Changeset 200423 in webkit

Timestamp:

May 4, 2016 12:23:41 PM (8 years ago)

Author:

mark.lam@apple.com

Message:

ES6 Function.name inferred from property names of literal objects can break some websites.
​https://bugs.webkit.org/show_bug.cgi?id=157246

Reviewed by Geoffrey Garen.

Source/JavaScriptCore:

Specifically, the library mathjs (see ​http://mathjs.org and ​https://github.com/josdejong/mathjs)
uses an idiom where it created literal objects with property names that look like
this: 'number | BigNumber | Unit'. Later, this name is used in a string to create
function source code that gets eval'ed. Since 'number | BigNumber | Unit' is not
a valid function name, we get a syntax error.

Here are the details:

1. mathjs uses object literals with the funky property names for its function members. For example,

helper function to type check the middle value of the array
var middle = typed({

'number | BigNumber | Unit': function (value) {

return value;

}

});

2. mathjs' getName() uses Function.name to get the name of functions (hence, picks up the property name as inferred value of Function.name as specified by ES6):

/

• Retrieve the function name from a set of functions, and check
• whether the name of all functions match (if given) ... */

function getName (fns) {

var name = ;

for (var i = 0; i < fns.length; i++) {

var fn = fns[i];
...

name = fn.name;

...

return name;

}

3. mathjs uses that name to assembler new function source code that gets eval'ed:

/

• Compose a function from sub-functions each handling a single type signature. ... */

function _typed(name, signatures) {

...
generate code for the typed function
var code = [];

var _name = name

;

...
code.push('function ' + _name + '(' + _args.join(', ') + ') {');
code.push(' "use strict";');
code.push(' var name = \ + _name + '\';');
code.push(node.toCode(refs, ' '));
code.push('}');

generate body for the factory function
var body = [

refs.toCode(),
'return ' + code.join('\n')

].join('\n');

evaluate the JavaScript code and attach function references
var factory = (new Function(refs.name, 'createError', body)); <== Syntax Error here!
var fn = factory(refs, createError);
...
return fn;

}

Until mathjs (and any other frameworks that does similar things) and sites that
uses mathjs has been updated to work with ES6, we'll need a compatibility hack to
work around it.

Here's what we'll do:

1. Introduce a needsSiteSpecificQuirks flag in JSGlobalObject.
2. Have WebCore's JSDOMWindowBase set that flag if the browser's needsSiteSpecificQuirks is enabled in its settings.
3. If needsSiteSpecificQuirks is enabled, have JSFunction::reifyName() check for ' ' or '|' in the name string it will use to reify the Function.name property. If those characters exists in the name, we'll replace the name string with a null string.

• runtime/JSFunction.cpp:

(JSC::JSFunction::reifyName):

• runtime/JSGlobalObject.h:

(JSC::JSGlobalObject::needsSiteSpecificQuirks):
(JSC::JSGlobalObject::GlobalPropertyInfo::GlobalPropertyInfo):
(JSC::JSGlobalObject::setNeedsSiteSpecificQuirks):

Source/WebCore:

Test: js/dom/regress-157246.html

• bindings/js/JSDOMWindowBase.cpp:

(WebCore::JSDOMWindowBase::finishCreation):

• Set the needsSiteSpecificQuirks flag in the JSGlobalObject if needed.

Tools:

• WebKitTestRunner/TestController.cpp:

(WTR::TestController::resetPreferencesToConsistentValues):
(WTR::updateTestOptionsFromTestHeader):

• WebKitTestRunner/TestOptions.h:

• WebKitTestRunner/ios/PlatformWebViewIOS.mm:

(WTR::PlatformWebView::viewSupportsOptions):

• WebKitTestRunner/mac/PlatformWebViewMac.mm:

(WTR::PlatformWebView::viewSupportsOptions):

• Add needsSiteSpecificQuirks to WKTR options that can be set.

LayoutTests:

• js/dom/regress-157246-expected.txt: Added.
• js/dom/regress-157246.html: Added.
• js/dom/script-tests/regress-157246.js: Added.

• platform/ios-simulator-wk1/TestExpectations:
• platform/mac-wk1/TestExpectations:
• Skip js/dom/regress-157246.html for wk1 because it relies on a WKTR feature to enable the needsSiteSpecificQuirks settings before running the test.

