Changeset 274308 in webkit

Timestamp:

Mar 11, 2021 4:08:05 PM (17 months ago)

Author:

Alexey Shvayka

Message:

Align JSGlobalObject::defineOwnProperty() with the spec and other runtimes
​https://bugs.webkit.org/show_bug.cgi?id=203456

Reviewed by Robin Morisset.

JSTests:

• microbenchmarks/global-var-put-to-scope.js: Added.
• stress/eval-func-decl-in-frozen-global.js:

Object.freeze() redefines all global variables as ReadOnly, including hoisted var error.
Aligns with V8.

• stress/global-object-define-own-property-put-to-scope.js: Added.
• stress/global-object-define-own-property.js: Added.
• stress/to-this-before-arrow-function-closes-over-this-that-starts-as-lexical-environment.js:

Fix unwanted name conflict, which was an error in the original test, not an intended part of it.
Also, remove misleading comment on defineProperty and assert accessors are created on global object.
Aligns with V8.

LayoutTests/imported/w3c:

• web-platform-tests/html/browsers/the-windowproxy-exotic-object/windowproxy-define-own-property-unforgeable-same-origin-expected.txt: Added.
• web-platform-tests/html/browsers/the-windowproxy-exotic-object/windowproxy-define-own-property-unforgeable-same-origin.html: Added.

Source/JavaScriptCore:

Per spec, top-level var bindings are non-configurable properties of the global
object [1], while undefined / NaN / Infinity are also non-writable [2].

Prior to this change, redefining global var binding with accessor descriptor
failed silently (rather than throwing a TypeError); redefining with data or
generic descriptor created a structure property, which took precedence over
symbol table entry in JSGlobalObject::getOwnPropertySlot(), effectively
destroying live binding between global.foo and var foo.

This patch re-engineers JSGlobalObject::defineOwnProperty(), fixing both issues
mentioned above. If defineOwnProperty() override is removed, there is no way
a live binding can be maintained.

In a follow-up change, JSGlobalObject::getOwnPropertySlot() will be updated to
search symbol table first, aligning it with the spec [3], put(), and
defineOwnProperty(). Apart from consistency, this will bring a mild speed-up.

To accomodate global var binding reassignment right after it becomes read-only
(in the same scope), this patch introduces a watchpoint that can be fired by
JSGlobalObject::defineOwnProperty(). put_to_scope performance is neutral.

Also, this patch removes unused symbolTableGet() overload and orphaned
JSGlobalObject::defineGetter() / JSGlobalObject::defineSetter() declarations.

[1]: ​https://tc39.es/ecma262/#sec-object-environment-records-createmutablebinding-n-d
[2]: ​https://tc39.es/ecma262/#sec-value-properties-of-the-global-object
[3]: ​https://tc39.es/ecma262/#sec-global-environment-records-getbindingvalue-n-s

• dfg/DFGByteCodeParser.cpp:

(JSC::DFG::ByteCodeParser::needsDynamicLookup):
(JSC::DFG::ByteCodeParser::parseBlock):

• jit/JIT.cpp:

(JSC::JIT::emitVarReadOnlyCheck):

• jit/JIT.h:
• jit/JITPropertyAccess.cpp:

(JSC::JIT::emit_op_put_to_scope):

• jit/JITPropertyAccess32_64.cpp:

(JSC::JIT::emit_op_put_to_scope):

• llint/LowLevelInterpreter.asm:
• llint/LowLevelInterpreter32_64.asm:
• llint/LowLevelInterpreter64.asm:
• runtime/JSGlobalObject.cpp:

(JSC::JSGlobalObject::JSGlobalObject):
(JSC::JSGlobalObject::defineOwnProperty):

• runtime/JSGlobalObject.h:

(JSC::JSGlobalObject::varReadOnlyWatchpoint):

• runtime/JSSymbolTableObject.h:

(JSC::symbolTableGet):

Source/WebCore:

This patch removes location special-casing, which a) incorrectly returned
false if new descriptor was the same as the current one and b) failed
silently otherwise (rather than throwing a TypeError).

However, this change introduces window / document special-casing because
they exist on the structure and as symbol table entries (for performance reasons).
Aligns WebKit with Blink and partly with Gecko.

