Changeset 262827 in webkit

Timestamp:

Jun 9, 2020, 5:21:56 PM (5 years ago)

Author:

mark.lam@apple.com

Message:

Disambiguate the OverridesGetPropertyNames structure flag
​https://bugs.webkit.org/show_bug.cgi?id=212909
<rdar://problem/63823557>

Reviewed by Saam Barati.

JSTests:

• stress/unexpected-stack-overflow-below-JSObject-getPropertyNames.js: Added.

Source/JavaScriptCore:

Previously, the OverridesGetPropertyNames structure flag could mean 2 different
things:

1. the getPropertyNames() method is overridden, or
2. any of the forms of getPropertyName() is overridden: getPropertyName, getOwnPropertyNames, getOwnNonIndexPropertyNames

Some parts of the code expects one definition while other parts expect the other.
This patch disambiguates between the 2 by introducing OverridesAnyFormOfGetPropertyNames
for definition (2). OverridesGetPropertyNames now only means definition (1).

Note: we could have implemented overridesGetPropertyNames() by doing a comparison
of the getPropertyNames pointer in the MethodTable. This is a little slower than
checking a TypeInfo flag, but probably doesn't matter a lot in the code paths
where overridesGetPropertyNames() is called. However, we have bits in TypeInfo
left. So, we'll might as well use it.

This ambiguity resulted in JSObject::getPropertyNames() recursing infinitely
when it didn't think it could recurse. This is demonstrated in
JSTests/stress/unexpected-stack-overflow-below-JSObject-getPropertyNames.js as
follows:

1. The test case invokes JSObject::getPropertyNames on a JSArray.

2. In the while loop at the bottom of JSObject::getPropertynames(), we check if (prototype->structure(vm)->typeInfo().overridesGetPropertyNames()) {.

3. The test overrides proto as follows: arg0.__proto__ = arr1 where both arg0 and arr1 are JArrays.

4. In the old code, JSArray sets OverridesGetPropertyNames but does not override getPropertyNames(). It actually meant to set OverridesAnyFormOfGetPropertyNames (after we disambiguated it) because JSArray overrides getOwnNonIndexPropertyNames().

5. When we get to the check at (2), we ask if the prototype overridesGetPropertyNames(). Since JSArray sets OverridesGetPropertyNames, the answer is yes / true.

JSObject::getPropertynames() then proceeds to invoke
prototype->methodTable(vm)->getPropertyNames(prototype, globalObject, propertyNames, mode);

But because JSArray does not actually overrides getPropertyNames(), we're
actually invoking JSObject::getPropertyNames() here. Viola! Infinite loop.

With this patch, JSArray is disambiguated to set OverridesAnyFormOfGetPropertyNames
instead of OverridesGetPropertyNames, and this infinite loop no longer exists.

This patch also made the following changes:

1. Templatized TypeInfo::isSetOnFlags1() and TypeInfo::isSetOnFlags2() so that we can used static_asserts instead of a debug ASSERT to verify the integrity of the flag we're checking against.

2. Added a Structure::validateFlags() called from the Structure constructor. validateFlags() will verify the following:
   1. OverridesGetOwnPropertySlot must be set in the flags if getOwnPropertySlot is overridden in the MethodTable.
   2. InterceptsGetOwnPropertySlotByIndexEvenWhenLengthIsNotZero must be set in the flags if getOwnPropertySlotByIndex is overridden in the MethodTable.
   3. HasPutPropertySecurityCheck must be set in the flags if doPutPropertySecurityCheck is overridden in the MethodTable.
   4. OverridesGetPropertyNames must be set in the flags if getPropertyNames is overridden in the MethodTable.
   5. OverridesAnyFormOfGetPropertyNames must be set in the flags if any of getPropertyNames, getOwnPropertyNames, or getOwnNonIndexPropertyNames are overridden in the MethodTable.

An alternate solution would be to automatically set these flags if we detect
their corresponding methods are overridden. However, this alternate solution
requires this laundry list to be checked every time a structure is constructed.
The current implementation of having the required flags already pre-determined
as a constant is more efficient in terms of performance and code space.

Also, it only takes one instantiation of the structure to verify that the flags
are valid. Since we only write JSCell / JSObject classes when we need them
and we always write tests to exercise new code (especially such classes), we're
guaranteed the flags validation will be exercised.

3. Made JSObject::getOwnPropertySlot() and JSObject::doPutPropertySecurityCheck() not inlined when ASSERT_ENABLED. This is needed in order for Structure::validateFlags() to do its checks using function pointer comparisons. Otherwise, the inline functions can result in multiple instantiations of these functions. For example, WebCore can get its own copy of JSObject::getOwnPropertySlot() and the comparisons will think the function is overridden even when it's not.

4. Structure::validateFlags() found the following problems which are now fixed:

GetterSetter was not using its StructureFlags. As a result, it was missing the
OverridesGetOwnPropertySlot flag.

JSDataView did not define its StructureFlags. It was missing the
OverridesGetOwnPropertySlot and OverridesAnyFormOfGetPropertyNames flags.

5. Changed a TypeInfo constructor to not have a default argument for the flags value. Also grepped for all uses of this constructor to make sure that it is passed the StructureFlags field. This exercise found the following issue:

JSAPIValueWrapper was not using its StructureFlags when creating its structure.
Previously, it was just ignoring the StructureIsImmortal flag in StructureFlags.

6. Hardened the assertions for hasReadOnlyOrGetterSetterPropertiesExcludingProto() and hasGetterSetterProperties() in the Structure constructor.

Previously, if the flag is set, it verifies that the ClassInfo has the
appropriate data expected by the flag. However, it does not assert the reverse
i.e. that if the ClassInfo data exists, then the flag must also be set.
The new assertions now checks both.

Moved the overridesGetCallData() assertion into Structure::validateFlags()
because it concerns the OverridesGetCallData flag. This assertion has also
ben hardened.

• API/JSAPIValueWrapper.h:
• API/JSCallbackObject.h:
• debugger/DebuggerScope.h:
• inspector/JSInjectedScriptHostPrototype.h:
• inspector/JSJavaScriptCallFramePrototype.h:
• runtime/ClonedArguments.h:
• runtime/ErrorInstance.h:
• runtime/GenericArguments.h:
• runtime/GetterSetter.h:
• runtime/JSArray.h:
• runtime/JSDataView.h:
• runtime/JSFunction.h:
• runtime/JSGenericTypedArrayView.h:
• runtime/JSGlobalObject.h:
• runtime/JSLexicalEnvironment.h:
• runtime/JSModuleEnvironment.h:
• runtime/JSModuleNamespaceObject.h:
• runtime/JSObject.cpp:

(JSC::JSObject::doPutPropertySecurityCheck):
(JSC::JSObject::getOwnPropertySlot):

• runtime/JSObject.h:

(JSC::JSObject::getOwnPropertySlotImpl):
(JSC::JSObject::getOwnPropertySlot):

• runtime/JSProxy.h:
• runtime/JSString.h:
• runtime/JSSymbolTableObject.h:
• runtime/JSTypeInfo.h:

(JSC::TypeInfo::TypeInfo):
(JSC::TypeInfo::masqueradesAsUndefined const):
(JSC::TypeInfo::implementsHasInstance const):
(JSC::TypeInfo::implementsDefaultHasInstance const):
(JSC::TypeInfo::overridesGetCallData const):
(JSC::TypeInfo::overridesToThis const):
(JSC::TypeInfo::structureIsImmortal const):
(JSC::TypeInfo::overridesGetPropertyNames const):
(JSC::TypeInfo::overridesAnyFormOfGetPropertyNames const):
(JSC::TypeInfo::prohibitsPropertyCaching const):
(JSC::TypeInfo::getOwnPropertySlotIsImpure const):
(JSC::TypeInfo::getOwnPropertySlotIsImpureForPropertyAbsence const):
(JSC::TypeInfo::hasPutPropertySecurityCheck const):
(JSC::TypeInfo::newImpurePropertyFiresWatchpoints const):
(JSC::TypeInfo::isImmutablePrototypeExoticObject const):
(JSC::TypeInfo::interceptsGetOwnPropertySlotByIndexEvenWhenLengthIsNotZero const):
(JSC::TypeInfo::isSetOnFlags1 const):
(JSC::TypeInfo::isSetOnFlags2 const):

• runtime/ObjectConstructor.cpp:

(JSC::objectConstructorAssign):

• runtime/ProxyObject.h:
• runtime/RegExpObject.h:
• runtime/StringObject.h:
• runtime/Structure.cpp:

(JSC::Structure::validateFlags):
(JSC::Structure::Structure):

• runtime/Structure.h:
• runtime/StructureInlines.h:

(JSC::Structure::canCacheOwnKeys const):

• tools/JSDollarVM.cpp:

Source/WebCore:

1. JSDOMWindowProperties was not defining its Base. As a result, its StructureFlags was inheriting from JSDOMObject's Base instead of from JSDOMObject as one would expect. This turns out to be harmless because JSDOMObject did not define any StructureFlags. Regardless, this is not fixed so that if JSDOMObject adds any StructureFlags, it will be inherited properly by JSDOMWindowProperties.

2. Updated CodeGeneratorJS.pm and rebased the binding test results.

• bindings/js/JSDOMWindowProperties.h:
• bindings/scripts/CodeGeneratorJS.pm:

(GenerateHeader):

• bindings/scripts/test/JS/JSTestEventTarget.h:
• bindings/scripts/test/JS/JSTestIndexedSetterNoIdentifier.h:
• bindings/scripts/test/JS/JSTestIndexedSetterThrowingException.h:
• bindings/scripts/test/JS/JSTestIndexedSetterWithIdentifier.h:
• bindings/scripts/test/JS/JSTestNamedAndIndexedSetterNoIdentifier.h:
• bindings/scripts/test/JS/JSTestNamedAndIndexedSetterThrowingException.h:
• bindings/scripts/test/JS/JSTestNamedAndIndexedSetterWithIdentifier.h:
• bindings/scripts/test/JS/JSTestNamedDeleterNoIdentifier.h:
• bindings/scripts/test/JS/JSTestNamedDeleterThrowingException.h:
• bindings/scripts/test/JS/JSTestNamedDeleterWithIdentifier.h:
• bindings/scripts/test/JS/JSTestNamedDeleterWithIndexedGetter.h:
• bindings/scripts/test/JS/JSTestNamedGetterCallWith.h:
• bindings/scripts/test/JS/JSTestNamedGetterNoIdentifier.h:
• bindings/scripts/test/JS/JSTestNamedGetterWithIdentifier.h:
• bindings/scripts/test/JS/JSTestNamedSetterNoIdentifier.h:
• bindings/scripts/test/JS/JSTestNamedSetterThrowingException.h:
• bindings/scripts/test/JS/JSTestNamedSetterWithIdentifier.h:
• bindings/scripts/test/JS/JSTestNamedSetterWithIndexedGetter.h:
• bindings/scripts/test/JS/JSTestNamedSetterWithIndexedGetterAndSetter.h:
• bindings/scripts/test/JS/JSTestNamedSetterWithOverrideBuiltins.h:
• bindings/scripts/test/JS/JSTestNamedSetterWithUnforgableProperties.h:
• bindings/scripts/test/JS/JSTestNamedSetterWithUnforgablePropertiesAndOverrideBuiltins.h:
• bindings/scripts/test/JS/JSTestObj.h:
• bindings/scripts/test/JS/JSTestOverrideBuiltins.h:
• bridge/runtime_array.h:
• bridge/runtime_object.h:

Source/WebKit:

• WebProcess/Plugins/Netscape/JSNPObject.h:

Location:

trunk

Files:

