Changeset 204166 in webkit

Timestamp:

Aug 5, 2016, 4:25:28 AM (9 years ago)

Author:

commit-queue@webkit.org

Message:

Unreviewed, rolling out r203935.
​https://bugs.webkit.org/show_bug.cgi?id=160596

looks like a 1-2% PLUM regression on iPhone 6s (Requested by
kling_ on #webkit).

Reverted changeset:

"Window's named properties should be exposed on a
WindowProperties object in its prototype"
​https://bugs.webkit.org/show_bug.cgi?id=160354
​http://trac.webkit.org/changeset/203935

Location:

trunk

Files:

• LayoutTests/ChangeLog (modified) (1 diff)
• LayoutTests/fast/dom/Window/es52-globals-expected.txt (modified) (1 diff)
• LayoutTests/fast/dom/Window/es52-globals.html (modified) (1 diff)
• LayoutTests/fast/loader/window-clearing-expected.txt (modified) (1 diff)
• LayoutTests/http/tests/security/window-named-proto-expected.txt (modified) (1 diff)
• LayoutTests/http/tests/security/window-named-valueOf-expected.txt (modified) (1 diff)
• LayoutTests/http/tests/security/window-named-valueOf.html (modified) (1 diff)
• LayoutTests/imported/w3c/ChangeLog (modified) (1 diff)
• LayoutTests/imported/w3c/web-platform-tests/html/dom/interfaces-expected.txt (modified) (1 diff)
• Source/WebCore/CMakeLists.txt (modified) (1 diff)
• Source/WebCore/ChangeLog (modified) (1 diff)
• Source/WebCore/WebCore.xcodeproj/project.pbxproj (modified) (6 diffs)
• Source/WebCore/bindings/js/JSBindingsAllInOne.cpp (modified) (1 diff)
• Source/WebCore/bindings/js/JSDOMWindowCustom.cpp (modified) (4 diffs)
• Source/WebCore/bindings/js/JSDOMWindowProperties.cpp (deleted)
• Source/WebCore/bindings/js/JSDOMWindowProperties.h (deleted)
• Source/WebCore/bindings/js/JSDOMWindowShell.cpp (modified) (2 diffs)

trunk/LayoutTests/ChangeLog

@@ +1 @@
+2016-08-05  Commit Queue  <commit-queue@webkit.org>
+
+        Unreviewed, rolling out r203935.
+        https://bugs.webkit.org/show_bug.cgi?id=160596
+
+        looks like a 1-2% PLUM regression on iPhone 6s (Requested by
+        kling_ on #webkit).
+
+        Reverted changeset:
+
+        "Window's named properties should be exposed on a
+        WindowProperties object in its prototype"
+        https://bugs.webkit.org/show_bug.cgi?id=160354
+        http://trac.webkit.org/changeset/203935
+
 2016-08-05  Youenn Fablet  <youenn@apple.com>
 

trunk/LayoutTests/fast/dom/Window/es52-globals-expected.txt

@@ -2 +2 @@
 PASS window.hasOwnProperty("x") is true
 PASS window.hasOwnProperty("y") is false
-PASS window.hasOwnProperty("f") is false
-PASS window.__proto__.__proto__.hasOwnProperty("f") is true
-PASS window.hasOwnProperty("div") is false
-PASS window.__proto__.__proto__.hasOwnProperty("div") is true
-PASS window.hasOwnProperty("a") is false
+PASS window.hasOwnProperty("f") is true
+PASS window.hasOwnProperty("div") is true
+FAIL window.hasOwnProperty("a") should be true. Was false.
 PASS Element is not undefined
 PASS x is 1

trunk/LayoutTests/fast/dom/Window/es52-globals.html

@@ -15 +15 @@
 shouldBeTrue('window.hasOwnProperty("x")');
 shouldBeFalse('window.hasOwnProperty("y")');
-shouldBeFalse('window.hasOwnProperty("f")');
-shouldBeTrue('window.__proto__.__proto__.hasOwnProperty("f")');
-shouldBeFalse('window.hasOwnProperty("div")');
-shouldBeTrue('window.__proto__.__proto__.hasOwnProperty("div")');
-shouldBeFalse('window.hasOwnProperty("a")');
+shouldBeTrue('window.hasOwnProperty("f")');
+shouldBeTrue('window.hasOwnProperty("div")');
+shouldBeTrue('window.hasOwnProperty("a")');
 
 </script>

trunk/LayoutTests/fast/loader/window-clearing-expected.txt

@@ -10 +10 @@
 
 PASS: element 3 in the window's prototype chain was cleared
-
-PASS: element 4 in the window's prototype chain was cleared

trunk/LayoutTests/http/tests/security/window-named-proto-expected.txt

@@ -1 @@
-CONSOLE MESSAGE: line 2: TypeError: null is not an object (evaluating 'document.body.innerHTML')
+CONSOLE MESSAGE: line 1: Blocked a frame with origin "null" from accessing a frame with origin "http://localhost:8080".  The frame requesting access has a protocol of "data", the frame being accessed has a protocol of "http". Protocols must match.
 
