Changeset 278589 in webkit

Timestamp:

Jun 7, 2021, 6:53:46 PM (4 years ago)

Author:

Alexey Shvayka

Message:

Unreviewed, reland r276592 with a fix for put() override in prototype chain of a JSProxy
​https://bugs.webkit.org/show_bug.cgi?id=226185

JSTests:

• microbenchmarks/put-slow-no-cache-array.js: Added.
• microbenchmarks/put-slow-no-cache-function.js: Added.
• microbenchmarks/put-slow-no-cache-js-proxy.js: Added.
• microbenchmarks/put-slow-no-cache-long-prototype-chain.js: Added.
• microbenchmarks/put-slow-no-cache.js: Added.
• microbenchmarks/reflect-set-with-receiver.js: Added.
• stress/custom-get-set-proto-chain-put.js:
• stress/module-namespace-access-set-fails.js: Added.
• stress/put-non-reified-static-accessor-or-custom.js: Added.
• stress/put-non-reified-static-function-or-custom.js: Added.
• stress/put-to-primitive-non-reified-static-custom.js: Added.
• stress/put-to-primitive.js: Added.
• stress/put-to-proto-chain-overrides-put.js:

Rework to always test new objects, add JSProxy coverage, and assert that receiver has own property.

• stress/typed-array-canonical-numeric-index-string-set.js: Added.

LayoutTests/imported/w3c:

• web-platform-tests/WebIDL/ecmascript-binding/global-object-implicit-this-value.any-expected.txt:
• web-platform-tests/WebIDL/ecmascript-binding/interface-object-set-receiver-expected.txt: Added.
• web-platform-tests/WebIDL/ecmascript-binding/interface-object-set-receiver.html: Added.
• web-platform-tests/WebIDL/ecmascript-binding/interface-prototype-constructor-set-receiver-expected.txt:
• web-platform-tests/WebIDL/ecmascript-binding/interface-prototype-constructor-set-receiver.html:

Source/JavaScriptCore:

The API test added in r278366 revealed a flaw in JSObject::definePropertyOnReceiver()
that caused putDirectInternal() to be performed on a JSProxy instead of it's target.
Remedies that via a type check, ensuring the test and iOS apps are functional.

The issue was originally missed because the prototype chain of a global object is immutable
and none of the global object's prototypes override put(). OpaqueJSClass::prototype() sets
the Prototype directly, ignoring the IsImmutablePrototypeExoticObject type info flag.

Also, excludes an invariant from the original patch that required put() to be overriden
when implementing custom DefineOwnProperty. It is now broken by WindowProperties object.

• API/JSCallbackObject.h:
• API/JSCallbackObjectFunctions.h:

(JSC::JSCallbackObject<Parent>::put):

• API/tests/testapiScripts/testapi.js:
• debugger/DebuggerScope.h:
• runtime/ClassInfo.h:
• runtime/ClonedArguments.h:
• runtime/CustomGetterSetter.cpp:

(JSC::callCustomSetter): Deleted.

• runtime/CustomGetterSetter.h:
• runtime/ErrorConstructor.h:
• runtime/ErrorInstance.h:
• runtime/GenericArguments.h:
• runtime/GenericArgumentsInlines.h:

(JSC::GenericArguments<Type>::put):

• runtime/GetterSetter.h:
• runtime/JSArray.cpp:

(JSC::JSArray::put):

• runtime/JSArray.h:
• runtime/JSArrayBufferView.cpp:

(JSC::JSArrayBufferView::put): Deleted.

• runtime/JSArrayBufferView.h:
• runtime/JSCJSValue.cpp:

(JSC::JSValue::putToPrimitive):

• runtime/JSCell.cpp:

(JSC::JSCell::doPutPropertySecurityCheck): Deleted.

• runtime/JSCell.h:
• runtime/JSFunction.cpp:

(JSC::JSFunction::put):

• runtime/JSFunction.h:
• runtime/JSGenericTypedArrayView.h:
• runtime/JSGlobalLexicalEnvironment.h:
• runtime/JSGlobalObject.cpp:

(JSC::JSGlobalObject::put):

• runtime/JSGlobalObject.h:
• runtime/JSLexicalEnvironment.h:
• runtime/JSModuleEnvironment.h:
• runtime/JSModuleNamespaceObject.h:
• runtime/JSObject.cpp:

(JSC::JSObject::getOwnPropertySlot):
(JSC::JSObject::putInlineSlow):
(JSC::definePropertyOnReceiverSlow):
(JSC::JSObject::definePropertyOnReceiver):
(JSC::JSObject::putInlineFastReplacingStaticPropertyIfNeeded):
(JSC::JSObject::doPutPropertySecurityCheck): Deleted.
(JSC::JSObject::prototypeChainMayInterceptStoreTo): Deleted.

• runtime/JSObject.h:

(JSC::JSObject::putByIndexInline):
(JSC::JSObject::hasNonReifiedStaticProperties):
(JSC::JSObject::getOwnPropertySlot):
(JSC::JSObject::putDirect):
(JSC::JSObject::doPutPropertySecurityCheck): Deleted.

• runtime/JSObjectInlines.h:

(JSC::JSObject::canPerformFastPutInlineExcludingProto):
(JSC::JSObject::putInlineForJSObject):
(JSC::JSObject::putInlineFast):
(JSC::JSObject::putDirectInternal):

• runtime/JSProxy.h:
• runtime/JSTypeInfo.h:

(JSC::TypeInfo::hasStaticPropertyTable const):
(JSC::TypeInfo::overridesPut const):
(JSC::TypeInfo::getOwnPropertySlotMayBeWrongAboutDontEnum const):
(JSC::TypeInfo::hasPutPropertySecurityCheck const): Deleted.

• runtime/Lookup.h:

(JSC::putEntry): Deleted.
(JSC::lookupPut): Deleted.

• runtime/PropertySlot.h:
• runtime/ProxyObject.cpp:

(JSC::ProxyObject::put):

• runtime/ProxyObject.h:
• runtime/PutPropertySlot.h:

(JSC::PutPropertySlot::PutPropertySlot):
(JSC::PutPropertySlot::context const):
(JSC::PutPropertySlot::isTaintedByOpaqueObject const):
(JSC::PutPropertySlot::setIsTaintedByOpaqueObject):

• runtime/ReflectObject.cpp:

(JSC::JSC_DEFINE_HOST_FUNCTION):

• runtime/RegExpObject.cpp:

(JSC::RegExpObject::put):

• runtime/RegExpObject.h:
• runtime/StringObject.cpp:

(JSC::StringObject::put):

• runtime/StringObject.h:
• runtime/StringPrototype.cpp:

(JSC::StringPrototype::finishCreation):
(JSC::StringPrototype::create):

• runtime/StringPrototype.h:
• runtime/Structure.cpp:

(JSC::Structure::validateFlags):

• runtime/Structure.h:

(JSC::Structure::hasNonReifiedStaticProperties const):

• tools/JSDollarVM.cpp:

Source/WebCore:

Tests: js/dom/script-tests/reflect-set-onto-dom.js

imported/w3c/web-platform-tests/WebIDL/ecmascript-binding/interface-object-set-receiver.html
http/tests/security/cross-frame-access-object-getPrototypeOf-in-put.html

• bindings/js/JSDOMWindowCustom.cpp:

(WebCore::JSDOMWindow::put):
(WebCore::JSDOMWindow::doPutPropertySecurityCheck): Deleted.

• bindings/js/JSLocationCustom.cpp:

(WebCore::JSLocation::doPutPropertySecurityCheck): Deleted.

• bindings/js/JSRemoteDOMWindowCustom.cpp:

(WebCore::JSRemoteDOMWindow::put):

• bindings/scripts/CodeGeneratorJS.pm:

(GeneratePut):
(GenerateHeader):

• bindings/scripts/test/JS/*: Updated.
• bridge/objc/objc_runtime.h:
• bridge/runtime_array.h:
• bridge/runtime_object.h:

Source/WebKit:

• WebProcess/Plugins/Netscape/JSNPObject.h:

LayoutTests:

• http/tests/security/cross-frame-access-object-getPrototypeOf-in-put-expected.txt:
• http/tests/security/cross-frame-access-object-getPrototypeOf-in-put.html:
• js/dom/reflect-set-onto-dom-expected.txt:
• js/dom/script-tests/reflect-set-onto-dom.js:

Location:

trunk

Files:

• JSTests/ChangeLog (modified) (1 diff)
• JSTests/microbenchmarks/put-slow-no-cache-array.js (added)
• JSTests/microbenchmarks/put-slow-no-cache-function.js (added)
• JSTests/microbenchmarks/put-slow-no-cache-js-proxy.js (added)
• JSTests/microbenchmarks/put-slow-no-cache-long-prototype-chain.js (added)
• JSTests/microbenchmarks/put-slow-no-cache.js (added)
• JSTests/microbenchmarks/reflect-set-with-receiver.js (added)
• JSTests/stress/custom-get-set-proto-chain-put.js (modified) (2 diffs)
• JSTests/stress/module-namespace-access-set-fails.js (added)
• JSTests/stress/put-non-reified-static-accessor-or-custom.js (added)
• JSTests/stress/put-non-reified-static-function-or-custom.js (added)
• JSTests/stress/put-to-primitive-non-reified-static-custom.js (added)
• JSTests/stress/put-to-primitive.js (added)
• JSTests/stress/put-to-proto-chain-overrides-put.js (added)
• JSTests/stress/typed-array-canonical-numeric-index-string-set.js (added)
• LayoutTests/ChangeLog (modified) (1 diff)
• LayoutTests/http/tests/security/cross-frame-access-object-getPrototypeOf-in-put-expected.txt (modified) (1 diff)
• LayoutTests/http/tests/security/cross-frame-access-object-getPrototypeOf-in-put.html (modified) (2 diffs)
• LayoutTests/imported/w3c/ChangeLog (modified) (1 diff)
• LayoutTests/imported/w3c/web-platform-tests/WebIDL/ecmascript-binding/global-object-implicit-this-value.any-expected.txt (modified) (1 diff)
• LayoutTests/imported/w3c/web-platform-tests/WebIDL/ecmascript-binding/interface-object-set-receiver-expected.txt (added)
• LayoutTests/imported/w3c/web-platform-tests/WebIDL/ecmascript-binding/interface-object-set-receiver.html (added)
• LayoutTests/imported/w3c/web-platform-tests/WebIDL/ecmascript-binding/interface-prototype-constructor-set-receiver-expected.txt (modified) (1 diff)
• LayoutTests/imported/w3c/web-platform-tests/WebIDL/ecmascript-binding/interface-prototype-constructor-set-receiver.html (modified) (1 diff)
• LayoutTests/js/dom/reflect-set-onto-dom-expected.txt (modified) (2 diffs)
• LayoutTests/js/dom/script-tests/reflect-set-onto-dom.js (modified) (3 diffs)
• Source/JavaScriptCore/API/JSCallbackObject.h (modified) (1 diff)
• Source/JavaScriptCore/API/JSCallbackObjectFunctions.h (modified) (1 diff)
• Source/JavaScriptCore/API/tests/testapiScripts/testapi.js (modified) (1 diff)
• Source/JavaScriptCore/ChangeLog (modified) (1 diff)
• Source/JavaScriptCore/debugger/DebuggerScope.h (modified) (1 diff)
• Source/JavaScriptCore/runtime/ClassInfo.h (modified) (2 diffs)
• Source/JavaScriptCore/runtime/ClonedArguments.h (modified) (1 diff)
• Source/JavaScriptCore/runtime/CustomGetterSetter.cpp (modified) (2 diffs)
• Source/JavaScriptCore/runtime/CustomGetterSetter.h (modified) (1 diff)
• Source/JavaScriptCore/runtime/ErrorConstructor.h (modified) (1 diff)
• Source/JavaScriptCore/runtime/ErrorInstance.h (modified) (1 diff)
• Source/JavaScriptCore/runtime/GenericArguments.h (modified) (1 diff)
• Source/JavaScriptCore/runtime/GenericArgumentsInlines.h (modified) (2 diffs)
• Source/JavaScriptCore/runtime/GetterSetter.h (modified) (1 diff)
• Source/JavaScriptCore/runtime/JSArray.cpp (modified) (2 diffs)
• Source/JavaScriptCore/runtime/JSArray.h (modified) (1 diff)
• Source/JavaScriptCore/runtime/JSArrayBufferView.cpp (modified) (1 diff)
• Source/JavaScriptCore/runtime/JSArrayBufferView.h (modified) (1 diff)
• Source/JavaScriptCore/runtime/JSCJSValue.cpp (modified) (3 diffs)
• Source/JavaScriptCore/runtime/JSCell.cpp (modified) (1 diff)
• Source/JavaScriptCore/runtime/JSCell.h (modified) (1 diff)
• Source/JavaScriptCore/runtime/JSFunction.cpp (modified) (1 diff)
• Source/JavaScriptCore/runtime/JSFunction.h (modified) (1 diff)
• Source/JavaScriptCore/runtime/JSGenericTypedArrayView.h (modified) (1 diff)
• Source/JavaScriptCore/runtime/JSGlobalLexicalEnvironment.h (modified) (1 diff)
• Source/JavaScriptCore/runtime/JSGlobalObject.cpp (modified) (1 diff)
• Source/JavaScriptCore/runtime/JSGlobalObject.h (modified) (1 diff)
• Source/JavaScriptCore/runtime/JSLexicalEnvironment.h (modified) (1 diff)
• Source/JavaScriptCore/runtime/JSModuleEnvironment.h (modified) (1 diff)
• Source/JavaScriptCore/runtime/JSModuleNamespaceObject.h (modified) (1 diff)
• Source/JavaScriptCore/runtime/JSObject.cpp (modified) (6 diffs)
• Source/JavaScriptCore/runtime/JSObject.h (modified) (10 diffs)
• Source/JavaScriptCore/runtime/JSObjectInlines.h (modified) (5 diffs)
• Source/JavaScriptCore/runtime/JSProxy.h (modified) (1 diff)
• Source/JavaScriptCore/runtime/JSTypeInfo.h (modified) (4 diffs)
• Source/JavaScriptCore/runtime/Lookup.h (modified) (1 diff)
• Source/JavaScriptCore/runtime/PropertySlot.h (modified) (1 diff)
• Source/JavaScriptCore/runtime/ProxyObject.cpp (modified) (1 diff)
• Source/JavaScriptCore/runtime/ProxyObject.h (modified) (1 diff)
• Source/JavaScriptCore/runtime/PutPropertySlot.h (modified) (5 diffs)
• Source/JavaScriptCore/runtime/ReflectObject.cpp (modified) (1 diff)
• Source/JavaScriptCore/runtime/RegExpObject.cpp (modified) (2 diffs)
• Source/JavaScriptCore/runtime/RegExpObject.h (modified) (1 diff)
• Source/JavaScriptCore/runtime/StringObject.cpp (modified) (1 diff)
• Source/JavaScriptCore/runtime/StringObject.h (modified) (1 diff)
• Source/JavaScriptCore/runtime/StringPrototype.cpp (modified) (2 diffs)
• Source/JavaScriptCore/runtime/StringPrototype.h (modified) (1 diff)
• Source/JavaScriptCore/runtime/Structure.cpp (modified) (2 diffs)
• Source/JavaScriptCore/runtime/Structure.h (modified) (1 diff)
• Source/JavaScriptCore/tools/JSDollarVM.cpp (modified) (4 diffs)
• Source/WebCore/ChangeLog (modified) (1 diff)
• Source/WebCore/bindings/js/JSDOMWindowCustom.cpp (modified) (2 diffs)
• Source/WebCore/bindings/js/JSLocationCustom.cpp (modified) (1 diff)
• Source/WebCore/bindings/js/JSRemoteDOMWindowCustom.cpp (modified) (1 diff)
• Source/WebCore/bindings/scripts/CodeGeneratorJS.pm (modified) (3 diffs)
• Source/WebCore/bindings/scripts/test/JS/JSTestDomainSecurity.h (modified) (2 diffs)
• Source/WebCore/bindings/scripts/test/JS/JSTestIndexedSetterNoIdentifier.cpp (modified) (1 diff)
• Source/WebCore/bindings/scripts/test/JS/JSTestIndexedSetterNoIdentifier.h (modified) (1 diff)
• Source/WebCore/bindings/scripts/test/JS/JSTestIndexedSetterThrowingException.cpp (modified) (1 diff)
• Source/WebCore/bindings/scripts/test/JS/JSTestIndexedSetterThrowingException.h (modified) (1 diff)
• Source/WebCore/bindings/scripts/test/JS/JSTestIndexedSetterWithIdentifier.cpp (modified) (1 diff)
• Source/WebCore/bindings/scripts/test/JS/JSTestIndexedSetterWithIdentifier.h (modified) (1 diff)
• Source/WebCore/bindings/scripts/test/JS/JSTestInterface.h (modified) (1 diff)
• Source/WebCore/bindings/scripts/test/JS/JSTestNamedAndIndexedSetterNoIdentifier.cpp (modified) (1 diff)
• Source/WebCore/bindings/scripts/test/JS/JSTestNamedAndIndexedSetterNoIdentifier.h (modified) (1 diff)
• Source/WebCore/bindings/scripts/test/JS/JSTestNamedAndIndexedSetterThrowingException.cpp (modified) (1 diff)
• Source/WebCore/bindings/scripts/test/JS/JSTestNamedAndIndexedSetterThrowingException.h (modified) (1 diff)
• Source/WebCore/bindings/scripts/test/JS/JSTestNamedAndIndexedSetterWithIdentifier.cpp (modified) (1 diff)
• Source/WebCore/bindings/scripts/test/JS/JSTestNamedAndIndexedSetterWithIdentifier.h (modified) (1 diff)
• Source/WebCore/bindings/scripts/test/JS/JSTestNamedSetterNoIdentifier.cpp (modified) (1 diff)
• Source/WebCore/bindings/scripts/test/JS/JSTestNamedSetterNoIdentifier.h (modified) (1 diff)
• Source/WebCore/bindings/scripts/test/JS/JSTestNamedSetterThrowingException.cpp (modified) (1 diff)
• Source/WebCore/bindings/scripts/test/JS/JSTestNamedSetterThrowingException.h (modified) (1 diff)
• Source/WebCore/bindings/scripts/test/JS/JSTestNamedSetterWithIdentifier.cpp (modified) (1 diff)
• Source/WebCore/bindings/scripts/test/JS/JSTestNamedSetterWithIdentifier.h (modified) (1 diff)
• Source/WebCore/bindings/scripts/test/JS/JSTestNamedSetterWithIndexedGetter.cpp (modified) (1 diff)
• Source/WebCore/bindings/scripts/test/JS/JSTestNamedSetterWithIndexedGetter.h (modified) (1 diff)
• Source/WebCore/bindings/scripts/test/JS/JSTestNamedSetterWithIndexedGetterAndSetter.cpp (modified) (1 diff)
• Source/WebCore/bindings/scripts/test/JS/JSTestNamedSetterWithIndexedGetterAndSetter.h (modified) (1 diff)
• Source/WebCore/bindings/scripts/test/JS/JSTestNamedSetterWithLegacyOverrideBuiltIns.cpp (modified) (1 diff)
• Source/WebCore/bindings/scripts/test/JS/JSTestNamedSetterWithLegacyOverrideBuiltIns.h (modified) (1 diff)
• Source/WebCore/bindings/scripts/test/JS/JSTestNamedSetterWithLegacyUnforgeableProperties.cpp (modified) (1 diff)
• Source/WebCore/bindings/scripts/test/JS/JSTestNamedSetterWithLegacyUnforgeableProperties.h (modified) (1 diff)
• Source/WebCore/bindings/scripts/test/JS/JSTestNamedSetterWithLegacyUnforgeablePropertiesAndLegacyOverrideBuiltIns.cpp (modified) (1 diff)
• Source/WebCore/bindings/scripts/test/JS/JSTestNamedSetterWithLegacyUnforgeablePropertiesAndLegacyOverrideBuiltIns.h (modified) (1 diff)
• Source/WebCore/bindings/scripts/test/JS/JSTestPluginInterface.cpp (modified) (1 diff)
• Source/WebCore/bindings/scripts/test/JS/JSTestPluginInterface.h (modified) (1 diff)
• Source/WebCore/bridge/objc/objc_runtime.h (modified) (1 diff)
• Source/WebCore/bridge/runtime_array.h (modified) (1 diff)
• Source/WebCore/bridge/runtime_object.h (modified) (1 diff)
• Source/WebKit/ChangeLog (modified) (1 diff)
• Source/WebKit/WebProcess/Plugins/Netscape/JSNPObject.h (modified) (1 diff)

