Changeset 264895 in webkit
- Timestamp:
- Jul 25, 2020 10:11:06 PM (4 years ago)
- Location:
- trunk/Source
- Files:
-
- 8 edited
trunk/Source/JavaScriptCore/ChangeLog
r264877 r264895 1 2020-07-24 Mark Lam <mark.lam@apple.com> 2 3 pluginElementCustomGetOwnPropertySlot() should support VMInquiry requests. 4 https://bugs.webkit.org/show_bug.cgi?id=214555 5 <rdar://problem/65855400> 6 7 Reviewed by Yusuke Suzuki. 8 9 1. Add handling for VMInquiry failure in JSObject::getPropertySlot() and 10 JSObject::getNonIndexPropertySlot(). Basically, if the query isTaintedByOpaqueObject, 11 then we should treat the false result as a failed VMInquiry. 12 13 2. Fix JSModuleNamespaceObject::getOwnPropertySlotCommon() and 14 ProxyObject::getOwnPropertySlotCommon() to initialize the PropertySlot to a 15 jsUndefined() value if we have a failed VMInquiry. The client shouldn't 16 be reading the value if the VMInquiry failed, but as a defensive action, we'll 17 initialize the slot to effectively return an undefined value. 18 19 * runtime/JSModuleNamespaceObject.cpp: 20 (JSC::JSModuleNamespaceObject::getOwnPropertySlotCommon): 21 * runtime/JSObjectInlines.h: 22 (JSC::JSObject::getPropertySlot): 23 (JSC::JSObject::getNonIndexPropertySlot): 24 * runtime/ProxyObject.cpp: 25 (JSC::ProxyObject::getOwnPropertySlotCommon): 26 1 27 2020-07-24 Dean Jackson <dino@apple.com> 2 28 -
trunk/Source/JavaScriptCore/runtime/JSModuleNamespaceObject.cpp
r261895 r264895 1 1 /* 2 * Copyright (C) 2015-20 19Apple Inc. All rights reserved.2 * Copyright (C) 2015-2020 Apple Inc. All rights reserved. 3 3 * 4 4 * Redistribution and use in source and binary forms, with or without … … 158 158 159 159 case PropertySlot::InternalMethodType::VMInquiry: 160 slot.setValue(this, static_cast<unsigned>(JSC::PropertyAttribute::None), jsUndefined()); 160 161 return false; 161 162 } -
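Review bot: The `case PropertySlot::InternalMethodType::VMInquiry:` branch now writes `jsUndefined()` into the slot before returning false, with no comment saying why, and the same `slot.setValue(this, static_cast<unsigned>(JSC::PropertyAttribute::None), jsUndefined());` line is repeated in ProxyObject.cpp and (with `element` as the base) in JSPluginElementFunctions.cpp. A comment such as `// Failed VMInquiry: callers must not read the slot, but initialize it to undefined so a buggy reader cannot observe a stale value.` would capture the intent recorded in the ChangeLog at the place where the code is read. Since three sites now perform the identical defensive initialization, consider a single PropertySlot helper that marks a failed VMInquiry and initializes the slot, so the invariant lives in one place (name to be chosen). getOwnPropertySlotCommon begins and ends outside this hunk.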
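--- a/trunk/Source/JavaScriptCore/runtime/JSObjectInlines.h
+++ b/trunk/Source/JavaScriptCore/runtime/JSObjectInlines.h
@@ -134,4 +134,6 @@
         if (hasSlot)
             return true;
+        if (UNLIKELY(slot.isVMInquiry() && slot.isTaintedByOpaqueObject()))
+            return false;
         if (object->type() == ProxyObjectType && slot.internalMethodType() == PropertySlot::InternalMethodType::HasProperty)
             return false;
@@ -175,4 +177,6 @@
         if (hasSlot)
             return true;
+        if (UNLIKELY(slot.isVMInquiry() && slot.isTaintedByOpaqueObject()))
+            return false;
         if (object->type() == ProxyObjectType && slot.internalMethodType() == PropertySlot::InternalMethodType::HasProperty)
             return false;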
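Review bot: The new early return in getPropertySlot carries no comment explaining why a tainted VMInquiry must stop the prototype walk, and the identical two lines appear again in getNonIndexPropertySlot in the second hunk. The point is subtle: the opaque object returned false only because it could not answer without running JS, so continuing to the next prototype would presumably report a property that the opaque object might in fact shadow. Suggest `// Opaque objects (Proxy, plugin elements) cannot answer a VMInquiry without running JS; a tainted false means "unknown", not "absent", so do not consult the rest of the prototype chain.` above the check in both places. Both enclosing functions start and end outside their hunks.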
trunk/Source/JavaScriptCore/runtime/ProxyObject.cpp
r261755 r264895 1 1 /* 2 * Copyright (C) 2016-20 19Apple Inc. All Rights Reserved.2 * Copyright (C) 2016-2020 Apple Inc. All Rights Reserved. 3 3 * 4 4 * Redistribution and use in source and binary forms, with or without … … 333 333 slot.setIsTaintedByOpaqueObject(); 334 334 335 if (slot.internalMethodType() == PropertySlot::InternalMethodType::VMInquiry) 336 return false; 335 if (slot.isVMInquiry()) { 336 slot.setValue(this, static_cast<unsigned>(JSC::PropertyAttribute::None), jsUndefined()); 337 return false; 338 } 337 339 338 340 VM& vm = globalObject->vm(); -
trunk/Source/WebCore/ChangeLog
r264893 r264895 1 2020-07-24 Mark Lam <mark.lam@apple.com> 2 3 pluginElementCustomGetOwnPropertySlot() should support VMInquiry requests. 4 https://bugs.webkit.org/show_bug.cgi?id=214555 5 <rdar://problem/65855400> 6 7 Reviewed by Yusuke Suzuki. 8 9 1. Add handling for VMInquiry failure in CodeGeneratorJS. 10 11 2. Fix pluginElementCustomGetOwnPropertySlot() to setIsTaintedByOpaqueObject(). 12 13 3. Fix pluginElementCustomGetOwnPropertySlot() handle a VMInquiry failure case 14 and if so, to initialize the PropertySlot to a jsUndefined() value. The client 15 shouldn't be reading the value if the VMInquiry failed, but as a defensive 16 action, we'll initialize the slot to effectively return an undefined value. 17 18 * bindings/js/JSPluginElementFunctions.cpp: 19 (WebCore::pluginElementCustomGetOwnPropertySlot): 20 * bindings/scripts/CodeGeneratorJS.pm: 21 (GenerateGetOwnPropertySlot): 22 (GenerateGetOwnPropertySlotByIndex): 23 * bindings/scripts/test/JS/JSTestPluginInterface.cpp: 24 (WebCore::JSTestPluginInterface::getOwnPropertySlot): 25 (WebCore::JSTestPluginInterface::getOwnPropertySlotByIndex): 26 1 27 2020-07-25 Wenson Hsieh <wenson_hsieh@apple.com> 2 28 -
trunk/Source/WebCore/bindings/js/JSPluginElementFunctions.cpp
r260744 r264895 1 1 /* 2 2 * Copyright (C) 1999-2000 Harri Porten (porten@kde.org) 3 * Copyright (C) 2004-20 19Apple Inc. All rights reserved.3 * Copyright (C) 2004-2020 Apple Inc. All rights reserved. 4 4 * 5 5 * This library is free software; you can redistribute it and/or … … 112 112 bool pluginElementCustomGetOwnPropertySlot(JSHTMLElement* element, JSGlobalObject* lexicalGlobalObject, PropertyName propertyName, PropertySlot& slot) 113 113 { 114 slot.setIsTaintedByOpaqueObject(); 115 114 116 if (!element->globalObject()->world().isNormal()) { 115 117 JSC::JSValue proto = element->getPrototypeDirect(lexicalGlobalObject->vm()); 116 118 if (proto.isObject() && JSC::jsCast<JSC::JSObject*>(asObject(proto))->hasProperty(lexicalGlobalObject, propertyName)) 117 119 return false; 120 } 121 122 if (slot.isVMInquiry()) { 123 slot.setValue(element, static_cast<unsigned>(JSC::PropertyAttribute::None), jsUndefined()); 124 return false; // Can't execute stuff below because they can call back into JS. 118 125 } 119 126 -
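Review bot: The `if (slot.isVMInquiry())` early return is placed after the `!element->globalObject()->world().isNormal()` block, whose `hasProperty(lexicalGlobalObject, propertyName)` call on the prototype performs a full HasProperty lookup and so is presumably able to call back into JS itself (a Proxy anywhere in that prototype chain would run its trap), which is exactly what the new comment says a VMInquiry must avoid. If that chain can contain script-visible objects, the VMInquiry block should sit immediately after `slot.setIsTaintedByOpaqueObject();`, ahead of the isolated-world check; the function returns false for a VMInquiry in either order, so only where the slot gets initialised changes. The `// Can't execute stuff below because they can call back into JS.` comment would also read better on its own line above the `if`, so it covers the whole early return rather than the `return false;` alone. pluginElementCustomGetOwnPropertySlot continues past the end of this hunk.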
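--- a/trunk/Source/WebCore/bindings/scripts/CodeGeneratorJS.pm
+++ b/trunk/Source/WebCore/bindings/scripts/CodeGeneratorJS.pm
@@ -707,4 +707,7 @@
         push(@$outputArray, " if (pluginElementCustomGetOwnPropertySlot(thisObject, lexicalGlobalObject, propertyName, slot))\n");
         push(@$outputArray, " return true;\n");
+        push(@$outputArray, " ASSERT(slot.isTaintedByOpaqueObject());\n");
+        push(@$outputArray, " if (slot.isVMInquiry())\n");
+        push(@$outputArray, " return false;\n");
     }
 
@@ -820,4 +823,7 @@
         push(@$outputArray, " if (pluginElementCustomGetOwnPropertySlot(thisObject, lexicalGlobalObject, propertyName, slot))\n");
         push(@$outputArray, " return true;\n");
+        push(@$outputArray, " ASSERT(slot.isTaintedByOpaqueObject());\n");
+        push(@$outputArray, " if (slot.isVMInquiry())\n");
+        push(@$outputArray, " return false;\n");
     }
 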
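Review bot: The three emitted lines (`ASSERT(slot.isTaintedByOpaqueObject());`, `if (slot.isVMInquiry())`, `return false;`) are pushed verbatim in both GenerateGetOwnPropertySlot and GenerateGetOwnPropertySlotByIndex, and the generated C++ gets no comment saying why a VMInquiry must not fall through to `JSObject::getOwnPropertySlot`. Suggest hoisting the three pushes into one Perl helper called from both generators so the two code paths cannot drift, and emitting a comment ahead of the `if`, e.g. `push(@$outputArray, "    // Tainted VMInquiry: the plugin element could not answer without running JS, so do not fall back to the static lookup.\n");`. The ASSERT documents a precondition on pluginElementCustomGetOwnPropertySlot that only debug builds check; the early return does not depend on it, which the same comment could state. Both generator subroutines start and end outside these hunks.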
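--- a/trunk/Source/WebCore/bindings/scripts/test/JS/JSTestPluginInterface.cpp
+++ b/trunk/Source/WebCore/bindings/scripts/test/JS/JSTestPluginInterface.cpp
@@ -157,4 +157,7 @@
     if (pluginElementCustomGetOwnPropertySlot(thisObject, lexicalGlobalObject, propertyName, slot))
         return true;
+    ASSERT(slot.isTaintedByOpaqueObject());
+    if (slot.isVMInquiry())
+        return false;
     return JSObject::getOwnPropertySlot(object, lexicalGlobalObject, propertyName, slot);
 }
@@ -168,4 +171,7 @@
     if (pluginElementCustomGetOwnPropertySlot(thisObject, lexicalGlobalObject, propertyName, slot))
         return true;
+    ASSERT(slot.isTaintedByOpaqueObject());
+    if (slot.isVMInquiry())
+        return false;
     return JSObject::getOwnPropertySlotByIndex(object, lexicalGlobalObject, index, slot);
 }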