Changeset 264736 in webkit


Timestamp:
Jul 22, 2020, 5:08:50 PM
Author:
mark.lam@apple.com
Message:

Disallow VM entry when doing a VMInquiry.
https://bugs.webkit.org/show_bug.cgi?id=214624
<rdar://problem/65915314>

Reviewed by Saam Barati.

Source/JavaScriptCore:

  1. In PropertySlot's constructor, automatically install a DisallowVMEntry scope if the passed in internal method type is VMInquiry. This ensures that we won't be able to enter the VM to call JS code while doing the inquiry. As a result, the PropertySlot constructor will now take an optional VM pointer, which must be passed in when the internal method type is VMInquiry.

Note that the handling of attempts to enter the VM depends on
Options::crashOnDisallowedVMEntry().

On Debug build (due to ASSERT_ENABLED), Options::crashOnDisallowedVMEntry()
defaults to true and the VM will crash on disallowed entry.
On Release build, Options::crashOnDisallowedVMEntry() defaults to false and
disallowed entry attempts into the VM will be treated like calling an empty
function that returns undefined. This is not new behavior in this patch, but
I just want to have a reminder here of how DisallowVMEntry will be enforcing
no entry into the VM while doing a VMInquiry.

  2. After VMInquiry gets, sometimes the client code wants to do other work that does entail entering the VM. In such cases, we need to reset the PropertySlot's disallowVMEntry scope. Fixed up a few places in client code to do this reset.
  3. Make the DisableVMEntry scope copyable. At least one place wants to copy PropertySlot, and as a result, will need to copy its embedded DisableVMEntry scope as well if installed.

For DisableVMEntry, we'll handle copying semantics as follows: copying a
DisableVMEntry will ref the VM::disallowVMEntryCount. The count will be
decremented when both instances are destructed. As a result, VM entry will
be disallowed as long as one of the copies is still alive.

  4. For the setObjectToStringValue() method of Structure and StructureRareData, we were previously passing a PropertySlot by copy. We don't really need to do this. Ultimately, only StructureRareData::setObjectToStringValue() needs to access a few of the PropertySlot query methods. So, we changed these methods to pass a const PropertySlot& instead to avoid the needless copying.
  • API/JSCallbackObjectFunctions.h:
    (JSC::JSCallbackObject<Parent>::put):
    (JSC::JSCallbackObject<Parent>::staticFunctionGetter):
  • heap/HeapSnapshotBuilder.cpp:
    (JSC::HeapSnapshotBuilder::json):
  • inspector/JSInjectedScriptHost.cpp:
    (Inspector::JSInjectedScriptHost::queryInstances):
  • interpreter/Interpreter.cpp:
    (JSC::Interpreter::execute):
  • jit/JITOperations.cpp:
  • llint/LLIntSlowPaths.cpp:
    (JSC::LLInt::LLINT_SLOW_PATH_DECL):
  • runtime/DisallowVMEntry.h:
    (JSC::DisallowVMEntryImpl::DisallowVMEntryImpl):
  • runtime/ErrorInstance.cpp:
    (JSC::ErrorInstance::sanitizedToString):
  • runtime/JSFunction.cpp:
    (JSC::JSFunction::getOwnNonIndexPropertyNames):
    (JSC::JSFunction::put):
    (JSC::JSFunction::defineOwnProperty):
  • runtime/JSGenericTypedArrayViewConstructorInlines.h:
    (JSC::constructGenericTypedArrayViewWithArguments):
  • runtime/JSGlobalObject.cpp:
    (JSC::getGetterById):
    (JSC::JSGlobalObject::defineOwnProperty):
    (JSC::JSGlobalObject::tryInstallArraySpeciesWatchpoint):
  • runtime/JSObject.cpp:
    (JSC::JSObject::calculatedClassName):
  • runtime/JSObjectInlines.h:
    (JSC::JSObject::getPrivateFieldSlot):
  • runtime/JSScope.cpp:
    (JSC::abstractAccess):
  • runtime/PropertySlot.h:
    (JSC::PropertySlot::PropertySlot):
  • runtime/SamplingProfiler.cpp:
    (JSC::SamplingProfiler::StackFrame::nameFromCallee):
  • runtime/Structure.h:
  • runtime/StructureInlines.h:
    (JSC::Structure::setObjectToStringValue):
  • runtime/StructureRareData.cpp:
    (JSC::StructureRareData::setObjectToStringValue):
  • runtime/StructureRareData.h:
  • tools/JSDollarVM.cpp:
    (JSC::functionGetGetterSetter):

Source/WebCore:

  1. Change binding to reset the DisallowVMEntry scope in PropertySlot after doing a VMInquiry.
  2. Rebase bindings test results to match.
  • bindings/js/JSDOMAbstractOperations.h:
    (WebCore::isVisibleNamedProperty):
    (WebCore::accessVisibleNamedProperty):
  • bindings/scripts/CodeGeneratorJS.pm:
    (GeneratePut):
    (GeneratePutByIndex):
    (GenerateDefineOwnProperty):
  • bindings/scripts/test/JS/JSTestNamedAndIndexedSetterNoIdentifier.cpp:
    (WebCore::JSTestNamedAndIndexedSetterNoIdentifier::put):
    (WebCore::JSTestNamedAndIndexedSetterNoIdentifier::putByIndex):
    (WebCore::JSTestNamedAndIndexedSetterNoIdentifier::defineOwnProperty):
  • bindings/scripts/test/JS/JSTestNamedAndIndexedSetterThrowingException.cpp:
    (WebCore::JSTestNamedAndIndexedSetterThrowingException::put):
    (WebCore::JSTestNamedAndIndexedSetterThrowingException::putByIndex):
    (WebCore::JSTestNamedAndIndexedSetterThrowingException::defineOwnProperty):
  • bindings/scripts/test/JS/JSTestNamedAndIndexedSetterWithIdentifier.cpp:
    (WebCore::JSTestNamedAndIndexedSetterWithIdentifier::put):
    (WebCore::JSTestNamedAndIndexedSetterWithIdentifier::putByIndex):
    (WebCore::JSTestNamedAndIndexedSetterWithIdentifier::defineOwnProperty):
  • bindings/scripts/test/JS/JSTestNamedSetterNoIdentifier.cpp:
    (WebCore::JSTestNamedSetterNoIdentifier::put):
    (WebCore::JSTestNamedSetterNoIdentifier::putByIndex):
    (WebCore::JSTestNamedSetterNoIdentifier::defineOwnProperty):
  • bindings/scripts/test/JS/JSTestNamedSetterThrowingException.cpp:
    (WebCore::JSTestNamedSetterThrowingException::put):
    (WebCore::JSTestNamedSetterThrowingException::putByIndex):
    (WebCore::JSTestNamedSetterThrowingException::defineOwnProperty):
  • bindings/scripts/test/JS/JSTestNamedSetterWithIdentifier.cpp:
    (WebCore::JSTestNamedSetterWithIdentifier::put):
    (WebCore::JSTestNamedSetterWithIdentifier::putByIndex):
    (WebCore::JSTestNamedSetterWithIdentifier::defineOwnProperty):
  • bindings/scripts/test/JS/JSTestNamedSetterWithIndexedGetter.cpp:
    (WebCore::JSTestNamedSetterWithIndexedGetter::put):
    (WebCore::JSTestNamedSetterWithIndexedGetter::putByIndex):
    (WebCore::JSTestNamedSetterWithIndexedGetter::defineOwnProperty):
  • bindings/scripts/test/JS/JSTestNamedSetterWithIndexedGetterAndSetter.cpp:
    (WebCore::JSTestNamedSetterWithIndexedGetterAndSetter::put):
    (WebCore::JSTestNamedSetterWithIndexedGetterAndSetter::putByIndex):
    (WebCore::JSTestNamedSetterWithIndexedGetterAndSetter::defineOwnProperty):
  • bindings/scripts/test/JS/JSTestNamedSetterWithUnforgableProperties.cpp:
    (WebCore::JSTestNamedSetterWithUnforgableProperties::put):
    (WebCore::JSTestNamedSetterWithUnforgableProperties::putByIndex):
    (WebCore::JSTestNamedSetterWithUnforgableProperties::defineOwnProperty):
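As an added illustration (not code from this changeset or from JavaScriptCore), the following C++ model mirrors the counting and reset semantics the message describes: a copyable scope that increments a per-VM counter, a VMInquiry-style slot that holds the scope and can reset() it before work that legitimately enters the VM, and an entry function that behaves like the release-build fallback (a disallowed entry acts as an empty function returning undefined). ModelVM, ModelDisallowVMEntry, ModelInquirySlot, modelEnterVM and the trace helpers are stand-ins assumed for the example; the real VM, PropertySlot and DisallowVMEntry types are only sketched by the diff below.

```cpp
// Simplified model of a copyable, reference-counted "disallow VM entry" scope.
// Added example, not JavaScriptCore code: the VM and entry function are
// stand-ins so the counting semantics can be exercised on their own.
#include <memory>
#include <string>

struct ModelVM {                       // hypothetical stand-in for JSC::VM
    unsigned disallowVMEntryCount { 0 };
};

class ModelDisallowVMEntry {
public:
    explicit ModelDisallowVMEntry(ModelVM& vm) : m_vm(&vm) { m_vm->disallowVMEntryCount++; }

    // Copying takes another reference: entry stays disallowed until every copy is gone.
    ModelDisallowVMEntry(const ModelDisallowVMEntry& other) : m_vm(other.m_vm) { m_vm->disallowVMEntryCount++; }

    // Copy-assignment must rebalance both counts; a compiler-generated one would
    // only overwrite m_vm and leave the counters inconsistent.
    ModelDisallowVMEntry& operator=(const ModelDisallowVMEntry& other)
    {
        if (this != &other) {
            other.m_vm->disallowVMEntryCount++;
            m_vm->disallowVMEntryCount--;
            m_vm = other.m_vm;
        }
        return *this;
    }

    ~ModelDisallowVMEntry() { m_vm->disallowVMEntryCount--; }

private:
    ModelVM* m_vm;
};

// Stand-in for the release-build behaviour the message describes: an entry
// attempt while disallowed acts like an empty function returning undefined.
std::string modelEnterVM(ModelVM& vm, const std::string& resultIfRun)
{
    if (vm.disallowVMEntryCount)
        return "undefined";
    return resultIfRun;
}

// Mirrors a VMInquiry PropertySlot: the scope is installed on construction and
// reset() before work that needs to enter the VM (a setter, a user getter).
struct ModelInquirySlot {
    std::unique_ptr<ModelDisallowVMEntry> disallowVMEntry;
    explicit ModelInquirySlot(ModelVM& vm) : disallowVMEntry(new ModelDisallowVMEntry(vm)) { }
};

// Records the counter at each step of the copy scenario from the message.
struct CopyTrace { unsigned afterCtor, afterCopy, afterFirstDtor, afterSecondDtor; };

CopyTrace traceCopySemantics()
{
    ModelVM vm;
    CopyTrace t {};
    {
        ModelDisallowVMEntry a(vm);
        t.afterCtor = vm.disallowVMEntryCount;         // 1
        {
            ModelDisallowVMEntry b = a;                // the copy refs the count
            t.afterCopy = vm.disallowVMEntryCount;     // 2
        }
        t.afterFirstDtor = vm.disallowVMEntryCount;    // 1: still disallowed
    }
    t.afterSecondDtor = vm.disallowVMEntryCount;       // 0: both copies gone
    return t;
}

// Entry is blocked during the inquiry and allowed again after reset(), the
// pattern the put()/defineOwnProperty() call sites in the diff follow.
bool inquiryThenResetAllowsEntry(std::string& during, std::string& after)
{
    ModelVM vm;
    ModelInquirySlot slot(vm);
    during = modelEnterVM(vm, "getter ran");           // "undefined"
    slot.disallowVMEntry.reset();
    after = modelEnterVM(vm, "setter ran");            // "setter ran"
    return vm.disallowVMEntryCount == 0;
}

// Assignment between scopes on two different VMs keeps both counters balanced.
bool assignmentAcrossVMsBalances()
{
    ModelVM vm1, vm2;
    {
        ModelDisallowVMEntry a(vm1), b(vm2);
        a = b;                                         // vm1 -> 0, vm2 -> 2
        if (vm1.disallowVMEntryCount != 0 || vm2.disallowVMEntryCount != 2)
            return false;
    }
    return vm1.disallowVMEntryCount == 0 && vm2.disallowVMEntryCount == 0;
}
```

The explicit copy-assignment operator is the part worth noting: once a scope type like this becomes copyable, every implicitly generated member has to keep the per-VM counter balanced, otherwise a stale count either leaves entry disallowed forever or silently re-enables it while an inquiry is still in progress.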

Location:
trunk/Source
Files:
34 edited

  • trunk/Source/JavaScriptCore/API/JSCallbackObjectFunctions.h

    r262872 r264736  
    299299            if (OpaqueJSClassStaticFunctionsTable* staticFunctions = jsClass->staticFunctions(globalObject)) {
    300300                if (StaticFunctionEntry* entry = staticFunctions->get(name)) {
    301                     PropertySlot getSlot(thisObject, PropertySlot::InternalMethodType::VMInquiry);
    302                     if (Parent::getOwnPropertySlot(thisObject, globalObject, propertyName, getSlot))
     301                    PropertySlot getSlot(thisObject, PropertySlot::InternalMethodType::VMInquiry, &vm);
     302                    bool found = Parent::getOwnPropertySlot(thisObject, globalObject, propertyName, getSlot);
     303                    getSlot.disallowVMEntry.reset();
     304                    if (found)
    303305                        return Parent::put(thisObject, globalObject, propertyName, value, slot);
    304306                    if (entry->attributes & kJSPropertyAttributeReadOnly)
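Review bot: the reset at new line 303 runs before the `if (found)` test, so both the `Parent::put` call at 305 and the fall-through path that continues at 306 execute with VM entry re-enabled; a one-line comment at 303 saying the reset is deliberately placed ahead of both branches would keep a later edit from folding the lookup back into the condition.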
     
    669671   
    670672    // Check for cached or override property.
    671     PropertySlot slot2(thisObj, PropertySlot::InternalMethodType::VMInquiry);
    672     if (Parent::getOwnPropertySlot(thisObj, globalObject, propertyName, slot2))
     673    PropertySlot slot2(thisObj, PropertySlot::InternalMethodType::VMInquiry, &vm);
     674    bool found = Parent::getOwnPropertySlot(thisObj, globalObject, propertyName, slot2);
     675    slot2.disallowVMEntry.reset();
     676    if (found)
    673677        return JSValue::encode(slot2.getValue(globalObject, propertyName));
    674678
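Review bot: the reset at new line 675 has to stay ahead of `slot2.getValue(globalObject, propertyName)` at 677, because getValue() on a slot that resolved to an accessor invokes the JS getter, which is exactly the VM entry the inquiry scope forbids; a short comment on 675 would make that ordering constraint explicit.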
  • trunk/Source/JavaScriptCore/ChangeLog

    r264696 r264736  
     12020-07-22  Mark Lam  <mark.lam@apple.com>
     2
     3        Disallow VM entry when doing a VMInquiry.
     4        https://bugs.webkit.org/show_bug.cgi?id=214624
     5        <rdar://problem/65915314>
     6
     7        Reviewed by Saam Barati.
     8
     9        1. In PropertySlot's constructor, automatically install a DisallowVMEntry scope
     10           if the passed in internal method type is VMInquiry.  This ensures that we won't
     11           be able to enter the VM to call JS code while doing the inquiry.  As a result,
     12           the PropertySlot constructor will now take an optional VM pointer, which is
     13           must be passed in in when the internal method type is VMInquiry.
     14
     15           Note that the handling of attempts to enter the VM depends on
     16           Options::crashOnDisallowedVMEntry().
     17
     18           On Debug build (due to ASSERT_ENABLED), Options::crashOnDisallowedVMEntry()
     19           defaults to true and the VM will crash on disallowed entry.
     20           On Release build, Options::crashOnDisallowedVMEntry() defaults to false and
     21           disallow entry attempts into the VM will be treated like calling an empty
     22           function that returns undefined.  This is not new behavior in this patch, but
     23           I just want to have a reminder here of how DisallowVMEntry will be enforcing
     24           no entry into the VM while doing a VMInquiry.
     25
     26        2. After VMInquiry gets, sometimes the client code wants to do other work that
     27           do entails entering the VM.  In such cases, we need to reset the PropertySlot's
     28           disallowVMEntry scope.  Fixed up a few places in client code to do this reset.
     29
     30        3. Make the DisableVMEntry scope copyable.  At least one place wants to copy
     31           PropertySlot, and as a result, will need to copy its embedded DisableVMEntry
     32           scope as well if installed.
     33
     34           For DisableVMEntry, we'll handle copying semantics as follows: copying a
     35           DisableVMEntry will ref the VM::disallowVMEntryCount.  The count will be
     36           decremented when both instances are destructed.  As a result, VM entry will
     37           be disallowed as long as one of the copies are still alive.
     38
     39        4. For the setObjectToStringValue() method of Structure and StructureRareData, we
     40           were previously passing a PropertySlot by copy.  We don't really need to do
     41           this.  Ultimately, only StructureRareData::setObjectToStringValue() needs to
     42           access a few of the PropertySlot query methods.  So, we changed these methods
     43           to pass a `const PropertySlot&` instead to void the needless copying.
     44
     45        * API/JSCallbackObjectFunctions.h:
     46        (JSC::JSCallbackObject<Parent>::put):
     47        (JSC::JSCallbackObject<Parent>::staticFunctionGetter):
     48        * heap/HeapSnapshotBuilder.cpp:
     49        (JSC::HeapSnapshotBuilder::json):
     50        * inspector/JSInjectedScriptHost.cpp:
     51        (Inspector::JSInjectedScriptHost::queryInstances):
     52        * interpreter/Interpreter.cpp:
     53        (JSC::Interpreter::execute):
     54        * jit/JITOperations.cpp:
     55        * llint/LLIntSlowPaths.cpp:
     56        (JSC::LLInt::LLINT_SLOW_PATH_DECL):
     57        * runtime/DisallowVMEntry.h:
     58        (JSC::DisallowVMEntryImpl::DisallowVMEntryImpl):
     59        * runtime/ErrorInstance.cpp:
     60        (JSC::ErrorInstance::sanitizedToString):
     61        * runtime/JSFunction.cpp:
     62        (JSC::JSFunction::getOwnNonIndexPropertyNames):
     63        (JSC::JSFunction::put):
     64        (JSC::JSFunction::defineOwnProperty):
     65        * runtime/JSGenericTypedArrayViewConstructorInlines.h:
     66        (JSC::constructGenericTypedArrayViewWithArguments):
     67        * runtime/JSGlobalObject.cpp:
     68        (JSC::getGetterById):
     69        (JSC::JSGlobalObject::defineOwnProperty):
     70        (JSC::JSGlobalObject::tryInstallArraySpeciesWatchpoint):
     71        * runtime/JSObject.cpp:
     72        (JSC::JSObject::calculatedClassName):
     73        * runtime/JSObjectInlines.h:
     74        (JSC::JSObject::getPrivateFieldSlot):
     75        * runtime/JSScope.cpp:
     76        (JSC::abstractAccess):
     77        * runtime/PropertySlot.h:
     78        (JSC::PropertySlot::PropertySlot):
     79        * runtime/SamplingProfiler.cpp:
     80        (JSC::SamplingProfiler::StackFrame::nameFromCallee):
     81        * runtime/Structure.h:
     82        * runtime/StructureInlines.h:
     83        (JSC::Structure::setObjectToStringValue):
     84        * runtime/StructureRareData.cpp:
     85        (JSC::StructureRareData::setObjectToStringValue):
     86        * runtime/StructureRareData.h:
     87        * tools/JSDollarVM.cpp:
     88        (JSC::functionGetGetterSetter):
     89
    1902020-07-22  Geoffrey Garen  <ggaren@apple.com>
    291
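Review bot: the ChangeLog text at new lines 12-13, 26-27, 37 and 43 has typos that should be fixed before landing: "which is must be passed in in when" (12-13) should read "which must be passed in when", "that do entails" (26-27) should read "that does entail", "one of the copies are still alive" (37) should read "is still alive", and "to void the needless copying" (43) should read "to avoid". Item 3 (lines 30-37) also calls the class DisableVMEntry, while the header being modified in this same patch is DisallowVMEntry.h.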
  • trunk/Source/JavaScriptCore/heap/HeapSnapshotBuilder.cpp

    r261464 r264736  
    410410            JSObject* object = asObject(node.cell);
    411411            if (JSGlobalObject* globalObject = object->globalObject(vm)) {
    412                 PropertySlot slot(object, PropertySlot::InternalMethodType::VMInquiry);
     412                PropertySlot slot(object, PropertySlot::InternalMethodType::VMInquiry, &vm);
    413413                if (!object->getOwnPropertySlot(object, globalObject, vm.propertyNames->constructor, slot))
    414414                    className = JSObject::calculatedClassName(object);
  • trunk/Source/JavaScriptCore/inspector/JSInjectedScriptHost.cpp

    r261895 r264736  
    11/*
    2  * Copyright (C) 2013-2019 Apple Inc. All rights reserved.
     2 * Copyright (C) 2013-2020 Apple Inc. All rights reserved.
    33 *
    44 * Redistribution and use in source and binary forms, with or without
     
    647647    JSValue prototype = object;
    648648
    649     PropertySlot prototypeSlot(object, PropertySlot::InternalMethodType::VMInquiry);
     649    PropertySlot prototypeSlot(object, PropertySlot::InternalMethodType::VMInquiry, &vm);
    650650    if (object->getPropertySlot(globalObject, vm.propertyNames->prototype, prototypeSlot)) {
    651651        RETURN_IF_EXCEPTION(scope, { });
     
    658658        }
    659659    }
     660    prototypeSlot.disallowVMEntry.reset();
    660661
    661662    if (object->inherits<ProxyObject>(vm) || prototype.inherits<ProxyObject>(vm))
  • trunk/Source/JavaScriptCore/interpreter/Interpreter.cpp

    r264688 r264736  
    10981098        for (unsigned i = 0; i < numVariables; ++i) {
    10991099            const Identifier& ident = unlinkedCodeBlock->variable(i);
    1100             PropertySlot slot(globalLexicalEnvironment, PropertySlot::InternalMethodType::VMInquiry);
     1100            PropertySlot slot(globalLexicalEnvironment, PropertySlot::InternalMethodType::VMInquiry, &vm);
    11011101            if (JSGlobalLexicalEnvironment::getOwnPropertySlot(globalLexicalEnvironment, globalObject, ident, slot)) {
    11021102                return checkedReturn(throwTypeError(globalObject, throwScope, makeString("Can't create duplicate global variable in eval: '", String(ident.impl()), "'")));
     
    11061106        for (unsigned i = 0; i < numTopLevelFunctionDecls; ++i) {
    11071107            FunctionExecutable* function = codeBlock->functionDecl(i);
    1108             PropertySlot slot(globalLexicalEnvironment, PropertySlot::InternalMethodType::VMInquiry);
     1108            PropertySlot slot(globalLexicalEnvironment, PropertySlot::InternalMethodType::VMInquiry, &vm);
    11091109            if (JSGlobalLexicalEnvironment::getOwnPropertySlot(globalLexicalEnvironment, globalObject, function->name(), slot)) {
    11101110                return checkedReturn(throwTypeError(globalObject, throwScope, makeString("Can't create duplicate global variable in eval: '", String(function->name().impl()), "'")));
  • trunk/Source/JavaScriptCore/jit/JITOperations.cpp

    r262613 r264736  
    175175
    176176    JSValue baseValue = JSValue::decode(base);
    177     PropertySlot slot(baseValue, PropertySlot::InternalMethodType::VMInquiry);
     177    PropertySlot slot(baseValue, PropertySlot::InternalMethodType::VMInquiry, &vm);
    178178    baseValue.getPropertySlot(globalObject, ident, slot);
    179179
     
    191191
    192192    JSValue baseValue = JSValue::decode(base);
    193     PropertySlot slot(baseValue, PropertySlot::InternalMethodType::VMInquiry);
     193    PropertySlot slot(baseValue, PropertySlot::InternalMethodType::VMInquiry, &vm);
    194194    baseValue.getPropertySlot(globalObject, ident, slot);
    195195
     
    207207
    208208    JSValue baseValue = JSValue::decode(base);
    209     PropertySlot slot(baseValue, PropertySlot::InternalMethodType::VMInquiry);
     209    PropertySlot slot(baseValue, PropertySlot::InternalMethodType::VMInquiry, &vm);
    210210
    211211    baseValue.getPropertySlot(globalObject, ident, slot);
  • trunk/Source/JavaScriptCore/llint/LLIntSlowPaths.cpp

    r264688 r264736  
    635635    const Identifier& ident = codeBlock->identifier(bytecode.m_property);
    636636    JSValue baseValue = getOperand(callFrame, bytecode.m_base);
    637     PropertySlot slot(baseValue, PropertySlot::PropertySlot::InternalMethodType::VMInquiry);
     637    PropertySlot slot(baseValue, PropertySlot::PropertySlot::InternalMethodType::VMInquiry, &vm);
    638638
    639639    baseValue.getPropertySlot(globalObject, ident, slot);
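Review bot: `PropertySlot::PropertySlot::InternalMethodType::VMInquiry` at new line 637 carries a redundant injected-class-name qualifier; since the line is being rewritten anyway, drop it to `PropertySlot::InternalMethodType::VMInquiry`, matching every other call site touched by this patch.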
  • trunk/Source/JavaScriptCore/runtime/DisallowVMEntry.h

    r264688 r264736  
    3737template<typename VMType = VM>
    3838class DisallowVMEntryImpl {
    39     WTF_MAKE_NONCOPYABLE(DisallowVMEntryImpl);
    4039public:
    4140    DisallowVMEntryImpl(VMType& vm)
    4241        : m_vm(&vm)
     42    {
     43        m_vm->disallowVMEntryCount++;
     44    }
     45
     46    DisallowVMEntryImpl(const DisallowVMEntryImpl& other)
     47        : m_vm(other.m_vm)
    4348    {
    4449        m_vm->disallowVMEntryCount++;
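Review bot: with WTF_MAKE_NONCOPYABLE removed (old line 39) and only a copy constructor added (new lines 46-49), the hunk shows no copy-assignment operator; unless one is defined further down the file, the compiler-generated one overwrites m_vm without touching disallowVMEntryCount, so assigning between scopes on two different VMs leaves one VM's count stuck high and drives the other's below zero when both destructors run. Either define `DisallowVMEntryImpl& operator=(const DisallowVMEntryImpl&)` with a matching increment and decrement, or explicitly delete it.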
  • trunk/Source/JavaScriptCore/runtime/ErrorInstance.cpp

    r264160 r264736  
    140140    JSValue nameValue;
    141141    auto namePropertName = vm.propertyNames->name;
    142     PropertySlot nameSlot(this, PropertySlot::InternalMethodType::VMInquiry);
     142    PropertySlot nameSlot(this, PropertySlot::InternalMethodType::VMInquiry, &vm);
    143143
    144144    JSValue currentObj = this;
     
    168168    JSValue messageValue;
    169169    auto messagePropertName = vm.propertyNames->message;
    170     PropertySlot messageSlot(this, PropertySlot::InternalMethodType::VMInquiry);
     170    PropertySlot messageSlot(this, PropertySlot::InternalMethodType::VMInquiry, &vm);
    171171    if (JSObject::getOwnPropertySlot(this, globalObject, messagePropertName, messageSlot) && messageSlot.isValue())
    172172        messageValue = messageSlot.getValue(globalObject, messagePropertName);
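Review bot: the `messageSlot.isValue()` check at line 171 is what makes `messageSlot.getValue()` at 172 safe under the new DisallowVMEntry scope installed at new line 170, since getValue() on an accessor slot would call a getter and hit the disallowed-entry path (a crash on Debug, a silent undefined on Release); a comment tying the guard to the inquiry scope would stop someone from later relaxing it.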
  • trunk/Source/JavaScriptCore/runtime/JSFunction.cpp

    r262252 r264736  
    22 *  Copyright (C) 1999-2002 Harri Porten (porten@kde.org)
    33 *  Copyright (C) 2001 Peter Kelly (pmk@post.com)
    4  *  Copyright (C) 2003-2019 Apple Inc. All rights reserved.
     4 *  Copyright (C) 2003-2020 Apple Inc. All rights reserved.
    55 *  Copyright (C) 2007 Cameron Zwarich (cwzwarich@uwaterloo.ca)
    66 *  Copyright (C) 2007 Maks Orlovich
     
    509509        if (!thisObject->isHostOrBuiltinFunction()) {
    510510            // Make sure prototype has been reified.
    511             PropertySlot slot(thisObject, PropertySlot::InternalMethodType::VMInquiry);
     511            PropertySlot slot(thisObject, PropertySlot::InternalMethodType::VMInquiry, &vm);
    512512            thisObject->methodTable(vm)->getOwnPropertySlot(thisObject, globalObject, vm.propertyNames->prototype, slot);
    513513            RETURN_IF_EXCEPTION(scope, void());
     
    564564        // Make sure prototype has been reified, such that it can only be overwritten
    565565        // following the rules set out in ECMA-262 8.12.9.
    566         PropertySlot getSlot(thisObject, PropertySlot::InternalMethodType::VMInquiry);
     566        PropertySlot getSlot(thisObject, PropertySlot::InternalMethodType::VMInquiry, &vm);
    567567        thisObject->methodTable(vm)->getOwnPropertySlot(thisObject, globalObject, propertyName, getSlot);
    568568        RETURN_IF_EXCEPTION(scope, false);
    569569        if (FunctionRareData* rareData = thisObject->rareData())
    570570            rareData->clear("Store to prototype property of a function");
     571        getSlot.disallowVMEntry.reset();
    571572        RELEASE_AND_RETURN(scope, Base::put(thisObject, globalObject, propertyName, value, slot));
    572573    }
     
    643644        // Make sure prototype has been reified, such that it can only be overwritten
    644645        // following the rules set out in ECMA-262 8.12.9.
    645         PropertySlot slot(thisObject, PropertySlot::InternalMethodType::VMInquiry);
     646        PropertySlot slot(thisObject, PropertySlot::InternalMethodType::VMInquiry, &vm);
    646647        thisObject->methodTable(vm)->getOwnPropertySlot(thisObject, globalObject, propertyName, slot);
    647648        RETURN_IF_EXCEPTION(scope, false);
    648649        if (FunctionRareData* rareData = thisObject->rareData())
    649650            rareData->clear("Store to prototype property of a function");
     651        slot.disallowVMEntry.reset();
    650652        RELEASE_AND_RETURN(scope, Base::defineOwnProperty(object, globalObject, propertyName, descriptor, throwException));
    651653    }
  • trunk/Source/JavaScriptCore/runtime/JSGenericTypedArrayViewConstructorInlines.h

    r263315 r264736  
    11/*
    2  * Copyright (C) 2013-2019 Apple Inc. All rights reserved.
     2 * Copyright (C) 2013-2020 Apple Inc. All rights reserved.
    33 *
    44 * Redistribution and use in source and binary forms, with or without
     
    157157            // This getPropertySlot operation should not be observed by the Proxy.
    158158            // So we use VMInquiry. And purge the opaque object cases (proxy and namespace object) by isTaintedByOpaqueObject() guard.
    159             PropertySlot lengthSlot(object, PropertySlot::InternalMethodType::VMInquiry);
     159            PropertySlot lengthSlot(object, PropertySlot::InternalMethodType::VMInquiry, &vm);
    160160            object->getPropertySlot(globalObject, vm.propertyNames->length, lengthSlot);
    161161            RETURN_IF_EXCEPTION(scope, nullptr);
     162            lengthSlot.disallowVMEntry.reset();
    162163
    163164            JSValue iteratorFunc = object->get(globalObject, vm.propertyNames->iteratorSymbol);
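Review bot: the reset at new line 162 correctly precedes `object->get(globalObject, vm.propertyNames->iteratorSymbol)` at 164, which may run a user-defined getter, but the comment at 157-158 explains only why VMInquiry is used, not why the reset sits where it does; extending it with a line such as "re-enable VM entry before the observable get below" ties the two together.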
  • trunk/Source/JavaScriptCore/runtime/JSGlobalObject.cpp

    r264639 r264736  
    507507static GetterSetter* getGetterById(JSGlobalObject* globalObject, JSObject* base, const Identifier& ident)
    508508{
     509    VM& vm = globalObject->vm();
    509510    JSValue baseValue = JSValue(base);
    510     PropertySlot slot(baseValue, PropertySlot::InternalMethodType::VMInquiry);
     511    PropertySlot slot(baseValue, PropertySlot::InternalMethodType::VMInquiry, &vm);
    511512    baseValue.getPropertySlot(globalObject, ident, slot);
    512513    return jsCast<GetterSetter*>(slot.getPureResult());
     
    13951396bool JSGlobalObject::defineOwnProperty(JSObject* object, JSGlobalObject* globalObject, PropertyName propertyName, const PropertyDescriptor& descriptor, bool shouldThrow)
    13961397{
     1398    VM& vm = globalObject->vm();
    13971399    JSGlobalObject* thisObject = jsCast<JSGlobalObject*>(object);
    1398     PropertySlot slot(thisObject, PropertySlot::InternalMethodType::VMInquiry);
     1400    PropertySlot slot(thisObject, PropertySlot::InternalMethodType::VMInquiry, &vm);
    13991401    // silently ignore attempts to add accessors aliasing vars.
    14001402    if (descriptor.isAccessorDescriptor() && symbolTableGet(thisObject, propertyName, slot))
    14011403        return false;
     1404    slot.disallowVMEntry.reset();
    14021405    return Base::defineOwnProperty(thisObject, globalObject, propertyName, descriptor, shouldThrow);
    14031406}
     
    20662069    };
    20672070
    2068     PropertySlot constructorSlot(arrayPrototype, PropertySlot::InternalMethodType::VMInquiry);
     2071    PropertySlot constructorSlot(arrayPrototype, PropertySlot::InternalMethodType::VMInquiry, &vm);
    20692072    arrayPrototype->getOwnPropertySlot(arrayPrototype, this, vm.propertyNames->constructor, constructorSlot);
    20702073    scope.assertNoException();
     
    20802083        constructorStructure = constructorStructure->flattenDictionaryStructure(vm, arrayConstructor);
    20812084
    2082     PropertySlot speciesSlot(arrayConstructor, PropertySlot::InternalMethodType::VMInquiry);
     2085    PropertySlot speciesSlot(arrayConstructor, PropertySlot::InternalMethodType::VMInquiry, &vm);
    20832086    arrayConstructor->getOwnPropertySlot(arrayConstructor, this, vm.propertyNames->speciesSymbol, speciesSlot);
    20842087    scope.assertNoException();
  • trunk/Source/JavaScriptCore/runtime/JSObject.cpp

    r264574 r264736  
    22 *  Copyright (C) 1999-2001 Harri Porten (porten@kde.org)
    33 *  Copyright (C) 2001 Peter Kelly (pmk@post.com)
    4  *  Copyright (C) 2003-2019 Apple Inc. All rights reserved.
     4 *  Copyright (C) 2003-2020 Apple Inc. All rights reserved.
    55 *  Copyright (C) 2007 Eric Seidel (eric@webkit.org)
    66 *
     
    535535    // Check for a display name of obj.constructor.
    536536    // This is useful to get `Foo` for the `(class Foo).prototype` object.
    537     PropertySlot slot(object, PropertySlot::InternalMethodType::VMInquiry);
     537    PropertySlot slot(object, PropertySlot::InternalMethodType::VMInquiry, &vm);
    538538    if (object->getOwnPropertySlot(object, globalObject, vm.propertyNames->constructor, slot)) {
    539539        EXCEPTION_ASSERT(!scope.exception());
     
    559559            if (protoValue.isObject()) {
    560560                JSObject* protoObject = asObject(protoValue);
    561                 PropertySlot slot(protoValue, PropertySlot::InternalMethodType::VMInquiry);
     561                PropertySlot slot(protoValue, PropertySlot::InternalMethodType::VMInquiry, &vm);
    562562                if (protoObject->getPropertySlot(globalObject, vm.propertyNames->constructor, slot)) {
    563563                    EXCEPTION_ASSERT(!scope.exception());
  • trunk/Source/JavaScriptCore/runtime/JSObjectInlines.h

    r264679 r264736  
    585585
    586586    JSValue value = object->getDirect(offset);
     587#if ASSERT_ENABLED
    587588    ASSERT(value);
    588589    if (value.isCell()) {
     
    595596        // https://bugs.webkit.org/show_bug.cgi?id=194435
    596597    }
     598#endif
    597599
    598600    slot.setValue(object, attributes, value, offset);
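Review bot: the `#if ASSERT_ENABLED` guard added at new lines 587 and 598 is documented only by listing getPrivateFieldSlot in the ChangeLog, and nothing in the hunk connects it to the DisallowVMEntry change; add a sentence to the ChangeLog explaining why the block between `ASSERT(value)` and `slot.setValue(...)` is now debug-only, or split it into its own change.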
  • trunk/Source/JavaScriptCore/runtime/JSScope.cpp

    r262613 r264736  
    11/*
    2  * Copyright (C) 2012-2017 Apple Inc. All Rights Reserved.
     2 * Copyright (C) 2012-2020 Apple Inc. All Rights Reserved.
    33 *
    44 * Redistribution and use in source and binary forms, with or without
     
    153153        }
    154154
    155         PropertySlot slot(globalObject, PropertySlot::InternalMethodType::VMInquiry);
     155        PropertySlot slot(globalObject, PropertySlot::InternalMethodType::VMInquiry, &vm);
    156156        bool hasOwnProperty = globalObject->getOwnPropertySlot(globalObject, globalObject, ident, slot);
     157        slot.disallowVMEntry.reset();
    157158        if (!hasOwnProperty) {
    158159            op = ResolveOp(makeType(UnresolvedProperty, needsVarInjectionChecks), 0, nullptr, nullptr, nullptr, 0);
  • trunk/Source/JavaScriptCore/runtime/PropertySlot.h

    r264679 r264736  
    2222
    2323#include "DOMAnnotation.h"
     24#include "DisallowVMEntry.h"
    2425#include "GetVM.h"
    2526#include "JSCJSValue.h"
     
    113114    };
    114115
    115     explicit PropertySlot(const JSValue thisValue, InternalMethodType internalMethodType)
     116    explicit PropertySlot(const JSValue thisValue, InternalMethodType internalMethodType, VM* vmForInquiry = nullptr)
    116117        : m_thisValue(thisValue)
    117118        , m_internalMethodType(internalMethodType)
    118119    {
     120        if (isVMInquiry())
     121            disallowVMEntry.emplace(*vmForInquiry);
    119122    }
    120123
     
    400403    AdditionalDataType m_additionalDataType { AdditionalDataType::None };
    401404    bool m_isTaintedByOpaqueObject { false };
     405public:
     406    Optional<DisallowVMEntry> disallowVMEntry;
     407private:
    402408    union {
    403409        DOMAttributeAnnotation domAttribute;
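Review bot: the constructor at new lines 120-121 dereferences `vmForInquiry` whenever `isVMInquiry()` is true, yet the parameter defaults to nullptr at 116, so a call site that passes VMInquiry without a VM fails as a null dereference inside DisallowVMEntryImpl rather than at the point of misuse; add `ASSERT(vmForInquiry)` (or RELEASE_ASSERT, given the ChangeLog states the pointer is mandatory for VMInquiry) before the emplace. The `public:`/`private:` switch at 405-407 also exposes `disallowVMEntry` as a bare public member in the middle of private state; grouping it with the other public members, or offering a named reset accessor, would read more cleanly.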
  • trunk/Source/JavaScriptCore/runtime/SamplingProfiler.cpp

    r262161 r264736  
    729729    JSGlobalObject* globalObject = callee->globalObject(vm);
    730730    auto getPropertyIfPureOperation = [&] (const Identifier& ident) -> String {
    731         PropertySlot slot(callee, PropertySlot::InternalMethodType::VMInquiry);
     731        PropertySlot slot(callee, PropertySlot::InternalMethodType::VMInquiry, &vm);
    732732        PropertyName propertyName(ident);
    733733        bool hasProperty = callee->getPropertySlot(globalObject, propertyName, slot);
  • trunk/Source/JavaScriptCore/runtime/Structure.h

    r263035 r264736  
    11/*
    2  * Copyright (C) 2008-2019 Apple Inc. All rights reserved.
     2 * Copyright (C) 2008-2020 Apple Inc. All rights reserved.
    33 *
    44 * Redistribution and use in source and binary forms, with or without
     
    537537    }
    538538
    539     void setObjectToStringValue(JSGlobalObject*, VM&, JSString* value, PropertySlot toStringTagSymbolSlot);
     539    void setObjectToStringValue(JSGlobalObject*, VM&, JSString* value, const PropertySlot& toStringTagSymbolSlot);
    540540
    541541    const ClassInfo* classInfo() const { return m_classInfo; }
  • trunk/Source/JavaScriptCore/runtime/StructureInlines.h

    r262827 r264736  
    11/*
    2  * Copyright (C) 2013-2019 Apple Inc. All rights reserved.
     2 * Copyright (C) 2013-2020 Apple Inc. All rights reserved.
    33 *
    44 * Redistribution and use in source and binary forms, with or without
     
    428428}
    429429
    430 inline void Structure::setObjectToStringValue(JSGlobalObject* globalObject, VM& vm, JSString* value, PropertySlot toStringTagSymbolSlot)
     430inline void Structure::setObjectToStringValue(JSGlobalObject* globalObject, VM& vm, JSString* value, const PropertySlot& toStringTagSymbolSlot)
    431431{
    432432    if (!hasRareData())
  • trunk/Source/JavaScriptCore/runtime/StructureRareData.cpp

    r262054 r264736  
    11/*
    2  * Copyright (C) 2013-2017 Apple Inc. All rights reserved.
     2 * Copyright (C) 2013-2020 Apple Inc. All rights reserved.
    33 *
    44 * Redistribution and use in source and binary forms, with or without
     
    9696};
    9797
    98 void StructureRareData::setObjectToStringValue(JSGlobalObject* globalObject, VM& vm, Structure* ownStructure, JSString* value, PropertySlot toStringTagSymbolSlot)
     98void StructureRareData::setObjectToStringValue(JSGlobalObject* globalObject, VM& vm, Structure* ownStructure, JSString* value, const PropertySlot& toStringTagSymbolSlot)
    9999{
    100100    if (canCacheObjectToStringValue())
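Review bot: `toStringTagSymbolSlot` on line 98 now refers to a caller-owned stack object rather than a private copy, so `StructureRareData::setObjectToStringValue` must only consult it during the call and must not store the reference in the rare data; if the body already only reads the slot's query results (as the commit message states), this is fine, but a comment to that effect at the top of the function would guard against a future cache of the slot itself.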
  • trunk/Source/JavaScriptCore/runtime/StructureRareData.h

    r259463 r264736  
    11/*
    2  * Copyright (C) 2013-2019 Apple Inc. All rights reserved.
     2 * Copyright (C) 2013-2020 Apple Inc. All rights reserved.
    33 *
    44 * Redistribution and use in source and binary forms, with or without
     
    6767
    6868    JSString* objectToStringValue() const;
    69     void setObjectToStringValue(JSGlobalObject*, VM&, Structure* baseStructure, JSString* value, PropertySlot toStringTagSymbolSlot);
     69    void setObjectToStringValue(JSGlobalObject*, VM&, Structure* baseStructure, JSString* value, const PropertySlot& toStringTagSymbolSlot);
    7070    void giveUpOnObjectToStringValueCache() { m_objectToStringValue.setWithoutWriteBarrier(objectToStringCacheGiveUpMarker()); }
    7171    bool canCacheObjectToStringValue() { return m_objectToStringValue.unvalidatedGet() == objectToStringCacheGiveUpMarker(); }
  • trunk/Source/JavaScriptCore/tools/JSDollarVM.cpp

    r264304 r264736  
    28962896    RETURN_IF_EXCEPTION(scope, { });
    28972897
    2898     PropertySlot slot(value, PropertySlot::InternalMethodType::VMInquiry);
     2898    PropertySlot slot(value, PropertySlot::InternalMethodType::VMInquiry, &vm);
    28992899    value.getPropertySlot(globalObject, propertyName, slot);
    29002900    RETURN_IF_EXCEPTION(scope, { });
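Review bot: passing `&vm` on line 2898 means VM entry stays disallowed for as long as `slot` is alive, which is the rest of the enclosing function, not just the `getPropertySlot` on line 2899; if anything after line 2900 uses the fetched property in a way that runs JS (for example reading a getter's value), it needs `slot.disallowVMEntry.reset();` first, or `slot` should be scoped to a block around lines 2898-2900.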
  • trunk/Source/WebCore/ChangeLog

    r264734 r264736  
     12020-07-21  Mark Lam  <mark.lam@apple.com>
     2
     3        Disallow VM entry when doing a VMInquiry.
     4        https://bugs.webkit.org/show_bug.cgi?id=214624
     5        <rdar://problem/65915314>
     6
     7        Reviewed by Saam Barati.
     8
     9        1. Change binding to reset the DisallowVMEntry scope in PropertySlot after doing
     10           a VMInquiry.
     11        2. Rebase bindings test results to match.
     12
     13        * bindings/js/JSDOMAbstractOperations.h:
     14        (WebCore::isVisibleNamedProperty):
     15        (WebCore::accessVisibleNamedProperty):
     16        * bindings/scripts/CodeGeneratorJS.pm:
     17        (GeneratePut):
     18        (GeneratePutByIndex):
     19        (GenerateDefineOwnProperty):
     20        * bindings/scripts/test/JS/JSTestNamedAndIndexedSetterNoIdentifier.cpp:
     21        (WebCore::JSTestNamedAndIndexedSetterNoIdentifier::put):
     22        (WebCore::JSTestNamedAndIndexedSetterNoIdentifier::putByIndex):
     23        (WebCore::JSTestNamedAndIndexedSetterNoIdentifier::defineOwnProperty):
     24        * bindings/scripts/test/JS/JSTestNamedAndIndexedSetterThrowingException.cpp:
     25        (WebCore::JSTestNamedAndIndexedSetterThrowingException::put):
     26        (WebCore::JSTestNamedAndIndexedSetterThrowingException::putByIndex):
     27        (WebCore::JSTestNamedAndIndexedSetterThrowingException::defineOwnProperty):
     28        * bindings/scripts/test/JS/JSTestNamedAndIndexedSetterWithIdentifier.cpp:
     29        (WebCore::JSTestNamedAndIndexedSetterWithIdentifier::put):
     30        (WebCore::JSTestNamedAndIndexedSetterWithIdentifier::putByIndex):
     31        (WebCore::JSTestNamedAndIndexedSetterWithIdentifier::defineOwnProperty):
     32        * bindings/scripts/test/JS/JSTestNamedSetterNoIdentifier.cpp:
     33        (WebCore::JSTestNamedSetterNoIdentifier::put):
     34        (WebCore::JSTestNamedSetterNoIdentifier::putByIndex):
     35        (WebCore::JSTestNamedSetterNoIdentifier::defineOwnProperty):
     36        * bindings/scripts/test/JS/JSTestNamedSetterThrowingException.cpp:
     37        (WebCore::JSTestNamedSetterThrowingException::put):
     38        (WebCore::JSTestNamedSetterThrowingException::putByIndex):
     39        (WebCore::JSTestNamedSetterThrowingException::defineOwnProperty):
     40        * bindings/scripts/test/JS/JSTestNamedSetterWithIdentifier.cpp:
     41        (WebCore::JSTestNamedSetterWithIdentifier::put):
     42        (WebCore::JSTestNamedSetterWithIdentifier::putByIndex):
     43        (WebCore::JSTestNamedSetterWithIdentifier::defineOwnProperty):
     44        * bindings/scripts/test/JS/JSTestNamedSetterWithIndexedGetter.cpp:
     45        (WebCore::JSTestNamedSetterWithIndexedGetter::put):
     46        (WebCore::JSTestNamedSetterWithIndexedGetter::putByIndex):
     47        (WebCore::JSTestNamedSetterWithIndexedGetter::defineOwnProperty):
     48        * bindings/scripts/test/JS/JSTestNamedSetterWithIndexedGetterAndSetter.cpp:
     49        (WebCore::JSTestNamedSetterWithIndexedGetterAndSetter::put):
     50        (WebCore::JSTestNamedSetterWithIndexedGetterAndSetter::putByIndex):
     51        (WebCore::JSTestNamedSetterWithIndexedGetterAndSetter::defineOwnProperty):
     52        * bindings/scripts/test/JS/JSTestNamedSetterWithUnforgableProperties.cpp:
     53        (WebCore::JSTestNamedSetterWithUnforgableProperties::put):
     54        (WebCore::JSTestNamedSetterWithUnforgableProperties::putByIndex):
     55        (WebCore::JSTestNamedSetterWithUnforgableProperties::defineOwnProperty):
     56
    1572020-07-22  Eric Carlson  <eric.carlson@apple.com>
    258
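Review bot: item 1 of the ChangeLog entry says the bindings reset the DisallowVMEntry scope after the VMInquiry but not why; one sentence noting that the code following the inquiry (the `convert<IDLDOMString>(*lexicalGlobalObject, value)` in the generated `put`/`putByIndex`, and the descriptor handling in `defineOwnProperty`) may execute JS and therefore needs VM entry re-enabled would help future readers of the log understand why the reset is unconditional.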
  • trunk/Source/WebCore/bindings/js/JSDOMAbstractOperations.h

    r251425 r264736  
    6060   
    6161    // 2. If O has an own property named P, then return false.
    62     JSC::PropertySlot slot { &thisObject, JSC::PropertySlot::InternalMethodType::VMInquiry };
     62    JSC::PropertySlot slot { &thisObject, JSC::PropertySlot::InternalMethodType::VMInquiry, &lexicalGlobalObject.vm() };
    6363    if (JSC::JSObject::getOwnPropertySlot(&thisObject, &lexicalGlobalObject, propertyName, slot))
    6464        return false;
     
    100100
    101101    // 2. If O has an own property named P, then return false.
    102     JSC::PropertySlot slot { &thisObject, JSC::PropertySlot::InternalMethodType::VMInquiry };
     102    JSC::PropertySlot slot { &thisObject, JSC::PropertySlot::InternalMethodType::VMInquiry, &lexicalGlobalObject.vm() };
    103103    if (JSC::JSObject::getOwnPropertySlot(&thisObject, &lexicalGlobalObject, propertyName, slot))
    104104        return WTF::nullopt;
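Review bot: both hunks in this file (lines 62 and 102) install the DisallowVMEntry scope via the VM pointer but, unlike the generated bindings in this patch, add no `slot.disallowVMEntry.reset();`, so `slot` keeps VM entry disallowed until the end of `isVisibleNamedProperty` / `accessVisibleNamedProperty`; if the steps after the early `return false` / `return WTF::nullopt` can run JS, either reset the scope right after `getOwnPropertySlot` or wrap `slot` and the check in their own block so the scope ends there.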
  • trunk/Source/WebCore/bindings/scripts/CodeGeneratorJS.pm

    r264201 r264736  
    966966        my $overrideBuiltins = $codeGenerator->InheritsExtendedAttribute($interface, "OverrideBuiltins");
    967967        if (!$overrideBuiltins) {
    968             push(@$outputArray, "        PropertySlot slot { thisObject, PropertySlot::InternalMethodType::VMInquiry };\n");
     968            push(@$outputArray, "        PropertySlot slot { thisObject, PropertySlot::InternalMethodType::VMInquiry, &lexicalGlobalObject->vm() };\n");
    969969            push(@$outputArray, "        JSValue prototype = thisObject->getPrototypeDirect(JSC::getVM(lexicalGlobalObject));\n");
    970             push(@$outputArray, "        if (!(prototype.isObject() && asObject(prototype)->getPropertySlot(lexicalGlobalObject, propertyName, slot))) {\n");
     970            push(@$outputArray, "        bool found = prototype.isObject() && asObject(prototype)->getPropertySlot(lexicalGlobalObject, propertyName, slot);\n");
     971            push(@$outputArray, "        slot.disallowVMEntry.reset();\n");
     972            push(@$outputArray, "        if (!found) {\n");
    971973            $additionalIndent .= "    ";
    972974        }
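Review bot: line 968 obtains the VM as `&lexicalGlobalObject->vm()` while the next emitted line (969) uses `JSC::getVM(lexicalGlobalObject)`; the generated code would read more consistently if both used `JSC::getVM(lexicalGlobalObject)`, or if the generator hoisted a `VM& vm` the way the `putByIndex` path at line 1046 already has one. The unconditional `slot.disallowVMEntry.reset();` before `if (!found)` is the right placement, since the body that follows converts `value` with `convert<IDLDOMString>`, which may run JS.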
     
    10421044        my $additionalIndent = "";
    10431045        if (!$overrideBuiltins) {
    1044             push(@$outputArray, "    PropertySlot slot { thisObject, PropertySlot::InternalMethodType::VMInquiry };\n");
     1046            push(@$outputArray, "    PropertySlot slot { thisObject, PropertySlot::InternalMethodType::VMInquiry, &vm };\n");
    10451047            push(@$outputArray, "    JSValue prototype = thisObject->getPrototypeDirect(vm);\n");
    1046             push(@$outputArray, "    if (!(prototype.isObject() && asObject(prototype)->getPropertySlot(lexicalGlobalObject, propertyName, slot))) {\n");
     1048            push(@$outputArray, "    bool found = prototype.isObject() && asObject(prototype)->getPropertySlot(lexicalGlobalObject, propertyName, slot);\n");
     1049            push(@$outputArray, "    slot.disallowVMEntry.reset();\n");
     1050            push(@$outputArray, "    if (!found) {\n");
    10471051            $additionalIndent .= "    ";
    10481052        }
     
    11771181            #        only look at the actual properties, and not call into our implementation of the
    11781182            #        [[GetOwnProperty]] hook?
    1179             push(@$outputArray, $additionalIndent. "        PropertySlot slot { thisObject, PropertySlot::InternalMethodType::VMInquiry };\n");
    1180             push(@$outputArray, $additionalIndent. "        if (!JSObject::getOwnPropertySlot(thisObject, lexicalGlobalObject, propertyName, slot)) {\n");
     1183            push(@$outputArray, $additionalIndent. "        PropertySlot slot { thisObject, PropertySlot::InternalMethodType::VMInquiry, &lexicalGlobalObject->vm() };\n");
     1184            push(@$outputArray, $additionalIndent. "        bool found = JSObject::getOwnPropertySlot(thisObject, lexicalGlobalObject, propertyName, slot);\n");
     1185            push(@$outputArray, $additionalIndent. "        slot.disallowVMEntry.reset();\n");
     1186            push(@$outputArray, $additionalIndent. "        if (!found) {\n");
    11811187            $additionalIndent .= "    ";
    11821188        }
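Review bot: this is the third copy of the `bool found = ...; slot.disallowVMEntry.reset(); if (!found) {` sequence in this file (also at lines 970-972 and 1048-1050); emitting it from one small helper in the generator would keep the three paths from drifting, and the pre-existing `$additionalIndent.` (no space before the dot) on the new lines 1183-1186 could be normalized to `$additionalIndent . ` while these lines are being touched.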
  • trunk/Source/WebCore/bindings/scripts/test/JS/JSTestNamedAndIndexedSetterNoIdentifier.cpp

    r260992 r264736  
    235235
    236236    if (!propertyName.isSymbol()) {
    237         PropertySlot slot { thisObject, PropertySlot::InternalMethodType::VMInquiry };
     237        PropertySlot slot { thisObject, PropertySlot::InternalMethodType::VMInquiry, &lexicalGlobalObject->vm() };
    238238        JSValue prototype = thisObject->getPrototypeDirect(JSC::getVM(lexicalGlobalObject));
    239         if (!(prototype.isObject() && asObject(prototype)->getPropertySlot(lexicalGlobalObject, propertyName, slot))) {
     239        bool found = prototype.isObject() && asObject(prototype)->getPropertySlot(lexicalGlobalObject, propertyName, slot);
     240        slot.disallowVMEntry.reset();
     241        if (!found) {
    240242            auto throwScope = DECLARE_THROW_SCOPE(JSC::getVM(lexicalGlobalObject));
    241243            auto nativeValue = convert<IDLDOMString>(*lexicalGlobalObject, value);
     
    264266
    265267    auto propertyName = Identifier::from(vm, index);
    266     PropertySlot slot { thisObject, PropertySlot::InternalMethodType::VMInquiry };
     268    PropertySlot slot { thisObject, PropertySlot::InternalMethodType::VMInquiry, &vm };
    267269    JSValue prototype = thisObject->getPrototypeDirect(vm);
    268     if (!(prototype.isObject() && asObject(prototype)->getPropertySlot(lexicalGlobalObject, propertyName, slot))) {
     270    bool found = prototype.isObject() && asObject(prototype)->getPropertySlot(lexicalGlobalObject, propertyName, slot);
     271    slot.disallowVMEntry.reset();
     272    if (!found) {
    269273        auto throwScope = DECLARE_THROW_SCOPE(JSC::getVM(lexicalGlobalObject));
    270274        auto nativeValue = convert<IDLDOMString>(*lexicalGlobalObject, value);
     
    293297
    294298    if (!propertyName.isSymbol()) {
    295         PropertySlot slot { thisObject, PropertySlot::InternalMethodType::VMInquiry };
    296         if (!JSObject::getOwnPropertySlot(thisObject, lexicalGlobalObject, propertyName, slot)) {
     299        PropertySlot slot { thisObject, PropertySlot::InternalMethodType::VMInquiry, &lexicalGlobalObject->vm() };
     300        bool found = JSObject::getOwnPropertySlot(thisObject, lexicalGlobalObject, propertyName, slot);
     301        slot.disallowVMEntry.reset();
     302        if (!found) {
    297303            if (!propertyDescriptor.isDataDescriptor())
    298304                return false;
  • trunk/Source/WebCore/bindings/scripts/test/JS/JSTestNamedAndIndexedSetterThrowingException.cpp

    r260992 r264736  
    235235
    236236    if (!propertyName.isSymbol()) {
    237         PropertySlot slot { thisObject, PropertySlot::InternalMethodType::VMInquiry };
     237        PropertySlot slot { thisObject, PropertySlot::InternalMethodType::VMInquiry, &lexicalGlobalObject->vm() };
    238238        JSValue prototype = thisObject->getPrototypeDirect(JSC::getVM(lexicalGlobalObject));
    239         if (!(prototype.isObject() && asObject(prototype)->getPropertySlot(lexicalGlobalObject, propertyName, slot))) {
     239        bool found = prototype.isObject() && asObject(prototype)->getPropertySlot(lexicalGlobalObject, propertyName, slot);
     240        slot.disallowVMEntry.reset();
     241        if (!found) {
    240242            auto throwScope = DECLARE_THROW_SCOPE(JSC::getVM(lexicalGlobalObject));
    241243            auto nativeValue = convert<IDLDOMString>(*lexicalGlobalObject, value);
     
    264266
    265267    auto propertyName = Identifier::from(vm, index);
    266     PropertySlot slot { thisObject, PropertySlot::InternalMethodType::VMInquiry };
     268    PropertySlot slot { thisObject, PropertySlot::InternalMethodType::VMInquiry, &vm };
    267269    JSValue prototype = thisObject->getPrototypeDirect(vm);
    268     if (!(prototype.isObject() && asObject(prototype)->getPropertySlot(lexicalGlobalObject, propertyName, slot))) {
     270    bool found = prototype.isObject() && asObject(prototype)->getPropertySlot(lexicalGlobalObject, propertyName, slot);
     271    slot.disallowVMEntry.reset();
     272    if (!found) {
    269273        auto throwScope = DECLARE_THROW_SCOPE(JSC::getVM(lexicalGlobalObject));
    270274        auto nativeValue = convert<IDLDOMString>(*lexicalGlobalObject, value);
     
    293297
    294298    if (!propertyName.isSymbol()) {
    295         PropertySlot slot { thisObject, PropertySlot::InternalMethodType::VMInquiry };
    296         if (!JSObject::getOwnPropertySlot(thisObject, lexicalGlobalObject, propertyName, slot)) {
     299        PropertySlot slot { thisObject, PropertySlot::InternalMethodType::VMInquiry, &lexicalGlobalObject->vm() };
     300        bool found = JSObject::getOwnPropertySlot(thisObject, lexicalGlobalObject, propertyName, slot);
     301        slot.disallowVMEntry.reset();
     302        if (!found) {
    297303            if (!propertyDescriptor.isDataDescriptor())
    298304                return false;
  • trunk/Source/WebCore/bindings/scripts/test/JS/JSTestNamedAndIndexedSetterWithIdentifier.cpp

    r260992 r264736  
    244244
    245245    if (!propertyName.isSymbol()) {
    246         PropertySlot slot { thisObject, PropertySlot::InternalMethodType::VMInquiry };
     246        PropertySlot slot { thisObject, PropertySlot::InternalMethodType::VMInquiry, &lexicalGlobalObject->vm() };
    247247        JSValue prototype = thisObject->getPrototypeDirect(JSC::getVM(lexicalGlobalObject));
    248         if (!(prototype.isObject() && asObject(prototype)->getPropertySlot(lexicalGlobalObject, propertyName, slot))) {
     248        bool found = prototype.isObject() && asObject(prototype)->getPropertySlot(lexicalGlobalObject, propertyName, slot);
     249        slot.disallowVMEntry.reset();
     250        if (!found) {
    249251            auto throwScope = DECLARE_THROW_SCOPE(JSC::getVM(lexicalGlobalObject));
    250252            auto nativeValue = convert<IDLDOMString>(*lexicalGlobalObject, value);
     
    273275
    274276    auto propertyName = Identifier::from(vm, index);
    275     PropertySlot slot { thisObject, PropertySlot::InternalMethodType::VMInquiry };
     277    PropertySlot slot { thisObject, PropertySlot::InternalMethodType::VMInquiry, &vm };
    276278    JSValue prototype = thisObject->getPrototypeDirect(vm);
    277     if (!(prototype.isObject() && asObject(prototype)->getPropertySlot(lexicalGlobalObject, propertyName, slot))) {
     279    bool found = prototype.isObject() && asObject(prototype)->getPropertySlot(lexicalGlobalObject, propertyName, slot);
     280    slot.disallowVMEntry.reset();
     281    if (!found) {
    278282        auto throwScope = DECLARE_THROW_SCOPE(JSC::getVM(lexicalGlobalObject));
    279283        auto nativeValue = convert<IDLDOMString>(*lexicalGlobalObject, value);
     
    302306
    303307    if (!propertyName.isSymbol()) {
    304         PropertySlot slot { thisObject, PropertySlot::InternalMethodType::VMInquiry };
    305         if (!JSObject::getOwnPropertySlot(thisObject, lexicalGlobalObject, propertyName, slot)) {
     308        PropertySlot slot { thisObject, PropertySlot::InternalMethodType::VMInquiry, &lexicalGlobalObject->vm() };
     309        bool found = JSObject::getOwnPropertySlot(thisObject, lexicalGlobalObject, propertyName, slot);
     310        slot.disallowVMEntry.reset();
     311        if (!found) {
    306312            if (!propertyDescriptor.isDataDescriptor())
    307313                return false;
  • trunk/Source/WebCore/bindings/scripts/test/JS/JSTestNamedSetterNoIdentifier.cpp

    r260992 r264736  
    208208
    209209    if (!propertyName.isSymbol()) {
    210         PropertySlot slot { thisObject, PropertySlot::InternalMethodType::VMInquiry };
     210        PropertySlot slot { thisObject, PropertySlot::InternalMethodType::VMInquiry, &lexicalGlobalObject->vm() };
    211211        JSValue prototype = thisObject->getPrototypeDirect(JSC::getVM(lexicalGlobalObject));
    212         if (!(prototype.isObject() && asObject(prototype)->getPropertySlot(lexicalGlobalObject, propertyName, slot))) {
     212        bool found = prototype.isObject() && asObject(prototype)->getPropertySlot(lexicalGlobalObject, propertyName, slot);
     213        slot.disallowVMEntry.reset();
     214        if (!found) {
    213215            auto throwScope = DECLARE_THROW_SCOPE(JSC::getVM(lexicalGlobalObject));
    214216            auto nativeValue = convert<IDLDOMString>(*lexicalGlobalObject, value);
     
    229231
    230232    auto propertyName = Identifier::from(vm, index);
    231     PropertySlot slot { thisObject, PropertySlot::InternalMethodType::VMInquiry };
     233    PropertySlot slot { thisObject, PropertySlot::InternalMethodType::VMInquiry, &vm };
    232234    JSValue prototype = thisObject->getPrototypeDirect(vm);
    233     if (!(prototype.isObject() && asObject(prototype)->getPropertySlot(lexicalGlobalObject, propertyName, slot))) {
     235    bool found = prototype.isObject() && asObject(prototype)->getPropertySlot(lexicalGlobalObject, propertyName, slot);
     236    slot.disallowVMEntry.reset();
     237    if (!found) {
    234238        auto throwScope = DECLARE_THROW_SCOPE(JSC::getVM(lexicalGlobalObject));
    235239        auto nativeValue = convert<IDLDOMString>(*lexicalGlobalObject, value);
     
    248252
    249253    if (!propertyName.isSymbol()) {
    250         PropertySlot slot { thisObject, PropertySlot::InternalMethodType::VMInquiry };
    251         if (!JSObject::getOwnPropertySlot(thisObject, lexicalGlobalObject, propertyName, slot)) {
     254        PropertySlot slot { thisObject, PropertySlot::InternalMethodType::VMInquiry, &lexicalGlobalObject->vm() };
     255        bool found = JSObject::getOwnPropertySlot(thisObject, lexicalGlobalObject, propertyName, slot);
     256        slot.disallowVMEntry.reset();
     257        if (!found) {
    252258            if (!propertyDescriptor.isDataDescriptor())
    253259                return false;
  • trunk/Source/WebCore/bindings/scripts/test/JS/JSTestNamedSetterThrowingException.cpp

    r260992 r264736  
    208208
    209209    if (!propertyName.isSymbol()) {
    210         PropertySlot slot { thisObject, PropertySlot::InternalMethodType::VMInquiry };
     210        PropertySlot slot { thisObject, PropertySlot::InternalMethodType::VMInquiry, &lexicalGlobalObject->vm() };
    211211        JSValue prototype = thisObject->getPrototypeDirect(JSC::getVM(lexicalGlobalObject));
    212         if (!(prototype.isObject() && asObject(prototype)->getPropertySlot(lexicalGlobalObject, propertyName, slot))) {
     212        bool found = prototype.isObject() && asObject(prototype)->getPropertySlot(lexicalGlobalObject, propertyName, slot);
     213        slot.disallowVMEntry.reset();
     214        if (!found) {
    213215            auto throwScope = DECLARE_THROW_SCOPE(JSC::getVM(lexicalGlobalObject));
    214216            auto nativeValue = convert<IDLDOMString>(*lexicalGlobalObject, value);
     
    229231
    230232    auto propertyName = Identifier::from(vm, index);
    231     PropertySlot slot { thisObject, PropertySlot::InternalMethodType::VMInquiry };
     233    PropertySlot slot { thisObject, PropertySlot::InternalMethodType::VMInquiry, &vm };
    232234    JSValue prototype = thisObject->getPrototypeDirect(vm);
    233     if (!(prototype.isObject() && asObject(prototype)->getPropertySlot(lexicalGlobalObject, propertyName, slot))) {
     235    bool found = prototype.isObject() && asObject(prototype)->getPropertySlot(lexicalGlobalObject, propertyName, slot);
     236    slot.disallowVMEntry.reset();
     237    if (!found) {
    234238        auto throwScope = DECLARE_THROW_SCOPE(JSC::getVM(lexicalGlobalObject));
    235239        auto nativeValue = convert<IDLDOMString>(*lexicalGlobalObject, value);
     
    248252
    249253    if (!propertyName.isSymbol()) {
    250         PropertySlot slot { thisObject, PropertySlot::InternalMethodType::VMInquiry };
    251         if (!JSObject::getOwnPropertySlot(thisObject, lexicalGlobalObject, propertyName, slot)) {
     254        PropertySlot slot { thisObject, PropertySlot::InternalMethodType::VMInquiry, &lexicalGlobalObject->vm() };
     255        bool found = JSObject::getOwnPropertySlot(thisObject, lexicalGlobalObject, propertyName, slot);
     256        slot.disallowVMEntry.reset();
     257        if (!found) {
    252258            if (!propertyDescriptor.isDataDescriptor())
    253259                return false;
  • trunk/Source/WebCore/bindings/scripts/test/JS/JSTestNamedSetterWithIdentifier.cpp

    r260992 r264736  
    214214
    215215    if (!propertyName.isSymbol()) {
    216         PropertySlot slot { thisObject, PropertySlot::InternalMethodType::VMInquiry };
     216        PropertySlot slot { thisObject, PropertySlot::InternalMethodType::VMInquiry, &lexicalGlobalObject->vm() };
    217217        JSValue prototype = thisObject->getPrototypeDirect(JSC::getVM(lexicalGlobalObject));
    218         if (!(prototype.isObject() && asObject(prototype)->getPropertySlot(lexicalGlobalObject, propertyName, slot))) {
     218        bool found = prototype.isObject() && asObject(prototype)->getPropertySlot(lexicalGlobalObject, propertyName, slot);
     219        slot.disallowVMEntry.reset();
     220        if (!found) {
    219221            auto throwScope = DECLARE_THROW_SCOPE(JSC::getVM(lexicalGlobalObject));
    220222            auto nativeValue = convert<IDLDOMString>(*lexicalGlobalObject, value);
     
    235237
    236238    auto propertyName = Identifier::from(vm, index);
    237     PropertySlot slot { thisObject, PropertySlot::InternalMethodType::VMInquiry };
     239    PropertySlot slot { thisObject, PropertySlot::InternalMethodType::VMInquiry, &vm };
    238240    JSValue prototype = thisObject->getPrototypeDirect(vm);
    239     if (!(prototype.isObject() && asObject(prototype)->getPropertySlot(lexicalGlobalObject, propertyName, slot))) {
     241    bool found = prototype.isObject() && asObject(prototype)->getPropertySlot(lexicalGlobalObject, propertyName, slot);
     242    slot.disallowVMEntry.reset();
     243    if (!found) {
    240244        auto throwScope = DECLARE_THROW_SCOPE(JSC::getVM(lexicalGlobalObject));
    241245        auto nativeValue = convert<IDLDOMString>(*lexicalGlobalObject, value);
     
    254258
    255259    if (!propertyName.isSymbol()) {
    256         PropertySlot slot { thisObject, PropertySlot::InternalMethodType::VMInquiry };
    257         if (!JSObject::getOwnPropertySlot(thisObject, lexicalGlobalObject, propertyName, slot)) {
     260        PropertySlot slot { thisObject, PropertySlot::InternalMethodType::VMInquiry, &lexicalGlobalObject->vm() };
     261        bool found = JSObject::getOwnPropertySlot(thisObject, lexicalGlobalObject, propertyName, slot);
     262        slot.disallowVMEntry.reset();
     263        if (!found) {
    258264            if (!propertyDescriptor.isDataDescriptor())
    259265                return false;
  • trunk/Source/WebCore/bindings/scripts/test/JS/JSTestNamedSetterWithIndexedGetter.cpp

    r260992 r264736  
    236236
    237237    if (!propertyName.isSymbol()) {
    238         PropertySlot slot { thisObject, PropertySlot::InternalMethodType::VMInquiry };
     238        PropertySlot slot { thisObject, PropertySlot::InternalMethodType::VMInquiry, &lexicalGlobalObject->vm() };
    239239        JSValue prototype = thisObject->getPrototypeDirect(JSC::getVM(lexicalGlobalObject));
    240         if (!(prototype.isObject() && asObject(prototype)->getPropertySlot(lexicalGlobalObject, propertyName, slot))) {
     240        bool found = prototype.isObject() && asObject(prototype)->getPropertySlot(lexicalGlobalObject, propertyName, slot);
     241        slot.disallowVMEntry.reset();
     242        if (!found) {
    241243            auto throwScope = DECLARE_THROW_SCOPE(JSC::getVM(lexicalGlobalObject));
    242244            auto nativeValue = convert<IDLDOMString>(*lexicalGlobalObject, value);
     
    257259
    258260    auto propertyName = Identifier::from(vm, index);
    259     PropertySlot slot { thisObject, PropertySlot::InternalMethodType::VMInquiry };
     261    PropertySlot slot { thisObject, PropertySlot::InternalMethodType::VMInquiry, &vm };
    260262    JSValue prototype = thisObject->getPrototypeDirect(vm);
    261     if (!(prototype.isObject() && asObject(prototype)->getPropertySlot(lexicalGlobalObject, propertyName, slot))) {
     263    bool found = prototype.isObject() && asObject(prototype)->getPropertySlot(lexicalGlobalObject, propertyName, slot);
     264    slot.disallowVMEntry.reset();
     265    if (!found) {
    262266        auto throwScope = DECLARE_THROW_SCOPE(JSC::getVM(lexicalGlobalObject));
    263267        auto nativeValue = convert<IDLDOMString>(*lexicalGlobalObject, value);
     
    279283
    280284    if (!propertyName.isSymbol()) {
    281         PropertySlot slot { thisObject, PropertySlot::InternalMethodType::VMInquiry };
    282         if (!JSObject::getOwnPropertySlot(thisObject, lexicalGlobalObject, propertyName, slot)) {
     285        PropertySlot slot { thisObject, PropertySlot::InternalMethodType::VMInquiry, &lexicalGlobalObject->vm() };
     286        bool found = JSObject::getOwnPropertySlot(thisObject, lexicalGlobalObject, propertyName, slot);
     287        slot.disallowVMEntry.reset();
     288        if (!found) {
    283289            if (!propertyDescriptor.isDataDescriptor())
    284290                return false;
  • trunk/Source/WebCore/bindings/scripts/test/JS/JSTestNamedSetterWithIndexedGetterAndSetter.cpp

    r260992 r264736  
    244244
    245245    if (!propertyName.isSymbol()) {
    246         PropertySlot slot { thisObject, PropertySlot::InternalMethodType::VMInquiry };
     246        PropertySlot slot { thisObject, PropertySlot::InternalMethodType::VMInquiry, &lexicalGlobalObject->vm() };
    247247        JSValue prototype = thisObject->getPrototypeDirect(JSC::getVM(lexicalGlobalObject));
    248         if (!(prototype.isObject() && asObject(prototype)->getPropertySlot(lexicalGlobalObject, propertyName, slot))) {
     248        bool found = prototype.isObject() && asObject(prototype)->getPropertySlot(lexicalGlobalObject, propertyName, slot);
     249        slot.disallowVMEntry.reset();
     250        if (!found) {
    249251            auto throwScope = DECLARE_THROW_SCOPE(JSC::getVM(lexicalGlobalObject));
    250252            auto nativeValue = convert<IDLDOMString>(*lexicalGlobalObject, value);
     
    273275
    274276    auto propertyName = Identifier::from(vm, index);
    275     PropertySlot slot { thisObject, PropertySlot::InternalMethodType::VMInquiry };
     277    PropertySlot slot { thisObject, PropertySlot::InternalMethodType::VMInquiry, &vm };
    276278    JSValue prototype = thisObject->getPrototypeDirect(vm);
    277     if (!(prototype.isObject() && asObject(prototype)->getPropertySlot(lexicalGlobalObject, propertyName, slot))) {
     279    bool found = prototype.isObject() && asObject(prototype)->getPropertySlot(lexicalGlobalObject, propertyName, slot);
     280    slot.disallowVMEntry.reset();
     281    if (!found) {
    278282        auto throwScope = DECLARE_THROW_SCOPE(JSC::getVM(lexicalGlobalObject));
    279283        auto nativeValue = convert<IDLDOMString>(*lexicalGlobalObject, value);
     
    302306
    303307    if (!propertyName.isSymbol()) {
    304         PropertySlot slot { thisObject, PropertySlot::InternalMethodType::VMInquiry };
    305         if (!JSObject::getOwnPropertySlot(thisObject, lexicalGlobalObject, propertyName, slot)) {
     308        PropertySlot slot { thisObject, PropertySlot::InternalMethodType::VMInquiry, &lexicalGlobalObject->vm() };
     309        bool found = JSObject::getOwnPropertySlot(thisObject, lexicalGlobalObject, propertyName, slot);
     310        slot.disallowVMEntry.reset();
     311        if (!found) {
    306312            if (!propertyDescriptor.isDataDescriptor())
    307313                return false;
  • trunk/Source/WebCore/bindings/scripts/test/JS/JSTestNamedSetterWithUnforgableProperties.cpp

    r260992 r264736  
    232232
    233233    if (!propertyName.isSymbol()) {
    234         PropertySlot slot { thisObject, PropertySlot::InternalMethodType::VMInquiry };
     234        PropertySlot slot { thisObject, PropertySlot::InternalMethodType::VMInquiry, &lexicalGlobalObject->vm() };
    235235        JSValue prototype = thisObject->getPrototypeDirect(JSC::getVM(lexicalGlobalObject));
    236         if (!(prototype.isObject() && asObject(prototype)->getPropertySlot(lexicalGlobalObject, propertyName, slot))) {
     236        bool found = prototype.isObject() && asObject(prototype)->getPropertySlot(lexicalGlobalObject, propertyName, slot);
     237        slot.disallowVMEntry.reset();
     238        if (!found) {
    237239            auto throwScope = DECLARE_THROW_SCOPE(JSC::getVM(lexicalGlobalObject));
    238240            auto nativeValue = convert<IDLDOMString>(*lexicalGlobalObject, value);
     
    253255
    254256    auto propertyName = Identifier::from(vm, index);
    255     PropertySlot slot { thisObject, PropertySlot::InternalMethodType::VMInquiry };
     257    PropertySlot slot { thisObject, PropertySlot::InternalMethodType::VMInquiry, &vm };
    256258    JSValue prototype = thisObject->getPrototypeDirect(vm);
    257     if (!(prototype.isObject() && asObject(prototype)->getPropertySlot(lexicalGlobalObject, propertyName, slot))) {
     259    bool found = prototype.isObject() && asObject(prototype)->getPropertySlot(lexicalGlobalObject, propertyName, slot);
     260    slot.disallowVMEntry.reset();
     261    if (!found) {
    258262        auto throwScope = DECLARE_THROW_SCOPE(JSC::getVM(lexicalGlobalObject));
    259263        auto nativeValue = convert<IDLDOMString>(*lexicalGlobalObject, value);
     
    278282
    279283        if (!isUnforgeablePropertyName(propertyName)) {
    280             PropertySlot slot { thisObject, PropertySlot::InternalMethodType::VMInquiry };
    281             if (!JSObject::getOwnPropertySlot(thisObject, lexicalGlobalObject, propertyName, slot)) {
     284            PropertySlot slot { thisObject, PropertySlot::InternalMethodType::VMInquiry, &lexicalGlobalObject->vm() };
     285            bool found = JSObject::getOwnPropertySlot(thisObject, lexicalGlobalObject, propertyName, slot);
     286            slot.disallowVMEntry.reset();
     287            if (!found) {
    282288                if (!propertyDescriptor.isDataDescriptor())
    283289                    return false;