trunk/JSTests/ChangeLog

@@ +1 @@
+2021-06-07  Alexey Shvayka  <shvaikalesh@gmail.com>
+
+        Unreviewed, reland r276592 with a fix for put() override in prototype chain of a JSProxy
+        https://bugs.webkit.org/show_bug.cgi?id=226185
+
+        * microbenchmarks/put-slow-no-cache-array.js: Added.
+        * microbenchmarks/put-slow-no-cache-function.js: Added.
+        * microbenchmarks/put-slow-no-cache-js-proxy.js: Added.
+        * microbenchmarks/put-slow-no-cache-long-prototype-chain.js: Added.
+        * microbenchmarks/put-slow-no-cache.js: Added.
+        * microbenchmarks/reflect-set-with-receiver.js: Added.
+        * stress/custom-get-set-proto-chain-put.js:
+        * stress/module-namespace-access-set-fails.js: Added.
+        * stress/put-non-reified-static-accessor-or-custom.js: Added.
+        * stress/put-non-reified-static-function-or-custom.js: Added.
+        * stress/put-to-primitive-non-reified-static-custom.js: Added.
+        * stress/put-to-primitive.js: Added.
+        * stress/put-to-proto-chain-overrides-put.js:
+        Rework to always test new objects, add JSProxy coverage, and assert that receiver has own property.
+
+        * stress/typed-array-canonical-numeric-index-string-set.js: Added.
+
 2021-06-07  Saam Barati  <sbarati@apple.com>
 

trunk/JSTests/stress/custom-get-set-proto-chain-put.js

@@ -38 +38 @@
         Object.create(customTestGetterSetter),
         Object.create(Object.create(customTestGetterSetter)),
-        // FIXME: ordinarySetSlow() should handle Custom{Accessor,Value} descriptors.
-        // new Proxy(customTestGetterSetter, {}),
+        Object.create(new Proxy(customTestGetterSetter, {})),
+        Object.create($vm.createProxy(customTestGetterSetter)),
     ];
 }
@@ -86 +86 @@
 
 // CustomValue: setter returns |false|
+// FIXME: Once legacy RegExp features are implemented, there would be no use case for calling CustomValue setter if receiver is altered.
 (() => {
     for (let base of getBases()) {
         for (let i = 0; i < 100; ++i)
             base.customValue = 1;
-        // This is weird, but it isn't exposed to userland code:
         assert(!base.hasOwnProperty("customValue"));
-        assert(!Reflect.set(Object(base), "customValue", 1));
+        assert(Reflect.set(Object(base), "customValue", 1));
     }
 })();

trunk/LayoutTests/ChangeLog

@@ +1 @@
+2021-06-07  Alexey Shvayka  <shvaikalesh@gmail.com>
+
+        Unreviewed, reland r276592 with a fix for put() override in prototype chain of a JSProxy
+        https://bugs.webkit.org/show_bug.cgi?id=226185
+
+        * http/tests/security/cross-frame-access-object-getPrototypeOf-in-put-expected.txt:
+        * http/tests/security/cross-frame-access-object-getPrototypeOf-in-put.html:
+        * js/dom/reflect-set-onto-dom-expected.txt:
+        * js/dom/script-tests/reflect-set-onto-dom.js:
+
 2021-06-07  Alexey Shvayka  <shvaikalesh@gmail.com>
 

trunk/LayoutTests/http/tests/security/cross-frame-access-object-getPrototypeOf-in-put-expected.txt

@@ -1 +1 @@
 This tests that you can't get the prototype of the window during [[Put]] operation.
 
+PASS array.cocoa = cocoaValue threw exception SecurityError: Blocked a frame with origin "http://127.0.0.1:8000" from accessing a cross-origin frame. Protocols, domains, and ports must match..
+PASS 'str'.cocoa = cocoaValue threw exception SecurityError: Blocked a frame with origin "http://127.0.0.1:8000" from accessing a cross-origin frame. Protocols, domains, and ports must match..
 PASS: successfullyParsed should be 'true' and is.
 

trunk/LayoutTests/http/tests/security/cross-frame-access-object-getPrototypeOf-in-put.html

@@ -16 +16 @@
         {
             targetWindow = document.getElementById("target").contentWindow;
-            var array = [];
+            array = [];
             array.__proto__.__proto__ = targetWindow;
             array[0] = 11.11;
@@ -25 +25 @@
                 }
             };
-            array["cocoa"] = {
+            cocoaValue = {
                 toString() {
                     testFailed("toString is called by cocoa setter");
                 }
             };
+            shouldThrowErrorName("array.cocoa = cocoaValue", "SecurityError");
+
+            Object.setPrototypeOf(String.prototype, targetWindow);
+            shouldThrowErrorName("'str'.cocoa = cocoaValue", "SecurityError");
             finishJSTest();
         }

trunk/LayoutTests/imported/w3c/ChangeLog

@@ +1 @@
+2021-06-07  Alexey Shvayka  <shvaikalesh@gmail.com>
+
+        Unreviewed, reland r276592 with a fix for put() override in prototype chain of a JSProxy
+        https://bugs.webkit.org/show_bug.cgi?id=226185
+
+        * web-platform-tests/WebIDL/ecmascript-binding/global-object-implicit-this-value.any-expected.txt:
+        * web-platform-tests/WebIDL/ecmascript-binding/interface-object-set-receiver-expected.txt: Added.
+        * web-platform-tests/WebIDL/ecmascript-binding/interface-object-set-receiver.html: Added.
+        * web-platform-tests/WebIDL/ecmascript-binding/interface-prototype-constructor-set-receiver-expected.txt:
+        * web-platform-tests/WebIDL/ecmascript-binding/interface-prototype-constructor-set-receiver.html:
+
 2021-06-07  Alexey Shvayka  <shvaikalesh@gmail.com>
 

trunk/LayoutTests/imported/w3c/web-platform-tests/WebIDL/ecmascript-binding/global-object-implicit-this-value.any-expected.txt

@@ -1 +1 @@
 
 PASS Global object's getter throws when called on incompatible object
-FAIL Global object's setter throws when called on incompatible object assert_throws_js: function "() => { Object.create(globalThis).origin = origin; }" did not throw
+PASS Global object's setter throws when called on incompatible object
 PASS Global object's operation throws when called on incompatible object
 PASS Global object's getter throws when called on incompatible object (document.all)

trunk/LayoutTests/imported/w3c/web-platform-tests/WebIDL/ecmascript-binding/interface-prototype-constructor-set-receiver-expected.txt

@@ -1 +1 @@
 
-PASS Window, Location, Navigator, HTMLDocument, and HTMLHeadElement
-PASS All window.* constructors
+PASS Direct [[Set]] preserves [[Enumerable]]: false property attribute
+PASS Prototype chain [[Set]] creates property on receiver
 

trunk/LayoutTests/imported/w3c/web-platform-tests/WebIDL/ecmascript-binding/interface-prototype-constructor-set-receiver.html

@@ -7 +7 @@
 <script>
 "use strict";
+const testValue = Object.freeze(function() {});
 
 test(() => {
-  window.constructor = null;
+  Location.prototype.constructor = testValue;
+  assert_false(Location.prototype.propertyIsEnumerable("constructor"));
+
+  HTMLDocument.prototype.constructor = testValue;
+  assert_false(HTMLDocument.prototype.propertyIsEnumerable("constructor"));
+
+  HTMLDivElement.prototype.constructor = testValue;
+  assert_false(HTMLDivElement.prototype.propertyIsEnumerable("constructor"));
+}, "Direct [[Set]] preserves [[Enumerable]]: false property attribute");
+
+test(() => {
+  window.constructor = testValue;
+  assert_equals(window.constructor, testValue);
   assert_equals(Window.prototype.constructor, Window);
 
-  location.constructor = false;
-  assert_equals(Location.prototype.constructor, Location);
-
-  navigator.constructor = 1;
+  navigator.constructor = testValue;
+  assert_equals(navigator.constructor, testValue);
   assert_equals(Navigator.prototype.constructor, Navigator);
 