Test: imported/w3c/web-platform-tests/html/browsers/the-windowproxy-exotic-object/windowproxy-define-own-property-unforgeable-same-origin.html

• bindings/js/JSDOMWindowCustom.cpp:

(WebCore::JSDOMWindow::defineOwnProperty):

LayoutTests:

• fast/dom/Window/Location/window-override-location-using-defineGetter-expected.txt:
• fast/dom/Window/Location/window-override-location-using-defineGetter.html:
• fast/dom/Window/Location/window-override-window-using-defineGetter-expected.txt:
• fast/dom/Window/Location/window-override-window-using-defineGetter.html:
• fast/dom/getter-on-window-object2-expected.txt:
• fast/dom/getter-on-window-object2.html:

Location:

trunk

Files:

• JSTests/ChangeLog (modified) (1 diff)
• JSTests/microbenchmarks/global-var-put-to-scope.js (added)
• JSTests/stress/eval-func-decl-in-frozen-global.js (modified) (1 diff)
• JSTests/stress/global-object-define-own-property-put-to-scope.js (added)
• JSTests/stress/global-object-define-own-property.js (added)
• JSTests/stress/to-this-before-arrow-function-closes-over-this-that-starts-as-lexical-environment.js (modified) (3 diffs)
• LayoutTests/ChangeLog (modified) (1 diff)
• LayoutTests/fast/dom/Window/Location/window-override-location-using-defineGetter-expected.txt (modified) (1 diff)
• LayoutTests/fast/dom/Window/Location/window-override-location-using-defineGetter.html (modified) (1 diff)
• LayoutTests/fast/dom/Window/Location/window-override-window-using-defineGetter-expected.txt (modified) (1 diff)
• LayoutTests/fast/dom/Window/Location/window-override-window-using-defineGetter.html (modified) (1 diff)
• LayoutTests/fast/dom/getter-on-window-object2-expected.txt (modified) (1 diff)
• LayoutTests/fast/dom/getter-on-window-object2.html (modified) (2 diffs)
• LayoutTests/imported/w3c/ChangeLog (modified) (1 diff)
• LayoutTests/imported/w3c/web-platform-tests/html/browsers/the-windowproxy-exotic-object/windowproxy-define-own-property-unforgeable-same-origin-expected.txt (added)
• LayoutTests/imported/w3c/web-platform-tests/html/browsers/the-windowproxy-exotic-object/windowproxy-define-own-property-unforgeable-same-origin.html (added)
• Source/JavaScriptCore/ChangeLog (modified) (1 diff)
• Source/JavaScriptCore/dfg/DFGByteCodeParser.cpp (modified) (3 diffs)
• Source/JavaScriptCore/jit/JIT.cpp (modified) (1 diff)
• Source/JavaScriptCore/jit/JIT.h (modified) (1 diff)
• Source/JavaScriptCore/jit/JITPropertyAccess.cpp (modified) (1 diff)
• Source/JavaScriptCore/jit/JITPropertyAccess32_64.cpp (modified) (1 diff)
• Source/JavaScriptCore/llint/LowLevelInterpreter.asm (modified) (1 diff)
• Source/JavaScriptCore/llint/LowLevelInterpreter32_64.asm (modified) (2 diffs)
• Source/JavaScriptCore/llint/LowLevelInterpreter64.asm (modified) (2 diffs)
• Source/JavaScriptCore/runtime/JSGlobalObject.cpp (modified) (2 diffs)
• Source/JavaScriptCore/runtime/JSGlobalObject.h (modified) (3 diffs)
• Source/JavaScriptCore/runtime/JSSymbolTableObject.h (modified) (3 diffs)
• Source/WebCore/ChangeLog (modified) (1 diff)
• Source/WebCore/bindings/js/JSDOMWindowCustom.cpp (modified) (1 diff)