Location:

trunk

Files:

• LayoutTests/ChangeLog (modified) (1 diff)
• LayoutTests/js/dom/regress-157246-expected.txt (added)
• LayoutTests/js/dom/regress-157246.html (added)
• LayoutTests/js/dom/script-tests/regress-157246.js (added)
• LayoutTests/platform/ios-simulator-wk1/TestExpectations (modified) (1 diff)
• LayoutTests/platform/mac-wk1/TestExpectations (modified) (1 diff)
• Source/JavaScriptCore/ChangeLog (modified) (1 diff)
• Source/JavaScriptCore/runtime/JSFunction.cpp (modified) (1 diff)
• Source/JavaScriptCore/runtime/JSGlobalObject.h (modified) (3 diffs)
• Source/WebCore/ChangeLog (modified) (1 diff)
• Source/WebCore/bindings/js/JSDOMWindowBase.cpp (modified) (1 diff)
• Tools/ChangeLog (modified) (1 diff)
• Tools/WebKitTestRunner/TestController.cpp (modified) (2 diffs)
• Tools/WebKitTestRunner/TestOptions.h (modified) (1 diff)
• Tools/WebKitTestRunner/ios/PlatformWebViewIOS.mm (modified) (1 diff)
• Tools/WebKitTestRunner/mac/PlatformWebViewMac.mm (modified) (1 diff)

trunk/LayoutTests/ChangeLog

@@ +1 @@
+2016-05-04  Mark Lam  <mark.lam@apple.com>
+
+        ES6 Function.name inferred from property names of literal objects can break some websites.
+        https://bugs.webkit.org/show_bug.cgi?id=157246
+
+        Reviewed by Geoffrey Garen.
+
+        * js/dom/regress-157246-expected.txt: Added.
+        * js/dom/regress-157246.html: Added.
+        * js/dom/script-tests/regress-157246.js: Added.
+
+        * platform/ios-simulator-wk1/TestExpectations:
+        * platform/mac-wk1/TestExpectations:
+        - Skip js/dom/regress-157246.html for wk1 because it relies on a WKTR feature to
+          enable the needsSiteSpecificQuirks settings before running the test.
+
 2016-05-04  Keith Miller  <keith_miller@apple.com>
 

trunk/LayoutTests/platform/ios-simulator-wk1/TestExpectations

@@ -1360 +1360 @@
 
 webkit.org/b/137572 scrollbars/scrollbar-iframe-click-does-not-blur-content.html [ Failure ]
+
+# This test relies on a settings option that we can only set with WKRT.
+js/dom/regress-157246.html

trunk/LayoutTests/platform/mac-wk1/TestExpectations

@@ -214 +214 @@
 
 webkit.org/b/157007 fast/layers/no-clipping-overflow-hidden-added-after-transform.html [ Pass ImageOnlyFailure ]
+
+# This test relies on a settings option that we can only set with WKRT.
+js/dom/regress-157246.html