-  document.constructor = {};
-  assert_equals(HTMLDocument.prototype.constructor, HTMLDocument);
-
-  document.head.constructor = [];
-  assert_equals(HTMLHeadElement.prototype.constructor, HTMLHeadElement);
-}, "Window, Location, Navigator, HTMLDocument, and HTMLHeadElement");
-
-test(() => {
-  for (let key of Object.getOwnPropertyNames(window)) {
-    if (!/^[A-Z]/.test(key)) continue;
-
-    let desc = Object.getOwnPropertyDescriptor(window, key);
-    if (!desc || desc.enumerable) continue;
-    let {value} = desc;
-    if (typeof value !== "function") continue;
-    let {prototype} = value;
-    if (!prototype) continue;
-
-    let heir = Object.create(prototype);
-    let newConstructor = function() {};
-    heir.constructor = newConstructor;
-
-    assert_not_equals(prototype.constructor, newConstructor, key);
-    assert_own_property(heir, "constructor", key);
-    assert_equals(heir.constructor, newConstructor, key);
-  }
-}, "All window.* constructors");
+  const span = document.createElement("span");
+  span.constructor = testValue;
+  assert_equals(span.constructor, testValue);
+  assert_equals(HTMLSpanElement.prototype.constructor, HTMLSpanElement);
+}, "Prototype chain [[Set]] creates property on receiver");
 </script>

trunk/LayoutTests/js/dom/reflect-set-onto-dom-expected.txt

@@ -94 +94 @@
 PASS Reflect.set(document.body.dataset, 0, "sweet") is true
 PASS Reflect.get(document.body.dataset, 0) is "sweet"
-DOMStringMap ignores the receiver. These putDelegate only work with ::put (not ::defineOwnProperty). So they behave as the special setter, we should not fallback to the OrdinarySet.
+DOMStringMap falls back to OrdinarySet if receiver is altered.
 PASS Reflect.set(document.body.dataset, "cocoa", "ok", receiver) is true
-PASS Reflect.get(document.body.dataset, "cocoa") is "ok"
-PASS Reflect.get(receiver, "cocoa") is undefined
+PASS Reflect.get(document.body.dataset, "cocoa") is "sweet"
+PASS Reflect.get(receiver, "cocoa") is "ok"
 PASS Reflect.set(document.body.dataset, 0, "ok", receiver) is true
-PASS Reflect.get(document.body.dataset, 0) is "ok"
-PASS Reflect.get(receiver, 0) is undefined
+PASS Reflect.get(document.body.dataset, 0) is "sweet"
+PASS Reflect.get(receiver, 0) is "ok"
 CustomIndexedSetter
 PASS Reflect.get(select, 0).value is "cocoa"
@@ -112 +112 @@
 PASS Reflect.get(select, 44).value is "kilimanjaro"
 PASS Reflect.set(select, 20, "Kilimanjaro") threw exception TypeError: Type error.
-CustomIndexedSetter ignores the receiver. These methods only work with ::put (not ::defineOwnProperty). So they behave as the special setter, we should not fallback to the OrdinarySet.
+CustomIndexedSetter falls back to OrdinarySet if receiver is altered.
 PASS Reflect.set(select, 0, option3, receiver) is true
-PASS Reflect.get(receiver, 0) is undefined
-PASS Reflect.get(select, 0) is option3
+PASS Reflect.get(receiver, 0) is option3
+PASS Reflect.get(select, 0) is select.children[0]
 PASS successfullyParsed is true
 

trunk/LayoutTests/js/dom/script-tests/reflect-set-onto-dom.js

@@ -117 +117 @@
 shouldBe(`Reflect.get(document.body.dataset, 0)`, `"sweet"`);
 
-debug("DOMStringMap ignores the receiver. These putDelegate only work with ::put (not ::defineOwnProperty). So they behave as the special setter, we should not fallback to the OrdinarySet.");
+debug("DOMStringMap falls back to OrdinarySet if receiver is altered.");
 var receiver = {};
 shouldBe(`Reflect.set(document.body.dataset, "cocoa", "ok", receiver)`, `true`);
-shouldBe(`Reflect.get(document.body.dataset, "cocoa")`, `"ok"`);
-shouldBe(`Reflect.get(receiver, "cocoa")`, `undefined`);
+shouldBe(`Reflect.get(document.body.dataset, "cocoa")`, `"sweet"`);
+shouldBe(`Reflect.get(receiver, "cocoa")`, `"ok"`);
 var receiver = {};
 shouldBe(`Reflect.set(document.body.dataset, 0, "ok", receiver)`, `true`);
-shouldBe(`Reflect.get(document.body.dataset, 0)`, `"ok"`);
-shouldBe(`Reflect.get(receiver, 0)`, `undefined`);
+shouldBe(`Reflect.get(document.body.dataset, 0)`, `"sweet"`);
+shouldBe(`Reflect.get(receiver, 0)`, `"ok"`);
 
 debug("CustomIndexedSetter");
@@ -147 +147 @@
 shouldThrow(`Reflect.set(select, 20, "Kilimanjaro")`);
 
-debug("CustomIndexedSetter ignores the receiver. These methods only work with ::put (not ::defineOwnProperty). So they behave as the special setter, we should not fallback to the OrdinarySet.");
+debug("CustomIndexedSetter falls back to OrdinarySet if receiver is altered.");
 var option3 = document.createElement("option");
 option3.value = "rabbit";
@@ -153 +153 @@
 var receiver = {};
 shouldBe(`Reflect.set(select, 0, option3, receiver)`, `true`);
-shouldBe(`Reflect.get(receiver, 0)`, `undefined`);
-shouldBe(`Reflect.get(select, 0)`, `option3`);
+shouldBe(`Reflect.get(receiver, 0)`, `option3`);
+shouldBe(`Reflect.get(select, 0)`, `select.children[0]`);

trunk/Source/JavaScriptCore/API/JSCallbackObject.h

@@ -130 +130 @@
 public:
     using Base = Parent;
-    static constexpr unsigned StructureFlags = Base::StructureFlags | OverridesGetOwnPropertySlot | OverridesGetOwnSpecialPropertyNames | OverridesGetCallData | InterceptsGetOwnPropertySlotByIndexEvenWhenLengthIsNotZero | ImplementsHasInstance | ProhibitsPropertyCaching | GetOwnPropertySlotMayBeWrongAboutDontEnum;
+    static constexpr unsigned StructureFlags = Base::StructureFlags | OverridesGetOwnPropertySlot | OverridesGetOwnSpecialPropertyNames | OverridesGetCallData | OverridesPut | InterceptsGetOwnPropertySlotByIndexEvenWhenLengthIsNotZero | ImplementsHasInstance | ProhibitsPropertyCaching | GetOwnPropertySlotMayBeWrongAboutDontEnum;
     static_assert(!(StructureFlags & ImplementsDefaultHasInstance), "using customHasInstance");
 

trunk/Source/JavaScriptCore/API/JSCallbackObjectFunctions.h

@@ -272 +272 @@
     RefPtr<OpaqueJSString> propertyNameRef;
     JSValueRef valueRef = toRef(globalObject, value);
+
+    if (UNLIKELY(isThisValueAltered(slot, thisObject)))
+        RELEASE_AND_RETURN(scope, Parent::put(thisObject, globalObject, propertyName, value, slot));
     
     if (StringImpl* name = propertyName.uid()) {

trunk/Source/JavaScriptCore/API/tests/testapiScripts/testapi.js

@@ -247 +247 @@
 shouldBe("MyObject[Symbol.toPrimitive]('bar')", null);
 
+var MyObjectHeir = Object.create(MyObject);
+MyObjectHeir.throwOnSet = 22;
+var MyObjectHeirThrowOnSetDescriptor = Object.getOwnPropertyDescriptor(MyObjectHeir, "throwOnSet");
+shouldBe("typeof MyObjectHeirThrowOnSetDescriptor", "object");
+shouldBe("MyObjectHeirThrowOnSetDescriptor.value", 22);
+shouldBe("MyObjectHeirThrowOnSetDescriptor.writable", true);
+shouldBe("MyObjectHeirThrowOnSetDescriptor.enumerable", true);
+shouldBe("MyObjectHeirThrowOnSetDescriptor.configurable", true);
+shouldThrow("MyObject.throwOnSet = 22");
+
 derived = new Derived();
 

trunk/Source/JavaScriptCore/ChangeLog

@@ +1 @@
+2021-06-07  Alexey Shvayka  <shvaikalesh@gmail.com>
+
+        Unreviewed, reland r276592 with a fix for put() override in prototype chain of a JSProxy
+        https://bugs.webkit.org/show_bug.cgi?id=226185
+
+        The API test added in r278366 revealed a flaw in JSObject::definePropertyOnReceiver()
+        that caused putDirectInternal() to be performed on a JSProxy instead of it's target.
+        Remedies that via a type check, ensuring the test and iOS apps are functional.
+
+        The issue was originally missed because the prototype chain of a global object is immutable
+        and none of the global object's prototypes override put(). OpaqueJSClass::prototype() sets
+        the [[Prototype]] directly, ignoring the IsImmutablePrototypeExoticObject type info flag.
+
+        Also, excludes an invariant from the original patch that required put() to be overriden
+        when implementing custom [[DefineOwnProperty]]. It is now broken by WindowProperties object.
+
+        * API/JSCallbackObject.h:
+        * API/JSCallbackObjectFunctions.h:
+        (JSC::JSCallbackObject<Parent>::put):
+        * API/tests/testapiScripts/testapi.js:
+        * debugger/DebuggerScope.h:
+        * runtime/ClassInfo.h:
+        * runtime/ClonedArguments.h:
+        * runtime/CustomGetterSetter.cpp:
+        (JSC::callCustomSetter): Deleted.
+        * runtime/CustomGetterSetter.h:
+        * runtime/ErrorConstructor.h:
+        * runtime/ErrorInstance.h:
+        * runtime/GenericArguments.h:
+        * runtime/GenericArgumentsInlines.h:
+        (JSC::GenericArguments<Type>::put):
+        * runtime/GetterSetter.h:
+        * runtime/JSArray.cpp:
+        (JSC::JSArray::put):
+        * runtime/JSArray.h:
+        * runtime/JSArrayBufferView.cpp:
+        (JSC::JSArrayBufferView::put): Deleted.
+        * runtime/JSArrayBufferView.h:
+        * runtime/JSCJSValue.cpp:
+        (JSC::JSValue::putToPrimitive):
+        * runtime/JSCell.cpp:
+        (JSC::JSCell::doPutPropertySecurityCheck): Deleted.
+        * runtime/JSCell.h:
+        * runtime/JSFunction.cpp:
+        (JSC::JSFunction::put):
+        * runtime/JSFunction.h:
+        * runtime/JSGenericTypedArrayView.h:
+        * runtime/JSGlobalLexicalEnvironment.h:
+        * runtime/JSGlobalObject.cpp:
+        (JSC::JSGlobalObject::put):
+        * runtime/JSGlobalObject.h:
+        * runtime/JSLexicalEnvironment.h:
+        * runtime/JSModuleEnvironment.h:
+        * runtime/JSModuleNamespaceObject.h:
+        * runtime/JSObject.cpp:
+        (JSC::JSObject::getOwnPropertySlot):
+        (JSC::JSObject::putInlineSlow):
+        (JSC::definePropertyOnReceiverSlow):
+        (JSC::JSObject::definePropertyOnReceiver):
+        (JSC::JSObject::putInlineFastReplacingStaticPropertyIfNeeded):
+        (JSC::JSObject::doPutPropertySecurityCheck): Deleted.
+        (JSC::JSObject::prototypeChainMayInterceptStoreTo): Deleted.
+        * runtime/JSObject.h:
+        (JSC::JSObject::putByIndexInline):
+        (JSC::JSObject::hasNonReifiedStaticProperties):
+        (JSC::JSObject::getOwnPropertySlot):
+        (JSC::JSObject::putDirect):
+        (JSC::JSObject::doPutPropertySecurityCheck): Deleted.
+        * runtime/JSObjectInlines.h:
+        (JSC::JSObject::canPerformFastPutInlineExcludingProto):
+        (JSC::JSObject::putInlineForJSObject):
+        (JSC::JSObject::putInlineFast):
+        (JSC::JSObject::putDirectInternal):
+        * runtime/JSProxy.h:
+        * runtime/JSTypeInfo.h:
+        (JSC::TypeInfo::hasStaticPropertyTable const):
+        (JSC::TypeInfo::overridesPut const):
+        (JSC::TypeInfo::getOwnPropertySlotMayBeWrongAboutDontEnum const):
+        (JSC::TypeInfo::hasPutPropertySecurityCheck const): Deleted.
+        * runtime/Lookup.h:
+        (JSC::putEntry): Deleted.
+        (JSC::lookupPut): Deleted.
+        * runtime/PropertySlot.h:
+        * runtime/ProxyObject.cpp:
+        (JSC::ProxyObject::put):
+        * runtime/ProxyObject.h:
+        * runtime/PutPropertySlot.h:
+        (JSC::PutPropertySlot::PutPropertySlot):
+        (JSC::PutPropertySlot::context const):
+        (JSC::PutPropertySlot::isTaintedByOpaqueObject const):
+        (JSC::PutPropertySlot::setIsTaintedByOpaqueObject):
+        * runtime/ReflectObject.cpp:
+        (JSC::JSC_DEFINE_HOST_FUNCTION):
+        * runtime/RegExpObject.cpp:
+        (JSC::RegExpObject::put):
+        * runtime/RegExpObject.h:
+        * runtime/StringObject.cpp:
+        (JSC::StringObject::put):
+        * runtime/StringObject.h:
+        * runtime/StringPrototype.cpp:
+        (JSC::StringPrototype::finishCreation):
+        (JSC::StringPrototype::create):
+        * runtime/StringPrototype.h:
+        * runtime/Structure.cpp:
+        (JSC::Structure::validateFlags):
+        * runtime/Structure.h:
+        (JSC::Structure::hasNonReifiedStaticProperties const):
+        * tools/JSDollarVM.cpp:
+
 2021-06-07  Alexey Shvayka  <shvaikalesh@gmail.com>
 

trunk/Source/JavaScriptCore/debugger/DebuggerScope.h

@@ -37 +37 @@
 public:
     using Base = JSNonFinalObject;
-    static constexpr unsigned StructureFlags = Base::StructureFlags | OverridesGetOwnPropertySlot | OverridesGetOwnPropertyNames;
+    static constexpr unsigned StructureFlags = Base::StructureFlags | OverridesGetOwnPropertySlot | OverridesGetOwnPropertyNames | OverridesPut;
 
     template<typename CellType, SubspaceAccess mode>

trunk/Source/JavaScriptCore/runtime/ClassInfo.h

@@ -68 +68 @@
     using GetOwnPropertySlotByIndexFunctionPtr = bool (*)(JSObject*, JSGlobalObject*, unsigned, PropertySlot&);
     GetOwnPropertySlotByIndexFunctionPtr METHOD_TABLE_ENTRY(getOwnPropertySlotByIndex);
-
-    using DoPutPropertySecurityCheckFunctionPtr = void (*)(JSObject*, JSGlobalObject*, PropertyName, PutPropertySlot&);
-    DoPutPropertySecurityCheckFunctionPtr METHOD_TABLE_ENTRY(doPutPropertySecurityCheck);
 
     using ToThisFunctionPtr = JSValue (*)(JSCell*, JSGlobalObject*, ECMAMode);
@@ -156 +153 @@
         &ClassName::getOwnPropertySlot, \
         &ClassName::getOwnPropertySlotByIndex, \
-        &ClassName::doPutPropertySecurityCheck, \
         &ClassName::toThis, \
         &ClassName::getOwnPropertyNames, \

trunk/Source/JavaScriptCore/runtime/ClonedArguments.h

@@ -41 +41 @@
 public:
     using Base = JSNonFinalObject;
-    static constexpr unsigned StructureFlags = Base::StructureFlags | OverridesGetOwnPropertySlot | OverridesGetOwnSpecialPropertyNames;
+    static constexpr unsigned StructureFlags = Base::StructureFlags | OverridesGetOwnPropertySlot | OverridesGetOwnSpecialPropertyNames | OverridesPut;
 
     template<typename CellType, SubspaceAccess mode>

trunk/Source/JavaScriptCore/runtime/CustomGetterSetter.cpp

@@ -27 +27 @@
 #include "CustomGetterSetter.h"
 
-#include "JSCJSValueInlines.h"
-#include <wtf/Assertions.h>
-
 namespace JSC {
 
@@ -36 +33 @@
 const ClassInfo CustomGetterSetter::s_info = { "CustomGetterSetter", nullptr, nullptr, nullptr, CREATE_METHOD_TABLE(CustomGetterSetter) };
 