trunk/JSTests/ChangeLog

@@ +1 @@
+2021-03-11  Alexey Shvayka  <shvaikalesh@gmail.com>
+
+        Align JSGlobalObject::defineOwnProperty() with the spec and other runtimes
+        https://bugs.webkit.org/show_bug.cgi?id=203456
+
+        Reviewed by Robin Morisset.
+
+        * microbenchmarks/global-var-put-to-scope.js: Added.
+        * stress/eval-func-decl-in-frozen-global.js:
+        Object.freeze() redefines all global variables as ReadOnly, including hoisted `var error`.
+        Aligns with V8.
+
+        * stress/global-object-define-own-property-put-to-scope.js: Added.
+        * stress/global-object-define-own-property.js: Added.
+        * stress/to-this-before-arrow-function-closes-over-this-that-starts-as-lexical-environment.js:
+        Fix unwanted name conflict, which was an error in the original test, not an intended part of it.
+        Also, remove misleading comment on `defineProperty` and assert accessors are created on global object.
+        Aligns with V8.
+
 2021-03-11  Commit Queue  <commit-queue@webkit.org>
 

trunk/JSTests/stress/eval-func-decl-in-frozen-global.js

@@ -37 +37 @@
 Object.freeze(this);
 {
-  var error = false;
+  let error = false;
   try {
     eval('{ function boo() {} }');

trunk/JSTests/stress/to-this-before-arrow-function-closes-over-this-that-starts-as-lexical-environment.js

@@ -18 +18 @@
     function wrapper() {
         let x = () => {
-            // This should not defineProperty on a JSLexicalEnvironment! That's a huge bug.
-            Object.defineProperty(this, "foo", {
+            Object.defineProperty(this, "baz", {
                 get: function() { },
                 set: function() { }
@@ -38 +37 @@
     function wrapper() {
         let x = () => {
-            // This should not defineProperty on a JSLexicalEnvironment! That's a huge bug.
-            Object.defineProperty(this, "foo", {
+            Object.defineProperty(this, "baz2", {
                 get: function() { },
                 set: function() { }
             });
+            assert(this === globalThis);
         }
 
@@ -57 +56 @@
 }
 foo2();
+
+assert(this.hasOwnProperty("baz"));
+assert(this.hasOwnProperty("baz2"));

trunk/LayoutTests/ChangeLog

@@ +1 @@
+2021-03-11  Alexey Shvayka  <shvaikalesh@gmail.com>
+
+        Align JSGlobalObject::defineOwnProperty() with the spec and other runtimes
+        https://bugs.webkit.org/show_bug.cgi?id=203456
+
+        Reviewed by Robin Morisset.
+
+        * fast/dom/Window/Location/window-override-location-using-defineGetter-expected.txt:
+        * fast/dom/Window/Location/window-override-location-using-defineGetter.html:
+        * fast/dom/Window/Location/window-override-window-using-defineGetter-expected.txt:
+        * fast/dom/Window/Location/window-override-window-using-defineGetter.html:
+        * fast/dom/getter-on-window-object2-expected.txt:
+        * fast/dom/getter-on-window-object2.html:
+
 2021-03-11  Aditya Keerthi  <akeerthi@apple.com>
 

trunk/LayoutTests/fast/dom/Window/Location/window-override-location-using-defineGetter-expected.txt

@@ +1 @@
+PASS function () {
+        window.__defineGetter__("location", () => "haxored");
+    } threw exception TypeError: Attempting to change configurable attribute of unconfigurable property..
 PASS result is correctValue
 PASS successfullyParsed is true

trunk/LayoutTests/fast/dom/Window/Location/window-override-location-using-defineGetter.html

@@ -6 +6 @@
 <body>
 <script>
-    window.__defineGetter__("location", function() { return "haxored"; });
+    shouldThrowErrorName(function() {
+        window.__defineGetter__("location", () => "haxored");
+    }, "TypeError");
 
     var result = normalizeURL(String(window.location));

trunk/LayoutTests/fast/dom/Window/Location/window-override-window-using-defineGetter-expected.txt

@@ +1 @@
+PASS function () {
+        window.__defineGetter__("window", () => ({ location: "haxored" }));
+    } threw exception TypeError: Attempting to change configurable attribute of unconfigurable property..
 PASS result is correctValue
 PASS successfullyParsed is true

trunk/LayoutTests/fast/dom/Window/Location/window-override-window-using-defineGetter.html