+CONSOLE MESSAGE: line 1: TypeError: undefined is not an object (evaluating 'parent.__proto__.alert')
+

trunk/LayoutTests/http/tests/security/window-named-valueOf-expected.txt

@@ -1 @@
-CONSOLE MESSAGE: line 1: Threw exception: TypeError: Illegal constructor
+CONSOLE MESSAGE: line 1: Blocked a frame with origin "null" from accessing a frame with origin "http://localhost:8080".  The frame requesting access has a protocol of "data", the frame being accessed has a protocol of "http". Protocols must match.
+
+CONSOLE MESSAGE: line 1: Blocked a frame with origin "null" from accessing a frame with origin "http://localhost:8080".  The frame requesting access has a protocol of "data", the frame being accessed has a protocol of "http". Protocols must match.
+
 This passes if it doesn't alert the contents of innocent-victim.  

trunk/LayoutTests/http/tests/security/window-named-valueOf.html

@@ -24 +24 @@
                 alert(obj.valueOf.constructor("return document.body.innerHTML")());
             } catch(ex) {
-               console.log("Threw exception: " + ex)
             }
             if (window.testRunner)

trunk/LayoutTests/imported/w3c/ChangeLog

@@ +1 @@
+2016-08-05  Commit Queue  <commit-queue@webkit.org>
+
+        Unreviewed, rolling out r203935.
+        https://bugs.webkit.org/show_bug.cgi?id=160596
+
+        looks like a 1-2% PLUM regression on iPhone 6s (Requested by
+        kling_ on #webkit).
+
+        Reverted changeset:
+
+        "Window's named properties should be exposed on a
+        WindowProperties object in its prototype"
+        https://bugs.webkit.org/show_bug.cgi?id=160354
+        http://trac.webkit.org/changeset/203935
+
 2016-08-05  Youenn Fablet  <youenn@apple.com>
 

trunk/LayoutTests/imported/w3c/web-platform-tests/html/dom/interfaces-expected.txt

@@ -5160 +5160 @@
 PASS Window interface object length 
 PASS Window interface object name 
-PASS Window interface: existence and properties of interface prototype object 
+FAIL Window interface: existence and properties of interface prototype object assert_equals: Class name for prototype of Window.prototype is not "WindowProperties" expected "[object WindowProperties]" but got "[object EventTargetPrototype]"
 PASS Window interface: existence and properties of interface prototype object's "constructor" property 
 PASS Window interface: attribute self 

trunk/Source/WebCore/CMakeLists.txt

@@ -1134 +1134 @@
     bindings/js/JSDOMWindowBase.cpp
     bindings/js/JSDOMWindowCustom.cpp
-    bindings/js/JSDOMWindowProperties.cpp
     bindings/js/JSDOMWindowShell.cpp
     bindings/js/JSDOMWrapper.cpp

trunk/Source/WebCore/ChangeLog

@@ +1 @@
+2016-08-05  Commit Queue  <commit-queue@webkit.org>
+
+        Unreviewed, rolling out r203935.
+        https://bugs.webkit.org/show_bug.cgi?id=160596
+
+        looks like a 1-2% PLUM regression on iPhone 6s (Requested by
+        kling_ on #webkit).
+
+        Reverted changeset:
+
+        "Window's named properties should be exposed on a
+        WindowProperties object in its prototype"
+        https://bugs.webkit.org/show_bug.cgi?id=160354
+        http://trac.webkit.org/changeset/203935
+
 2016-08-05  Youenn Fablet  <youenn@apple.com>
 