-TriState callCustomSetter(JSGlobalObject* globalObject, CustomGetterSetter::CustomSetter setter, bool isAccessor, JSObject* slotBase, JSValue thisValue, JSValue value, PropertyName propertyName)
-{
-    if (isAccessor) {
-        if (!setter)
-            return TriState::False;
-        setter(globalObject, JSValue::encode(thisValue), JSValue::encode(value), propertyName);
-        // Always return true if there is a setter and it is observed as an accessor to users.
-        return TriState::True;
-    }
-
-    if (!setter)
-        return TriState::Indeterminate;
-    return triState(setter(globalObject, JSValue::encode(slotBase), JSValue::encode(value), propertyName));
-}
-
 } // namespace JSC

trunk/Source/JavaScriptCore/runtime/CustomGetterSetter.h

@@ -77 +77 @@
 };
 
-JS_EXPORT_PRIVATE TriState callCustomSetter(JSGlobalObject*, CustomGetterSetter::CustomSetter, bool isAccessor, JSObject* slotBase, JSValue thisValue, JSValue, PropertyName);
-
 } // namespace JSC

trunk/Source/JavaScriptCore/runtime/ErrorConstructor.h

@@ -31 +31 @@
 public:
     using Base = InternalFunction;
+    static constexpr unsigned StructureFlags = Base::StructureFlags | OverridesPut;
 
     static ErrorConstructor* create(VM& vm, Structure* structure, ErrorPrototype* errorPrototype, GetterSetter*)

trunk/Source/JavaScriptCore/runtime/ErrorInstance.h

@@ -31 +31 @@
 public:
     using Base = JSNonFinalObject;
-    static constexpr unsigned StructureFlags = Base::StructureFlags | OverridesGetOwnPropertySlot | OverridesGetOwnSpecialPropertyNames;
+    static constexpr unsigned StructureFlags = Base::StructureFlags | OverridesGetOwnPropertySlot | OverridesGetOwnSpecialPropertyNames | OverridesPut;
     static constexpr bool needsDestruction = true;
 

trunk/Source/JavaScriptCore/runtime/GenericArguments.h

@@ -37 +37 @@
 public:
     typedef JSNonFinalObject Base;
-    static constexpr unsigned StructureFlags = Base::StructureFlags | OverridesGetOwnPropertySlot | OverridesGetOwnPropertyNames | InterceptsGetOwnPropertySlotByIndexEvenWhenLengthIsNotZero;
+    static constexpr unsigned StructureFlags = Base::StructureFlags | OverridesGetOwnPropertySlot | OverridesGetOwnPropertyNames | OverridesPut | InterceptsGetOwnPropertySlotByIndexEvenWhenLengthIsNotZero;
 
 protected:

trunk/Source/JavaScriptCore/runtime/GenericArgumentsInlines.h

@@ -135 +135 @@
     // https://tc39.github.io/ecma262/#sec-arguments-exotic-objects-set-p-v-receiver
     // Fall back to the OrdinarySet when the receiver is altered from the thisObject.
-    if (UNLIKELY(isThisValueAltered(slot, thisObject)))
-        RELEASE_AND_RETURN(scope, ordinarySetSlow(globalObject, thisObject, ident, value, slot.thisValue(), slot.isStrictMode()));
+    if (UNLIKELY(slot.thisValue() != thisObject))
+        RELEASE_AND_RETURN(scope, Base::put(thisObject, globalObject, ident, value, slot));
     
     std::optional<uint32_t> index = parseIndex(ident);
@@ -144 +144 @@
     }
 
-    auto result = Base::put(thisObject, globalObject, ident, value, slot);
-    RETURN_IF_EXCEPTION(scope, false);
-    RELEASE_AND_RETURN(scope, result);
+    RELEASE_AND_RETURN(scope, Base::put(thisObject, globalObject, ident, value, slot));
 }
 

trunk/Source/JavaScriptCore/runtime/GetterSetter.h

@@ -55 +55 @@
 public:
 
-    static constexpr unsigned StructureFlags = Base::StructureFlags | OverridesGetOwnPropertySlot | StructureIsImmortal;
+    static constexpr unsigned StructureFlags = Base::StructureFlags | OverridesGetOwnPropertySlot | OverridesPut | StructureIsImmortal;
 
     template<typename CellType, SubspaceAccess>

trunk/Source/JavaScriptCore/runtime/JSArray.cpp

@@ -239 +239 @@
 
     JSArray* thisObject = jsCast<JSArray*>(cell);
-
-    if (UNLIKELY(isThisValueAltered(slot, thisObject)))
-        RELEASE_AND_RETURN(scope, ordinarySetSlow(globalObject, thisObject, propertyName, value, slot.thisValue(), slot.isStrictMode()));
-
     thisObject->ensureWritable(vm);
 
@@ -251 +247 @@
             return false;
         }
+
+        if (UNLIKELY(slot.thisValue() != thisObject))
+            RELEASE_AND_RETURN(scope, JSObject::definePropertyOnReceiver(globalObject, propertyName, value, slot));
 
         unsigned newLength = value.toUInt32(globalObject);

trunk/Source/JavaScriptCore/runtime/JSArray.h

@@ -41 +41 @@
 public:
     typedef JSNonFinalObject Base;
-    static constexpr unsigned StructureFlags = Base::StructureFlags | OverridesGetOwnPropertySlot | OverridesGetOwnSpecialPropertyNames;
+    static constexpr unsigned StructureFlags = Base::StructureFlags | OverridesGetOwnPropertySlot | OverridesGetOwnSpecialPropertyNames | OverridesPut;
 
     static size_t allocationSize(Checked<size_t> inlineCapacity)

trunk/Source/JavaScriptCore/runtime/JSArrayBufferView.cpp

@@ -173 +173 @@
 DEFINE_VISIT_CHILDREN(JSArrayBufferView);
 
-bool JSArrayBufferView::put(
-    JSCell* cell, JSGlobalObject* globalObject, PropertyName propertyName, JSValue value,
-    PutPropertySlot& slot)
-{
-    JSArrayBufferView* thisObject = jsCast<JSArrayBufferView*>(cell);
-
-    if (UNLIKELY(isThisValueAltered(slot, thisObject)))
-        return ordinarySetSlow(globalObject, thisObject, propertyName, value, slot.thisValue(), slot.isStrictMode());
-    
-    return Base::put(thisObject, globalObject, propertyName, value, slot);
-}
-
 ArrayBuffer* JSArrayBufferView::unsharedBuffer()
 {

trunk/Source/JavaScriptCore/runtime/JSArrayBufferView.h

@@ -170 +170 @@
     JS_EXPORT_PRIVATE JSArrayBufferView(VM&, ConstructionContext&);
     JS_EXPORT_PRIVATE void finishCreation(VM&);
-    
-    static bool put(JSCell*, JSGlobalObject*, PropertyName, JSValue, PutPropertySlot&);
 
     DECLARE_VISIT_CHILDREN;

trunk/Source/JavaScriptCore/runtime/JSCJSValue.cpp

@@ -213 +213 @@
 }
 
-// ECMA 8.7.2
+// https://tc39.es/ecma262/#sec-ordinaryset
 bool JSValue::putToPrimitive(JSGlobalObject* globalObject, PropertyName propertyName, JSValue value, PutPropertySlot& slot)
 {
@@ -222 +222 @@
         RELEASE_AND_RETURN(scope, putToPrimitiveByIndex(globalObject, index.value(), value, slot.isStrictMode()));
 
+    if (isString() && propertyName.uid() == vm.propertyNames->length.impl())
+        return typeError(globalObject, scope, slot.isStrictMode(), ReadonlyPropertyWriteError);
     // Check if there are any setters or getters in the prototype chain
     JSObject* obj = synthesizePrototype(globalObject);
@@ -227 +229 @@
     if (UNLIKELY(!obj))
         return false;
-    JSValue prototype;
-    if (propertyName != vm.propertyNames->underscoreProto) {
-        while (true) {
-            Structure* structure = obj->structure(vm);
-            if (structure->hasReadOnlyOrGetterSetterPropertiesExcludingProto() || structure->typeInfo().hasPutPropertySecurityCheck())
-                break;
-            if (obj->type() == ProxyObjectType) {
-                auto* proxy = jsCast<ProxyObject*>(obj);
-                RELEASE_AND_RETURN(scope, proxy->ProxyObject::put(proxy, globalObject, propertyName, value, slot));
-            }
-            prototype = obj->getPrototype(vm, globalObject);
-            RETURN_IF_EXCEPTION(scope, false);
-
-            if (prototype.isNull())
-                return typeError(globalObject, scope, slot.isStrictMode(), ReadonlyPropertyWriteError);
-            obj = asObject(prototype);
-        }
-    }
-
-    for (; ; obj = asObject(prototype)) {
-        Structure* structure = obj->structure(vm);
-        if (UNLIKELY(structure->typeInfo().hasPutPropertySecurityCheck())) {
-            obj->methodTable(vm)->doPutPropertySecurityCheck(obj, globalObject, propertyName, slot);
-            RETURN_IF_EXCEPTION(scope, false);
-        }
-        unsigned attributes;
-        PropertyOffset offset = structure->get(vm, propertyName, attributes);
-        if (offset != invalidOffset) {
-            if (attributes & PropertyAttribute::ReadOnly)
-                return typeError(globalObject, scope, slot.isStrictMode(), ReadonlyPropertyWriteError);
-
-            JSValue gs = obj->getDirect(offset);
-            if (gs.isGetterSetter())
-                RELEASE_AND_RETURN(scope, jsCast<GetterSetter*>(gs)->callSetter(globalObject, *this, value, slot.isStrictMode()));
-
-            if (gs.isCustomGetterSetter()) {
-                auto setter = jsCast<CustomGetterSetter*>(gs.asCell())->setter();
-                bool isAccessor = attributes & PropertyAttribute::CustomAccessor;
-                auto result = callCustomSetter(globalObject, setter, isAccessor, obj, slot.thisValue(), value, propertyName);
-                if (result != TriState::Indeterminate)
-                    RELEASE_AND_RETURN(scope, result == TriState::True);
-            }
-
-            // If there's an existing property on the object or one of its 
-            // prototypes it should be replaced, so break here.
-            break;
-        }
-        if (obj->type() == ProxyObjectType) {
-            auto* proxy = jsCast<ProxyObject*>(obj);
-            RELEASE_AND_RETURN(scope, proxy->ProxyObject::put(proxy, globalObject, propertyName, value, slot));
-        }
-        prototype = obj->getPrototype(vm, globalObject);
-        RETURN_IF_EXCEPTION(scope, false);
-        if (prototype.isNull())
-            break;
-    }
-    
-    return typeError(globalObject, scope, slot.isStrictMode(), ReadonlyPropertyWriteError);
+    RELEASE_AND_RETURN(scope, obj->methodTable(vm)->put(obj, globalObject, propertyName, value, slot));
 }
 

trunk/Source/JavaScriptCore/runtime/JSCell.cpp

@@ -201 +201 @@
 }
 
-void JSCell::doPutPropertySecurityCheck(JSObject*, JSGlobalObject*, PropertyName, PutPropertySlot&)
-{
-    RELEASE_ASSERT_NOT_REACHED();
-}
-
 void JSCell::getOwnPropertyNames(JSObject*, JSGlobalObject*, PropertyNameArray&, DontEnumPropertiesMode)
 {

trunk/Source/JavaScriptCore/runtime/JSCell.h

@@ -258 +258 @@
     static bool getOwnPropertySlot(JSObject*, JSGlobalObject*, PropertyName, PropertySlot&);
     static bool getOwnPropertySlotByIndex(JSObject*, JSGlobalObject*, unsigned propertyName, PropertySlot&);
-    static NO_RETURN_DUE_TO_CRASH void doPutPropertySecurityCheck(JSObject*, JSGlobalObject*, PropertyName, PutPropertySlot&);
 
 private:

trunk/Source/JavaScriptCore/runtime/JSFunction.cpp

@@ -546 +546 @@
     }
 
-    if (UNLIKELY(isThisValueAltered(slot, thisObject)))
-        RELEASE_AND_RETURN(scope, ordinarySetSlow(globalObject, thisObject, propertyName, value, slot.thisValue(), slot.isStrictMode()));
-
-
     if (thisObject->isHostOrBuiltinFunction()) {
         PropertyStatus propertyType = thisObject->reifyLazyPropertyForHostOrBuiltinIfNeeded(vm, globalObject, propertyName);

trunk/Source/JavaScriptCore/runtime/JSFunction.h

@@ -71 +71 @@
     
     typedef JSCallee Base;
-    static constexpr unsigned StructureFlags = Base::StructureFlags | OverridesGetOwnPropertySlot | OverridesGetOwnSpecialPropertyNames | OverridesGetCallData;
+    static constexpr unsigned StructureFlags = Base::StructureFlags | OverridesGetOwnPropertySlot | OverridesGetOwnSpecialPropertyNames | OverridesGetCallData | OverridesPut;
 
     static size_t allocationSize(Checked<size_t> inlineCapacity)

trunk/Source/JavaScriptCore/runtime/JSGenericTypedArrayView.h

@@ -100 +100 @@
     static constexpr TypedArrayContentType contentType = Adaptor::contentType;
 
-    static constexpr unsigned StructureFlags = Base::StructureFlags | OverridesGetOwnPropertySlot | OverridesGetOwnPropertyNames | InterceptsGetOwnPropertySlotByIndexEvenWhenLengthIsNotZero;
+    static constexpr unsigned StructureFlags = Base::StructureFlags | OverridesGetOwnPropertySlot | OverridesGetOwnPropertyNames | OverridesPut | InterceptsGetOwnPropertySlotByIndexEvenWhenLengthIsNotZero;
 
     static constexpr unsigned elementSize = sizeof(typename Adaptor::Type);

trunk/Source/JavaScriptCore/runtime/JSGlobalLexicalEnvironment.h

@@ -34 +34 @@
     using Base = JSSegmentedVariableObject;
 
-    static constexpr unsigned StructureFlags = Base::StructureFlags | OverridesGetOwnPropertySlot;
+    static constexpr unsigned StructureFlags = Base::StructureFlags | OverridesGetOwnPropertySlot | OverridesPut;
 
     template<typename CellType, SubspaceAccess mode>

trunk/Source/JavaScriptCore/runtime/JSGlobalObject.cpp

@@ -1577 +1577 @@
     ASSERT(!Heap::heap(value) || Heap::heap(value) == Heap::heap(thisObject));
 