• JSTests/ChangeLog (modified) (1 diff)
• JSTests/stress/unexpected-stack-overflow-below-JSObject-getPropertyNames.js (added)
• Source/JavaScriptCore/API/JSAPIValueWrapper.h (modified) (3 diffs)
• Source/JavaScriptCore/API/JSCallbackObject.h (modified) (2 diffs)
• Source/JavaScriptCore/ChangeLog (modified) (1 diff)
• Source/JavaScriptCore/debugger/DebuggerScope.h (modified) (2 diffs)
• Source/JavaScriptCore/inspector/JSInjectedScriptHostPrototype.h (modified) (1 diff)
• Source/JavaScriptCore/inspector/JSJavaScriptCallFramePrototype.h (modified) (1 diff)
• Source/JavaScriptCore/runtime/ClonedArguments.h (modified) (2 diffs)
• Source/JavaScriptCore/runtime/ErrorInstance.h (modified) (2 diffs)
• Source/JavaScriptCore/runtime/GenericArguments.h (modified) (2 diffs)
• Source/JavaScriptCore/runtime/GetterSetter.h (modified) (1 diff)
• Source/JavaScriptCore/runtime/JSArray.h (modified) (2 diffs)
• Source/JavaScriptCore/runtime/JSDataView.h (modified) (1 diff)
• Source/JavaScriptCore/runtime/JSFunction.h (modified) (2 diffs)
• Source/JavaScriptCore/runtime/JSGenericTypedArrayView.h (modified) (2 diffs)
• Source/JavaScriptCore/runtime/JSGlobalObject.h (modified) (2 diffs)
• Source/JavaScriptCore/runtime/JSLexicalEnvironment.h (modified) (2 diffs)
• Source/JavaScriptCore/runtime/JSModuleEnvironment.h (modified) (2 diffs)
• Source/JavaScriptCore/runtime/JSModuleNamespaceObject.h (modified) (2 diffs)
• Source/JavaScriptCore/runtime/JSObject.cpp (modified) (1 diff)
• Source/JavaScriptCore/runtime/JSObject.h (modified) (4 diffs)
• Source/JavaScriptCore/runtime/JSProxy.h (modified) (2 diffs)
• Source/JavaScriptCore/runtime/JSString.h (modified) (1 diff)
• Source/JavaScriptCore/runtime/JSSymbolTableObject.h (modified) (2 diffs)
• Source/JavaScriptCore/runtime/JSTypeInfo.h (modified) (4 diffs)
• Source/JavaScriptCore/runtime/ObjectConstructor.cpp (modified) (1 diff)
• Source/JavaScriptCore/runtime/ProxyObject.h (modified) (1 diff)
• Source/JavaScriptCore/runtime/RegExpObject.h (modified) (1 diff)
• Source/JavaScriptCore/runtime/StringObject.h (modified) (1 diff)
• Source/JavaScriptCore/runtime/Structure.cpp (modified) (2 diffs)
• Source/JavaScriptCore/runtime/Structure.h (modified) (1 diff)
• Source/JavaScriptCore/runtime/StructureInlines.h (modified) (1 diff)
• Source/JavaScriptCore/tools/JSDollarVM.cpp (modified) (1 diff)
• Source/WebCore/ChangeLog (modified) (1 diff)
• Source/WebCore/bindings/js/JSDOMWindowProperties.h (modified) (2 diffs)
• Source/WebCore/bindings/scripts/CodeGeneratorJS.pm (modified) (1 diff)
• Source/WebCore/bindings/scripts/test/JS/JSTestEventTarget.h (modified) (1 diff)
• Source/WebCore/bindings/scripts/test/JS/JSTestIndexedSetterNoIdentifier.h (modified) (1 diff)
• Source/WebCore/bindings/scripts/test/JS/JSTestIndexedSetterThrowingException.h (modified) (1 diff)
• Source/WebCore/bindings/scripts/test/JS/JSTestIndexedSetterWithIdentifier.h (modified) (1 diff)
• Source/WebCore/bindings/scripts/test/JS/JSTestNamedAndIndexedSetterNoIdentifier.h (modified) (1 diff)
• Source/WebCore/bindings/scripts/test/JS/JSTestNamedAndIndexedSetterThrowingException.h (modified) (1 diff)
• Source/WebCore/bindings/scripts/test/JS/JSTestNamedAndIndexedSetterWithIdentifier.h (modified) (1 diff)
• Source/WebCore/bindings/scripts/test/JS/JSTestNamedDeleterNoIdentifier.h (modified) (1 diff)
• Source/WebCore/bindings/scripts/test/JS/JSTestNamedDeleterThrowingException.h (modified) (1 diff)
• Source/WebCore/bindings/scripts/test/JS/JSTestNamedDeleterWithIdentifier.h (modified) (1 diff)
• Source/WebCore/bindings/scripts/test/JS/JSTestNamedDeleterWithIndexedGetter.h (modified) (1 diff)
• Source/WebCore/bindings/scripts/test/JS/JSTestNamedGetterCallWith.h (modified) (1 diff)
• Source/WebCore/bindings/scripts/test/JS/JSTestNamedGetterNoIdentifier.h (modified) (1 diff)
• Source/WebCore/bindings/scripts/test/JS/JSTestNamedGetterWithIdentifier.h (modified) (1 diff)
• Source/WebCore/bindings/scripts/test/JS/JSTestNamedSetterNoIdentifier.h (modified) (1 diff)
• Source/WebCore/bindings/scripts/test/JS/JSTestNamedSetterThrowingException.h (modified) (1 diff)
• Source/WebCore/bindings/scripts/test/JS/JSTestNamedSetterWithIdentifier.h (modified) (1 diff)
• Source/WebCore/bindings/scripts/test/JS/JSTestNamedSetterWithIndexedGetter.h (modified) (1 diff)
• Source/WebCore/bindings/scripts/test/JS/JSTestNamedSetterWithIndexedGetterAndSetter.h (modified) (1 diff)
• Source/WebCore/bindings/scripts/test/JS/JSTestNamedSetterWithOverrideBuiltins.h (modified) (1 diff)
• Source/WebCore/bindings/scripts/test/JS/JSTestNamedSetterWithUnforgableProperties.h (modified) (1 diff)
• Source/WebCore/bindings/scripts/test/JS/JSTestNamedSetterWithUnforgablePropertiesAndOverrideBuiltins.h (modified) (1 diff)
• Source/WebCore/bindings/scripts/test/JS/JSTestObj.h (modified) (1 diff)
• Source/WebCore/bindings/scripts/test/JS/JSTestOverrideBuiltins.h (modified) (1 diff)
• Source/WebCore/bridge/runtime_array.h (modified) (1 diff)
• Source/WebCore/bridge/runtime_object.h (modified) (1 diff)
• Source/WebKit/ChangeLog (modified) (1 diff)
• Source/WebKit/WebProcess/Plugins/Netscape/JSNPObject.h (modified) (1 diff)

trunk/JSTests/ChangeLog

@@ +1 @@
+2020-06-09  Mark Lam  <mark.lam@apple.com>
+
+        Disambiguate the OverridesGetPropertyNames structure flag
+        https://bugs.webkit.org/show_bug.cgi?id=212909
+        <rdar://problem/63823557>
+
+        Reviewed by Saam Barati.
+
+        * stress/unexpected-stack-overflow-below-JSObject-getPropertyNames.js: Added.
+
 2020-06-08  Ross Kirsling  <ross.kirsling@sony.com>
 

trunk/Source/JavaScriptCore/API/JSAPIValueWrapper.h

@@ -2 +2 @@
  *  Copyright (C) 1999-2001 Harri Porten (porten@kde.org)
  *  Copyright (C) 2001 Peter Kelly (pmk@post.com)
- *  Copyright (C) 2003-2019 Apple Inc. All rights reserved.
+ *  Copyright (C) 2003-2020 Apple Inc. All rights reserved.
  *
  *  This library is free software; you can redistribute it and/or
@@ -34 +34 @@
 public:
     using Base = JSCell;
-    static constexpr unsigned StructureFlags = Base::StructureFlags | StructureIsImmortal;
+
+    // OverridesAnyFormOfGetPropertyNames (which used to be OverridesGetPropertyNames) was here
+    // since ancient times back when we pessimistically choose to apply this flag. I think we
+    // can remove it, but we should do more testing before we do so.
+    // Ref: http://trac.webkit.org/changeset/49694/webkit#file9
+    // FIXME: https://bugs.webkit.org/show_bug.cgi?id=212954
+    static constexpr unsigned StructureFlags = Base::StructureFlags | OverridesAnyFormOfGetPropertyNames | StructureIsImmortal;
 
     template<typename CellType, SubspaceAccess mode>
@@ -46 +52 @@
     static Structure* createStructure(VM& vm, JSGlobalObject* globalObject, JSValue prototype)
     {
-        return Structure::create(vm, globalObject, prototype, TypeInfo(APIValueWrapperType, OverridesGetPropertyNames), info());
+        return Structure::create(vm, globalObject, prototype, TypeInfo(APIValueWrapperType, StructureFlags), info());
     }
 

trunk/Source/JavaScriptCore/API/JSCallbackObject.h

@@ -1 +1 @@
 /*
- * Copyright (C) 2006-2019 Apple Inc. All rights reserved.
+ * Copyright (C) 2006-2020 Apple Inc. All rights reserved.
  * Copyright (C) 2007 Eric Seidel <eric@webkit.org>
  *
@@ -126 +126 @@
 public:
     using Base = Parent;
-    static constexpr unsigned StructureFlags = Base::StructureFlags | ProhibitsPropertyCaching | OverridesGetOwnPropertySlot | InterceptsGetOwnPropertySlotByIndexEvenWhenLengthIsNotZero | ImplementsHasInstance | OverridesGetPropertyNames | OverridesGetCallData;
+    static constexpr unsigned StructureFlags = Base::StructureFlags | ProhibitsPropertyCaching | OverridesGetOwnPropertySlot | InterceptsGetOwnPropertySlotByIndexEvenWhenLengthIsNotZero | ImplementsHasInstance | OverridesAnyFormOfGetPropertyNames | OverridesGetCallData;
     static_assert(!(StructureFlags & ImplementsDefaultHasInstance), "using customHasInstance");
 