@@ -6 +6 @@
 <body>
 <script>
-    window.__defineGetter__("window", function() {
-        return { location: "haxored" };
-    });
+    shouldThrowErrorName(function() {
+        window.__defineGetter__("window", () => ({ location: "haxored" }));
+    }, "TypeError");
 
     var result = normalizeURL(String(window.location));

trunk/LayoutTests/fast/dom/getter-on-window-object2-expected.txt

@@ -4 +4 @@
 
 
+PASS function () {
+    window.__defineGetter__("x", function() { return "window.x __getter__"; });
+} threw exception TypeError: Attempting to change configurable attribute of unconfigurable property..
 PASS window.x is 1
 PASS typeof window.__lookupGetter__('x') is 'undefined'
 PASS typeof Object.getOwnPropertyDescriptor(window, 'x').get is 'undefined'
 
+PASS function () {
+window.__defineSetter__("x", function() { debug("window.x __setter__ called"); });
+} threw exception TypeError: Attempting to change configurable attribute of unconfigurable property..
 PASS window.x is 2
 PASS typeof window.__lookupGetter__('x') is 'undefined'

trunk/LayoutTests/fast/dom/getter-on-window-object2.html

@@ -5 +5 @@
 
 var x = 1;
-try {
+shouldThrowErrorName(function() {
     window.__defineGetter__("x", function() { return "window.x __getter__"; });
-} catch(e) { debug(e); }
+}, "TypeError");
 
 shouldBe("window.x", "1");
@@ -15 +15 @@
 
 
-try {
+shouldThrowErrorName(function() {
 window.__defineSetter__("x", function() { debug("window.x __setter__ called"); });
-} catch(e) { debug(e); }
+}, "TypeError");
 x = 2;
 

trunk/LayoutTests/imported/w3c/ChangeLog

@@ +1 @@
+2021-03-11  Alexey Shvayka  <shvaikalesh@gmail.com>
+
+        Align JSGlobalObject::defineOwnProperty() with the spec and other runtimes
+        https://bugs.webkit.org/show_bug.cgi?id=203456
+
+        Reviewed by Robin Morisset.
+
+        * web-platform-tests/html/browsers/the-windowproxy-exotic-object/windowproxy-define-own-property-unforgeable-same-origin-expected.txt: Added.
+        * web-platform-tests/html/browsers/the-windowproxy-exotic-object/windowproxy-define-own-property-unforgeable-same-origin.html: Added.
+
 2021-03-10  Antoine Quint  <graouts@webkit.org>
 

trunk/Source/JavaScriptCore/ChangeLog

@@ +1 @@
+2021-03-11  Alexey Shvayka  <shvaikalesh@gmail.com>
+
+        Align JSGlobalObject::defineOwnProperty() with the spec and other runtimes
+        https://bugs.webkit.org/show_bug.cgi?id=203456
+
+        Reviewed by Robin Morisset.
+
+        Per spec, top-level `var` bindings are non-configurable properties of the global
+        object [1], while `undefined` / `NaN` / `Infinity` are also non-writable [2].
+
+        Prior to this change, redefining global `var` binding with accessor descriptor
+        failed silently (rather than throwing a TypeError); redefining with data or
+        generic descriptor created a structure property, which took precedence over
+        symbol table entry in JSGlobalObject::getOwnPropertySlot(), effectively
+        destroying live binding between `global.foo` and `var foo`.
+
+        This patch re-engineers JSGlobalObject::defineOwnProperty(), fixing both issues
+        mentioned above. If defineOwnProperty() override is removed, there is no way
+        a live binding can be maintained.
+
+        In a follow-up change, JSGlobalObject::getOwnPropertySlot() will be updated to
+        search symbol table first, aligning it with the spec [3], put(), and
+        defineOwnProperty(). Apart from consistency, this will bring a mild speed-up.
+
+        To accomodate global `var` binding reassignment right after it becomes read-only
+        (in the same scope), this patch introduces a watchpoint that can be fired by
+        JSGlobalObject::defineOwnProperty(). put_to_scope performance is neutral.
+
+        Also, this patch removes unused symbolTableGet() overload and orphaned
+        JSGlobalObject::defineGetter() / JSGlobalObject::defineSetter() declarations.
+
+        [1]: https://tc39.es/ecma262/#sec-object-environment-records-createmutablebinding-n-d
+        [2]: https://tc39.es/ecma262/#sec-value-properties-of-the-global-object
+        [3]: https://tc39.es/ecma262/#sec-global-environment-records-getbindingvalue-n-s
+
+        * dfg/DFGByteCodeParser.cpp:
+        (JSC::DFG::ByteCodeParser::needsDynamicLookup):
+        (JSC::DFG::ByteCodeParser::parseBlock):
+        * jit/JIT.cpp:
+        (JSC::JIT::emitVarReadOnlyCheck):
+        * jit/JIT.h:
+        * jit/JITPropertyAccess.cpp:
+        (JSC::JIT::emit_op_put_to_scope):
+        * jit/JITPropertyAccess32_64.cpp:
+        (JSC::JIT::emit_op_put_to_scope):
+        * llint/LowLevelInterpreter.asm:
+        * llint/LowLevelInterpreter32_64.asm:
+        * llint/LowLevelInterpreter64.asm:
+        * runtime/JSGlobalObject.cpp:
+        (JSC::JSGlobalObject::JSGlobalObject):
+        (JSC::JSGlobalObject::defineOwnProperty):
+        * runtime/JSGlobalObject.h:
+        (JSC::JSGlobalObject::varReadOnlyWatchpoint):
+        * runtime/JSSymbolTableObject.h:
+        (JSC::symbolTableGet):
+
 2021-03-11  BJ Burg  <bburg@apple.com>
 