trunk/Source/WebCore/WebCore.xcodeproj/project.pbxproj

@@ -1787 +1787 @@
                 460BB6151D0A1BF000221812 /* Base64Utilities.cpp in Sources */ = {isa = PBXBuildFile; fileRef = 460BB6131D0A1BEC00221812 /* Base64Utilities.cpp */; };
                 460BB6161D0A1BF000221812 /* Base64Utilities.h in Headers */ = {isa = PBXBuildFile; fileRef = 460BB6141D0A1BEC00221812 /* Base64Utilities.h */; settings = {ATTRIBUTES = (Private, ); }; };
-                460CBF351D4BCD0E0092E88E /* JSDOMWindowProperties.cpp in Sources */ = {isa = PBXBuildFile; fileRef = 460CBF331D4BCCFE0092E88E /* JSDOMWindowProperties.cpp */; };
-                460CBF361D4BCD0E0092E88E /* JSDOMWindowProperties.h in Headers */ = {isa = PBXBuildFile; fileRef = 460CBF341D4BCCFE0092E88E /* JSDOMWindowProperties.h */; };
                 4634592C1AC2271000ECB71C /* PowerObserverMac.cpp in Sources */ = {isa = PBXBuildFile; fileRef = 4634592B1AC2271000ECB71C /* PowerObserverMac.cpp */; };
                 463EB6221B8789E00096ED51 /* TagCollection.cpp in Sources */ = {isa = PBXBuildFile; fileRef = 463EB6201B8789CB0096ED51 /* TagCollection.cpp */; };
@@ -9089 +9087 @@
                 460BB6131D0A1BEC00221812 /* Base64Utilities.cpp */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.cpp.cpp; path = Base64Utilities.cpp; sourceTree = "<group>"; };
                 460BB6141D0A1BEC00221812 /* Base64Utilities.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; path = Base64Utilities.h; sourceTree = "<group>"; };
-                460CBF331D4BCCFE0092E88E /* JSDOMWindowProperties.cpp */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.cpp.cpp; path = JSDOMWindowProperties.cpp; sourceTree = "<group>"; };
-                460CBF341D4BCCFE0092E88E /* JSDOMWindowProperties.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; path = JSDOMWindowProperties.h; sourceTree = "<group>"; };
                 4634592B1AC2271000ECB71C /* PowerObserverMac.cpp */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.cpp.cpp; path = PowerObserverMac.cpp; sourceTree = "<group>"; };
                 463EB6201B8789CB0096ED51 /* TagCollection.cpp */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.cpp.cpp; path = TagCollection.cpp; sourceTree = "<group>"; };
@@ -17762 +17758 @@
                                 9767CE09145ABC12005E64DB /* ExceptionHeaders.h */,
                                 9767CE0A145ABC13005E64DB /* ExceptionInterfaces.h */,
+                                9908B0FD1BCAD07D00ED0F45 /* FetchInternalsBuiltins.cpp */,
                                 9B03D8061BB3110D00B764B9 /* FetchInternalsBuiltins.h */,
                                 A17C81200F2A5CF7005DAAEB /* HTMLElementFactory.cpp */,
@@ -21939 +21936 @@
                                 BC6932710D7E293900AE44D1 /* JSDOMWindowBase.cpp */,
                                 BC6932720D7E293900AE44D1 /* JSDOMWindowBase.h */,
-                                460CBF331D4BCCFE0092E88E /* JSDOMWindowProperties.cpp */,
-                                460CBF341D4BCCFE0092E88E /* JSDOMWindowProperties.h */,
                                 BCBFB53A0DCD29CF0019B3E5 /* JSDOMWindowShell.cpp */,
                                 BCBFB53B0DCD29CF0019B3E5 /* JSDOMWindowShell.h */,
@@ -26256 +26251 @@
                                 81BE20D311F4BC3200915DFA /* JSIDBCursor.h in Headers */,
                                 C585A68311D4FB08004C3E4B /* JSIDBDatabase.h in Headers */,
-                                460CBF361D4BCD0E0092E88E /* JSDOMWindowProperties.h in Headers */,
                                 C585A69711D4FB13004C3E4B /* JSIDBFactory.h in Headers */,
                                 C572EE1F1201C9BC007D8F82 /* JSIDBIndex.h in Headers */,
@@ -29099 +29093 @@
                                 A8C2280E11D4A59700D5A7D3 /* DocumentParser.cpp in Sources */,
                                 4A4F48A916B0DFC000EDBB29 /* DocumentRuleSets.cpp in Sources */,
-                                460CBF351D4BCD0E0092E88E /* JSDOMWindowProperties.cpp in Sources */,
                                 AD6E71AC1668899D00320C13 /* DocumentSharedObjectPool.cpp in Sources */,
                                 0B9056190F2578BE0095FF6A /* DocumentThreadableLoader.cpp in Sources */,

trunk/Source/WebCore/bindings/js/JSBindingsAllInOne.cpp

@@ -63 +63 @@
 #include "JSDOMWindowBase.cpp"
 #include "JSDOMWindowCustom.cpp"
-#include "JSDOMWindowProperties.cpp"
 #include "JSDOMWindowShell.cpp"
 #include "JSDOMWrapper.cpp"