trunk/Source/JavaScriptCore/ChangeLog

@@ +1 @@
+2020-06-09  Mark Lam  <mark.lam@apple.com>
+
+        Disambiguate the OverridesGetPropertyNames structure flag
+        https://bugs.webkit.org/show_bug.cgi?id=212909
+        <rdar://problem/63823557>
+
+        Reviewed by Saam Barati.
+
+        Previously, the OverridesGetPropertyNames structure flag could mean 2 different
+        things:
+        1. the getPropertyNames() method is overridden, or
+        2. any of the forms of getPropertyName() is overridden:
+           getPropertyName, getOwnPropertyNames, getOwnNonIndexPropertyNames
+
+        Some parts of the code expects one definition while other parts expect the other.
+        This patch disambiguates between the 2 by introducing OverridesAnyFormOfGetPropertyNames
+        for definition (2).  OverridesGetPropertyNames now only means definition (1).
+
+        Note: we could have implemented overridesGetPropertyNames() by doing a comparison
+        of the getPropertyNames pointer in the MethodTable.  This is a little slower than
+        checking a TypeInfo flag, but probably doesn't matter a lot in the code paths
+        where overridesGetPropertyNames() is called.  However, we have bits in TypeInfo
+        left.  So, we'll might as well use it.
+
+        This ambiguity resulted in JSObject::getPropertyNames() recursing infinitely
+        when it didn't think it could recurse.  This is demonstrated in
+        JSTests/stress/unexpected-stack-overflow-below-JSObject-getPropertyNames.js as
+        follows:
+
+        1. The test case invokes JSObject::getPropertyNames on a JSArray.
+
+        2. In the while loop at the bottom of JSObject::getPropertynames(), we check
+           `if (prototype->structure(vm)->typeInfo().overridesGetPropertyNames()) {`.
+
+        3. The test overrides proto as follows:
+           `arg0.__proto__ = arr1` where both arg0 and arr1 are JArrays.
+
+        4. In the old code, JSArray sets OverridesGetPropertyNames but does not override
+           getPropertyNames().  It actually meant to set OverridesAnyFormOfGetPropertyNames
+           (after we disambiguated it) because JSArray overrides getOwnNonIndexPropertyNames().
+
+        5. When we get to the check at (2), we ask if the prototype overridesGetPropertyNames().
+           Since JSArray sets OverridesGetPropertyNames, the answer is yes / true.
+
+           JSObject::getPropertynames() then proceeds to invoke
+           `prototype->methodTable(vm)->getPropertyNames(prototype, globalObject, propertyNames, mode);`
+
+           But because JSArray does not actually overrides getPropertyNames(), we're
+           actually invoking JSObject::getPropertyNames() here.  Viola!  Infinite loop.
+
+        With this patch, JSArray is disambiguated to set OverridesAnyFormOfGetPropertyNames
+        instead of OverridesGetPropertyNames, and this infinite loop no longer exists.
+
+        This patch also made the following changes:
+
+        1. Templatized TypeInfo::isSetOnFlags1() and TypeInfo::isSetOnFlags2() so that
+           we can used static_asserts instead of a debug ASSERT to verify the integrity of
+           the flag we're checking against.
+
+        2. Added a Structure::validateFlags() called from the Structure constructor.
+           validateFlags() will verify the following:
+           a. OverridesGetOwnPropertySlot must be set in the flags if getOwnPropertySlot
+              is overridden in the MethodTable.
+           b. InterceptsGetOwnPropertySlotByIndexEvenWhenLengthIsNotZero must be set in
+              the flags if getOwnPropertySlotByIndex is overridden in the MethodTable.
+           c. HasPutPropertySecurityCheck must be set in the flags if doPutPropertySecurityCheck
+              is overridden in the MethodTable.
+           d. OverridesGetPropertyNames must be set in the flags if getPropertyNames
+              is overridden in the MethodTable.
+           e. OverridesAnyFormOfGetPropertyNames must be set in the flags if any of
+              getPropertyNames, getOwnPropertyNames, or getOwnNonIndexPropertyNames are
+              overridden in the MethodTable.
+
+           An alternate solution would be to automatically set these flags if we detect
+           their corresponding methods are overridden.  However, this alternate solution
+           requires this laundry list to be checked every time a structure is constructed.
+           The current implementation of having the required flags already pre-determined
+           as a constant is more efficient in terms of performance and code space.
+
+           Also, it only takes one instantiation of the structure to verify that the flags
+           are valid.  Since we only write JSCell / JSObject classes when we need them
+           and we always write tests to exercise new code (especially such classes), we're
+           guaranteed the flags validation will be exercised.
+
+        3. Made JSObject::getOwnPropertySlot() and JSObject::doPutPropertySecurityCheck()
+           not inlined when ASSERT_ENABLED.  This is needed in order for Structure::validateFlags()
+           to do its checks using function pointer comparisons.  Otherwise, the inline
+           functions can result in multiple instantiations of these functions.  For
+           example, WebCore can get its own copy of JSObject::getOwnPropertySlot() and
+           the comparisons will think the function is overridden even when it's not.
+
+        4. Structure::validateFlags() found the following problems which are now fixed:
+
+           GetterSetter was not using its StructureFlags.  As a result, it was missing the
+           OverridesGetOwnPropertySlot flag.
+
+           JSDataView did not define its StructureFlags.  It was missing the
+           OverridesGetOwnPropertySlot and OverridesAnyFormOfGetPropertyNames flags.
+
+        5. Changed a TypeInfo constructor to not have a default argument for the flags value.
+           Also grepped for all uses of this constructor to make sure that it is passed
+           the StructureFlags field.  This exercise found the following issue:
+
+           JSAPIValueWrapper was not using its StructureFlags when creating its structure.
+           Previously, it was just ignoring the StructureIsImmortal flag in StructureFlags.
+
+        6. Hardened the assertions for hasReadOnlyOrGetterSetterPropertiesExcludingProto()
+           and hasGetterSetterProperties() in the Structure constructor.
+
+           Previously, if the flag is set, it verifies that the ClassInfo has the
+           appropriate data expected by the flag.  However, it does not assert the reverse
+           i.e. that if the ClassInfo data exists, then the flag must also be set.
+           The new assertions now checks both.
+
+           Moved the overridesGetCallData() assertion into Structure::validateFlags()
+           because it concerns the OverridesGetCallData flag.  This assertion has also
+           ben hardened.
+
+        * API/JSAPIValueWrapper.h:
+        * API/JSCallbackObject.h:
+        * debugger/DebuggerScope.h:
+        * inspector/JSInjectedScriptHostPrototype.h:
+        * inspector/JSJavaScriptCallFramePrototype.h:
+        * runtime/ClonedArguments.h:
+        * runtime/ErrorInstance.h:
+        * runtime/GenericArguments.h:
+        * runtime/GetterSetter.h:
+        * runtime/JSArray.h:
+        * runtime/JSDataView.h:
+        * runtime/JSFunction.h:
+        * runtime/JSGenericTypedArrayView.h:
+        * runtime/JSGlobalObject.h:
+        * runtime/JSLexicalEnvironment.h:
+        * runtime/JSModuleEnvironment.h:
+        * runtime/JSModuleNamespaceObject.h:
+        * runtime/JSObject.cpp:
+        (JSC::JSObject::doPutPropertySecurityCheck):
+        (JSC::JSObject::getOwnPropertySlot):
+        * runtime/JSObject.h:
+        (JSC::JSObject::getOwnPropertySlotImpl):
+        (JSC::JSObject::getOwnPropertySlot):
+        * runtime/JSProxy.h:
+        * runtime/JSString.h:
+        * runtime/JSSymbolTableObject.h:
+        * runtime/JSTypeInfo.h:
+        (JSC::TypeInfo::TypeInfo):
+        (JSC::TypeInfo::masqueradesAsUndefined const):
+        (JSC::TypeInfo::implementsHasInstance const):
+        (JSC::TypeInfo::implementsDefaultHasInstance const):
+        (JSC::TypeInfo::overridesGetCallData const):
+        (JSC::TypeInfo::overridesToThis const):
+        (JSC::TypeInfo::structureIsImmortal const):
+        (JSC::TypeInfo::overridesGetPropertyNames const):
+        (JSC::TypeInfo::overridesAnyFormOfGetPropertyNames const):
+        (JSC::TypeInfo::prohibitsPropertyCaching const):
+        (JSC::TypeInfo::getOwnPropertySlotIsImpure const):
+        (JSC::TypeInfo::getOwnPropertySlotIsImpureForPropertyAbsence const):
+        (JSC::TypeInfo::hasPutPropertySecurityCheck const):
+        (JSC::TypeInfo::newImpurePropertyFiresWatchpoints const):
+        (JSC::TypeInfo::isImmutablePrototypeExoticObject const):
+        (JSC::TypeInfo::interceptsGetOwnPropertySlotByIndexEvenWhenLengthIsNotZero const):
+        (JSC::TypeInfo::isSetOnFlags1 const):
+        (JSC::TypeInfo::isSetOnFlags2 const):
+        * runtime/ObjectConstructor.cpp:
+        (JSC::objectConstructorAssign):
+        * runtime/ProxyObject.h:
+        * runtime/RegExpObject.h:
+        * runtime/StringObject.h:
+        * runtime/Structure.cpp:
+        (JSC::Structure::validateFlags):
+        (JSC::Structure::Structure):
+        * runtime/Structure.h:
+        * runtime/StructureInlines.h:
+        (JSC::Structure::canCacheOwnKeys const):
+        * tools/JSDollarVM.cpp:
+
 2020-06-09  Jonathan Bedard  <jbedard@apple.com>
 

trunk/Source/JavaScriptCore/debugger/DebuggerScope.h

@@ -1 +1 @@
 /*
- * Copyright (C) 2008-2019 Apple Inc. All rights reserved.
+ * Copyright (C) 2008-2020 Apple Inc. All rights reserved.
  *
  * Redistribution and use in source and binary forms, with or without
@@ -37 +37 @@
 public:
     using Base = JSNonFinalObject;
-    static constexpr unsigned StructureFlags = Base::StructureFlags | OverridesGetOwnPropertySlot | OverridesGetPropertyNames;
+    static constexpr unsigned StructureFlags = Base::StructureFlags | OverridesGetOwnPropertySlot | OverridesAnyFormOfGetPropertyNames;
 
     template<typename CellType, SubspaceAccess mode>

trunk/Source/JavaScriptCore/inspector/JSInjectedScriptHostPrototype.h

@@ -33 +33 @@
 public:
     using Base = JSC::JSNonFinalObject;
+    // Do we really need OverridesGetOwnPropertySlot?
+    // FIXME: https://bugs.webkit.org/show_bug.cgi?id=212956
     static constexpr unsigned StructureFlags = Base::StructureFlags | JSC::OverridesGetOwnPropertySlot;
 

trunk/Source/JavaScriptCore/inspector/JSJavaScriptCallFramePrototype.h

@@ -33 +33 @@
 public:
     using Base = JSC::JSNonFinalObject;
+    // Do we really need OverridesGetOwnPropertySlot?
+    // FIXME: https://bugs.webkit.org/show_bug.cgi?id=212956
     static constexpr unsigned StructureFlags = Base::StructureFlags | JSC::OverridesGetOwnPropertySlot;
 

trunk/Source/JavaScriptCore/runtime/ClonedArguments.h

@@ -1 +1 @@
 /*
- * Copyright (C) 2015-2019 Apple Inc. All rights reserved.
+ * Copyright (C) 2015-2020 Apple Inc. All rights reserved.
  *
  * Redistribution and use in source and binary forms, with or without
@@ -41 +41 @@
 public:
     using Base = JSNonFinalObject;
-    static constexpr unsigned StructureFlags = Base::StructureFlags | OverridesGetOwnPropertySlot | OverridesGetPropertyNames;
+    static constexpr unsigned StructureFlags = Base::StructureFlags | OverridesGetOwnPropertySlot | OverridesAnyFormOfGetPropertyNames;
 
     template<typename CellType, SubspaceAccess mode>

trunk/Source/JavaScriptCore/runtime/ErrorInstance.h

@@ -1 +1 @@
 /*
  *  Copyright (C) 1999-2000 Harri Porten (porten@kde.org)
- *  Copyright (C) 2008-2017 Apple Inc. All rights reserved.
+ *  Copyright (C) 2008-2020 Apple Inc. All rights reserved.
  *
  *  This library is free software; you can redistribute it and/or
@@ -30 +30 @@
 public:
     using Base = JSNonFinalObject;
-    static constexpr unsigned StructureFlags = Base::StructureFlags | OverridesGetOwnPropertySlot | OverridesGetPropertyNames;
+    static constexpr unsigned StructureFlags = Base::StructureFlags | OverridesGetOwnPropertySlot | OverridesAnyFormOfGetPropertyNames;
     static constexpr bool needsDestruction = true;
 

trunk/Source/JavaScriptCore/runtime/GenericArguments.h

@@ -1 +1 @@
 /*
- * Copyright (C) 2015-2019 Apple Inc. All rights reserved.
+ * Copyright (C) 2015-2020 Apple Inc. All rights reserved.
  *
  * Redistribution and use in source and binary forms, with or without
@@ -37 +37 @@
 public:
     typedef JSNonFinalObject Base;
-    static constexpr unsigned StructureFlags = Base::StructureFlags | OverridesGetOwnPropertySlot | InterceptsGetOwnPropertySlotByIndexEvenWhenLengthIsNotZero | OverridesGetPropertyNames;
+    static constexpr unsigned StructureFlags = Base::StructureFlags | OverridesGetOwnPropertySlot | InterceptsGetOwnPropertySlotByIndexEvenWhenLengthIsNotZero | OverridesAnyFormOfGetPropertyNames;
 
 protected:

trunk/Source/JavaScriptCore/runtime/GetterSetter.h

@@ -108 +108 @@
     static Structure* createStructure(VM& vm, JSGlobalObject* globalObject, JSValue prototype)
     {
-        return Structure::create(vm, globalObject, prototype, TypeInfo(GetterSetterType), info());
+        return Structure::create(vm, globalObject, prototype, TypeInfo(GetterSetterType, StructureFlags), info());
     }
 

trunk/Source/JavaScriptCore/runtime/JSArray.h

@@ -1 +1 @@
 /*
  *  Copyright (C) 1999-2000 Harri Porten (porten@kde.org)
- *  Copyright (C) 2003-2019 Apple Inc. All rights reserved.
+ *  Copyright (C) 2003-2020 Apple Inc. All rights reserved.
  *
  *  This library is free software; you can redistribute it and/or
@@ -41 +41 @@
 public:
     typedef JSNonFinalObject Base;
-    static constexpr unsigned StructureFlags = Base::StructureFlags | OverridesGetOwnPropertySlot | OverridesGetPropertyNames;
+    static constexpr unsigned StructureFlags = Base::StructureFlags | OverridesGetOwnPropertySlot | OverridesAnyFormOfGetPropertyNames;
 
     static size_t allocationSize(Checked<size_t> inlineCapacity)

trunk/Source/JavaScriptCore/runtime/JSDataView.h

@@ -34 +34 @@
 public:
     using Base = JSArrayBufferView;
+    static constexpr unsigned StructureFlags = Base::StructureFlags | OverridesGetOwnPropertySlot | OverridesAnyFormOfGetPropertyNames;
+
     static constexpr unsigned elementSize = 1;
 

trunk/Source/JavaScriptCore/runtime/JSFunction.h

@@ -1 +1 @@
 /*
  *  Copyright (C) 1999-2000 Harri Porten (porten@kde.org)
- *  Copyright (C) 2003-2019 Apple Inc. All rights reserved.
+ *  Copyright (C) 2003-2020 Apple Inc. All rights reserved.
  *  Copyright (C) 2007 Cameron Zwarich (cwzwarich@uwaterloo.ca)
  *  Copyright (C) 2007 Maks Orlovich
@@ -71 +71 @@
     
     typedef JSCallee Base;
-    static constexpr unsigned StructureFlags = Base::StructureFlags | OverridesGetOwnPropertySlot | OverridesGetPropertyNames | OverridesGetCallData;
+    static constexpr unsigned StructureFlags = Base::StructureFlags | OverridesGetOwnPropertySlot | OverridesAnyFormOfGetPropertyNames | OverridesGetCallData;
 
     static size_t allocationSize(Checked<size_t> inlineCapacity)

trunk/Source/JavaScriptCore/runtime/JSGenericTypedArrayView.h

@@ -1 +1 @@
 /*
- * Copyright (C) 2013-2019 Apple Inc. All rights reserved.
+ * Copyright (C) 2013-2020 Apple Inc. All rights reserved.
  *
  * Redistribution and use in source and binary forms, with or without
@@ -97 +97 @@
     typedef typename Adaptor::Type ElementType;
 