trunk/Source/JavaScriptCore/dfg/DFGByteCodeParser.cpp

@@ -4216 +4216 @@
 
     switch (type) {
-    case GlobalProperty:
     case GlobalVar:
+    case GlobalVarWithVarInjectionChecks: {
+        if (opcode == op_put_to_scope && globalObject->varReadOnlyWatchpoint()->hasBeenInvalidated())
+            return true;
+
+        return false;
+    }
+
+    case GlobalProperty:    
     case GlobalLexicalVar:
     case ClosureVar:
@@ -4252 +4259 @@
 
     case GlobalPropertyWithVarInjectionChecks:
-    case GlobalVarWithVarInjectionChecks:
     case GlobalLexicalVarWithVarInjectionChecks:
     case ClosureVarWithVarInjectionChecks:
@@ -7926 +7932 @@
                     addToGraph(CheckNotEmpty, value);
                 }
+                if (resolveType == GlobalVar || resolveType == GlobalVarWithVarInjectionChecks)
+                    m_graph.watchpoints().addLazily(globalObject->varReadOnlyWatchpoint());
 
                 JSSegmentedVariableObject* scopeObject = jsCast<JSSegmentedVariableObject*>(JSScope::constantScopeForCodeBlock(resolveType, m_inlineStackTop->m_codeBlock));

trunk/Source/JavaScriptCore/jit/JIT.cpp

@@ -116 +116 @@
 {
     addSlowCase(branch8(NotEqual, Address(pointerToSet, WatchpointSet::offsetOfState()), TrustedImm32(IsInvalidated)));
+}
+
+void JIT::emitVarReadOnlyCheck(ResolveType resolveType)
+{
+    if (resolveType == GlobalVar || resolveType == GlobalVarWithVarInjectionChecks)
+        addSlowCase(branch8(Equal, AbsoluteAddress(m_codeBlock->globalObject()->varReadOnlyWatchpoint()->addressOfState()), TrustedImm32(IsInvalidated)));
 }
 

trunk/Source/JavaScriptCore/jit/JIT.h

@@ -753 +753 @@
         void emitNewFuncExprCommon(const Instruction*);
         void emitVarInjectionCheck(bool needsVarInjectionChecks);
+        void emitVarReadOnlyCheck(ResolveType);
         void emitResolveClosure(VirtualRegister dst, VirtualRegister scope, bool needsVarInjectionChecks, unsigned depth);
         void emitLoadWithStructureCheck(VirtualRegister scope, Structure** structureSlot);

trunk/Source/JavaScriptCore/jit/JITPropertyAccess.cpp

@@ -1228 +1228 @@
             RELEASE_ASSERT(constantScope);
             emitVarInjectionCheck(needsVarInjectionChecks(resolveType));
+            emitVarReadOnlyCheck(resolveType);
             if (!isInitialization(getPutInfo.initializationMode()) && (resolveType == GlobalLexicalVar || resolveType == GlobalLexicalVarWithVarInjectionChecks)) {
                 // We need to do a TDZ check here because we can't always prove we need to emit TDZ checks statically.

