Changeset 264895 in webkit


Timestamp:
Jul 25, 2020 10:11:06 PM (4 years ago)
Author:
mark.lam@apple.com
Message:

pluginElementCustomGetOwnPropertySlot() should support VMInquiry requests.
https://bugs.webkit.org/show_bug.cgi?id=214555
<rdar://problem/65855400>

Reviewed by Yusuke Suzuki.

Source/JavaScriptCore:

  1. Add handling for VMInquiry failure in JSObject::getPropertySlot() and JSObject::getNonIndexPropertySlot(). Basically, if the query isTaintedByOpaqueObject, then we should treat the false result as a failed VMInquiry.
  2. Fix JSModuleNamespaceObject::getOwnPropertySlotCommon() and ProxyObject::getOwnPropertySlotCommon() to initialize the PropertySlot to a jsUndefined() value if we have a failed VMInquiry. The client shouldn't be reading the value if the VMInquiry failed, but as a defensive action, we'll initialize the slot to effectively return an undefined value.
  • runtime/JSModuleNamespaceObject.cpp:

(JSC::JSModuleNamespaceObject::getOwnPropertySlotCommon):

  • runtime/JSObjectInlines.h:

(JSC::JSObject::getPropertySlot):
(JSC::JSObject::getNonIndexPropertySlot):

  • runtime/ProxyObject.cpp:

(JSC::ProxyObject::getOwnPropertySlotCommon):

Source/WebCore:

  1. Add handling for VMInquiry failure in CodeGeneratorJS.
  2. Fix pluginElementCustomGetOwnPropertySlot() to setIsTaintedByOpaqueObject().
  3. Fix pluginElementCustomGetOwnPropertySlot() to handle a VMInquiry failure case and, if so, to initialize the PropertySlot to a jsUndefined() value. The client shouldn't be reading the value if the VMInquiry failed, but as a defensive action, we'll initialize the slot to effectively return an undefined value.
  • bindings/js/JSPluginElementFunctions.cpp:

(WebCore::pluginElementCustomGetOwnPropertySlot):

  • bindings/scripts/CodeGeneratorJS.pm:

(GenerateGetOwnPropertySlot):
(GenerateGetOwnPropertySlotByIndex):

  • bindings/scripts/test/JS/JSTestPluginInterface.cpp:

(WebCore::JSTestPluginInterface::getOwnPropertySlot):
(WebCore::JSTestPluginInterface::getOwnPropertySlotByIndex):

Location:
trunk/Source
Files:
8 edited

  • trunk/Source/JavaScriptCore/ChangeLog

    r264877 r264895  
     12020-07-24  Mark Lam  <mark.lam@apple.com>
     2
     3        pluginElementCustomGetOwnPropertySlot() should support VMInquiry requests.
     4        https://bugs.webkit.org/show_bug.cgi?id=214555
     5        <rdar://problem/65855400>
     6
     7        Reviewed by Yusuke Suzuki.
     8
     9        1. Add handling for VMInquiry failure in JSObject::getPropertySlot() and
     10           JSObject::getNonIndexPropertySlot().  Basically, if the query isTaintedByOpaqueObject,
     11           then we should treat the false result as a failed VMInquiry.
     12
     13        2. Fix JSModuleNamespaceObject::getOwnPropertySlotCommon() and
     14           ProxyObject::getOwnPropertySlotCommon() to initialize the PropertySlot to a
     15           jsUndefined() value if we have a failed VMInquiry.  The client shouldn't
     16           be reading the value if the VMInquiry failed, but as a defensive action, we'll
     17           initialize the slot to effectively return an undefined value.
     18
     19        * runtime/JSModuleNamespaceObject.cpp:
     20        (JSC::JSModuleNamespaceObject::getOwnPropertySlotCommon):
     21        * runtime/JSObjectInlines.h:
     22        (JSC::JSObject::getPropertySlot):
     23        (JSC::JSObject::getNonIndexPropertySlot):
     24        * runtime/ProxyObject.cpp:
     25        (JSC::ProxyObject::getOwnPropertySlotCommon):
     26
    1272020-07-24  Dean Jackson  <dino@apple.com>
    228
  • trunk/Source/JavaScriptCore/runtime/JSModuleNamespaceObject.cpp

    r261895 r264895  
    11/*
    2  * Copyright (C) 2015-2019 Apple Inc. All rights reserved.
     2 * Copyright (C) 2015-2020 Apple Inc. All rights reserved.
    33 *
    44 * Redistribution and use in source and binary forms, with or without
     
    158158
    159159    case PropertySlot::InternalMethodType::VMInquiry:
     160        slot.setValue(this, static_cast<unsigned>(JSC::PropertyAttribute::None), jsUndefined());
    160161        return false;
    161162    }
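Review bot: the `return false` at line 161 is only treated as a failed VMInquiry by the new check in JSObject::getPropertySlot when `slot.isTaintedByOpaqueObject()` is also set, and nothing in this hunk sets it; confirm that getOwnPropertySlotCommon marks the slot tainted before reaching this switch (ProxyObject does so at its line 333), otherwise the caller keeps walking the prototype chain after this early out. A one-line comment explaining why the slot is filled with jsUndefined() immediately before returning false (defensive only, per the ChangeLog) would also help, since `setValue` followed by `return false` reads as contradictory on its own.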
  • trunk/Source/JavaScriptCore/runtime/JSObjectInlines.h

    r264736 r264895  
    134134        if (hasSlot)
    135135            return true;
     136        if (UNLIKELY(slot.isVMInquiry() && slot.isTaintedByOpaqueObject()))
     137            return false;
    136138        if (object->type() == ProxyObjectType && slot.internalMethodType() == PropertySlot::InternalMethodType::HasProperty)
    137139            return false;
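Review bot: the early return at lines 136-137 changes behaviour for every getOwnPropertySlot implementation that sets isTaintedByOpaqueObject() and returns false, not only the three touched by this patch: a VMInquiry now abandons the whole prototype walk as soon as any object in the chain reports taint. That is the intended conservative behaviour, but please state it in a comment next to the check, and note that callers must treat the slot as unset on this path even though some implementations pre-fill it with jsUndefined().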
     
    175177            if (hasSlot)
    176178                return true;
     179            if (UNLIKELY(slot.isVMInquiry() && slot.isTaintedByOpaqueObject()))
     180                return false;
    177181            if (object->type() == ProxyObjectType && slot.internalMethodType() == PropertySlot::InternalMethodType::HasProperty)
    178182                return false;
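Review bot: lines 179-180 repeat the check added at 136-137 in getPropertySlot verbatim, and both are immediately followed by the same ProxyObjectType/HasProperty test; consider folding the pair into a small inline helper (a hypothetical name would be `shouldStopPrototypeWalk(object, slot)`) so the two lookup loops cannot drift apart the next time the VMInquiry rules change.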
  • trunk/Source/JavaScriptCore/runtime/ProxyObject.cpp

    r261755 r264895  
    11/*
    2  * Copyright (C) 2016-2019 Apple Inc. All Rights Reserved.
     2 * Copyright (C) 2016-2020 Apple Inc. All Rights Reserved.
    33 *
    44 * Redistribution and use in source and binary forms, with or without
     
    333333    slot.setIsTaintedByOpaqueObject();
    334334
    335     if (slot.internalMethodType() == PropertySlot::InternalMethodType::VMInquiry)
    336         return false;
     335    if (slot.isVMInquiry()) {
     336        slot.setValue(this, static_cast<unsigned>(JSC::PropertyAttribute::None), jsUndefined());
     337        return false;
     338    }
    337339
    338340    VM& vm = globalObject->vm();
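Review bot: switching from `slot.internalMethodType() == PropertySlot::InternalMethodType::VMInquiry` to `slot.isVMInquiry()` at line 335 is fine, but the `JSC::` qualifier on `JSC::PropertyAttribute::None` at line 336 is redundant inside namespace JSC (the same nit applies to the JSModuleNamespaceObject.cpp hunk). Since the ChangeLog says clients must not read the value on a failed VMInquiry, a short comment here stating that this setValue is purely defensive would stop a later reader from relying on the undefined value as a real answer from the proxy.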
  • trunk/Source/WebCore/ChangeLog

    r264893 r264895  
     12020-07-24  Mark Lam  <mark.lam@apple.com>
     2
     3        pluginElementCustomGetOwnPropertySlot() should support VMInquiry requests.
     4        https://bugs.webkit.org/show_bug.cgi?id=214555
     5        <rdar://problem/65855400>
     6
     7        Reviewed by Yusuke Suzuki.
     8
     9        1. Add handling for VMInquiry failure in CodeGeneratorJS.
     10
     11        2. Fix pluginElementCustomGetOwnPropertySlot() to setIsTaintedByOpaqueObject().
     12
     13        3. Fix pluginElementCustomGetOwnPropertySlot() handle a VMInquiry failure case
     14           and if so, to initialize the PropertySlot to a jsUndefined() value.  The client
     15           shouldn't be reading the value if the VMInquiry failed, but as a defensive
     16           action, we'll initialize the slot to effectively return an undefined value.
     17
     18        * bindings/js/JSPluginElementFunctions.cpp:
     19        (WebCore::pluginElementCustomGetOwnPropertySlot):
     20        * bindings/scripts/CodeGeneratorJS.pm:
     21        (GenerateGetOwnPropertySlot):
     22        (GenerateGetOwnPropertySlotByIndex):
     23        * bindings/scripts/test/JS/JSTestPluginInterface.cpp:
     24        (WebCore::JSTestPluginInterface::getOwnPropertySlot):
     25        (WebCore::JSTestPluginInterface::getOwnPropertySlotByIndex):
     26
    1272020-07-25  Wenson Hsieh  <wenson_hsieh@apple.com>
    228
  • trunk/Source/WebCore/bindings/js/JSPluginElementFunctions.cpp

    r260744 r264895  
    11/*
    22 *  Copyright (C) 1999-2000 Harri Porten (porten@kde.org)
    3  *  Copyright (C) 2004-2019 Apple Inc. All rights reserved.
     3 *  Copyright (C) 2004-2020 Apple Inc. All rights reserved.
    44 *
    55 *  This library is free software; you can redistribute it and/or
     
    112112bool pluginElementCustomGetOwnPropertySlot(JSHTMLElement* element, JSGlobalObject* lexicalGlobalObject, PropertyName propertyName, PropertySlot& slot)
    113113{
     114    slot.setIsTaintedByOpaqueObject();
     115
    114116    if (!element->globalObject()->world().isNormal()) {
    115117        JSC::JSValue proto = element->getPrototypeDirect(lexicalGlobalObject->vm());
    116118        if (proto.isObject() && JSC::jsCast<JSC::JSObject*>(asObject(proto))->hasProperty(lexicalGlobalObject, propertyName))
    117119            return false;
     120    }
     121
     122    if (slot.isVMInquiry()) {
     123        slot.setValue(element, static_cast<unsigned>(JSC::PropertyAttribute::None), jsUndefined());
     124        return false; // Can't execute stuff below because they can call back into JS.
    118125    }
    119126
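Review bot: the `slot.isVMInquiry()` early return at lines 122-124 sits after the isolated-world block, so for a VMInquiry in a non-normal world the code still calls `hasProperty(lexicalGlobalObject, propertyName)` on the prototype at line 118 before bailing out; hasProperty can re-enter JS (a Proxy anywhere in the prototype chain would run its trap), which is exactly what the comment on line 124 says must not happen. Either move the isVMInquiry check ahead of the world check or explain why that prototype cannot be a Proxy. A second consequence of the ordering: the `return false` at line 119 now carries the taint set at line 114 but leaves the slot uninitialized, so the jsUndefined() fill only covers one of the two failure paths.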
  • trunk/Source/WebCore/bindings/scripts/CodeGeneratorJS.pm

    r264855 r264895  
    707707        push(@$outputArray, "    if (pluginElementCustomGetOwnPropertySlot(thisObject, lexicalGlobalObject, propertyName, slot))\n");
    708708        push(@$outputArray, "        return true;\n");
     709        push(@$outputArray, "    ASSERT(slot.isTaintedByOpaqueObject());\n");
     710        push(@$outputArray, "    if (slot.isVMInquiry())\n");
     711        push(@$outputArray, "        return false;\n");
    709712    }
    710713
     
    820823        push(@$outputArray, "    if (pluginElementCustomGetOwnPropertySlot(thisObject, lexicalGlobalObject, propertyName, slot))\n");
    821824        push(@$outputArray, "        return true;\n");
     825        push(@$outputArray, "    ASSERT(slot.isTaintedByOpaqueObject());\n");
     826        push(@$outputArray, "    if (slot.isVMInquiry())\n");
     827        push(@$outputArray, "        return false;\n");
    822828    }
    823829
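Review bot: lines 825-827 repeat the three generated lines from GenerateGetOwnPropertySlot (709-711) verbatim; consider emitting them from a shared helper in the generator so the ByIndex path and the named path stay in sync, and put the same explanatory comment into both outputs.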
  • trunk/Source/WebCore/bindings/scripts/test/JS/JSTestPluginInterface.cpp

    r260992 r264895  
    157157    if (pluginElementCustomGetOwnPropertySlot(thisObject, lexicalGlobalObject, propertyName, slot))
    158158        return true;
     159    ASSERT(slot.isTaintedByOpaqueObject());
     160    if (slot.isVMInquiry())
     161        return false;
    159162    return JSObject::getOwnPropertySlot(object, lexicalGlobalObject, propertyName, slot);
    160163}
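Review bot: lines 159-161 match the generator change, but this expected-output file should be produced by regenerating with run-bindings-tests rather than edited by hand; please confirm the whole file is the tool's output so a later regeneration does not produce an unrelated diff.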
     
    168171    if (pluginElementCustomGetOwnPropertySlot(thisObject, lexicalGlobalObject, propertyName, slot))
    169172        return true;
     173    ASSERT(slot.isTaintedByOpaqueObject());
     174    if (slot.isVMInquiry())
     175        return false;
    170176    return JSObject::getOwnPropertySlotByIndex(object, lexicalGlobalObject, index, slot);
    171177}