-    static constexpr unsigned StructureFlags = Base::StructureFlags | OverridesGetPropertyNames | OverridesGetOwnPropertySlot | InterceptsGetOwnPropertySlotByIndexEvenWhenLengthIsNotZero;
+    static constexpr unsigned StructureFlags = Base::StructureFlags | OverridesAnyFormOfGetPropertyNames | OverridesGetOwnPropertySlot | InterceptsGetOwnPropertySlotByIndexEvenWhenLengthIsNotZero;
 
     static constexpr unsigned elementSize = sizeof(typename Adaptor::Type);

trunk/Source/JavaScriptCore/runtime/JSGlobalObject.h

@@ -1 +1 @@
 /*
  *  Copyright (C) 2007 Eric Seidel <eric@webkit.org>
- *  Copyright (C) 2007-2019 Apple Inc. All rights reserved.
+ *  Copyright (C) 2007-2020 Apple Inc. All rights reserved.
  *
  *  This library is free software; you can redistribute it and/or
@@ -532 +532 @@
 public:
     using Base = JSSegmentedVariableObject;
-    static constexpr unsigned StructureFlags = Base::StructureFlags | HasStaticPropertyTable | OverridesGetOwnPropertySlot | OverridesGetPropertyNames | IsImmutablePrototypeExoticObject;
+    // Do we realy need OverridesAnyFormOfGetPropertyNames here?
+    // FIXME: https://bugs.webkit.org/show_bug.cgi?id=212954
+    static constexpr unsigned StructureFlags = Base::StructureFlags | HasStaticPropertyTable | OverridesGetOwnPropertySlot | OverridesAnyFormOfGetPropertyNames | IsImmutablePrototypeExoticObject;
 
     static constexpr bool needsDestruction = true;

trunk/Source/JavaScriptCore/runtime/JSLexicalEnvironment.h

@@ -1 +1 @@
 /*
- * Copyright (C) 2008-2019 Apple Inc. All rights reserved.
+ * Copyright (C) 2008-2020 Apple Inc. All rights reserved.
  *
  * Redistribution and use in source and binary forms, with or without
@@ -49 +49 @@
 
     using Base = JSSymbolTableObject;
-    static constexpr unsigned StructureFlags = Base::StructureFlags | OverridesGetOwnPropertySlot | OverridesGetPropertyNames;
+    static constexpr unsigned StructureFlags = Base::StructureFlags | OverridesGetOwnPropertySlot | OverridesAnyFormOfGetPropertyNames;
 
     WriteBarrierBase<Unknown>* variables()

trunk/Source/JavaScriptCore/runtime/JSModuleEnvironment.h

@@ -1 +1 @@
 /*
- * Copyright (C) 2015-2019 Apple Inc. All rights reserved.
+ * Copyright (C) 2015-2020 Apple Inc. All rights reserved.
  *
  * Redistribution and use in source and binary forms, with or without
@@ -41 +41 @@
 public:
     using Base = JSLexicalEnvironment;
-    static constexpr unsigned StructureFlags = Base::StructureFlags | OverridesGetOwnPropertySlot | OverridesGetPropertyNames;
+    static constexpr unsigned StructureFlags = Base::StructureFlags | OverridesGetOwnPropertySlot | OverridesAnyFormOfGetPropertyNames;
 
     static JSModuleEnvironment* create(VM& vm, JSGlobalObject* globalObject, JSScope* currentScope, SymbolTable* symbolTable, JSValue initialValue, AbstractModuleRecord* moduleRecord)

trunk/Source/JavaScriptCore/runtime/JSModuleNamespaceObject.h

@@ -1 +1 @@
 /*
- * Copyright (C) 2015-2019 Apple Inc. All rights reserved.
+ * Copyright (C) 2015-2020 Apple Inc. All rights reserved.
  *
  * Redistribution and use in source and binary forms, with or without
@@ -34 +34 @@
 public:
     using Base = JSNonFinalObject;
-    static constexpr unsigned StructureFlags = Base::StructureFlags | OverridesGetOwnPropertySlot | InterceptsGetOwnPropertySlotByIndexEvenWhenLengthIsNotZero | OverridesGetPropertyNames | GetOwnPropertySlotIsImpureForPropertyAbsence | IsImmutablePrototypeExoticObject;
+    static constexpr unsigned StructureFlags = Base::StructureFlags | OverridesGetOwnPropertySlot | InterceptsGetOwnPropertySlotByIndexEvenWhenLengthIsNotZero | OverridesAnyFormOfGetPropertyNames | GetOwnPropertySlotIsImpureForPropertyAbsence | IsImmutablePrototypeExoticObject;
 
     static constexpr bool needsDestruction = true;

trunk/Source/JavaScriptCore/runtime/JSObject.cpp

@@ -670 +670 @@
 }
 
+#if ASSERT_ENABLED
+// These needs to be unique (not inlined) for ASSERT_ENABLED builds to enable
+// Structure::validateFlags() to do checks using function pointer comparisons.
+
+bool JSObject::getOwnPropertySlot(JSObject* object, JSGlobalObject* globalObject, PropertyName propertyName, PropertySlot& slot)
+{
+    return getOwnPropertySlotImpl(object, globalObject, propertyName, slot);
+}
+
+void JSObject::doPutPropertySecurityCheck(JSObject*, JSGlobalObject*, PropertyName, PutPropertySlot&)
+{
+}
+#endif // ASSERT_ENABLED
+
 // https://tc39.github.io/ecma262/#sec-ordinaryset
 bool ordinarySetSlow(JSGlobalObject* globalObject, JSObject* object, PropertyName propertyName, JSValue value, JSValue receiver, bool shouldThrow)

trunk/Source/JavaScriptCore/runtime/JSObject.h

@@ -93 +93 @@
 class JSFinalObject;
 
+#if ASSERT_ENABLED
+#define JS_EXPORT_PRIVATE_IF_ASSERT_ENABLED JS_EXPORT_PRIVATE
+#else
+#define JS_EXPORT_PRIVATE_IF_ASSERT_ENABLED
+#endif
+
 class JSObject : public JSCell {
     friend class BatchedTransitionOptimizer;
@@ -171 +177 @@
     template<typename CallbackWhenNoException> typename std::result_of<CallbackWhenNoException(bool, PropertySlot&)>::type getPropertySlot(JSGlobalObject*, PropertyName, PropertySlot&, CallbackWhenNoException) const;
 
-    static bool getOwnPropertySlot(JSObject*, JSGlobalObject*, PropertyName, PropertySlot&);
+private:
+    static bool getOwnPropertySlotImpl(JSObject*, JSGlobalObject*, PropertyName, PropertySlot&);
+public:
+    JS_EXPORT_PRIVATE_IF_ASSERT_ENABLED static bool getOwnPropertySlot(JSObject*, JSGlobalObject*, PropertyName, PropertySlot&);
+
     JS_EXPORT_PRIVATE static bool getOwnPropertySlotByIndex(JSObject*, JSGlobalObject*, unsigned propertyName, PropertySlot&);
     bool getOwnPropertySlotInline(JSGlobalObject*, PropertyName, PropertySlot&);
-    static void doPutPropertySecurityCheck(JSObject*, JSGlobalObject*, PropertyName, PutPropertySlot&);
+    JS_EXPORT_PRIVATE_IF_ASSERT_ENABLED static void doPutPropertySecurityCheck(JSObject*, JSGlobalObject*, PropertyName, PutPropertySlot&);
 
     // The key difference between this and getOwnPropertySlot is that getOwnPropertySlot
@@ -1436 +1446 @@
 // but it makes a big difference to property lookup that derived classes can inline their
 // base class call to this.
-ALWAYS_INLINE bool JSObject::getOwnPropertySlot(JSObject* object, JSGlobalObject* globalObject, PropertyName propertyName, PropertySlot& slot)
+ALWAYS_INLINE bool JSObject::getOwnPropertySlotImpl(JSObject* object, JSGlobalObject* globalObject, PropertyName propertyName, PropertySlot& slot)
 {
     VM& vm = getVM(globalObject);
@@ -1447 +1457 @@
 }
 
+#if !ASSERT_ENABLED
+ALWAYS_INLINE bool JSObject::getOwnPropertySlot(JSObject* object, JSGlobalObject* globalObject, PropertyName propertyName, PropertySlot& slot)
+{
+    return getOwnPropertySlotImpl(object, globalObject, propertyName, slot);
+}
+
 ALWAYS_INLINE void JSObject::doPutPropertySecurityCheck(JSObject*, JSGlobalObject*, PropertyName, PutPropertySlot&)
 {
 }
+#endif
 
 // It may seem crazy to inline a function this large but it makes a big difference

trunk/Source/JavaScriptCore/runtime/JSProxy.h

@@ -1 +1 @@
 /*
- * Copyright (C) 2011-2019 Apple Inc. All rights reserved.
+ * Copyright (C) 2011-2020 Apple Inc. All rights reserved.
  *
  * Redistribution and use in source and binary forms, with or without
@@ -33 +33 @@
 public:
     using Base = JSNonFinalObject;
-    static constexpr unsigned StructureFlags = Base::StructureFlags | OverridesGetOwnPropertySlot | OverridesGetPropertyNames | InterceptsGetOwnPropertySlotByIndexEvenWhenLengthIsNotZero;
+    static constexpr unsigned StructureFlags = Base::StructureFlags | OverridesGetOwnPropertySlot | OverridesGetPropertyNames | OverridesAnyFormOfGetPropertyNames | InterceptsGetOwnPropertySlotByIndexEvenWhenLengthIsNotZero;
 
     template<typename CellType, SubspaceAccess>

trunk/Source/JavaScriptCore/runtime/JSString.h

@@ -90 +90 @@
 
     typedef JSCell Base;
+    // Do we really need OverridesGetOwnPropertySlot?
+    // FIXME: https://bugs.webkit.org/show_bug.cgi?id=212956
+    // Do we really need InterceptsGetOwnPropertySlotByIndexEvenWhenLengthIsNotZero?
+    // FIXME: https://bugs.webkit.org/show_bug.cgi?id=212958
     static constexpr unsigned StructureFlags = Base::StructureFlags | OverridesGetOwnPropertySlot | InterceptsGetOwnPropertySlotByIndexEvenWhenLengthIsNotZero | StructureIsImmortal | OverridesToThis;
 

trunk/Source/JavaScriptCore/runtime/JSSymbolTableObject.h

@@ -1 +1 @@
 /*
- * Copyright (C) 2012-2019 Apple Inc. All rights reserved.
+ * Copyright (C) 2012-2020 Apple Inc. All rights reserved.
  *
  * Redistribution and use in source and binary forms, with or without
@@ -40 +40 @@
 public:
     using Base = JSScope;
-    static constexpr unsigned StructureFlags = Base::StructureFlags | OverridesGetPropertyNames;
+    static constexpr unsigned StructureFlags = Base::StructureFlags | OverridesAnyFormOfGetPropertyNames;
 
