (rev 197969)
+++ trunk/Source/_javascript_Core/runtime/ProxyConstructor.cpp 2016-03-11 00:43:46 UTC (rev 197970)
@@ -63,7 +63,7 @@
ArgList args(exec);
JSValue target = args.at(0);
JSValue handler = args.at(1);
- ProxyObject* proxy = ProxyObject::create(exec, exec->lexicalGlobalObject()->proxyObjectStructure(), target, handler);
+ ProxyObject* proxy = ProxyObject::create(exec, exec->lexicalGlobalObject(), target, handler);
if (vm.exception())
return JSValue::encode(JSValue());
ProxyRevoke* revoke = ProxyRevoke::create(vm, exec->lexicalGlobalObject()->proxyRevokeStructure(), proxy);
@@ -100,7 +100,7 @@
ArgList args(exec);
JSValue target = args.at(0);
JSValue handler = args.at(1);
- return JSValue::encode(ProxyObject::create(exec, exec->lexicalGlobalObject()->proxyObjectStructure(), target, handler));
+ return JSValue::encode(ProxyObject::create(exec, exec->lexicalGlobalObject(), target, handler));
}
ConstructType ProxyConstructor::getConstructData(JSCell*, ConstructData& constructData)
Modified: trunk/Source/_javascript_Core/runtime/ProxyObject.cpp (197969 => 197970)
--- trunk/Source/_javascript_Core/runtime/ProxyObject.cpp 2016-03-11 00:42:18 UTC (rev 197969)
+++ trunk/Source/_javascript_Core/runtime/ProxyObject.cpp 2016-03-11 00:43:46 UTC (rev 197970)
@@ -45,6 +45,17 @@
{
}
+Structure* ProxyObject::structureForTarget(JSGlobalObject* globalObject, JSValue target)
+{
+ if (!target.isObject())
+ return globalObject->proxyObjectStructure();
+
+ JSObject* targetAsObject = jsCast<JSObject*>(target);
+ CallData ignoredCallData;
+ bool isCallable = targetAsObject->methodTable()->getCallData(targetAsObject, ignoredCallData) != CallType::None;
+ return isCallable ? globalObject->callableProxyObjectStructure() : globalObject->proxyObjectStructure();
+}
+
void ProxyObject::finishCreation(VM& vm, ExecState* exec, JSValue target, JSValue handler)
{
Base::finishCreation(vm);
@@ -67,6 +78,10 @@
CallData ignoredCallData;
m_isCallable = targetAsObject->methodTable(vm)->getCallData(targetAsObject, ignoredCallData) != CallType::None;
+ if (m_isCallable) {
+ TypeInfo info = structure(vm)->typeInfo();
+ RELEASE_ASSERT(info.implementsHasInstance() && info.implementsDefaultHasInstance());
+ }
ConstructData ignoredConstructData;
m_isConstructible = jsCast<JSObject*>(target)->methodTable(vm)->getConstructData(jsCast<JSObject*>(target), ignoredConstructData) != ConstructType::None;
Modified: trunk/Source/_javascript_Core/runtime/ProxyObject.h (197969 => 197970)
--- trunk/Source/_javascript_Core/runtime/ProxyObject.h 2016-03-11 00:42:18 UTC (rev 197969)
+++ trunk/Source/_javascript_Core/runtime/ProxyObject.h 2016-03-11 00:43:46 UTC (rev 197970)
@@ -40,17 +40,20 @@
// property name enumeration caching.