trunk/Source/WebCore/bindings/js/JSDOMWindowCustom.cpp

@@ -147 +147 @@
     }
 
+    // Do prototype lookup early so that functions and attributes in the prototype can have
+    // precedence over the index and name getters.
+    // FIXME: This seems like a silly idea. It only serves to suppress named property access
+    // to frames that happen to have names corresponding to properties on the prototype.
+    // This seems to only serve to leak some information cross-origin.
+    JSValue proto = thisObject->getPrototypeDirect();
+    if (proto.isObject() && asObject(proto)->getPropertySlot(exec, propertyName, slot)) {
+        thisObject->printErrorMessage(errorMessage);
+        slot.setUndefined();
+        return true;
+    }
+
     // Check for child frames by name before built-in properties to match Mozilla. This does
     // not match IE, but some sites end up naming frames things that conflict with window
@@ -159 +171 @@
     slot.setUndefined();
     return true;
+}
+
+static bool jsDOMWindowGetOwnPropertySlotNamedItemGetter(JSDOMWindow* thisObject, Frame& frame, ExecState* exec, PropertyName propertyName, PropertySlot& slot)
+{
+    JSValue proto = thisObject->getPrototypeDirect();
+    if (proto.isObject() && asObject(proto)->hasProperty(exec, propertyName))
+        return false;
+
+    // Check for child frames by name before built-in properties to match Mozilla. This does
+    // not match IE, but some sites end up naming frames things that conflict with window
+    // properties that are in Moz but not IE. Since we have some of these, we have to do it
+    // the Moz way.
+    if (auto* scopedChild = frame.tree().scopedChild(propertyNameToAtomicString(propertyName))) {
+        slot.setValue(thisObject, ReadOnly | DontDelete | DontEnum, toJS(exec, scopedChild->document()->domWindow()));
+        return true;
+    }
+
+    // FIXME: Search the whole frame hierarchy somewhere around here.
+    // We need to test the correct priority order.
+
+    // Allow shortcuts like 'Image1' instead of document.images.Image1
+    Document* document = frame.document();
+    if (is<HTMLDocument>(*document)) {
+        auto& htmlDocument = downcast<HTMLDocument>(*document);
+        auto* atomicPropertyName = propertyName.publicName();
+        if (atomicPropertyName && htmlDocument.hasWindowNamedItem(*atomicPropertyName)) {
+            JSValue namedItem;
+            if (UNLIKELY(htmlDocument.windowNamedItemContainsMultipleElements(*atomicPropertyName))) {
+                Ref<HTMLCollection> collection = document->windowNamedItems(atomicPropertyName);
+                ASSERT(collection->length() > 1);
+                namedItem = toJS(exec, thisObject->globalObject(), collection);
+            } else
+                namedItem = toJS(exec, thisObject->globalObject(), htmlDocument.windowNamedItem(*atomicPropertyName));
+            slot.setValue(thisObject, ReadOnly | DontDelete | DontEnum, namedItem);
+            return true;
+        }
+    }
+
+    return false;
 }
 
@@ -204 +255 @@
 #endif
 
-    return false;
+    // (3) Finally, named properties.
+    // Really, this should just be 'return false;' - these should all be on the NPO.
+    return jsDOMWindowGetOwnPropertySlotNamedItemGetter(thisObject, *frame, exec, propertyName, slot);
 }
 
@@ -232 +285 @@
 
     // (2) Regular own properties.
-    return Base::getOwnPropertySlotByIndex(thisObject, exec, index, slot);
+    if (Base::getOwnPropertySlotByIndex(thisObject, exec, index, slot))
+        return true;
+
+    // (3) Finally, named properties.
+    // Really, this should just be 'return false;' - these should all be on the NPO.
+    return jsDOMWindowGetOwnPropertySlotNamedItemGetter(thisObject, *frame, exec, Identifier::from(exec, index), slot);
 }
 

trunk/Source/WebCore/bindings/js/JSDOMWindowShell.cpp

@@ -33 +33 @@
 #include "GCController.h"
 #include "JSDOMWindow.h"
-#include "JSDOMWindowProperties.h"
 #include "JSEventTarget.h"
 #include "ScriptController.h"
@@ -87 +86 @@
     JSDOMWindow* jsDOMWindow = JSDOMWindow::create(vm, structure, *domWindow, this);
     prototype->structure()->setGlobalObject(vm, jsDOMWindow);
-
-    Structure* windowPropertiesStructure = JSDOMWindowProperties::createStructure(vm, jsDOMWindow, JSEventTarget::prototype(vm, jsDOMWindow));
-    JSDOMWindowProperties* windowProperties = JSDOMWindowProperties::create(windowPropertiesStructure, *jsDOMWindow);
-
-    prototype->structure()->setPrototypeWithoutTransition(vm, windowProperties);
+    prototype->structure()->setPrototypeWithoutTransition(vm, JSEventTarget::prototype(vm, jsDOMWindow));
     setWindow(vm, jsDOMWindow);
     ASSERT(jsDOMWindow->globalObject() == jsDOMWindow);