     SymbolTable* symbolTable() const { return m_symbolTable.get(); }

trunk/Source/JavaScriptCore/runtime/JSTypeInfo.h

@@ -50 +50 @@
 static constexpr unsigned ImplementsHasInstance = 1 << 8;
 static constexpr unsigned OverridesGetPropertyNames = 1 << 9;
-static constexpr unsigned ProhibitsPropertyCaching = 1 << 10;
-static constexpr unsigned GetOwnPropertySlotIsImpure = 1 << 11;
-static constexpr unsigned NewImpurePropertyFiresWatchpoints = 1 << 12;
-static constexpr unsigned IsImmutablePrototypeExoticObject = 1 << 13;
-static constexpr unsigned GetOwnPropertySlotIsImpureForPropertyAbsence = 1 << 14;
-static constexpr unsigned InterceptsGetOwnPropertySlotByIndexEvenWhenLengthIsNotZero = 1 << 15;
-static constexpr unsigned StructureIsImmortal = 1 << 16;
-static constexpr unsigned HasPutPropertySecurityCheck = 1 << 17;
+// OverridesAnyFormOfGetPropertyNames means that we cannot make assumptions about
+// the cacheability or enumerability of property names, and therefore, we'll need
+// to disable certain optimizations. This flag should be set if one or more of the
+// following Object methods are overridden:
+//     getOwnPropertyNames, getOwnNonIndexPropertyNames, getPropertyNames
+static constexpr unsigned OverridesAnyFormOfGetPropertyNames = 1 << 10;
+static constexpr unsigned ProhibitsPropertyCaching = 1 << 11;
+static constexpr unsigned GetOwnPropertySlotIsImpure = 1 << 12;
+static constexpr unsigned NewImpurePropertyFiresWatchpoints = 1 << 13;
+static constexpr unsigned IsImmutablePrototypeExoticObject = 1 << 14;
+static constexpr unsigned GetOwnPropertySlotIsImpureForPropertyAbsence = 1 << 15;
+static constexpr unsigned InterceptsGetOwnPropertySlotByIndexEvenWhenLengthIsNotZero = 1 << 16;
+static constexpr unsigned StructureIsImmortal = 1 << 17;
+static constexpr unsigned HasPutPropertySecurityCheck = 1 << 18;
 
 class TypeInfo {
@@ -64 +70 @@
     typedef uint16_t OutOfLineTypeFlags;
 
-    TypeInfo(JSType type, unsigned flags = 0)
+    TypeInfo(JSType type, unsigned flags)
         : TypeInfo(type, flags & 0xff, flags >> 8)
     {
@@ -84 +90 @@
 
     unsigned flags() const { return (static_cast<unsigned>(m_flags2) << 8) | static_cast<unsigned>(m_flags); }
-    bool masqueradesAsUndefined() const { return isSetOnFlags1(MasqueradesAsUndefined); }
-    bool implementsHasInstance() const { return isSetOnFlags2(ImplementsHasInstance); }
-    bool implementsDefaultHasInstance() const { return isSetOnFlags1(ImplementsDefaultHasInstance); }
-    bool overridesGetCallData() const { return isSetOnFlags1(OverridesGetCallData); }
+    bool masqueradesAsUndefined() const { return isSetOnFlags1<MasqueradesAsUndefined>(); }
+    bool implementsHasInstance() const { return isSetOnFlags2<ImplementsHasInstance>(); }
+    bool implementsDefaultHasInstance() const { return isSetOnFlags1<ImplementsDefaultHasInstance>(); }
+    bool overridesGetCallData() const { return isSetOnFlags1<OverridesGetCallData>(); }
     bool overridesGetOwnPropertySlot() const { return overridesGetOwnPropertySlot(inlineTypeFlags()); }
     static bool overridesGetOwnPropertySlot(InlineTypeFlags flags) { return flags & OverridesGetOwnPropertySlot; }
     static bool hasStaticPropertyTable(InlineTypeFlags flags) { return flags & HasStaticPropertyTable; }
     static bool perCellBit(InlineTypeFlags flags) { return flags & TypeInfoPerCellBit; }
-    bool overridesToThis() const { return isSetOnFlags1(OverridesToThis); }
-    bool structureIsImmortal() const { return isSetOnFlags2(StructureIsImmortal); }
-    bool overridesGetPropertyNames() const { return isSetOnFlags2(OverridesGetPropertyNames); }
-    bool prohibitsPropertyCaching() const { return isSetOnFlags2(ProhibitsPropertyCaching); }
-    bool getOwnPropertySlotIsImpure() const { return isSetOnFlags2(GetOwnPropertySlotIsImpure); }
-    bool getOwnPropertySlotIsImpureForPropertyAbsence() const { return isSetOnFlags2(GetOwnPropertySlotIsImpureForPropertyAbsence); }
-    bool hasPutPropertySecurityCheck() const { return isSetOnFlags2(HasPutPropertySecurityCheck); }
-    bool newImpurePropertyFiresWatchpoints() const { return isSetOnFlags2(NewImpurePropertyFiresWatchpoints); }
-    bool isImmutablePrototypeExoticObject() const { return isSetOnFlags2(IsImmutablePrototypeExoticObject); }
-    bool interceptsGetOwnPropertySlotByIndexEvenWhenLengthIsNotZero() const { return isSetOnFlags2(InterceptsGetOwnPropertySlotByIndexEvenWhenLengthIsNotZero); }
+    bool overridesToThis() const { return isSetOnFlags1<OverridesToThis>(); }
+    bool structureIsImmortal() const { return isSetOnFlags2<StructureIsImmortal>(); }
+    bool overridesGetPropertyNames() const { return isSetOnFlags2<OverridesGetPropertyNames>(); }
+    bool overridesAnyFormOfGetPropertyNames() const { return isSetOnFlags2<OverridesAnyFormOfGetPropertyNames>(); }
+    bool prohibitsPropertyCaching() const { return isSetOnFlags2<ProhibitsPropertyCaching>(); }
+    bool getOwnPropertySlotIsImpure() const { return isSetOnFlags2<GetOwnPropertySlotIsImpure>(); }
+    bool getOwnPropertySlotIsImpureForPropertyAbsence() const { return isSetOnFlags2<GetOwnPropertySlotIsImpureForPropertyAbsence>(); }
+    bool hasPutPropertySecurityCheck() const { return isSetOnFlags2<HasPutPropertySecurityCheck>(); }
+    bool newImpurePropertyFiresWatchpoints() const { return isSetOnFlags2<NewImpurePropertyFiresWatchpoints>(); }
+    bool isImmutablePrototypeExoticObject() const { return isSetOnFlags2<IsImmutablePrototypeExoticObject>(); }
+    bool interceptsGetOwnPropertySlotByIndexEvenWhenLengthIsNotZero() const { return isSetOnFlags2<InterceptsGetOwnPropertySlotByIndexEvenWhenLengthIsNotZero>(); }
 
     static bool isArgumentsType(JSType type)
@@ -132 +139 @@
     friend class LLIntOffsetsExtractor;
 
-    bool isSetOnFlags1(unsigned flag) const { ASSERT(flag <= (1 << 7)); return m_flags & flag; }
-    bool isSetOnFlags2(unsigned flag) const { ASSERT(flag >= (1 << 8)); return m_flags2 & (flag >> 8); }
+    template<unsigned flag>
+    bool isSetOnFlags1() const
+    {
+        static_assert(flag <= (1 << 7));
+        return m_flags & flag;
+    }
+
+    template<unsigned flag>
+    bool isSetOnFlags2() const
+    {
+        static_assert(flag >= (1 << 8) && flag <= (1 << 24));
+        return m_flags2 & (flag >> 8);
+    }
 
     JSType m_type;

trunk/Source/JavaScriptCore/runtime/ObjectConstructor.cpp

@@ -303 +303 @@
                 if (structure->typeInfo().overridesGetOwnPropertySlot())
                     return false;
-                if (structure->typeInfo().overridesGetPropertyNames())
+                if (structure->typeInfo().overridesAnyFormOfGetPropertyNames())
                     return false;
                 // FIXME: Indexed properties can be handled.

trunk/Source/JavaScriptCore/runtime/ProxyObject.h

@@ -35 +35 @@
     typedef JSNonFinalObject Base;
 
-    static constexpr unsigned StructureFlags = Base::StructureFlags | OverridesGetOwnPropertySlot | OverridesGetCallData | InterceptsGetOwnPropertySlotByIndexEvenWhenLengthIsNotZero | OverridesGetPropertyNames | ProhibitsPropertyCaching;
+    static constexpr unsigned StructureFlags = Base::StructureFlags | OverridesGetOwnPropertySlot | OverridesGetCallData | InterceptsGetOwnPropertySlotByIndexEvenWhenLengthIsNotZero | OverridesGetPropertyNames | OverridesAnyFormOfGetPropertyNames | ProhibitsPropertyCaching;
 
     template<typename CellType, SubspaceAccess mode>

trunk/Source/JavaScriptCore/runtime/RegExpObject.h

@@ -31 +31 @@
 public:
     using Base = JSNonFinalObject;
-    static constexpr unsigned StructureFlags = Base::StructureFlags | OverridesGetOwnPropertySlot | OverridesGetPropertyNames;
+    static constexpr unsigned StructureFlags = Base::StructureFlags | OverridesGetOwnPropertySlot | OverridesGetPropertyNames | OverridesAnyFormOfGetPropertyNames;
 
     template<typename CellType, SubspaceAccess mode>

trunk/Source/JavaScriptCore/runtime/StringObject.h

@@ -29 +29 @@
 public:
     using Base = JSWrapperObject;
-    static constexpr unsigned StructureFlags = Base::StructureFlags | OverridesGetOwnPropertySlot | InterceptsGetOwnPropertySlotByIndexEvenWhenLengthIsNotZero | OverridesGetPropertyNames;
+    static constexpr unsigned StructureFlags = Base::StructureFlags | OverridesGetOwnPropertySlot | InterceptsGetOwnPropertySlotByIndexEvenWhenLengthIsNotZero | OverridesAnyFormOfGetPropertyNames;
 
     template<typename, SubspaceAccess mode>

trunk/Source/JavaScriptCore/runtime/Structure.cpp

@@ -163 +163 @@
 }
 
+#if ASSERT_ENABLED
+void Structure::validateFlags()
+{
+    const MethodTable& methodTable = m_classInfo->methodTable;
+
+    bool overridesGetCallData = methodTable.getCallData != JSCell::getCallData;
+    RELEASE_ASSERT(overridesGetCallData == typeInfo().overridesGetCallData());
+
+    bool overridesGetOwnPropertySlot =
+        methodTable.getOwnPropertySlot != JSObject::getOwnPropertySlot
+        && methodTable.getOwnPropertySlot != JSCell::getOwnPropertySlot;
+    // We can strengthen this into an equivalence test if there are no classes
+    // that specifies this flag without overriding getOwnPropertySlot.
+    // FIXME: https://bugs.webkit.org/show_bug.cgi?id=212956
+    if (overridesGetOwnPropertySlot)
+        RELEASE_ASSERT(typeInfo().overridesGetOwnPropertySlot());
+
+    bool overridesGetOwnPropertySlotByIndex =
+        methodTable.getOwnPropertySlotByIndex != JSObject::getOwnPropertySlotByIndex
+        && methodTable.getOwnPropertySlotByIndex != JSCell::getOwnPropertySlotByIndex;
+    // We can strengthen this into an equivalence test if there are no classes
+    // that specifies this flag without overriding getOwnPropertySlotByIndex.
+    // FIXME: https://bugs.webkit.org/show_bug.cgi?id=212958
+    if (overridesGetOwnPropertySlotByIndex)
+        RELEASE_ASSERT(typeInfo().interceptsGetOwnPropertySlotByIndexEvenWhenLengthIsNotZero());
+
+    bool overridesPutPropertySecurityCheck =
+        methodTable.doPutPropertySecurityCheck != JSObject::doPutPropertySecurityCheck
+        && methodTable.doPutPropertySecurityCheck != JSCell::doPutPropertySecurityCheck;
+    RELEASE_ASSERT(overridesPutPropertySecurityCheck == typeInfo().hasPutPropertySecurityCheck());
+
+    bool overridesGetPropertyNames =
+        methodTable.getPropertyNames != JSObject::getPropertyNames
+        && methodTable.getPropertyNames != JSCell::getPropertyNames;
+    bool overridesGetOwnPropertyNames =
+        methodTable.getOwnPropertyNames != JSObject::getOwnPropertyNames
+        && methodTable.getOwnPropertyNames != JSCell::getOwnPropertyNames;
+    bool overridesGetOwnNonIndexPropertyNames =
+        methodTable.getOwnNonIndexPropertyNames != JSObject::getOwnNonIndexPropertyNames
+        && methodTable.getOwnNonIndexPropertyNames != JSCell::getOwnNonIndexPropertyNames;
+
+    RELEASE_ASSERT(overridesGetPropertyNames == typeInfo().overridesGetPropertyNames());
+
+    // We can strengthen this into an equivalence test if there are no classes
+    // that specifies this flag without overriding any of the forms of getPropertyNames.
+    // FIXME: https://bugs.webkit.org/show_bug.cgi?id=212954
+    if (overridesGetPropertyNames
+        || overridesGetOwnPropertyNames
+        || overridesGetOwnNonIndexPropertyNames)
+        RELEASE_ASSERT(typeInfo().overridesAnyFormOfGetPropertyNames());
+}
+#else
+inline void Structure::validateFlags() { }
+#endif
+
 Structure::Structure(VM& vm, JSGlobalObject* globalObject, JSValue prototype, const TypeInfo& typeInfo, const ClassInfo* classInfo, IndexingType indexingType, unsigned inlineCapacity)
     : JSCell(vm, vm.structureStructure.get())
@@ -196 +251 @@
     ASSERT(static_cast<PropertyOffset>(inlineCapacity) < firstOutOfLineOffset);
     ASSERT(!hasRareData());
-    ASSERT(hasReadOnlyOrGetterSetterPropertiesExcludingProto() || !m_classInfo->hasStaticSetterOrReadonlyProperties());
-    ASSERT(hasGetterSetterProperties() || !m_classInfo->hasStaticSetterOrReadonlyProperties());
-    ASSERT(!this->typeInfo().overridesGetCallData() || m_classInfo->methodTable.getCallData != &JSCell::getCallData);
+    ASSERT(hasReadOnlyOrGetterSetterPropertiesExcludingProto() == m_classInfo->hasStaticSetterOrReadonlyProperties());
+    ASSERT(hasGetterSetterProperties() == m_classInfo->hasStaticSetterOrReadonlyProperties());
+
+    validateFlags();
 }
 