const static unsigned StructureFlags = Base::StructureFlags | OverridesGetOwnPropertySlot | TypeOfShouldCallGetCallData | InterceptsGetOwnPropertySlotByIndexEvenWhenLengthIsNotZero | OverridesGetPropertyNames | ProhibitsPropertyCaching;
- static ProxyObject* create(ExecState* exec, Structure* structure, JSValue target, JSValue handler)
+ static ProxyObject* create(ExecState* exec, JSGlobalObject* globalObject, JSValue target, JSValue handler)
{
VM& vm = exec->vm();
- ProxyObject* proxy = new (NotNull, allocateCell<ProxyObject>(vm.heap)) ProxyObject(vm, structure);
+ ProxyObject* proxy = new (NotNull, allocateCell<ProxyObject>(vm.heap)) ProxyObject(vm, ProxyObject::structureForTarget(globalObject, target));
proxy->finishCreation(vm, exec, target, handler);
return proxy;
}
- static Structure* createStructure(VM& vm, JSGlobalObject* globalObject, JSValue prototype)
+ static Structure* createStructure(VM& vm, JSGlobalObject* globalObject, JSValue prototype, bool isCallable)
{
- Structure* result = Structure::create(vm, globalObject, prototype, TypeInfo(ProxyObjectType, StructureFlags), info(), NonArray | MayHaveIndexedAccessors);
+ unsigned flags = StructureFlags;
+ if (isCallable)
+ flags |= (ImplementsHasInstance | ImplementsDefaultHasInstance);
+ Structure* result = Structure::create(vm, globalObject, prototype, TypeInfo(ProxyObjectType, flags), info(), NonArray | MayHaveIndexedAccessors);
result->setIsQuickPropertyAccessAllowedForEnumeration(false);
RELEASE_ASSERT(!result->canAccessPropertiesQuicklyForEnumeration());
RELEASE_ASSERT(!result->canCachePropertyNameEnumerator());
@@ -72,6 +75,7 @@
private:
ProxyObject(VM&, Structure*);
void finishCreation(VM&, ExecState*, JSValue target, JSValue handler);
+ static Structure* structureForTarget(JSGlobalObject*, JSValue target);
static bool getOwnPropertySlot(JSObject*, ExecState*, PropertyName, PropertySlot&);
static bool getOwnPropertySlotByIndex(JSObject*, ExecState*, unsigned propertyName, PropertySlot&);
Modified: trunk/Source/_javascript_Core/tests/es6.yaml (197969 => 197970)
--- trunk/Source/_javascript_Core/tests/es6.yaml 2016-03-11 00:42:18 UTC (rev 197969)
+++ trunk/Source/_javascript_Core/tests/es6.yaml 2016-03-11 00:43:46 UTC (rev 197970)
@@ -979,7 +979,7 @@
- path: es6/Proxy_internal_get_calls_HasBinding.js
cmd: runES6 :normal
- path: es6/Proxy_internal_get_calls_instanceof_operator.js
- cmd: runES6 :fail
+ cmd: runES6 :normal
- path: es6/Proxy_internal_get_calls_IteratorComplete_IteratorValue.js
cmd: runES6 :normal
- path: es6/Proxy_internal_get_calls_JSON.stringify.js
Added: trunk/Source/_javascript_Core/tests/stress/proxy-instanceof.js (0 => 197970)
--- trunk/Source/_javascript_Core/tests/stress/proxy-instanceof.js (rev 0)
+++ trunk/Source/_javascript_Core/tests/stress/proxy-instanceof.js 2016-03-11 00:43:46 UTC (rev 197970)
@@ -0,0 +1,39 @@
+function assert(b) {
+ if (!b)
+ throw new Error("Bad assertion");
+}
+
+function test(f) {
+ for (let i = 0; i < 1000; i++)
+ f();
+}
+
+let constructors = [Error, String, RegExp, function() {}, class C {}];
+
+for (let constructor of constructors) {
+ test(function() {
+ let proxy = new Proxy(constructor, {});
+ assert(new constructor instanceof proxy);
+ });
+}
+
+test(function() {
+ let called = false;
+ let proxy = new Proxy(function(){ called = true; }, {});
+ assert(new proxy instanceof proxy);
+ assert(called);
+});
+
+test(function() {
+ let called = false;
+ let handler = {
+ get: function(target, prop) {
+ if (prop === "prototype")
+ return {};
+ return target[prop];
+ }
+ };
+ let proxy = new Proxy(function(){ called = true; }, handler);
+ assert(!(new proxy instanceof proxy));
+ assert(called);
+});