trunk/Source/JavaScriptCore/jit/JITPropertyAccess32_64.cpp

@@ -1244 +1244 @@
             emitWriteBarrier(constantScope, value, ShouldFilterValue);
             emitVarInjectionCheck(needsVarInjectionChecks(resolveType));
+            emitVarReadOnlyCheck(resolveType);
             if (!isInitialization(getPutInfo.initializationMode()) && (resolveType == GlobalLexicalVar || resolveType == GlobalLexicalVarWithVarInjectionChecks)) {
                 // We need to do a TDZ check here because we can't always prove we need to emit TDZ checks statically.

trunk/Source/JavaScriptCore/llint/LowLevelInterpreter.asm

@@ -1342 +1342 @@
 end
 
+macro varReadOnlyCheck(slowPath, scratch)
+    loadp CodeBlock[cfr], scratch
+    loadp CodeBlock::m_globalObject[scratch], scratch
+    loadp JSGlobalObject::m_varReadOnlyWatchpoint[scratch], scratch
+    bbeq WatchpointSet::m_state[scratch], IsInvalidated, slowPath
+end
+
 macro checkSwitchToJIT(increment, action)
     loadp CodeBlock[cfr], t0

trunk/Source/JavaScriptCore/llint/LowLevelInterpreter32_64.asm

@@ -2626 +2626 @@
 .pGlobalVar:
     bineq t0, GlobalVar, .pGlobalLexicalVar
+    varReadOnlyCheck(.pDynamic, t2)
     putGlobalVariable()
     writeBarrierOnGlobalObject(size, get, m_value)
@@ -2653 +2654 @@
 .pGlobalVarWithVarInjectionChecks:
     bineq t0, GlobalVarWithVarInjectionChecks, .pGlobalLexicalVarWithVarInjectionChecks
+    # FIXME: Avoid loading m_globalObject twice
+    # https://bugs.webkit.org/show_bug.cgi?id=223097
     varInjectionCheck(.pDynamic)
+    varReadOnlyCheck(.pDynamic, t2)
     putGlobalVariable()
     writeBarrierOnGlobalObject(size, get, m_value)

trunk/Source/JavaScriptCore/llint/LowLevelInterpreter64.asm

@@ -2728 +2728 @@
 .pGlobalVar:
     bineq t0, GlobalVar, .pGlobalLexicalVar
+    varReadOnlyCheck(.pDynamic, t2)
     putGlobalVariable()
     writeBarrierOnGlobalObject(size, get, m_value)
@@ -2755 +2756 @@
 .pGlobalVarWithVarInjectionChecks:
     bineq t0, GlobalVarWithVarInjectionChecks, .pGlobalLexicalVarWithVarInjectionChecks
+    # FIXME: Avoid loading m_globalObject twice
+    # https://bugs.webkit.org/show_bug.cgi?id=223097
     varInjectionCheck(.pDynamic, t2)
+    varReadOnlyCheck(.pDynamic, t2)
     putGlobalVariable()
     writeBarrierOnGlobalObject(size, get, m_value)