trunk/Source/JavaScriptCore/runtime/Structure.h

@@ -174 +174 @@
     }
 
+    void validateFlags();
+
 public:
     StructureID id() const { return m_blob.structureID(); }

trunk/Source/JavaScriptCore/runtime/StructureInlines.h

@@ -268 +268 @@
     if (hasIndexedProperties(indexingType()))
         return false;
-    if (typeInfo().overridesGetPropertyNames())
+    if (typeInfo().overridesAnyFormOfGetPropertyNames())
         return false;
     return true;

trunk/Source/JavaScriptCore/tools/JSDollarVM.cpp

@@ -537 +537 @@
 public:
     typedef JSArray Base;
-    static constexpr unsigned StructureFlags = Base::StructureFlags | OverridesGetOwnPropertySlot | InterceptsGetOwnPropertySlotByIndexEvenWhenLengthIsNotZero | OverridesGetPropertyNames;
+    static constexpr unsigned StructureFlags = Base::StructureFlags | OverridesGetOwnPropertySlot | InterceptsGetOwnPropertySlotByIndexEvenWhenLengthIsNotZero | OverridesAnyFormOfGetPropertyNames;
 
 IGNORE_WARNINGS_BEGIN("unused-const-variable")

trunk/Source/WebCore/ChangeLog

@@ +1 @@
+2020-06-09  Mark Lam  <mark.lam@apple.com>
+
+        Disambiguate the OverridesGetPropertyNames structure flag
+        https://bugs.webkit.org/show_bug.cgi?id=212909
+        <rdar://problem/63823557>
+
+        Reviewed by Saam Barati.
+
+        1. JSDOMWindowProperties was not defining its Base.  As a result, its
+           StructureFlags was inheriting from JSDOMObject's Base instead of from JSDOMObject
+           as one would expect.  This turns out to be harmless because JSDOMObject did not
+           define any StructureFlags.  Regardless, this is not fixed so that if JSDOMObject
+           adds any StructureFlags, it will be inherited properly by JSDOMWindowProperties.
+
+        2. Updated CodeGeneratorJS.pm and rebased the binding test results.
+
+        * bindings/js/JSDOMWindowProperties.h:
+        * bindings/scripts/CodeGeneratorJS.pm:
+        (GenerateHeader):
+        * bindings/scripts/test/JS/JSTestEventTarget.h:
+        * bindings/scripts/test/JS/JSTestIndexedSetterNoIdentifier.h:
+        * bindings/scripts/test/JS/JSTestIndexedSetterThrowingException.h:
+        * bindings/scripts/test/JS/JSTestIndexedSetterWithIdentifier.h:
+        * bindings/scripts/test/JS/JSTestNamedAndIndexedSetterNoIdentifier.h:
+        * bindings/scripts/test/JS/JSTestNamedAndIndexedSetterThrowingException.h:
+        * bindings/scripts/test/JS/JSTestNamedAndIndexedSetterWithIdentifier.h:
+        * bindings/scripts/test/JS/JSTestNamedDeleterNoIdentifier.h:
+        * bindings/scripts/test/JS/JSTestNamedDeleterThrowingException.h:
+        * bindings/scripts/test/JS/JSTestNamedDeleterWithIdentifier.h:
+        * bindings/scripts/test/JS/JSTestNamedDeleterWithIndexedGetter.h:
+        * bindings/scripts/test/JS/JSTestNamedGetterCallWith.h:
+        * bindings/scripts/test/JS/JSTestNamedGetterNoIdentifier.h:
+        * bindings/scripts/test/JS/JSTestNamedGetterWithIdentifier.h:
+        * bindings/scripts/test/JS/JSTestNamedSetterNoIdentifier.h:
+        * bindings/scripts/test/JS/JSTestNamedSetterThrowingException.h:
+        * bindings/scripts/test/JS/JSTestNamedSetterWithIdentifier.h:
+        * bindings/scripts/test/JS/JSTestNamedSetterWithIndexedGetter.h:
+        * bindings/scripts/test/JS/JSTestNamedSetterWithIndexedGetterAndSetter.h:
+        * bindings/scripts/test/JS/JSTestNamedSetterWithOverrideBuiltins.h:
+        * bindings/scripts/test/JS/JSTestNamedSetterWithUnforgableProperties.h:
+        * bindings/scripts/test/JS/JSTestNamedSetterWithUnforgablePropertiesAndOverrideBuiltins.h:
+        * bindings/scripts/test/JS/JSTestObj.h:
+        * bindings/scripts/test/JS/JSTestOverrideBuiltins.h:
+        * bridge/runtime_array.h:
+        * bridge/runtime_object.h:
+
 2020-06-09  Dean Jackson  <dino@apple.com>
 

trunk/Source/WebCore/bindings/js/JSDOMWindowProperties.h

@@ -33 +33 @@
 class JSDOMWindowProperties final : public JSDOMObject {
 public:
+    using Base = JSDOMObject;
+    static constexpr unsigned StructureFlags = Base::StructureFlags | JSC::GetOwnPropertySlotIsImpureForPropertyAbsence | JSC::InterceptsGetOwnPropertySlotByIndexEvenWhenLengthIsNotZero | JSC::OverridesGetOwnPropertySlot | JSC::IsImmutablePrototypeExoticObject;
+
     static constexpr bool needsDestruction = false;
     template<typename CellType, JSC::SubspaceAccess>
@@ -58 +61 @@
     static bool getOwnPropertySlotByIndex(JSC::JSObject*, JSC::JSGlobalObject*, unsigned propertyName, JSC::PropertySlot&);
 
-    static constexpr unsigned StructureFlags = Base::StructureFlags | JSC::GetOwnPropertySlotIsImpureForPropertyAbsence | JSC::InterceptsGetOwnPropertySlotByIndexEvenWhenLengthIsNotZero | JSC::OverridesGetOwnPropertySlot | JSC::IsImmutablePrototypeExoticObject;
-
 private:
     JSDOMWindowProperties(JSC::Structure* structure, JSC::JSGlobalObject& globalObject)

trunk/Source/WebCore/bindings/scripts/CodeGeneratorJS.pm

@@ -2686 +2686 @@
     if (InstanceOverridesGetOwnPropertyNames($interface)) {
         push(@headerContent, "    static void getOwnPropertyNames(JSC::JSObject*, JSC::JSGlobalObject*, JSC::PropertyNameArray&, JSC::EnumerationMode = JSC::EnumerationMode());\n");
-        $structureFlags{"JSC::OverridesGetPropertyNames"} = 1;
+        $structureFlags{"JSC::OverridesAnyFormOfGetPropertyNames"} = 1;
     }
     

trunk/Source/WebCore/bindings/scripts/test/JS/JSTestEventTarget.h

@@ -67 +67 @@
     }
 public:
-    static constexpr unsigned StructureFlags = Base::StructureFlags | JSC::GetOwnPropertySlotIsImpureForPropertyAbsence | JSC::InterceptsGetOwnPropertySlotByIndexEvenWhenLengthIsNotZero | JSC::MasqueradesAsUndefined | JSC::OverridesGetOwnPropertySlot | JSC::OverridesGetPropertyNames;
+    static constexpr unsigned StructureFlags = Base::StructureFlags | JSC::GetOwnPropertySlotIsImpureForPropertyAbsence | JSC::InterceptsGetOwnPropertySlotByIndexEvenWhenLengthIsNotZero | JSC::MasqueradesAsUndefined | JSC::OverridesAnyFormOfGetPropertyNames | JSC::OverridesGetOwnPropertySlot;
 protected:
     JSTestEventTarget(JSC::Structure*, JSDOMGlobalObject&, Ref<TestEventTarget>&&);

trunk/Source/WebCore/bindings/scripts/test/JS/JSTestIndexedSetterNoIdentifier.h

@@ -65 +65 @@
     static void analyzeHeap(JSCell*, JSC::HeapAnalyzer&);
 public:
-    static constexpr unsigned StructureFlags = Base::StructureFlags | JSC::InterceptsGetOwnPropertySlotByIndexEvenWhenLengthIsNotZero | JSC::OverridesGetOwnPropertySlot | JSC::OverridesGetPropertyNames;
+    static constexpr unsigned StructureFlags = Base::StructureFlags | JSC::InterceptsGetOwnPropertySlotByIndexEvenWhenLengthIsNotZero | JSC::OverridesAnyFormOfGetPropertyNames | JSC::OverridesGetOwnPropertySlot;
 protected:
     JSTestIndexedSetterNoIdentifier(JSC::Structure*, JSDOMGlobalObject&, Ref<TestIndexedSetterNoIdentifier>&&);

trunk/Source/WebCore/bindings/scripts/test/JS/JSTestIndexedSetterThrowingException.h

@@ -65 +65 @@
     static void analyzeHeap(JSCell*, JSC::HeapAnalyzer&);
 public:
-    static constexpr unsigned StructureFlags = Base::StructureFlags | JSC::InterceptsGetOwnPropertySlotByIndexEvenWhenLengthIsNotZero | JSC::OverridesGetOwnPropertySlot | JSC::OverridesGetPropertyNames;
+    static constexpr unsigned StructureFlags = Base::StructureFlags | JSC::InterceptsGetOwnPropertySlotByIndexEvenWhenLengthIsNotZero | JSC::OverridesAnyFormOfGetPropertyNames | JSC::OverridesGetOwnPropertySlot;
 protected:
     JSTestIndexedSetterThrowingException(JSC::Structure*, JSDOMGlobalObject&, Ref<TestIndexedSetterThrowingException>&&);

trunk/Source/WebCore/bindings/scripts/test/JS/JSTestIndexedSetterWithIdentifier.h

@@ -65 +65 @@
     static void analyzeHeap(JSCell*, JSC::HeapAnalyzer&);
 public:
-    static constexpr unsigned StructureFlags = Base::StructureFlags | JSC::InterceptsGetOwnPropertySlotByIndexEvenWhenLengthIsNotZero | JSC::OverridesGetOwnPropertySlot | JSC::OverridesGetPropertyNames;
+    static constexpr unsigned StructureFlags = Base::StructureFlags | JSC::InterceptsGetOwnPropertySlotByIndexEvenWhenLengthIsNotZero | JSC::OverridesAnyFormOfGetPropertyNames | JSC::OverridesGetOwnPropertySlot;
 protected:
     JSTestIndexedSetterWithIdentifier(JSC::Structure*, JSDOMGlobalObject&, Ref<TestIndexedSetterWithIdentifier>&&);

trunk/Source/WebCore/bindings/scripts/test/JS/JSTestNamedAndIndexedSetterNoIdentifier.h