-    if (UNLIKELY(isThisValueAltered(slot, thisObject)))
-        RELEASE_AND_RETURN(scope, ordinarySetSlow(globalObject, thisObject, propertyName, value, slot.thisValue(), slot.isStrictMode()));
+    if (UNLIKELY(isThisValueAltered(slot, thisObject))) {
+        SymbolTableEntry::Fast entry = thisObject->symbolTable()->get(propertyName.uid());
+        if (!entry.isNull()) {
+            if (entry.isReadOnly())
+                return typeError(globalObject, scope, slot.isStrictMode(), ReadonlyPropertyWriteError);
+            RELEASE_AND_RETURN(scope, JSObject::definePropertyOnReceiver(globalObject, propertyName, value, slot));
+        }
+        RELEASE_AND_RETURN(scope, Base::put(thisObject, globalObject, propertyName, value, slot));
+    }
 
     bool shouldThrowReadOnlyError = slot.isStrictMode();

trunk/Source/JavaScriptCore/runtime/JSGlobalObject.h

@@ -597 +597 @@
 public:
     using Base = JSSegmentedVariableObject;
-    static constexpr unsigned StructureFlags = Base::StructureFlags | HasStaticPropertyTable | OverridesGetOwnPropertySlot | IsImmutablePrototypeExoticObject;
+    static constexpr unsigned StructureFlags = Base::StructureFlags | HasStaticPropertyTable | OverridesGetOwnPropertySlot | OverridesPut | IsImmutablePrototypeExoticObject;
 
     static constexpr bool needsDestruction = true;

trunk/Source/JavaScriptCore/runtime/JSLexicalEnvironment.h

@@ -49 +49 @@
 
     using Base = JSSymbolTableObject;
-    static constexpr unsigned StructureFlags = Base::StructureFlags | OverridesGetOwnPropertySlot | OverridesGetOwnSpecialPropertyNames;
+    static constexpr unsigned StructureFlags = Base::StructureFlags | OverridesGetOwnPropertySlot | OverridesGetOwnSpecialPropertyNames | OverridesPut;
 
     WriteBarrierBase<Unknown>* variables()

trunk/Source/JavaScriptCore/runtime/JSModuleEnvironment.h

@@ -41 +41 @@
 public:
     using Base = JSLexicalEnvironment;
-    static constexpr unsigned StructureFlags = Base::StructureFlags | OverridesGetOwnPropertySlot | OverridesGetOwnSpecialPropertyNames;
+    static constexpr unsigned StructureFlags = Base::StructureFlags | OverridesGetOwnPropertySlot | OverridesGetOwnSpecialPropertyNames | OverridesPut;
 
     static JSModuleEnvironment* create(VM& vm, JSGlobalObject* globalObject, JSScope* currentScope, SymbolTable* symbolTable, JSValue initialValue, AbstractModuleRecord* moduleRecord)

trunk/Source/JavaScriptCore/runtime/JSModuleNamespaceObject.h

@@ -35 +35 @@
 public:
     using Base = JSNonFinalObject;
-    static constexpr unsigned StructureFlags = Base::StructureFlags | OverridesGetOwnPropertySlot | OverridesGetOwnPropertyNames | InterceptsGetOwnPropertySlotByIndexEvenWhenLengthIsNotZero | GetOwnPropertySlotIsImpureForPropertyAbsence | IsImmutablePrototypeExoticObject;
+    static constexpr unsigned StructureFlags = Base::StructureFlags | OverridesGetOwnPropertySlot | OverridesGetOwnPropertyNames | OverridesPut | InterceptsGetOwnPropertySlotByIndexEvenWhenLengthIsNotZero | GetOwnPropertySlotIsImpureForPropertyAbsence | IsImmutablePrototypeExoticObject;
 
     static constexpr bool needsDestruction = true;

trunk/Source/JavaScriptCore/runtime/JSObject.cpp

@@ -647 +647 @@
     return getOwnPropertySlotImpl(object, globalObject, propertyName, slot);
 }
-
-void JSObject::doPutPropertySecurityCheck(JSObject*, JSGlobalObject*, PropertyName, PutPropertySlot&)
-{
-}
 #endif // ASSERT_ENABLED
 
@@ -759 +755 @@
 }
 
-// ECMA 8.6.2.2
+// https://tc39.es/ecma262/#sec-ordinaryset
 bool JSObject::put(JSCell* cell, JSGlobalObject* globalObject, PropertyName propertyName, JSValue value, PutPropertySlot& slot)
 {
@@ -767 +763 @@
 bool JSObject::putInlineSlow(JSGlobalObject* globalObject, PropertyName propertyName, JSValue value, PutPropertySlot& slot)
 {
-    ASSERT(!isThisValueAltered(slot, this));
+    ASSERT(!parseIndex(propertyName));
 
     VM& vm = globalObject->vm();
     auto scope = DECLARE_THROW_SCOPE(vm);
+
+    if (UNLIKELY(!vm.isSafeToRecurseSoft())) {
+        throwStackOverflowError(globalObject, scope);
+        return false;
+    }
 
     JSObject* obj = this;
     for (;;) {
         Structure* structure = obj->structure(vm);
-        if (UNLIKELY(structure->typeInfo().hasPutPropertySecurityCheck())) {
-            obj->methodTable(vm)->doPutPropertySecurityCheck(obj, globalObject, propertyName, slot);
-            RETURN_IF_EXCEPTION(scope, false);
-        }
+        if (obj != this && structure->typeInfo().overridesPut())
+            RELEASE_AND_RETURN(scope, obj->methodTable(vm)->put(obj, globalObject, propertyName, value, slot));
+
+        bool hasProperty = false;
         unsigned attributes;
+        PutPropertySlot::PutValueFunc customSetter = nullptr;
         PropertyOffset offset = structure->get(vm, propertyName, attributes);
         if (isValidOffset(offset)) {
-            if (attributes & PropertyAttribute::ReadOnly) {
-                ASSERT(this->prototypeChainMayInterceptStoreTo(vm, propertyName) || obj == this);
+            hasProperty = true;
+            if (attributes & PropertyAttribute::CustomAccessorOrValue)
+                customSetter = jsCast<CustomGetterSetter*>(obj->getDirect(offset))->setter();
+        } else if (structure->hasNonReifiedStaticProperties()) {
+            if (auto entry = structure->findPropertyHashEntry(propertyName)) {
+                hasProperty = true;
+                attributes = entry->value->attributes();
+
+                // FIXME: Remove this after writable accessors are introduced to static hash tables.
+                if (attributes & PropertyAttribute::Accessor)
+                    attributes |= PropertyAttribute::ReadOnly;
+                // FIXME: Remove this after we stop defaulting to CustomValue in static hash tables.
+                if (!(attributes & (PropertyAttribute::CustomAccessor | PropertyAttribute::BuiltinOrFunctionOrAccessorOrLazyPropertyOrConstant)))
+                    attributes |= PropertyAttribute::CustomValue;
+
+                if (attributes & PropertyAttribute::CustomAccessorOrValue)
+                    customSetter = entry->value->propertyPutter();
+            }
+        }
+
+        if (hasProperty) {
+            if (attributes & PropertyAttribute::ReadOnly)
                 return typeError(globalObject, scope, slot.isStrictMode(), ReadonlyPropertyWriteError);
-            }
-
-            JSValue gs = obj->getDirect(offset);
-            if (gs.isGetterSetter()) {
+            if (attributes & PropertyAttribute::Accessor) {
+                ASSERT(isValidOffset(offset));
                 // We need to make sure that we decide to cache this property before we potentially execute aribitrary JS.
                 if (!this->structure(vm)->isUncacheableDictionary())
@@ -794 +814 @@
                 RELEASE_AND_RETURN(scope, jsCast<GetterSetter*>(obj->getDirect(offset))->callSetter(globalObject, slot.thisValue(), value, slot.isStrictMode()));
             }
-            if (gs.isCustomGetterSetter()) {
-                bool isAccessor = attributes & PropertyAttribute::CustomAccessor;
-                auto setter = jsCast<CustomGetterSetter*>(gs.asCell())->setter();
+            if (attributes & PropertyAttribute::CustomAccessor) {
+                // FIXME: Remove this after WebIDL generator is fixed to set ReadOnly for [RuntimeConditionallyReadWrite] attributes.
+                if (!customSetter)
+                    return false;
+                ASSERT(customSetter);
                 // FIXME: We should only be caching these if we're not an uncacheable dictionary:
                 // https://bugs.webkit.org/show_bug.cgi?id=215347
-
-                // We need to make sure that we decide to cache this property before we potentially execute aribitrary JS.
-                if (isAccessor)
-                    slot.setCustomAccessor(obj, setter);
-                else
-                    slot.setCustomValue(obj, setter);
-
-                auto result = callCustomSetter(globalObject, setter, isAccessor, obj, slot.thisValue(), value, propertyName);
-                RETURN_IF_EXCEPTION(scope, false);
-                if (result != TriState::Indeterminate)
-                    return result == TriState::True;
+                slot.setCustomAccessor(obj, customSetter);
+                scope.release();
+                customSetter(globalObject, JSValue::encode(slot.thisValue()), JSValue::encode(value), propertyName);
+                return true;
             }
-            ASSERT(!(attributes & PropertyAttribute::Accessor));
-
-            // If there's an existing property on the base object, or on one of its 
-            // prototypes, we should store the property on the *base* object.
+            if (attributes & PropertyAttribute::CustomValue) {
+                // FIXME: Once legacy RegExp features are implemented, there would be no use case for calling CustomValue setter if receiver is altered.
+                if (customSetter && !(isThisValueAltered(slot, obj) && slot.context() == PutPropertySlot::ReflectSet)) {
+                    // FIXME: We should only be caching these if we're not an uncacheable dictionary:
+                    // https://bugs.webkit.org/show_bug.cgi?id=215347
+                    slot.setCustomValue(obj, customSetter);
+                    RELEASE_AND_RETURN(scope, customSetter(globalObject, JSValue::encode(obj), JSValue::encode(value), propertyName));
+                }
+                if (!isThisValueAltered(slot, obj)) {
+                    // Avoid PutModePut because it fails for non-extensible structures.
+                    obj->putDirect(vm, propertyName, value, attributesForStructure(attributes) & ~PropertyAttribute::CustomValue, slot);
+                    return true;
+                }
+            }
+            if (attributes & PropertyAttribute::BuiltinOrFunctionOrLazyProperty) {
+                if (!isThisValueAltered(slot, obj)) {
+                    // Avoid PutModePut because it fails for non-extensible structures.
+                    obj->putDirect(vm, propertyName, value, attributesForStructure(attributes), slot);
+                    return true;
+                }
+            }
+            // If there's an existing writable property on the base object, or on one of its 
+            // prototypes, we should attempt to store the property on the receiver.
             break;
         }
-        if (!obj->staticPropertiesReified(vm)) {
-            if (obj->classInfo(vm)->hasStaticSetterOrReadonlyProperties()) {
-                if (auto entry = obj->findPropertyHashEntry(vm, propertyName))
-                    RELEASE_AND_RETURN(scope, putEntry(globalObject, entry->table->classForThis, entry->value, obj, this, propertyName, value, slot));
-            }
-        }
-        if (obj->type() == ProxyObjectType) {
-            auto* proxy = jsCast<ProxyObject*>(obj);
-            RELEASE_AND_RETURN(scope, proxy->ProxyObject::put(proxy, globalObject, propertyName, value, slot));
-        }
+
         JSValue prototype = obj->getPrototype(vm, globalObject);
         RETURN_IF_EXCEPTION(scope, false);
@@ -834 +859 @@
     }
 
-    if (!putDirectInternal<PutModePut>(vm, propertyName, value, 0, slot))
+    scope.release();
+    if (UNLIKELY(isThisValueAltered(slot, this)))
+        return definePropertyOnReceiver(globalObject, propertyName, value, slot);
+    return putInlineFast(globalObject, propertyName, value, slot);
+}
+
+static NEVER_INLINE bool definePropertyOnReceiverSlow(JSGlobalObject* globalObject, PropertyName propertyName, JSValue value, JSObject* receiver, bool shouldThrow)
+{
+    VM& vm = globalObject->vm();
+    auto scope = DECLARE_THROW_SCOPE(vm);
+
+    PropertySlot slot(receiver, PropertySlot::InternalMethodType::GetOwnProperty);
+    bool hasProperty = receiver->methodTable(vm)->getOwnPropertySlot(receiver, globalObject, propertyName, slot);
+    RETURN_IF_EXCEPTION(scope, false);
+
+    PropertyDescriptor descriptor;
+    if (hasProperty) {
+        // FIXME: For an accessor with setter, the error message is misleading.
+        if (slot.attributes() & PropertyAttribute::ReadOnlyOrAccessorOrCustomAccessor)
+            return typeError(globalObject, scope, shouldThrow, ReadonlyPropertyWriteError);
+        descriptor.setValue(value);
+    } else
+        descriptor.setDescriptor(value, static_cast<unsigned>(PropertyAttribute::None));
+
+    RELEASE_AND_RETURN(scope, receiver->methodTable(vm)->defineOwnProperty(receiver, globalObject, propertyName, descriptor, shouldThrow));
+}
+
+// https://tc39.es/ecma262/#sec-ordinaryset (step 3)
+bool JSObject::definePropertyOnReceiver(JSGlobalObject* globalObject, PropertyName propertyName, JSValue value, PutPropertySlot& slot)
+{
+    ASSERT(!parseIndex(propertyName));
+
+    VM& vm = globalObject->vm();
+    auto scope = DECLARE_THROW_SCOPE(vm);
+
+    JSObject* receiver = slot.thisValue().getObject();
+    // FIXME: For a failure due to primitive receiver, the error message is misleading.
+    if (!receiver)
         return typeError(globalObject, scope, slot.isStrictMode(), ReadonlyPropertyWriteError);
-    return true;
+    scope.release();
+    if (receiver->type() == PureForwardingProxyType)
+        receiver = jsCast<JSProxy*>(receiver)->target();
+
+    if (slot.isTaintedByOpaqueObject() || slot.context() == PutPropertySlot::ReflectSet) {
+        if (receiver->methodTable(vm)->defineOwnProperty != JSObject::defineOwnProperty)
+            return definePropertyOnReceiverSlow(globalObject, propertyName, value, receiver, slot.isStrictMode());
+    }
+
+    if (UNLIKELY(receiver->hasNonReifiedStaticProperties(vm)))
+        return receiver->putInlineFastReplacingStaticPropertyIfNeeded(globalObject, propertyName, value, slot);
+    return receiver->putInlineFast(globalObject, propertyName, value, slot);
+}
+
+bool JSObject::putInlineFastReplacingStaticPropertyIfNeeded(JSGlobalObject* globalObject, PropertyName propertyName, JSValue value, PutPropertySlot& slot)
+{
+    ASSERT(!parseIndex(propertyName));
+
+    VM& vm = globalObject->vm();
+    auto scope = DECLARE_THROW_SCOPE(vm);
+
+    Structure* structure = this->structure(vm);
+    ASSERT(structure->hasNonReifiedStaticProperties());
+    if (!isValidOffset(structure->get(vm, propertyName))) {
+        if (auto entry = structure->findPropertyHashEntry(propertyName)) {
+            if (entry->value->attributes() & PropertyAttribute::ReadOnlyOrAccessorOrCustomAccessor) {
+                ASSERT(slot.context() == PutPropertySlot::ReflectSet);
+                // FIXME: For an accessor with setter, the error message is misleading.
+                return typeError(globalObject, scope, slot.isStrictMode(), ReadonlyPropertyWriteError);
+            }
+            // Avoid PutModePut because it fails for non-extensible structures.
+            putDirect(vm, propertyName, value, attributesForStructure(entry->value->attributes()) & ~PropertyAttribute::CustomValue, slot);
+            return true;
+        }
+    }
+
+    RELEASE_AND_RETURN(scope, putInlineFast(globalObject, propertyName, value, slot));
 }
 