trunk/Source/JavaScriptCore/ChangeLog

@@ +1 @@
+2016-05-04  Mark Lam  <mark.lam@apple.com>
+
+        ES6 Function.name inferred from property names of literal objects can break some websites.
+        https://bugs.webkit.org/show_bug.cgi?id=157246
+
+        Reviewed by Geoffrey Garen.
+
+        Specifically, the library mathjs (see http://mathjs.org and https://github.com/josdejong/mathjs)
+        uses an idiom where it created literal objects with property names that look like
+        this: 'number | BigNumber | Unit'.  Later, this name is used in a string to create
+        function source code that gets eval'ed.  Since 'number | BigNumber | Unit' is not
+        a valid function name, we get a syntax error.
+
+        Here are the details:
+
+        1. mathjs uses object literals with the funky property names for its function members.
+           For example, 
+
+              // helper function to type check the middle value of the array
+              var middle = typed({
+                'number | BigNumber | Unit': function (value) {
+                  return value;
+                }
+              });
+
+        2. mathjs' getName() uses Function.name to get the name of functions (hence, picks
+           up the property name as inferred value of Function.name as specified by ES6):
+
+                /**
+                 * Retrieve the function name from a set of functions, and check
+                 * whether the name of all functions match (if given)
+                 ...
+                 */
+                function getName (fns) {
+                  var name = '';
+
+                  for (var i = 0; i < fns.length; i++) {
+                    var fn = fns[i];
+                    ...
+                        name = fn.name;
+                    ...
+                  return name;
+                }
+
+        3. mathjs uses that name to assembler new function source code that gets eval'ed:
+
+                /**
+                 * Compose a function from sub-functions each handling a single type signature.
+                 ...
+                 */
+                function _typed(name, signatures) {
+                  ...
+                  // generate code for the typed function
+                  var code = [];
+                  var _name = name || '';
+                  ...
+                  code.push('function ' + _name + '(' + _args.join(', ') + ') {');
+                  code.push('  "use strict";');
+                  code.push('  var name = \'' + _name + '\';');
+                  code.push(node.toCode(refs, '  '));
+                  code.push('}');
+
+                  // generate body for the factory function
+                  var body = [
+                    refs.toCode(),
+                    'return ' + code.join('\n')
+                  ].join('\n');
+
+                  // evaluate the JavaScript code and attach function references
+                  var factory = (new Function(refs.name, 'createError', body));  // <== Syntax Error here!
+                  var fn = factory(refs, createError);
+                  ...
+                  return fn;
+                }
+
+        Until mathjs (and any other frameworks that does similar things) and sites that
+        uses mathjs has been updated to work with ES6, we'll need a compatibility hack to
+        work around it.
+
+        Here's what we'll do:
+        1. Introduce a needsSiteSpecificQuirks flag in JSGlobalObject.
+        2. Have WebCore's JSDOMWindowBase set that flag if the browser's
+           needsSiteSpecificQuirks is enabled in its settings.
+        3. If needsSiteSpecificQuirks is enabled, have JSFunction::reifyName() check for
+           ' ' or '|' in the name string it will use to reify the Function.name property.
+           If those characters exists in the name, we'll replace the name string with a
+           null string.
+
+        * runtime/JSFunction.cpp:
+        (JSC::JSFunction::reifyName):
+        * runtime/JSGlobalObject.h:
+        (JSC::JSGlobalObject::needsSiteSpecificQuirks):
+        (JSC::JSGlobalObject::GlobalPropertyInfo::GlobalPropertyInfo):
+        (JSC::JSGlobalObject::setNeedsSiteSpecificQuirks):
+
 2016-05-04  Keith Miller  <keith_miller@apple.com>
 

trunk/Source/JavaScriptCore/runtime/JSFunction.cpp

@@ -632 +632 @@
     const Identifier& propID = exec->propertyNames().name;
 
+    if (exec->lexicalGlobalObject()->needsSiteSpecificQuirks()) {
+        auto illegalCharMatcher = [] (UChar ch) -> bool {
+            return ch == ' ' || ch == '|';
+        };
+        if (name.find(illegalCharMatcher) != notFound)
+            name = String();
+    }
+    
     if (jsExecutable()->isGetter())
         name = makeString("get ", name);

trunk/Source/JavaScriptCore/runtime/JSGlobalObject.h

@@ -718 +718 @@
     UnlinkedModuleProgramCodeBlock* createModuleProgramCodeBlock(CallFrame*, ModuleProgramExecutable*);
 
+    bool needsSiteSpecificQuirks() const { return m_needsSiteSpecificQuirks; }
+
 protected:
     struct GlobalPropertyInfo {
@@ -735 +737 @@
     JS_EXPORT_PRIVATE static JSC::JSValue toThis(JSC::JSCell*, JSC::ExecState*, ECMAMode);
 
+    void setNeedsSiteSpecificQuirks(bool needQuirks) { m_needsSiteSpecificQuirks = needQuirks; }
+
 private:
     friend class LLIntOffsetsExtractor;
@@ -746 +750 @@
 