trunk/Source/JavaScriptCore/runtime/JSGlobalObject.cpp

@@ -496 +496 @@
     , m_havingABadTimeWatchpoint(WatchpointSet::create(IsWatched))
     , m_varInjectionWatchpoint(WatchpointSet::create(IsWatched))
+    , m_varReadOnlyWatchpoint(WatchpointSet::create(IsWatched))
     , m_weakRandom(Options::forceWeakRandomSeed() ? Options::forcedWeakRandomSeed() : static_cast<unsigned>(randomNumber() * (std::numeric_limits<unsigned>::max() + 1.0)))
     , m_arrayIteratorProtocolWatchpointSet(IsWatched)
@@ -1481 +1482 @@
 {
     VM& vm = globalObject->vm();
+    auto scope = DECLARE_THROW_SCOPE(vm);
     JSGlobalObject* thisObject = jsCast<JSGlobalObject*>(object);
-    PropertySlot slot(thisObject, PropertySlot::InternalMethodType::VMInquiry, &vm);
-    // silently ignore attempts to add accessors aliasing vars.
-    if (descriptor.isAccessorDescriptor() && symbolTableGet(thisObject, propertyName, slot))
-        return false;
-    slot.disallowVMEntry.reset();
-    return Base::defineOwnProperty(thisObject, globalObject, propertyName, descriptor, shouldThrow);
+
+    SymbolTableEntry entry;
+    PropertyDescriptor currentDescriptor;
+    if (symbolTableGet(thisObject, propertyName, entry, currentDescriptor)) {
+        bool isExtensible = false; // ignored since current descriptor is present
+        bool isCurrentDefined = true;
+        bool isCompatibleDescriptor = validateAndApplyPropertyDescriptor(globalObject, nullptr, propertyName, isExtensible, descriptor, isCurrentDefined, currentDescriptor, shouldThrow);
+        EXCEPTION_ASSERT(!!scope.exception() == !isCompatibleDescriptor);
+        if (!isCompatibleDescriptor)
+            return false;
+
+        if (descriptor.value()) {
+            bool ignoreReadOnlyErrors = true;
+            bool putResult = false;
+            if (symbolTablePutTouchWatchpointSet(thisObject, globalObject, propertyName, descriptor.value(), shouldThrow, ignoreReadOnlyErrors, putResult))
+                ASSERT(putResult);
+            scope.assertNoException();
+        }
+        if (descriptor.writablePresent() && !descriptor.writable() && !entry.isReadOnly()) {
+            entry.setAttributes(static_cast<unsigned>(PropertyAttribute::ReadOnly));
+            thisObject->symbolTable()->set(propertyName.uid(), entry);
+            thisObject->varReadOnlyWatchpoint()->fireAll(vm, "GlobalVar was redefined as ReadOnly");
+        }
+        return true;
+    }
+
+    RELEASE_AND_RETURN(scope, Base::defineOwnProperty(thisObject, globalObject, propertyName, descriptor, shouldThrow));
 }
 

trunk/Source/JavaScriptCore/runtime/JSGlobalObject.h

@@ -475 +475 @@
     RefPtr<WatchpointSet> m_havingABadTimeWatchpoint;
     RefPtr<WatchpointSet> m_varInjectionWatchpoint;
+    RefPtr<WatchpointSet> m_varReadOnlyWatchpoint;
 
     std::unique_ptr<JSGlobalObjectRareData> m_rareData;
@@ -624 +625 @@
     JS_EXPORT_PRIVATE static bool getOwnPropertySlot(JSObject*, JSGlobalObject*, PropertyName, PropertySlot&);
     JS_EXPORT_PRIVATE static bool put(JSCell*, JSGlobalObject*, PropertyName, JSValue, PutPropertySlot&);
-
-    JS_EXPORT_PRIVATE static void defineGetter(JSObject*, JSGlobalObject*, PropertyName, JSObject* getterFunc, unsigned attributes);
-    JS_EXPORT_PRIVATE static void defineSetter(JSObject*, JSGlobalObject*, PropertyName, JSObject* setterFunc, unsigned attributes);
     JS_EXPORT_PRIVATE static bool defineOwnProperty(JSObject*, JSGlobalObject*, PropertyName, const PropertyDescriptor&, bool shouldThrow);
 
@@ -999 +997 @@
     WatchpointSet* havingABadTimeWatchpoint() { return m_havingABadTimeWatchpoint.get(); }
     WatchpointSet* varInjectionWatchpoint() { return m_varInjectionWatchpoint.get(); }
+    WatchpointSet* varReadOnlyWatchpoint() { return m_varReadOnlyWatchpoint.get(); }
         
     bool isHavingABadTime() const

trunk/Source/JavaScriptCore/runtime/JSSymbolTableObject.h

@@ -100 +100 @@
 template<typename SymbolTableObjectType>
 inline bool symbolTableGet(
-    SymbolTableObjectType* object, PropertyName propertyName, PropertyDescriptor& descriptor)
+    SymbolTableObjectType* object, PropertyName propertyName, SymbolTableEntry& entry, PropertyDescriptor& descriptor)
 {
     SymbolTable& symbolTable = *object->symbolTable();
@@ -107 +107 @@
     if (iter == symbolTable.end(locker))
         return false;
-    SymbolTableEntry::Fast entry = iter->value;
+    entry = iter->value;
     ASSERT(!entry.isNull());
 