@@ -3845 +3943 @@
 }
 
-bool JSObject::prototypeChainMayInterceptStoreTo(VM& vm, PropertyName propertyName)
-{
-    if (parseIndex(propertyName))
-        return anyObjectInChainMayInterceptIndexedAccesses(vm);
-    
-    for (JSObject* current = this; ;) {
-        JSValue prototype = current->getPrototypeDirect(vm);
-        if (prototype.isNull())
-            return false;
-        
-        current = asObject(prototype);
-        
-        unsigned attributes;
-        PropertyOffset offset = current->structure(vm)->get(vm, propertyName, attributes);
-        if (!JSC::isValidOffset(offset))
-            continue;
-        
-        if (attributes & (PropertyAttribute::ReadOnly | PropertyAttribute::Accessor))
-            return true;
-        
-        return false;
-    }
-}
-
 bool JSObject::needsSlowPutIndexing(VM& vm) const
 {

trunk/Source/JavaScriptCore/runtime/JSObject.h

@@ -172 +172 @@
     JS_EXPORT_PRIVATE static bool getOwnPropertySlotByIndex(JSObject*, JSGlobalObject*, unsigned propertyName, PropertySlot&);
     bool getOwnPropertySlotInline(JSGlobalObject*, PropertyName, PropertySlot&);
-    JS_EXPORT_PRIVATE_IF_ASSERT_ENABLED static void doPutPropertySecurityCheck(JSObject*, JSGlobalObject*, PropertyName, PutPropertySlot&);
 
     // The key difference between this and getOwnPropertySlot is that getOwnPropertySlot
@@ -205 +204 @@
     
     JS_EXPORT_PRIVATE static bool put(JSCell*, JSGlobalObject*, PropertyName, JSValue, PutPropertySlot&);
+    JS_EXPORT_PRIVATE NEVER_INLINE static bool definePropertyOnReceiver(JSGlobalObject*, PropertyName, JSValue, PutPropertySlot&);
     // putByIndex assumes that the receiver is this JSCell object.
     JS_EXPORT_PRIVATE static bool putByIndex(JSCell*, JSGlobalObject*, unsigned propertyName, JSValue, bool shouldThrow);
@@ -221 +221 @@
     ALWAYS_INLINE bool putByIndexInline(JSGlobalObject* globalObject, uint64_t propertyName, JSValue value, bool shouldThrow)
     {
+        VM& vm = getVM(globalObject);
         if (LIKELY(propertyName <= MAX_ARRAY_INDEX))
             return putByIndexInline(globalObject, static_cast<uint32_t>(propertyName), value, shouldThrow);
@@ -226 +227 @@
         ASSERT(propertyName <= maxSafeInteger());
         PutPropertySlot slot(this, shouldThrow);
-        return putInlineForJSObject(this, globalObject, Identifier::from(getVM(globalObject), propertyName), value, slot);
+        return methodTable(vm)->put(this, globalObject, Identifier::from(vm, propertyName), value, slot);
     }
         
@@ -645 +646 @@
     //  - the property name is assumed to not be an index.
     bool putDirect(VM&, PropertyName, JSValue, unsigned attributes = 0);
+    bool putDirect(VM&, PropertyName, JSValue, unsigned attributes, PutPropertySlot&);
     bool putDirect(VM&, PropertyName, JSValue, PutPropertySlot&);
     void putDirectWithoutTransition(VM&, PropertyName, JSValue, unsigned attributes = 0);
@@ -770 +772 @@
     bool hasGetterSetterProperties(VM& vm) { return structure(vm)->hasGetterSetterProperties(); }
     bool hasCustomGetterSetterProperties(VM& vm) { return structure(vm)->hasCustomGetterSetterProperties(); }
+
+    bool hasNonReifiedStaticProperties(VM& vm)
+    {
+        return TypeInfo::hasStaticPropertyTable(inlineTypeFlags()) && !structure(vm)->staticPropertiesReified();
+    }
 
     // putOwnDataProperty has 'put' like semantics, however this method:
@@ -817 +824 @@
 
     JS_EXPORT_PRIVATE bool anyObjectInChainMayInterceptIndexedAccesses(VM&) const;
-    JS_EXPORT_PRIVATE bool prototypeChainMayInterceptStoreTo(VM&, PropertyName);
     bool needsSlowPutIndexing(VM&) const;
 
@@ -1110 +1116 @@
 
     JS_EXPORT_PRIVATE NEVER_INLINE bool putInlineSlow(JSGlobalObject*, PropertyName, JSValue, PutPropertySlot&);
+    JS_EXPORT_PRIVATE NEVER_INLINE bool putInlineFastReplacingStaticPropertyIfNeeded(JSGlobalObject*, PropertyName, JSValue, PutPropertySlot&);
+    bool putInlineFast(JSGlobalObject*, PropertyName, JSValue, PutPropertySlot&);
 
     bool getNonIndexPropertySlot(JSGlobalObject*, PropertyName, PropertySlot&);
@@ -1441 +1449 @@
 {
     return getOwnPropertySlotImpl(object, globalObject, propertyName, slot);
-}
-
-ALWAYS_INLINE void JSObject::doPutPropertySecurityCheck(JSObject*, JSGlobalObject*, PropertyName, PutPropertySlot&)
-{
 }
 #endif
@@ -1541 +1545 @@
 }
 
+inline bool JSObject::putDirect(VM& vm, PropertyName propertyName, JSValue value, unsigned attributes, PutPropertySlot& slot)
+{
+    ASSERT(!value.isGetterSetter());
+    ASSERT(!value.isCustomGetterSetter());
+    return putDirectInternal<PutModeDefineOwnProperty>(vm, propertyName, value, attributes, slot);
+}
+
 inline bool JSObject::putDirect(VM& vm, PropertyName propertyName, JSValue value, PutPropertySlot& slot)
 {

trunk/Source/JavaScriptCore/runtime/JSObjectInlines.h

@@ -69 +69 @@
         Structure* structure = obj->structure(vm);
         if (structure->hasReadOnlyOrGetterSetterPropertiesExcludingProto() || structure->typeInfo().overridesGetPrototype())
+            return false;
+        if (obj != this && structure->typeInfo().overridesPut())
             return false;
 
@@ -250 +252 @@
 }
 
-// ECMA 8.6.2.2
+// https://tc39.es/ecma262/#sec-ordinaryset
 ALWAYS_INLINE bool JSObject::putInlineForJSObject(JSCell* cell, JSGlobalObject* globalObject, PropertyName propertyName, JSValue value, PutPropertySlot& slot)
 {
     VM& vm = getVM(globalObject);
-    auto scope = DECLARE_THROW_SCOPE(vm);
 
     JSObject* thisObject = jsCast<JSObject*>(cell);
@@ -260 +261 @@
     ASSERT(!Heap::heap(value) || Heap::heap(value) == Heap::heap(thisObject));
 
-    if (UNLIKELY(isThisValueAltered(slot, thisObject)))
-        RELEASE_AND_RETURN(scope, ordinarySetSlow(globalObject, thisObject, propertyName, value, slot.thisValue(), slot.isStrictMode()));
-
     // Try indexed put first. This is required for correctness, since loads on property names that appear like
     // valid indices will never look in the named property storage.
-    if (std::optional<uint32_t> index = parseIndex(propertyName))
-        RELEASE_AND_RETURN(scope, putByIndex(thisObject, globalObject, index.value(), value, slot.isStrictMode()));
-
-    if (thisObject->canPerformFastPutInline(vm, propertyName)) {
-        ASSERT(!thisObject->prototypeChainMayInterceptStoreTo(vm, propertyName));
-        if (!thisObject->putDirectInternal<PutModePut>(vm, propertyName, value, 0, slot))
-            return typeError(globalObject, scope, slot.isStrictMode(), ReadonlyPropertyWriteError);
-        return true;
-    }
-
-    RELEASE_AND_RETURN(scope, thisObject->putInlineSlow(globalObject, propertyName, value, slot));
+    if (std::optional<uint32_t> index = parseIndex(propertyName)) {
+        if (UNLIKELY(isThisValueAltered(slot, thisObject)))
+            return ordinarySetSlow(globalObject, thisObject, propertyName, value, slot.thisValue(), slot.isStrictMode());
+        return thisObject->methodTable(vm)->putByIndex(thisObject, globalObject, index.value(), value, slot.isStrictMode());
+    }
+
+    if (!thisObject->canPerformFastPutInline(vm, propertyName))
+        return thisObject->putInlineSlow(globalObject, propertyName, value, slot);
+    if (UNLIKELY(isThisValueAltered(slot, thisObject)))
+        return definePropertyOnReceiver(globalObject, propertyName, value, slot);
+    if (UNLIKELY(thisObject->hasNonReifiedStaticProperties(vm)))
+        return thisObject->putInlineFastReplacingStaticPropertyIfNeeded(globalObject, propertyName, value, slot);
+    return thisObject->putInlineFast(globalObject, propertyName, value, slot);
+}
+
+ALWAYS_INLINE bool JSObject::putInlineFast(JSGlobalObject* globalObject, PropertyName propertyName, JSValue value, PutPropertySlot& slot)
+{
+    VM& vm = getVM(globalObject);
+    auto scope = DECLARE_THROW_SCOPE(vm);
+
+    // FIXME: For a failure due to non-extensible structure, the error message is misleading.
+    if (!putDirectInternal<PutModePut>(vm, propertyName, value, 0, slot))
+        return typeError(globalObject, scope, slot.isStrictMode(), ReadonlyPropertyWriteError);
+    return true;
 }
 
@@ -318 +329 @@
         PropertyOffset offset = structure->get(vm, propertyName, currentAttributes);
         if (offset != invalidOffset) {
-            if ((mode == PutModePut) && currentAttributes & PropertyAttribute::ReadOnly)
+            if ((mode == PutModePut) && currentAttributes & PropertyAttribute::ReadOnlyOrAccessorOrCustomAccessor)
                 return false;
 
@@ -377 +388 @@
     offset = structure->get(vm, propertyName, currentAttributes);
     if (offset != invalidOffset) {
-        if ((mode == PutModePut) && currentAttributes & PropertyAttribute::ReadOnly)
+        if ((mode == PutModePut) && currentAttributes & PropertyAttribute::ReadOnlyOrAccessorOrCustomAccessor)
             return false;
 

trunk/Source/JavaScriptCore/runtime/JSProxy.h

@@ -33 +33 @@
 public:
     using Base = JSNonFinalObject;
-    static constexpr unsigned StructureFlags = Base::StructureFlags | OverridesGetOwnPropertySlot | OverridesGetOwnPropertyNames | OverridesGetPrototype | InterceptsGetOwnPropertySlotByIndexEvenWhenLengthIsNotZero;
+    static constexpr unsigned StructureFlags = Base::StructureFlags | OverridesGetOwnPropertySlot | OverridesGetOwnPropertyNames | OverridesPut | OverridesGetPrototype | InterceptsGetOwnPropertySlotByIndexEvenWhenLengthIsNotZero;
 
     template<typename CellType, SubspaceAccess>

trunk/Source/JavaScriptCore/runtime/JSTypeInfo.h

@@ -58 +58 @@
 static constexpr unsigned InterceptsGetOwnPropertySlotByIndexEvenWhenLengthIsNotZero = 1 << 16;
 static constexpr unsigned StructureIsImmortal = 1 << 17;
-static constexpr unsigned HasPutPropertySecurityCheck = 1 << 18;
+static constexpr unsigned OverridesPut = 1 << 18;
 static constexpr unsigned OverridesGetPrototype = 1 << 19;
 static constexpr unsigned GetOwnPropertySlotMayBeWrongAboutDontEnum = 1 << 20;
@@ -95 +95 @@
     bool overridesGetCallData() const { return isSetOnFlags1<OverridesGetCallData>(); }
     bool overridesGetOwnPropertySlot() const { return overridesGetOwnPropertySlot(inlineTypeFlags()); }
+    bool hasStaticPropertyTable() const { return isSetOnFlags1<HasStaticPropertyTable>(); }
     static bool overridesGetOwnPropertySlot(InlineTypeFlags flags) { return flags & OverridesGetOwnPropertySlot; }
     static bool hasStaticPropertyTable(InlineTypeFlags flags) { return flags & HasStaticPropertyTable; }
@@ -103 +104 @@
     bool overridesGetOwnSpecialPropertyNames() const { return isSetOnFlags2<OverridesGetOwnSpecialPropertyNames>(); }
     bool overridesAnyFormOfGetOwnPropertyNames() const { return overridesGetOwnPropertyNames() || overridesGetOwnSpecialPropertyNames(); }
+    bool overridesPut() const { return isSetOnFlags2<OverridesPut>(); }
     bool overridesGetPrototype() const { return isSetOnFlags2<OverridesGetPrototype>(); }
     bool prohibitsPropertyCaching() const { return isSetOnFlags2<ProhibitsPropertyCaching>(); }
@@ -108 +110 @@
     bool getOwnPropertySlotIsImpureForPropertyAbsence() const { return isSetOnFlags2<GetOwnPropertySlotIsImpureForPropertyAbsence>(); }
     bool getOwnPropertySlotMayBeWrongAboutDontEnum() const { return isSetOnFlags2<GetOwnPropertySlotMayBeWrongAboutDontEnum>(); }
-    bool hasPutPropertySecurityCheck() const { return isSetOnFlags2<HasPutPropertySecurityCheck>(); }
     bool newImpurePropertyFiresWatchpoints() const { return isSetOnFlags2<NewImpurePropertyFiresWatchpoints>(); }
     bool isImmutablePrototypeExoticObject() const { return isSetOnFlags2<IsImmutablePrototypeExoticObject>(); }