@@ -65 +65 @@
     static void analyzeHeap(JSCell*, JSC::HeapAnalyzer&);
 public:
-    static constexpr unsigned StructureFlags = Base::StructureFlags | JSC::GetOwnPropertySlotIsImpureForPropertyAbsence | JSC::InterceptsGetOwnPropertySlotByIndexEvenWhenLengthIsNotZero | JSC::OverridesGetOwnPropertySlot | JSC::OverridesGetPropertyNames | JSC::ProhibitsPropertyCaching;
+    static constexpr unsigned StructureFlags = Base::StructureFlags | JSC::GetOwnPropertySlotIsImpureForPropertyAbsence | JSC::InterceptsGetOwnPropertySlotByIndexEvenWhenLengthIsNotZero | JSC::OverridesAnyFormOfGetPropertyNames | JSC::OverridesGetOwnPropertySlot | JSC::ProhibitsPropertyCaching;
 protected:
     JSTestNamedAndIndexedSetterNoIdentifier(JSC::Structure*, JSDOMGlobalObject&, Ref<TestNamedAndIndexedSetterNoIdentifier>&&);

trunk/Source/WebCore/bindings/scripts/test/JS/JSTestNamedAndIndexedSetterThrowingException.h

@@ -65 +65 @@
     static void analyzeHeap(JSCell*, JSC::HeapAnalyzer&);
 public:
-    static constexpr unsigned StructureFlags = Base::StructureFlags | JSC::GetOwnPropertySlotIsImpureForPropertyAbsence | JSC::InterceptsGetOwnPropertySlotByIndexEvenWhenLengthIsNotZero | JSC::OverridesGetOwnPropertySlot | JSC::OverridesGetPropertyNames | JSC::ProhibitsPropertyCaching;
+    static constexpr unsigned StructureFlags = Base::StructureFlags | JSC::GetOwnPropertySlotIsImpureForPropertyAbsence | JSC::InterceptsGetOwnPropertySlotByIndexEvenWhenLengthIsNotZero | JSC::OverridesAnyFormOfGetPropertyNames | JSC::OverridesGetOwnPropertySlot | JSC::ProhibitsPropertyCaching;
 protected:
     JSTestNamedAndIndexedSetterThrowingException(JSC::Structure*, JSDOMGlobalObject&, Ref<TestNamedAndIndexedSetterThrowingException>&&);

trunk/Source/WebCore/bindings/scripts/test/JS/JSTestNamedAndIndexedSetterWithIdentifier.h

@@ -65 +65 @@
     static void analyzeHeap(JSCell*, JSC::HeapAnalyzer&);
 public:
-    static constexpr unsigned StructureFlags = Base::StructureFlags | JSC::GetOwnPropertySlotIsImpureForPropertyAbsence | JSC::InterceptsGetOwnPropertySlotByIndexEvenWhenLengthIsNotZero | JSC::OverridesGetOwnPropertySlot | JSC::OverridesGetPropertyNames | JSC::ProhibitsPropertyCaching;
+    static constexpr unsigned StructureFlags = Base::StructureFlags | JSC::GetOwnPropertySlotIsImpureForPropertyAbsence | JSC::InterceptsGetOwnPropertySlotByIndexEvenWhenLengthIsNotZero | JSC::OverridesAnyFormOfGetPropertyNames | JSC::OverridesGetOwnPropertySlot | JSC::ProhibitsPropertyCaching;
 protected:
     JSTestNamedAndIndexedSetterWithIdentifier(JSC::Structure*, JSDOMGlobalObject&, Ref<TestNamedAndIndexedSetterWithIdentifier>&&);

trunk/Source/WebCore/bindings/scripts/test/JS/JSTestNamedDeleterNoIdentifier.h

@@ -64 +64 @@
     static void analyzeHeap(JSCell*, JSC::HeapAnalyzer&);
 public:
-    static constexpr unsigned StructureFlags = Base::StructureFlags | JSC::GetOwnPropertySlotIsImpureForPropertyAbsence | JSC::InterceptsGetOwnPropertySlotByIndexEvenWhenLengthIsNotZero | JSC::OverridesGetOwnPropertySlot | JSC::OverridesGetPropertyNames;
+    static constexpr unsigned StructureFlags = Base::StructureFlags | JSC::GetOwnPropertySlotIsImpureForPropertyAbsence | JSC::InterceptsGetOwnPropertySlotByIndexEvenWhenLengthIsNotZero | JSC::OverridesAnyFormOfGetPropertyNames | JSC::OverridesGetOwnPropertySlot;
 protected:
     JSTestNamedDeleterNoIdentifier(JSC::Structure*, JSDOMGlobalObject&, Ref<TestNamedDeleterNoIdentifier>&&);

trunk/Source/WebCore/bindings/scripts/test/JS/JSTestNamedDeleterThrowingException.h

@@ -64 +64 @@
     static void analyzeHeap(JSCell*, JSC::HeapAnalyzer&);
 public:
-    static constexpr unsigned StructureFlags = Base::StructureFlags | JSC::GetOwnPropertySlotIsImpureForPropertyAbsence | JSC::InterceptsGetOwnPropertySlotByIndexEvenWhenLengthIsNotZero | JSC::OverridesGetOwnPropertySlot | JSC::OverridesGetPropertyNames;
+    static constexpr unsigned StructureFlags = Base::StructureFlags | JSC::GetOwnPropertySlotIsImpureForPropertyAbsence | JSC::InterceptsGetOwnPropertySlotByIndexEvenWhenLengthIsNotZero | JSC::OverridesAnyFormOfGetPropertyNames | JSC::OverridesGetOwnPropertySlot;
 protected:
     JSTestNamedDeleterThrowingException(JSC::Structure*, JSDOMGlobalObject&, Ref<TestNamedDeleterThrowingException>&&);

trunk/Source/WebCore/bindings/scripts/test/JS/JSTestNamedDeleterWithIdentifier.h

@@ -64 +64 @@
     static void analyzeHeap(JSCell*, JSC::HeapAnalyzer&);
 public:
-    static constexpr unsigned StructureFlags = Base::StructureFlags | JSC::GetOwnPropertySlotIsImpureForPropertyAbsence | JSC::InterceptsGetOwnPropertySlotByIndexEvenWhenLengthIsNotZero | JSC::OverridesGetOwnPropertySlot | JSC::OverridesGetPropertyNames;
+    static constexpr unsigned StructureFlags = Base::StructureFlags | JSC::GetOwnPropertySlotIsImpureForPropertyAbsence | JSC::InterceptsGetOwnPropertySlotByIndexEvenWhenLengthIsNotZero | JSC::OverridesAnyFormOfGetPropertyNames | JSC::OverridesGetOwnPropertySlot;
 protected:
     JSTestNamedDeleterWithIdentifier(JSC::Structure*, JSDOMGlobalObject&, Ref<TestNamedDeleterWithIdentifier>&&);

trunk/Source/WebCore/bindings/scripts/test/JS/JSTestNamedDeleterWithIndexedGetter.h

@@ -64 +64 @@
     static void analyzeHeap(JSCell*, JSC::HeapAnalyzer&);
 public:
-    static constexpr unsigned StructureFlags = Base::StructureFlags | JSC::GetOwnPropertySlotIsImpureForPropertyAbsence | JSC::InterceptsGetOwnPropertySlotByIndexEvenWhenLengthIsNotZero | JSC::OverridesGetOwnPropertySlot | JSC::OverridesGetPropertyNames;
+    static constexpr unsigned StructureFlags = Base::StructureFlags | JSC::GetOwnPropertySlotIsImpureForPropertyAbsence | JSC::InterceptsGetOwnPropertySlotByIndexEvenWhenLengthIsNotZero | JSC::OverridesAnyFormOfGetPropertyNames | JSC::OverridesGetOwnPropertySlot;
 protected:
     JSTestNamedDeleterWithIndexedGetter(JSC::Structure*, JSDOMGlobalObject&, Ref<TestNamedDeleterWithIndexedGetter>&&);

trunk/Source/WebCore/bindings/scripts/test/JS/JSTestNamedGetterCallWith.h

@@ -62 +62 @@
     static void analyzeHeap(JSCell*, JSC::HeapAnalyzer&);
 public:
-    static constexpr unsigned StructureFlags = Base::StructureFlags | JSC::GetOwnPropertySlotIsImpureForPropertyAbsence | JSC::InterceptsGetOwnPropertySlotByIndexEvenWhenLengthIsNotZero | JSC::OverridesGetOwnPropertySlot | JSC::OverridesGetPropertyNames;
+    static constexpr unsigned StructureFlags = Base::StructureFlags | JSC::GetOwnPropertySlotIsImpureForPropertyAbsence | JSC::InterceptsGetOwnPropertySlotByIndexEvenWhenLengthIsNotZero | JSC::OverridesAnyFormOfGetPropertyNames | JSC::OverridesGetOwnPropertySlot;
 protected:
     JSTestNamedGetterCallWith(JSC::Structure*, JSDOMGlobalObject&, Ref<TestNamedGetterCallWith>&&);

trunk/Source/WebCore/bindings/scripts/test/JS/JSTestNamedGetterNoIdentifier.h

@@ -62 +62 @@
     static void analyzeHeap(JSCell*, JSC::HeapAnalyzer&);
 public:
-    static constexpr unsigned StructureFlags = Base::StructureFlags | JSC::GetOwnPropertySlotIsImpureForPropertyAbsence | JSC::InterceptsGetOwnPropertySlotByIndexEvenWhenLengthIsNotZero | JSC::OverridesGetOwnPropertySlot | JSC::OverridesGetPropertyNames;
+    static constexpr unsigned StructureFlags = Base::StructureFlags | JSC::GetOwnPropertySlotIsImpureForPropertyAbsence | JSC::InterceptsGetOwnPropertySlotByIndexEvenWhenLengthIsNotZero | JSC::OverridesAnyFormOfGetPropertyNames | JSC::OverridesGetOwnPropertySlot;
 protected:
     JSTestNamedGetterNoIdentifier(JSC::Structure*, JSDOMGlobalObject&, Ref<TestNamedGetterNoIdentifier>&&);

trunk/Source/WebCore/bindings/scripts/test/JS/JSTestNamedGetterWithIdentifier.h

@@ -62 +62 @@
     static void analyzeHeap(JSCell*, JSC::HeapAnalyzer&);
 public:
-    static constexpr unsigned StructureFlags = Base::StructureFlags | JSC::GetOwnPropertySlotIsImpureForPropertyAbsence | JSC::InterceptsGetOwnPropertySlotByIndexEvenWhenLengthIsNotZero | JSC::OverridesGetOwnPropertySlot | JSC::OverridesGetPropertyNames;
+    static constexpr unsigned StructureFlags = Base::StructureFlags | JSC::GetOwnPropertySlotIsImpureForPropertyAbsence | JSC::InterceptsGetOwnPropertySlotByIndexEvenWhenLengthIsNotZero | JSC::OverridesAnyFormOfGetPropertyNames | JSC::OverridesGetOwnPropertySlot;
 protected:
     JSTestNamedGetterWithIdentifier(JSC::Structure*, JSDOMGlobalObject&, Ref<TestNamedGetterWithIdentifier>&&);

trunk/Source/WebCore/bindings/scripts/test/JS/JSTestNamedSetterNoIdentifier.h

@@ -65 +65 @@
     static void analyzeHeap(JSCell*, JSC::HeapAnalyzer&);
 public:
-    static constexpr unsigned StructureFlags = Base::StructureFlags | JSC::GetOwnPropertySlotIsImpureForPropertyAbsence | JSC::InterceptsGetOwnPropertySlotByIndexEvenWhenLengthIsNotZero | JSC::OverridesGetOwnPropertySlot | JSC::OverridesGetPropertyNames | JSC::ProhibitsPropertyCaching;
+    static constexpr unsigned StructureFlags = Base::StructureFlags | JSC::GetOwnPropertySlotIsImpureForPropertyAbsence | JSC::InterceptsGetOwnPropertySlotByIndexEvenWhenLengthIsNotZero | JSC::OverridesAnyFormOfGetPropertyNames | JSC::OverridesGetOwnPropertySlot | JSC::ProhibitsPropertyCaching;
 protected:
     JSTestNamedSetterNoIdentifier(JSC::Structure*, JSDOMGlobalObject&, Ref<TestNamedSetterNoIdentifier>&&);

trunk/Source/WebCore/bindings/scripts/test/JS/JSTestNamedSetterThrowingException.h

