Diff
Modified: trunk/LayoutTests/ChangeLog (198710 => 198711)
--- trunk/LayoutTests/ChangeLog 2016-03-26 04:37:17 UTC (rev 198710)
+++ trunk/LayoutTests/ChangeLog 2016-03-26 05:31:22 UTC (rev 198711)
@@ -1,3 +1,15 @@
+2016-03-25 Joseph Pecoraro <[email protected]>
+
+ Date.prototype.toLocaleDateString uses overridable Object.create
+ https://bugs.webkit.org/show_bug.cgi?id=155917
+
+ Reviewed by Mark Lam.
+
+ * js/regress-155917-expected.txt: Added.
+ * js/regress-155917.html: Added.
+ * js/script-tests/regress-155917.js: Added.
+ (Object.create):
+
2016-03-25 Jer Noble <[email protected]>
[Mac] Audio tracks in alternate groups are not represented correctly as AudioTracks
Added: trunk/LayoutTests/js/regress-155917-expected.txt (0 => 198711)
--- trunk/LayoutTests/js/regress-155917-expected.txt (rev 0)
+++ trunk/LayoutTests/js/regress-155917-expected.txt 2016-03-26 05:31:22 UTC (rev 198711)
@@ -0,0 +1,9 @@
+Regression test for https://webkit.org/b/155917. This test should run without throwing an exception.
+
+On success, you will see a series of "PASS" messages, followed by "TEST COMPLETE".
+
+
+PASS successfullyParsed is true
+
+TEST COMPLETE
+
Added: trunk/LayoutTests/js/regress-155917.html (0 => 198711)
--- trunk/LayoutTests/js/regress-155917.html (rev 0)
+++ trunk/LayoutTests/js/regress-155917.html 2016-03-26 05:31:22 UTC (rev 198711)
@@ -0,0 +1,10 @@
+<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML//EN">
+<html>
+<head>
+<script src=""
+</head>
+<body>
+<script src=""
+<script src=""
+</body>
+</html>
Added: trunk/LayoutTests/js/script-tests/regress-155917.js (0 => 198711)
--- trunk/LayoutTests/js/script-tests/regress-155917.js (rev 0)
+++ trunk/LayoutTests/js/script-tests/regress-155917.js 2016-03-26 05:31:22 UTC (rev 198711)
@@ -0,0 +1,11 @@
+description(
+"Regression test for https://webkit.org/b/155917. This test should run without throwing an exception."
+);
+
+Object.create = function() {
+ throw "User defined Object.create should not be used by Date.prototype methods.";
+};
+
+(new Date).toLocaleString();
+(new Date).toLocaleDateString();
+(new Date).toLocaleTimeString();
Modified: trunk/Source/_javascript_Core/ChangeLog (198710 => 198711)
--- trunk/Source/_javascript_Core/ChangeLog 2016-03-26 04:37:17 UTC (rev 198710)
+++ trunk/Source/_javascript_Core/ChangeLog 2016-03-26 05:31:22 UTC (rev 198711)
@@ -1,3 +1,22 @@
+2016-03-25 Joseph Pecoraro <[email protected]>
+
+ Date.prototype.toLocaleDateString uses overridable Object.create
+ https://bugs.webkit.org/show_bug.cgi?id=155917
+
+ Reviewed by Mark Lam.
+
+ * builtins/DatePrototype.js:
+ (toLocaleString.toDateTimeOptionsAnyAll):
+ (toLocaleDateString.toDateTimeOptionsDateDate):
+ (toLocaleTimeString.toDateTimeOptionsTimeTime):
+ Switch from @Object.create to @Object.@create to guarentee we are
+ using the built-in create method and not user defined code.
+
+ * runtime/CommonIdentifiers.h:
+ * runtime/ObjectConstructor.cpp:
+ (JSC::ObjectConstructor::finishCreation):
+ Setup the @create private symbol.
+
2016-03-25 Benjamin Poulain <[email protected]>
[JSC] Put the x86 Assembler on a binary diet
Modified: trunk/Source/_javascript_Core/builtins/DatePrototype.js (198710 => 198711)
--- trunk/Source/_javascript_Core/builtins/DatePrototype.js 2016-03-26 04:37:17 UTC (rev 198710)
+++ trunk/Source/_javascript_Core/builtins/DatePrototype.js 2016-03-26 05:31:22 UTC (rev 198711)
@@ -55,7 +55,7 @@
// Only create descendant if it will have own properties.
if (needsDefaults) {
- options = @Object.create(options)
+ options = @Object.@create(options);
options.year = "numeric";
options.month = "numeric";
options.day = "numeric";
@@ -109,7 +109,7 @@
// Only create descendant if it will have own properties.
if (needsDefaults) {
- options = @Object.create(options)
+ options = @Object.@create(options);
options.year = "numeric";
options.month = "numeric";
options.day = "numeric";
@@ -158,7 +158,7 @@
// Only create descendant if it will have own properties.
if (needsDefaults) {
- options = @Object.create(options)
+ options = @Object.@create(options);
options.hour = "numeric";
options.minute = "numeric";
options.second = "numeric";
Modified: trunk/Source/_javascript_Core/runtime/CommonIdentifiers.h (198710 => 198711)
--- trunk/Source/_javascript_Core/runtime/CommonIdentifiers.h 2016-03-26 04:37:17 UTC (rev 198710)
+++ trunk/Source/_javascript_Core/runtime/CommonIdentifiers.h 2016-03-26 05:31:22 UTC (rev 198711)
@@ -317,6 +317,7 @@
macro(floor) \
macro(isFinite) \
macro(isNaN) \
+ macro(create) \
macro(getPrototypeOf) \
macro(getOwnPropertyDescriptor) \
macro(getOwnPropertyNames) \
Modified: trunk/Source/_javascript_Core/runtime/ObjectConstructor.cpp (198710 => 198711)
--- trunk/Source/_javascript_Core/runtime/ObjectConstructor.cpp 2016-03-26 04:37:17 UTC (rev 198710)
+++ trunk/Source/_javascript_Core/runtime/ObjectConstructor.cpp 2016-03-26 05:31:22 UTC (rev 198711)
@@ -99,6 +99,7 @@
// no. of arguments for constructor
putDirectWithoutTransition(vm, vm.propertyNames->length, jsNumber(1), ReadOnly | DontEnum | DontDelete);
+ JSC_NATIVE_FUNCTION_WITHOUT_TRANSITION(vm.propertyNames->createPrivateName, objectConstructorCreate, DontEnum, 2);
JSC_NATIVE_FUNCTION_WITHOUT_TRANSITION(vm.propertyNames->getPrototypeOfPrivateName, objectConstructorGetPrototypeOf, DontEnum, 1);
JSC_NATIVE_FUNCTION_WITHOUT_TRANSITION(vm.propertyNames->getOwnPropertyNamesPrivateName, objectConstructorGetOwnPropertyNames, DontEnum, 1);
}