trunk/Source/JavaScriptCore/runtime/Lookup.h

@@ -263 +263 @@
 }
 
-// 'base' means the object holding the property (possibly in the prototype chain of the object put was called on).
-// 'thisValue' is the object that put is being applied to (in the case of a proxy, the proxy target).
-// 'slot.thisValue()' is the object the put was originally performed on (in the case of a proxy, the proxy itself).
-inline bool putEntry(JSGlobalObject* globalObject, const ClassInfo*, const HashTableValue* entry, JSObject* base, JSObject* thisValue, PropertyName propertyName, JSValue value, PutPropertySlot& slot)
-{
-    VM& vm = getVM(globalObject);
-    auto scope = DECLARE_THROW_SCOPE(vm);
-
-    if (entry->attributes() & PropertyAttribute::BuiltinOrFunctionOrLazyProperty) {
-        if (!(entry->attributes() & PropertyAttribute::ReadOnly)) {
-            // If this is a function or lazy property put then we just do the put because
-            // logically the object already had the property, so this is just a replace.
-            // FIXME: thisValue may be an object with non-extensible structure we must throw for.
-            if (JSObject* thisObject = jsDynamicCast<JSObject*>(vm, thisValue))
-                thisObject->putDirect(vm, propertyName, value);
-            return true;
-        }
-        return typeError(globalObject, scope, slot.isStrictMode(), ReadonlyPropertyWriteError);
-    }
-
-    if (entry->attributes() & PropertyAttribute::Accessor)
-        return typeError(globalObject, scope, slot.isStrictMode(), ReadonlyPropertyWriteError);
-
-    if (!(entry->attributes() & PropertyAttribute::ReadOnly)) {
-        ASSERT_WITH_MESSAGE(!(entry->attributes() & PropertyAttribute::DOMJITAttribute), "DOMJITAttribute supports readonly attributes currently.");
-        bool isAccessor = entry->attributes() & PropertyAttribute::CustomAccessor;
-        // FIXME: We should only be caching these if we're not an uncacheable dictionary:
-        // https://bugs.webkit.org/show_bug.cgi?id=215347
-        // We need to make sure that we decide to cache this property before we potentially execute aribitrary JS.
-        if (isAccessor)
-            slot.setCustomAccessor(base, entry->propertyPutter());
-        else
-            slot.setCustomValue(base, entry->propertyPutter());
-
-        auto result = callCustomSetter(globalObject, entry->propertyPutter(), isAccessor, base, slot.thisValue(), value, propertyName);
-        RETURN_IF_EXCEPTION(scope, false);
-        if (result != TriState::Indeterminate)
-            return result == TriState::True;
-
-        // FIXME: thisValue may be an object with non-extensible structure we must throw for.
-        if (JSObject* thisObject = jsDynamicCast<JSObject*>(vm, thisValue))
-            thisObject->putDirect(vm, propertyName, value);
-        return true;
-    }
-
-    return typeError(globalObject, scope, slot.isStrictMode(), ReadonlyPropertyWriteError);
-}
-
-/**
- * This one is for "put".
- * It looks up a hash entry for the property to be set.  If an entry
- * is found it sets the value and returns true, else it returns false.
- */
-inline bool lookupPut(JSGlobalObject* globalObject, PropertyName propertyName, JSObject* base, JSValue value, const HashTable& table, PutPropertySlot& slot, bool& putResult)
-{
-    const HashTableValue* entry = table.entry(propertyName);
-
-    if (!entry)
-        return false;
-
-    putResult = putEntry(globalObject, table.classForThis, entry, base, base, propertyName, value, slot);
-    return true;
-}
-
 inline void reifyStaticProperty(VM& vm, const ClassInfo* classInfo, const PropertyName& propertyName, const HashTableValue& value, JSObject& thisObj)
 {

trunk/Source/JavaScriptCore/runtime/PropertySlot.h

@@ -48 +48 @@
     CustomAccessorOrValue = CustomAccessor | CustomValue,
     AccessorOrCustomAccessorOrValue = Accessor | CustomAccessor | CustomValue,
+    ReadOnlyOrAccessorOrCustomAccessor = ReadOnly | Accessor | CustomAccessor,
 
     // Things that are used by static hashtables are not in the attributes byte in PropertyMapEntry.

trunk/Source/JavaScriptCore/runtime/ProxyObject.cpp

@@ -465 +465 @@
     VM& vm = globalObject->vm();
     slot.disableCaching();
+    slot.setIsTaintedByOpaqueObject();
 
     ProxyObject* thisObject = jsCast<ProxyObject*>(cell);

trunk/Source/JavaScriptCore/runtime/ProxyObject.h

@@ -35 +35 @@
     typedef JSNonFinalObject Base;
 
-    static constexpr unsigned StructureFlags = Base::StructureFlags | OverridesGetOwnPropertySlot | OverridesGetOwnPropertyNames | OverridesGetPrototype | OverridesGetCallData | InterceptsGetOwnPropertySlotByIndexEvenWhenLengthIsNotZero | ProhibitsPropertyCaching;
+    static constexpr unsigned StructureFlags = Base::StructureFlags | OverridesGetOwnPropertySlot | OverridesGetOwnPropertyNames | OverridesGetPrototype | OverridesGetCallData | OverridesPut | InterceptsGetOwnPropertySlotByIndexEvenWhenLengthIsNotZero | ProhibitsPropertyCaching;
 
     template<typename CellType, SubspaceAccess mode>

trunk/Source/JavaScriptCore/runtime/PutPropertySlot.h

@@ -38 +38 @@
 public:
     enum Type : uint8_t { Uncachable, ExistingProperty, NewProperty, SetterProperty, CustomValue, CustomAccessor };
-    enum Context { UnknownContext, PutById, PutByIdEval };
+    enum Context : uint8_t { UnknownContext, PutById, PutByIdEval, ReflectSet };
     using PutValueFunc = JSC::PutValueFunc;
     using PutValueFuncWithPtr = JSC::PutValueFuncWithPtr;
@@ -48 +48 @@
         , m_isStrictMode(isStrictMode)
         , m_isInitialization(isInitialization)
+        , m_isTaintedByOpaqueObject(false)
         , m_type(Uncachable)
         , m_context(context)
@@ -105 +106 @@
     }
 
-    Context context() const { return static_cast<Context>(m_context); }
-
     Type type() const { return m_type; }
+    Context context() const { return m_context; }
     JSObject* base() const { return m_base; }
     JSValue thisValue() const { return m_thisValue; }
@@ -117 +117 @@
     bool isCustomAccessor() const { return isCacheable() && m_type == CustomAccessor; }
     bool isInitialization() const { return m_isInitialization; }
+    bool isTaintedByOpaqueObject() const { return m_isTaintedByOpaqueObject; }
+    void setIsTaintedByOpaqueObject() { m_isTaintedByOpaqueObject = true; }
 
     PropertyOffset cachedOffset() const
@@ -136 +138 @@
     bool m_isStrictMode : 1;
     bool m_isInitialization : 1;
+    bool m_isTaintedByOpaqueObject : 1;
     Type m_type;
-    uint8_t m_context;
+    Context m_context;
     CacheabilityType m_cacheability;
     FunctionPtr<CustomAccessorPtrTag> m_putFunction;

trunk/Source/JavaScriptCore/runtime/ReflectObject.cpp

@@ -261 +261 @@
     // Do not raise any readonly errors that happen in strict mode.
     bool shouldThrowIfCantSet = false;
-    PutPropertySlot slot(receiver, shouldThrowIfCantSet);
+    PutPropertySlot slot(receiver, shouldThrowIfCantSet, PutPropertySlot::ReflectSet);
     RELEASE_AND_RETURN(scope, JSValue::encode(jsBoolean(targetObject->methodTable(vm)->put(targetObject, globalObject, propertyName, callFrame->argument(2), slot))));
 }

trunk/Source/JavaScriptCore/runtime/RegExpObject.cpp

@@ -135 +135 @@
 {
     VM& vm = globalObject->vm();
+    auto scope = DECLARE_THROW_SCOPE(vm);
     RegExpObject* thisObject = jsCast<RegExpObject*>(cell);
 
-    if (UNLIKELY(isThisValueAltered(slot, thisObject)))
-        return ordinarySetSlow(globalObject, thisObject, propertyName, value, slot.thisValue(), slot.isStrictMode());
+    if (propertyName == vm.propertyNames->lastIndex) {
+        if (!thisObject->lastIndexIsWritable())
+            return typeError(globalObject, scope, slot.isStrictMode(), ReadonlyPropertyWriteError);
 
-    if (propertyName == vm.propertyNames->lastIndex) {
+        if (UNLIKELY(slot.thisValue() != thisObject))
+            RELEASE_AND_RETURN(scope, JSObject::definePropertyOnReceiver(globalObject, propertyName, value, slot));
+
         bool result = thisObject->setLastIndex(globalObject, value, slot.isStrictMode());
+        RETURN_IF_EXCEPTION(scope, false);
         slot.setCustomValue(thisObject, slot.isStrictMode()
             ? regExpObjectSetLastIndexStrict
@@ -147 +152 @@
         return result;
     }
-    return Base::put(cell, globalObject, propertyName, value, slot);
+    RELEASE_AND_RETURN(scope, Base::put(cell, globalObject, propertyName, value, slot));
 }
 

trunk/Source/JavaScriptCore/runtime/RegExpObject.h

@@ -31 +31 @@
 public:
     using Base = JSNonFinalObject;
-    static constexpr unsigned StructureFlags = Base::StructureFlags | OverridesGetOwnPropertySlot | OverridesGetOwnSpecialPropertyNames;
+    static constexpr unsigned StructureFlags = Base::StructureFlags | OverridesGetOwnPropertySlot | OverridesGetOwnSpecialPropertyNames | OverridesPut;
 
     template<typename CellType, SubspaceAccess mode>

trunk/Source/JavaScriptCore/runtime/StringObject.cpp

@@ -69 +69 @@
     StringObject* thisObject = jsCast<StringObject*>(cell);
 
-    if (UNLIKELY(isThisValueAltered(slot, thisObject))) 
-        RELEASE_AND_RETURN(scope, ordinarySetSlow(globalObject, thisObject, propertyName, value, slot.thisValue(), slot.isStrictMode()));
-
     if (propertyName == vm.propertyNames->length)
         return typeError(globalObject, scope, slot.isStrictMode(), ReadonlyPropertyWriteError);
+    if (UNLIKELY(slot.thisValue() != thisObject))
+        RELEASE_AND_RETURN(scope, JSObject::put(cell, globalObject, propertyName, value, slot));
     if (std::optional<uint32_t> index = parseIndex(propertyName)) 
         RELEASE_AND_RETURN(scope, putByIndex(cell, globalObject, index.value(), value, slot.isStrictMode()));

trunk/Source/JavaScriptCore/runtime/StringObject.h

@@ -29 +29 @@
 public:
     using Base = JSWrapperObject;
-    static constexpr unsigned StructureFlags = Base::StructureFlags | OverridesGetOwnPropertySlot | OverridesGetOwnPropertyNames | InterceptsGetOwnPropertySlotByIndexEvenWhenLengthIsNotZero;
+    static constexpr unsigned StructureFlags = Base::StructureFlags | OverridesGetOwnPropertySlot | OverridesGetOwnPropertyNames | OverridesPut | InterceptsGetOwnPropertySlotByIndexEvenWhenLengthIsNotZero;
 
     template<typename, SubspaceAccess mode>

trunk/Source/JavaScriptCore/runtime/StringPrototype.cpp

@@ -122 +122 @@
 }
 
-void StringPrototype::finishCreation(VM& vm, JSGlobalObject* globalObject, JSString* nameAndMessage)
-{
-    Base::finishCreation(vm, nameAndMessage);
+void StringPrototype::finishCreation(VM& vm, JSGlobalObject* globalObject)
+{
+    Base::finishCreation(vm, jsEmptyString(vm));
     ASSERT(inherits(vm, info()));
 
@@ -166 +166 @@
 
     // The constructor will be added later, after StringConstructor has been built
-    putDirectWithoutTransition(vm, vm.propertyNames->length, jsNumber(0), PropertyAttribute::DontDelete | PropertyAttribute::ReadOnly | PropertyAttribute::DontEnum);
 }
 
 StringPrototype* StringPrototype::create(VM& vm, JSGlobalObject* globalObject, Structure* structure)
 {
-    JSString* empty = jsEmptyString(vm);
     StringPrototype* prototype = new (NotNull, allocateCell<StringPrototype>(vm.heap)) StringPrototype(vm, structure);
-    prototype->finishCreation(vm, globalObject, empty);
+    prototype->finishCreation(vm, globalObject);
     return prototype;
 }

trunk/Source/JavaScriptCore/runtime/StringPrototype.h

@@ -46 +46 @@
 private:
     StringPrototype(VM&, Structure*);
-    void finishCreation(VM&, JSGlobalObject*, JSString*);
+    void finishCreation(VM&, JSGlobalObject*);
 };
 STATIC_ASSERT_ISO_SUBSPACE_SHARABLE(StringPrototype, StringObject);

trunk/Source/JavaScriptCore/runtime/Structure.cpp

@@ -191 +191 @@
         RELEASE_ASSERT(typeInfo().interceptsGetOwnPropertySlotByIndexEvenWhenLengthIsNotZero());
 
-    bool overridesPutPropertySecurityCheck =
-        methodTable.doPutPropertySecurityCheck != JSObject::doPutPropertySecurityCheck
-        && methodTable.doPutPropertySecurityCheck != JSCell::doPutPropertySecurityCheck;
-    RELEASE_ASSERT(overridesPutPropertySecurityCheck == typeInfo().hasPutPropertySecurityCheck());
-
     bool overridesGetOwnPropertyNames =
         methodTable.getOwnPropertyNames != JSObject::getOwnPropertyNames
@@ -210 +205 @@
         && methodTable.getPrototype != JSCell::getPrototype;
     RELEASE_ASSERT(overridesGetPrototype == typeInfo().overridesGetPrototype());
+
+    bool overridesPut =
+        methodTable.put != JSObject::put
+        && methodTable.put != JSCell::put;
+    RELEASE_ASSERT(overridesPut == typeInfo().overridesPut());
 }
 #else

trunk/Source/JavaScriptCore/runtime/Structure.h

@@ -269 +269 @@
         return typeInfo().getOwnPropertySlotIsImpure();
     }
+
+    bool hasNonReifiedStaticProperties() const
+    {
+        return typeInfo().hasStaticPropertyTable() && !staticPropertiesReified();
+    }
     
     // Type accessors.

trunk/Source/JavaScriptCore/tools/JSDollarVM.cpp

@@ -691 +691 @@
 }
 
-static const struct CompactHashIndex staticCustomAccessorTableIndex[2] = {
-    { 0, -1 },
-    { -1, -1 },
-};
-
 static JSC_DECLARE_CUSTOM_GETTER(testStaticAccessorGetter);
 static JSC_DECLARE_CUSTOM_SETTER(testStaticAccessorPutter);
@@ -720 +715 @@
     auto scope = DECLARE_THROW_SCOPE(vm);
     
-    JSObject* thisObject = jsDynamicCast<JSObject*>(vm, JSValue::decode(thisValue));
-    if (!thisObject)
-        return throwVMTypeError(globalObject, scope);
+    JSValue receiver = JSValue::decode(thisValue);
+    JSObject* thisObject = receiver.isObject() ? asObject(receiver) : receiver.synthesizePrototype(globalObject);
+    RETURN_IF_EXCEPTION(scope, false);
+    RELEASE_ASSERT(thisObject);
 
     return thisObject->putDirect(vm, PropertyName(Identifier::fromString(vm, "testField")), JSValue::decode(value));
 }
 