@@ -65 +65 @@
     static void analyzeHeap(JSCell*, JSC::HeapAnalyzer&);
 public:
-    static constexpr unsigned StructureFlags = Base::StructureFlags | JSC::GetOwnPropertySlotIsImpureForPropertyAbsence | JSC::InterceptsGetOwnPropertySlotByIndexEvenWhenLengthIsNotZero | JSC::OverridesGetOwnPropertySlot | JSC::OverridesGetPropertyNames | JSC::ProhibitsPropertyCaching;
+    static constexpr unsigned StructureFlags = Base::StructureFlags | JSC::GetOwnPropertySlotIsImpureForPropertyAbsence | JSC::InterceptsGetOwnPropertySlotByIndexEvenWhenLengthIsNotZero | JSC::OverridesAnyFormOfGetPropertyNames | JSC::OverridesGetOwnPropertySlot | JSC::ProhibitsPropertyCaching;
 protected:
     JSTestNamedSetterThrowingException(JSC::Structure*, JSDOMGlobalObject&, Ref<TestNamedSetterThrowingException>&&);

trunk/Source/WebCore/bindings/scripts/test/JS/JSTestNamedSetterWithIdentifier.h

@@ -65 +65 @@
     static void analyzeHeap(JSCell*, JSC::HeapAnalyzer&);
 public:
-    static constexpr unsigned StructureFlags = Base::StructureFlags | JSC::GetOwnPropertySlotIsImpureForPropertyAbsence | JSC::InterceptsGetOwnPropertySlotByIndexEvenWhenLengthIsNotZero | JSC::OverridesGetOwnPropertySlot | JSC::OverridesGetPropertyNames | JSC::ProhibitsPropertyCaching;
+    static constexpr unsigned StructureFlags = Base::StructureFlags | JSC::GetOwnPropertySlotIsImpureForPropertyAbsence | JSC::InterceptsGetOwnPropertySlotByIndexEvenWhenLengthIsNotZero | JSC::OverridesAnyFormOfGetPropertyNames | JSC::OverridesGetOwnPropertySlot | JSC::ProhibitsPropertyCaching;
 protected:
     JSTestNamedSetterWithIdentifier(JSC::Structure*, JSDOMGlobalObject&, Ref<TestNamedSetterWithIdentifier>&&);

trunk/Source/WebCore/bindings/scripts/test/JS/JSTestNamedSetterWithIndexedGetter.h

@@ -65 +65 @@
     static void analyzeHeap(JSCell*, JSC::HeapAnalyzer&);
 public:
-    static constexpr unsigned StructureFlags = Base::StructureFlags | JSC::GetOwnPropertySlotIsImpureForPropertyAbsence | JSC::InterceptsGetOwnPropertySlotByIndexEvenWhenLengthIsNotZero | JSC::OverridesGetOwnPropertySlot | JSC::OverridesGetPropertyNames | JSC::ProhibitsPropertyCaching;
+    static constexpr unsigned StructureFlags = Base::StructureFlags | JSC::GetOwnPropertySlotIsImpureForPropertyAbsence | JSC::InterceptsGetOwnPropertySlotByIndexEvenWhenLengthIsNotZero | JSC::OverridesAnyFormOfGetPropertyNames | JSC::OverridesGetOwnPropertySlot | JSC::ProhibitsPropertyCaching;
 protected:
     JSTestNamedSetterWithIndexedGetter(JSC::Structure*, JSDOMGlobalObject&, Ref<TestNamedSetterWithIndexedGetter>&&);

trunk/Source/WebCore/bindings/scripts/test/JS/JSTestNamedSetterWithIndexedGetterAndSetter.h

@@ -65 +65 @@
     static void analyzeHeap(JSCell*, JSC::HeapAnalyzer&);
 public:
-    static constexpr unsigned StructureFlags = Base::StructureFlags | JSC::GetOwnPropertySlotIsImpureForPropertyAbsence | JSC::InterceptsGetOwnPropertySlotByIndexEvenWhenLengthIsNotZero | JSC::OverridesGetOwnPropertySlot | JSC::OverridesGetPropertyNames | JSC::ProhibitsPropertyCaching;
+    static constexpr unsigned StructureFlags = Base::StructureFlags | JSC::GetOwnPropertySlotIsImpureForPropertyAbsence | JSC::InterceptsGetOwnPropertySlotByIndexEvenWhenLengthIsNotZero | JSC::OverridesAnyFormOfGetPropertyNames | JSC::OverridesGetOwnPropertySlot | JSC::ProhibitsPropertyCaching;
 protected:
     JSTestNamedSetterWithIndexedGetterAndSetter(JSC::Structure*, JSDOMGlobalObject&, Ref<TestNamedSetterWithIndexedGetterAndSetter>&&);

trunk/Source/WebCore/bindings/scripts/test/JS/JSTestNamedSetterWithOverrideBuiltins.h

@@ -65 +65 @@
     static void analyzeHeap(JSCell*, JSC::HeapAnalyzer&);
 public:
-    static constexpr unsigned StructureFlags = Base::StructureFlags | JSC::GetOwnPropertySlotIsImpure | JSC::InterceptsGetOwnPropertySlotByIndexEvenWhenLengthIsNotZero | JSC::OverridesGetOwnPropertySlot | JSC::OverridesGetPropertyNames | JSC::ProhibitsPropertyCaching;
+    static constexpr unsigned StructureFlags = Base::StructureFlags | JSC::GetOwnPropertySlotIsImpure | JSC::InterceptsGetOwnPropertySlotByIndexEvenWhenLengthIsNotZero | JSC::OverridesAnyFormOfGetPropertyNames | JSC::OverridesGetOwnPropertySlot | JSC::ProhibitsPropertyCaching;
 protected:
     JSTestNamedSetterWithOverrideBuiltins(JSC::Structure*, JSDOMGlobalObject&, Ref<TestNamedSetterWithOverrideBuiltins>&&);

trunk/Source/WebCore/bindings/scripts/test/JS/JSTestNamedSetterWithUnforgableProperties.h

@@ -65 +65 @@
     static void analyzeHeap(JSCell*, JSC::HeapAnalyzer&);
 public:
-    static constexpr unsigned StructureFlags = Base::StructureFlags | JSC::GetOwnPropertySlotIsImpureForPropertyAbsence | JSC::HasStaticPropertyTable | JSC::InterceptsGetOwnPropertySlotByIndexEvenWhenLengthIsNotZero | JSC::OverridesGetOwnPropertySlot | JSC::OverridesGetPropertyNames | JSC::ProhibitsPropertyCaching;
+    static constexpr unsigned StructureFlags = Base::StructureFlags | JSC::GetOwnPropertySlotIsImpureForPropertyAbsence | JSC::HasStaticPropertyTable | JSC::InterceptsGetOwnPropertySlotByIndexEvenWhenLengthIsNotZero | JSC::OverridesAnyFormOfGetPropertyNames | JSC::OverridesGetOwnPropertySlot | JSC::ProhibitsPropertyCaching;
 protected:
     JSTestNamedSetterWithUnforgableProperties(JSC::Structure*, JSDOMGlobalObject&, Ref<TestNamedSetterWithUnforgableProperties>&&);

trunk/Source/WebCore/bindings/scripts/test/JS/JSTestNamedSetterWithUnforgablePropertiesAndOverrideBuiltins.h

@@ -65 +65 @@
     static void analyzeHeap(JSCell*, JSC::HeapAnalyzer&);
 public:
-    static constexpr unsigned StructureFlags = Base::StructureFlags | JSC::GetOwnPropertySlotIsImpure | JSC::HasStaticPropertyTable | JSC::InterceptsGetOwnPropertySlotByIndexEvenWhenLengthIsNotZero | JSC::OverridesGetOwnPropertySlot | JSC::OverridesGetPropertyNames | JSC::ProhibitsPropertyCaching;
+    static constexpr unsigned StructureFlags = Base::StructureFlags | JSC::GetOwnPropertySlotIsImpure | JSC::HasStaticPropertyTable | JSC::InterceptsGetOwnPropertySlotByIndexEvenWhenLengthIsNotZero | JSC::OverridesAnyFormOfGetPropertyNames | JSC::OverridesGetOwnPropertySlot | JSC::ProhibitsPropertyCaching;
 protected:
     JSTestNamedSetterWithUnforgablePropertiesAndOverrideBuiltins(JSC::Structure*, JSDOMGlobalObject&, Ref<TestNamedSetterWithUnforgablePropertiesAndOverrideBuiltins>&&);

trunk/Source/WebCore/bindings/scripts/test/JS/JSTestObj.h

@@ -87 +87 @@
     JSC::JSValue testCustomReturnsOwnPromiseFunction(JSC::JSGlobalObject&, JSC::CallFrame&);
 public:
-    static constexpr unsigned StructureFlags = Base::StructureFlags | JSC::HasStaticPropertyTable | JSC::InterceptsGetOwnPropertySlotByIndexEvenWhenLengthIsNotZero | JSC::OverridesGetCallData | JSC::OverridesGetOwnPropertySlot | JSC::OverridesGetPropertyNames;
+    static constexpr unsigned StructureFlags = Base::StructureFlags | JSC::HasStaticPropertyTable | JSC::InterceptsGetOwnPropertySlotByIndexEvenWhenLengthIsNotZero | JSC::OverridesAnyFormOfGetPropertyNames | JSC::OverridesGetCallData | JSC::OverridesGetOwnPropertySlot;
 protected:
     JSTestObj(JSC::Structure*, JSDOMGlobalObject&, Ref<TestObj>&&);

trunk/Source/WebCore/bindings/scripts/test/JS/JSTestOverrideBuiltins.h

@@ -62 +62 @@
     static void analyzeHeap(JSCell*, JSC::HeapAnalyzer&);
 public:
-    static constexpr unsigned StructureFlags = Base::StructureFlags | JSC::GetOwnPropertySlotIsImpure | JSC::InterceptsGetOwnPropertySlotByIndexEvenWhenLengthIsNotZero | JSC::OverridesGetOwnPropertySlot | JSC::OverridesGetPropertyNames;
+    static constexpr unsigned StructureFlags = Base::StructureFlags | JSC::GetOwnPropertySlotIsImpure | JSC::InterceptsGetOwnPropertySlotByIndexEvenWhenLengthIsNotZero | JSC::OverridesAnyFormOfGetPropertyNames | JSC::OverridesGetOwnPropertySlot;
 protected:
     JSTestOverrideBuiltins(JSC::Structure*, JSDOMGlobalObject&, Ref<TestOverrideBuiltins>&&);

trunk/Source/WebCore/bridge/runtime_array.h

@@ -36 +36 @@
 public:
     using Base = JSArray;
-    static constexpr unsigned StructureFlags = Base::StructureFlags | OverridesGetOwnPropertySlot | InterceptsGetOwnPropertySlotByIndexEvenWhenLengthIsNotZero | OverridesGetPropertyNames;
+    static constexpr unsigned StructureFlags = Base::StructureFlags | OverridesGetOwnPropertySlot | InterceptsGetOwnPropertySlotByIndexEvenWhenLengthIsNotZero | OverridesAnyFormOfGetPropertyNames;
     static constexpr bool needsDestruction = true;
 

trunk/Source/WebCore/bridge/runtime_object.h

@@ -36 +36 @@
 public:
     using Base = JSNonFinalObject;
-    static constexpr unsigned StructureFlags = Base::StructureFlags | OverridesGetOwnPropertySlot | OverridesGetPropertyNames | OverridesGetCallData;
+    static constexpr unsigned StructureFlags = Base::StructureFlags | OverridesGetOwnPropertySlot | OverridesAnyFormOfGetPropertyNames | OverridesGetCallData;
     static constexpr bool needsDestruction = true;
 

trunk/Source/WebKit/ChangeLog

@@ +1 @@
+2020-06-09  Mark Lam  <mark.lam@apple.com>
+
+        Disambiguate the OverridesGetPropertyNames structure flag
+        https://bugs.webkit.org/show_bug.cgi?id=212909
+        <rdar://problem/63823557>
+
+        Reviewed by Saam Barati.
+
+        * WebProcess/Plugins/Netscape/JSNPObject.h:
+
 2020-06-09  Dean Jackson  <dino@apple.com>
 

trunk/Source/WebKit/WebProcess/Plugins/Netscape/JSNPObject.h

@@ -45 +45 @@
 public:
     using Base = JSC::JSDestructibleObject;
-    static constexpr unsigned StructureFlags = Base::StructureFlags | JSC::OverridesGetOwnPropertySlot | JSC::OverridesGetPropertyNames | JSC::OverridesGetCallData;
+    static constexpr unsigned StructureFlags = Base::StructureFlags | JSC::OverridesGetOwnPropertySlot | JSC::OverridesAnyFormOfGetPropertyNames | JSC::OverridesGetCallData;
 
     template<typename CellType, JSC::SubspaceAccess>