     JS_EXPORT_PRIVATE static void clearRareData(JSCell*);
+
+    bool m_needsSiteSpecificQuirks { false };
 };
 

trunk/Source/WebCore/ChangeLog

@@ +1 @@
+2016-05-04  Mark Lam  <mark.lam@apple.com>
+
+        ES6 Function.name inferred from property names of literal objects can break some websites.
+        https://bugs.webkit.org/show_bug.cgi?id=157246
+
+        Reviewed by Geoffrey Garen.
+
+        Test: js/dom/regress-157246.html
+
+        * bindings/js/JSDOMWindowBase.cpp:
+        (WebCore::JSDOMWindowBase::finishCreation):
+        - Set the needsSiteSpecificQuirks flag in the JSGlobalObject if needed.
+
 2016-05-04  Konstantin Tokarev  <annulen@yandex.ru>
 

trunk/Source/WebCore/bindings/js/JSDOMWindowBase.cpp

@@ -86 +86 @@
 
     addStaticGlobals(staticGlobals, WTF_ARRAY_LENGTH(staticGlobals));
+
+    if (m_wrapped && m_wrapped->frame() && m_wrapped->frame()->settings().needsSiteSpecificQuirks())
+        setNeedsSiteSpecificQuirks(true);
 }
 

trunk/Tools/ChangeLog

@@ +1 @@
+2016-05-04  Mark Lam  <mark.lam@apple.com>
+
+        ES6 Function.name inferred from property names of literal objects can break some websites.
+        https://bugs.webkit.org/show_bug.cgi?id=157246
+
+        Reviewed by Geoffrey Garen.
+
+        * WebKitTestRunner/TestController.cpp:
+        (WTR::TestController::resetPreferencesToConsistentValues):
+        (WTR::updateTestOptionsFromTestHeader):
+        * WebKitTestRunner/TestOptions.h:
+
+        * WebKitTestRunner/ios/PlatformWebViewIOS.mm:
+        (WTR::PlatformWebView::viewSupportsOptions):
+        * WebKitTestRunner/mac/PlatformWebViewMac.mm:
+        (WTR::PlatformWebView::viewSupportsOptions):
+        - Add needsSiteSpecificQuirks to WKTR options that can be set. 
+
 2016-05-04  Joanmarie Diggs  <jdiggs@igalia.com>
 

trunk/Tools/WebKitTestRunner/TestController.cpp

@@ -667 +667 @@
     WKPreferencesSetInteractiveFormValidationEnabled(preferences, true);
     WKPreferencesSetMockScrollbarsEnabled(preferences, options.useMockScrollbars);
+    WKPreferencesSetNeedsSiteSpecificQuirks(preferences, options.needsSiteSpecificQuirks);
 
     static WKStringRef defaultTextEncoding = WKStringCreateWithUTF8CString("ISO-8859-1");
@@ -956 +957 @@
         if (key == "useMockScrollbars")
             testOptions.useMockScrollbars = parseBooleanTestHeaderValue(value);
+        if (key == "needsSiteSpecificQuirks")
+            testOptions.needsSiteSpecificQuirks = parseBooleanTestHeaderValue(value);
         pairStart = pairEnd + 1;
     }

trunk/Tools/WebKitTestRunner/TestOptions.h

@@ -42 +42 @@
     bool useDataDetection { false };
     bool useMockScrollbars { true };
+    bool needsSiteSpecificQuirks { false };
 
     Vector<String> overrideLanguages;

trunk/Tools/WebKitTestRunner/ios/PlatformWebViewIOS.mm

@@ -213 +213 @@
 bool PlatformWebView::viewSupportsOptions(const TestOptions& options) const
 {
-    if (m_options.overrideLanguages != options.overrideLanguages)
+    if (m_options.overrideLanguages != options.overrideLanguages || m_options.needsSiteSpecificQuirks != options.needsSiteSpecificQuirks)
         return false;
 

trunk/Tools/WebKitTestRunner/mac/PlatformWebViewMac.mm

@@ -234 +234 @@
 bool PlatformWebView::viewSupportsOptions(const TestOptions& options) const
 {
-    if (m_options.useThreadedScrolling != options.useThreadedScrolling || m_options.overrideLanguages != options.overrideLanguages || m_options.useMockScrollbars != options.useMockScrollbars)
+    if (m_options.useThreadedScrolling != options.useThreadedScrolling || m_options.overrideLanguages != options.overrideLanguages || m_options.useMockScrollbars != options.useMockScrollbars || m_options.needsSiteSpecificQuirks != options.needsSiteSpecificQuirks)
         return false;