@@ -116 +116 @@
 
     descriptor.setDescriptor(object->variableAt(offset).get(), entry.getAttributes() | PropertyAttribute::DontDelete);
-    return true;
-}
-
-template<typename SymbolTableObjectType>
-inline bool symbolTableGet(
-    SymbolTableObjectType* object, PropertyName propertyName, PropertySlot& slot,
-    bool& slotIsWriteable)
-{
-    SymbolTable& symbolTable = *object->symbolTable();
-    ConcurrentJSLocker locker(symbolTable.m_lock);
-    SymbolTable::Map::iterator iter = symbolTable.find(locker, propertyName.uid());
-    if (iter == symbolTable.end(locker))
-        return false;
-    SymbolTableEntry::Fast entry = iter->value;
-    ASSERT(!entry.isNull());
-
-    ScopeOffset offset = entry.scopeOffset();
-    // Defend against the inspector asking for a var after it has been optimized out.
-    if (!object->isValidScopeOffset(offset))
-        return false;
-
-    slot.setValue(object, entry.getAttributes() | PropertyAttribute::DontDelete, object->variableAt(offset).get());
-    slotIsWriteable = !entry.isReadOnly();
     return true;
 }

trunk/Source/WebCore/ChangeLog

@@ +1 @@
+2021-03-11  Alexey Shvayka  <shvaikalesh@gmail.com>
+
+        Align JSGlobalObject::defineOwnProperty() with the spec and other runtimes
+        https://bugs.webkit.org/show_bug.cgi?id=203456
+
+        Reviewed by Robin Morisset.
+
+        This patch removes `location` special-casing, which a) incorrectly returned
+        `false` if new descriptor was the same as the current one and b) failed
+        silently otherwise (rather than throwing a TypeError).
+
+        However, this change introduces `window` / `document` special-casing because
+        they exist on the structure and as symbol table entries (for performance reasons).
+        Aligns WebKit with Blink and partly with Gecko.
+
+        Test: imported/w3c/web-platform-tests/html/browsers/the-windowproxy-exotic-object/windowproxy-define-own-property-unforgeable-same-origin.html
+
+        * bindings/js/JSDOMWindowCustom.cpp:
+        (WebCore::JSDOMWindow::defineOwnProperty):
+
 2021-03-11  Chris Dumez  <cdumez@apple.com>
 

trunk/Source/WebCore/bindings/js/JSDOMWindowCustom.cpp

@@ -476 +476 @@
 bool JSDOMWindow::defineOwnProperty(JSC::JSObject* object, JSC::JSGlobalObject* lexicalGlobalObject, JSC::PropertyName propertyName, const JSC::PropertyDescriptor& descriptor, bool shouldThrow)
 {
-    JSC::VM& vm = lexicalGlobalObject->vm();
-    auto scope = DECLARE_THROW_SCOPE(vm);
-
     JSDOMWindow* thisObject = jsCast<JSDOMWindow*>(object);
     // Only allow defining properties in this way by frames in the same origin, as it allows setters to be introduced.
     if (!BindingSecurity::shouldAllowAccessToDOMWindow(lexicalGlobalObject, thisObject->wrapped(), ThrowSecurityError))
-        RELEASE_AND_RETURN(scope, false);
-
-    EXCEPTION_ASSERT(!scope.exception());
-    // Don't allow shadowing location using accessor properties.
-    if (descriptor.isAccessorDescriptor() && propertyName == Identifier::fromString(vm, "location"))
         return false;
 
-    RELEASE_AND_RETURN(scope, Base::defineOwnProperty(thisObject, lexicalGlobalObject, propertyName, descriptor, shouldThrow));
+    auto& builtinNames = static_cast<JSVMClientData*>(lexicalGlobalObject->vm().clientData)->builtinNames();
+    if (propertyName == builtinNames.documentPublicName() || propertyName == builtinNames.windowPublicName())
+        return JSObject::defineOwnProperty(thisObject, lexicalGlobalObject, propertyName, descriptor, shouldThrow);
+
+    return Base::defineOwnProperty(thisObject, lexicalGlobalObject, propertyName, descriptor, shouldThrow);
 }