-static const struct HashTableValue staticCustomAccessorTableValues[1] = {
+static const struct CompactHashIndex staticCustomAccessorTableIndex[9] = {
+    { -1, -1 },
+    { -1, -1 },
+    { 2, -1 },
+    { -1, -1 },
+    { 0, 8 },
+    { -1, -1 },
+    { -1, -1 },
+    { -1, -1 },
+    { 1, -1 },
+};
+
+static const struct HashTableValue staticCustomAccessorTableValues[3] = {
     { "testStaticAccessor", static_cast<unsigned>(PropertyAttribute::CustomAccessor), NoIntrinsic, { (intptr_t)static_cast<PropertySlot::GetValueFunc>(testStaticAccessorGetter), (intptr_t)static_cast<PutPropertySlot::PutValueFunc>(testStaticAccessorPutter) } },
+    { "testStaticAccessorDontEnum", PropertyAttribute::CustomAccessor | PropertyAttribute::DontEnum, NoIntrinsic, { (intptr_t)static_cast<GetValueFunc>(testStaticAccessorGetter), (intptr_t)static_cast<PutValueFunc>(testStaticAccessorPutter) } },
+    { "testStaticAccessorReadOnly", PropertyAttribute::CustomAccessor | PropertyAttribute::DontEnum | PropertyAttribute::ReadOnly, NoIntrinsic, { (intptr_t)static_cast<GetValueFunc>(testStaticAccessorGetter), 0 } },
 };
 
 static const struct HashTable staticCustomAccessorTable =
-    { 1, 1, true, nullptr, staticCustomAccessorTableValues, staticCustomAccessorTableIndex };
+    { 3, 7, true, nullptr, staticCustomAccessorTableValues, staticCustomAccessorTableIndex };
 
 class StaticCustomAccessor : public JSNonFinalObject {
@@ -799 +809 @@
 }
 
-static const struct CompactHashIndex staticCustomValueTableIndex[2] = {
+static const struct CompactHashIndex staticCustomValueTableIndex[8] = {
+    { 1, -1 },
+    { -1, -1 },
+    { -1, -1 },
+    { -1, -1 },
+    { -1, -1 },
+    { 2, -1 },
     { 0, -1 },
     { -1, -1 },
 };
 
-static const struct HashTableValue staticCustomValueTableValues[1] = {
-    { "testStaticValue", static_cast<unsigned>(PropertyAttribute::CustomAccessor), NoIntrinsic, { (intptr_t)static_cast<PropertySlot::GetValueFunc>(testStaticValueGetter), (intptr_t)static_cast<PutPropertySlot::PutValueFunc>(testStaticValuePutter) } },
+static const struct HashTableValue staticCustomValueTableValues[3] = {
+    { "testStaticValue", static_cast<unsigned>(PropertyAttribute::CustomValue), NoIntrinsic, { (intptr_t)static_cast<GetValueFunc>(testStaticValueGetter), (intptr_t)static_cast<PutValueFunc>(testStaticValuePutter) } },
+    { "testStaticValueNoSetter", PropertyAttribute::CustomValue | PropertyAttribute::DontEnum, NoIntrinsic, { (intptr_t)static_cast<GetValueFunc>(testStaticValueGetter), 0 } },
+    { "testStaticValueReadOnly", PropertyAttribute::CustomValue | PropertyAttribute::DontEnum | PropertyAttribute::ReadOnly, NoIntrinsic, { (intptr_t)static_cast<GetValueFunc>(testStaticValueGetter), 0 } },
 };
 
 static const struct HashTable staticCustomValueTable =
-    { 1, 1, true, nullptr, staticCustomValueTableValues, staticCustomValueTableIndex };
+    { 3, 7, true, nullptr, staticCustomValueTableValues, staticCustomValueTableIndex };
 
 class StaticCustomValue : public JSNonFinalObject {
@@ -847 +865 @@
 class ObjectDoingSideEffectPutWithoutCorrectSlotStatus : public JSNonFinalObject {
     using Base = JSNonFinalObject;
+    static constexpr unsigned StructureFlags = Base::StructureFlags | OverridesPut;
 public:
     template<typename CellType, SubspaceAccess>

trunk/Source/WebCore/ChangeLog

@@ +1 @@
+2021-06-07  Alexey Shvayka  <shvaikalesh@gmail.com>
+
+        Unreviewed, reland r276592 with a fix for put() override in prototype chain of a JSProxy
+        https://bugs.webkit.org/show_bug.cgi?id=226185
+
+        Tests: js/dom/script-tests/reflect-set-onto-dom.js
+               imported/w3c/web-platform-tests/WebIDL/ecmascript-binding/interface-object-set-receiver.html
+               http/tests/security/cross-frame-access-object-getPrototypeOf-in-put.html
+
+        * bindings/js/JSDOMWindowCustom.cpp:
+        (WebCore::JSDOMWindow::put):
+        (WebCore::JSDOMWindow::doPutPropertySecurityCheck): Deleted.
+        * bindings/js/JSLocationCustom.cpp:
+        (WebCore::JSLocation::doPutPropertySecurityCheck): Deleted.
+        * bindings/js/JSRemoteDOMWindowCustom.cpp:
+        (WebCore::JSRemoteDOMWindow::put):
+        * bindings/scripts/CodeGeneratorJS.pm:
+        (GeneratePut):
+        (GenerateHeader):
+        * bindings/scripts/test/JS/*: Updated.
+        * bridge/objc/objc_runtime.h:
+        * bridge/runtime_array.h:
+        * bridge/runtime_object.h:
+
 2021-06-07  Devin Rousso  <drousso@apple.com>
 

trunk/Source/WebCore/bindings/js/JSDOMWindowCustom.cpp

@@ -257 +257 @@
 }
 
-void JSDOMWindow::doPutPropertySecurityCheck(JSObject* cell, JSGlobalObject* lexicalGlobalObject, PropertyName propertyName, PutPropertySlot&)
+bool JSDOMWindow::put(JSCell* cell, JSGlobalObject* lexicalGlobalObject, PropertyName propertyName, JSValue value, PutPropertySlot& slot)
 {
     VM& vm = lexicalGlobalObject->vm();
@@ -264 +264 @@
     auto* thisObject = jsCast<JSDOMWindow*>(cell);
 
-    String errorMessage;
-    if (!BindingSecurity::shouldAllowAccessToDOMWindow(*lexicalGlobalObject, thisObject->wrapped(), errorMessage)) {
+    if (propertyName != static_cast<JSVMClientData*>(vm.clientData)->builtinNames().locationPublicName()) {
         // We only allow setting "location" attribute cross-origin.
-        if (propertyName == static_cast<JSVMClientData*>(vm.clientData)->builtinNames().locationPublicName())
-            return;
-        throwSecurityError(*lexicalGlobalObject, scope, errorMessage);
-        return;
-    }
-}
-
-bool JSDOMWindow::put(JSCell* cell, JSGlobalObject* lexicalGlobalObject, PropertyName propertyName, JSValue value, PutPropertySlot& slot)
-{
-    VM& vm = lexicalGlobalObject->vm();
-    auto scope = DECLARE_THROW_SCOPE(vm);
-
-    auto* thisObject = jsCast<JSDOMWindow*>(cell);
-
-    String errorMessage;
-    if (!BindingSecurity::shouldAllowAccessToDOMWindow(*lexicalGlobalObject, thisObject->wrapped(), errorMessage)) {
-        // We only allow setting "location" attribute cross-origin.
-        if (propertyName == static_cast<JSVMClientData*>(vm.clientData)->builtinNames().locationPublicName()) {
-            bool putResult = false;
-            if (lookupPut(lexicalGlobalObject, propertyName, thisObject, value, *s_info.staticPropHashTable, slot, putResult))
-                return putResult;
+        if (!BindingSecurity::shouldAllowAccessToDOMWindow(lexicalGlobalObject, thisObject->wrapped(), ThrowSecurityError))
             return false;
-        }
-        throwSecurityError(*lexicalGlobalObject, scope, errorMessage);
-        return false;
     }
 

trunk/Source/WebCore/bindings/js/JSLocationCustom.cpp

@@ -109 +109 @@
 }
 
-void JSLocation::doPutPropertySecurityCheck(JSObject* object, JSGlobalObject* lexicalGlobalObject, PropertyName propertyName, PutPropertySlot&)
-{
-    auto* thisObject = jsCast<JSLocation*>(object);
-    ASSERT_GC_OBJECT_INHERITS(thisObject, info());
-
-    VM& vm = lexicalGlobalObject->vm();
-
-    // Always allow assigning to the whole location.
-    // However, alllowing assigning of pieces might inadvertently disclose parts of the original location.
-    // So fall through to the access check for those.
-    if (propertyName == static_cast<JSVMClientData*>(vm.clientData)->builtinNames().hrefPublicName())
-        return;
-
-    // Block access and throw if there is a security error.
-    BindingSecurity::shouldAllowAccessToDOMWindow(lexicalGlobalObject, thisObject->wrapped().window(), ThrowSecurityError);
-}
-
 bool JSLocation::put(JSCell* cell, JSGlobalObject* lexicalGlobalObject, PropertyName propertyName, JSValue value, PutPropertySlot& putPropertySlot)
 {

trunk/Source/WebCore/bindings/js/JSRemoteDOMWindowCustom.cpp

@@ -69 +69 @@
     // We only allow setting "location" attribute cross-origin.
     if (propertyName == static_cast<JSVMClientData*>(vm.clientData)->builtinNames().locationPublicName()) {
-        bool putResult = false;
-        if (lookupPut(lexicalGlobalObject, propertyName, thisObject, value, *s_info.staticPropHashTable, slot, putResult))
-            return putResult;
-        return false;
+        auto* setter = s_info.staticPropHashTable->entry(propertyName)->propertyPutter();
+        scope.release();
+        setter(lexicalGlobalObject, JSValue::encode(slot.thisValue()), JSValue::encode(value), propertyName);
+        return true;
     }
+
     throwSecurityError(*lexicalGlobalObject, scope, errorMessage);
     return false;

trunk/Source/WebCore/bindings/scripts/CodeGeneratorJS.pm

@@ -1174 +1174 @@
     push(@$outputArray, "    auto* thisObject = jsCast<${className}*>(cell);\n");
     push(@$outputArray, "    ASSERT_GC_OBJECT_INHERITS(thisObject, info());\n\n");
+    push(@$outputArray, "    if (UNLIKELY(thisObject != putPropertySlot.thisValue()))\n");
+    push(@$outputArray, "        return JSObject::put(thisObject, lexicalGlobalObject, propertyName, value, putPropertySlot);\n");
 
     push(@$outputArray, "    auto throwScope = DECLARE_THROW_SCOPE(lexicalGlobalObject->vm());\n\n");
@@ -2950 +2952 @@
     }
 
-    if ($interface->extendedAttributes->{CheckSecurity}) {
-        push(@headerContent, "    static void doPutPropertySecurityCheck(JSC::JSObject*, JSC::JSGlobalObject*, JSC::PropertyName, JSC::PutPropertySlot&);\n");
-        $structureFlags{"JSC::HasPutPropertySecurityCheck"} = 1;
-    }
-
     if ($interface->extendedAttributes->{Plugin} || GetNamedSetterOperation($interface)) {
         $structureFlags{"JSC::ProhibitsPropertyCaching"} = 1;
@@ -2967 +2964 @@
         push(@headerContent, "    static bool put(JSC::JSCell*, JSC::JSGlobalObject*, JSC::PropertyName, JSC::JSValue, JSC::PutPropertySlot&);\n");
         push(@headerContent, "    static bool putByIndex(JSC::JSCell*, JSC::JSGlobalObject*, unsigned propertyName, JSC::JSValue, bool shouldThrow);\n");
+        $structureFlags{"JSC::OverridesPut"} = 1;
     }
     

trunk/Source/WebCore/bindings/scripts/test/JS/JSTestDomainSecurity.h

@@ -40 +40 @@
     static JSC::JSObject* prototype(JSC::VM&, JSDOMGlobalObject&);
     static TestDomainSecurity* toWrapped(JSC::VM&, JSC::JSValue);
-    static void doPutPropertySecurityCheck(JSC::JSObject*, JSC::JSGlobalObject*, JSC::PropertyName, JSC::PutPropertySlot&);
     static void destroy(JSC::JSCell*);
 
@@ -60 +59 @@
     static void analyzeHeap(JSCell*, JSC::HeapAnalyzer&);
 public:
-    static constexpr unsigned StructureFlags = Base::StructureFlags | JSC::HasPutPropertySecurityCheck | JSC::HasStaticPropertyTable;
+    static constexpr unsigned StructureFlags = Base::StructureFlags | JSC::HasStaticPropertyTable;
 protected:
     JSTestDomainSecurity(JSC::Structure*, JSDOMGlobalObject&, Ref<TestDomainSecurity>&&);

trunk/Source/WebCore/bindings/scripts/test/JS/JSTestIndexedSetterNoIdentifier.cpp

@@ -200 +200 @@
     ASSERT_GC_OBJECT_INHERITS(thisObject, info());
 
+    if (UNLIKELY(thisObject != putPropertySlot.thisValue()))
+        return JSObject::put(thisObject, lexicalGlobalObject, propertyName, value, putPropertySlot);
     auto throwScope = DECLARE_THROW_SCOPE(lexicalGlobalObject->vm());
 

trunk/Source/WebCore/bindings/scripts/test/JS/JSTestIndexedSetterNoIdentifier.h

@@ -65 +65 @@
     static void analyzeHeap(JSCell*, JSC::HeapAnalyzer&);
 public:
-    static constexpr unsigned StructureFlags = Base::StructureFlags | JSC::InterceptsGetOwnPropertySlotByIndexEvenWhenLengthIsNotZero | JSC::OverridesGetOwnPropertyNames | JSC::OverridesGetOwnPropertySlot;
+    static constexpr unsigned StructureFlags = Base::StructureFlags | JSC::InterceptsGetOwnPropertySlotByIndexEvenWhenLengthIsNotZero | JSC::OverridesGetOwnPropertyNames | JSC::OverridesGetOwnPropertySlot | JSC::OverridesPut;
 protected:
     JSTestIndexedSetterNoIdentifier(JSC::Structure*, JSDOMGlobalObject&, Ref<TestIndexedSetterNoIdentifier>&&);

trunk/Source/WebCore/bindings/scripts/test/JS/JSTestIndexedSetterThrowingException.cpp

@@ -200 +200 @@
     ASSERT_GC_OBJECT_INHERITS(thisObject, info());
 
+    if (UNLIKELY(thisObject != putPropertySlot.thisValue()))
+        return JSObject::put(thisObject, lexicalGlobalObject, propertyName, value, putPropertySlot);
     auto throwScope = DECLARE_THROW_SCOPE(lexicalGlobalObject->vm());
 

trunk/Source/WebCore/bindings/scripts/test/JS/JSTestIndexedSetterThrowingException.h

@@ -65 +65 @@
     static void analyzeHeap(JSCell*, JSC::HeapAnalyzer&);
 public:
-    static constexpr unsigned StructureFlags = Base::StructureFlags | JSC::InterceptsGetOwnPropertySlotByIndexEvenWhenLengthIsNotZero | JSC::OverridesGetOwnPropertyNames | JSC::OverridesGetOwnPropertySlot;
+    static constexpr unsigned StructureFlags = Base::StructureFlags | JSC::InterceptsGetOwnPropertySlotByIndexEvenWhenLengthIsNotZero | JSC::OverridesGetOwnPropertyNames | JSC::OverridesGetOwnPropertySlot | JSC::OverridesPut;
 protected:
     JSTestIndexedSetterThrowingException(JSC::Structure*, JSDOMGlobalObject&, Ref<TestIndexedSetterThrowingException>&&);

trunk/Source/WebCore/bindings/scripts/test/JS/JSTestIndexedSetterWithIdentifier.cpp

@@ -209 +209 @@
     ASSERT_GC_OBJECT_INHERITS(thisObject, info());
 
+    if (UNLIKELY(thisObject != putPropertySlot.thisValue()))
+        return JSObject::put(thisObject, lexicalGlobalObject, propertyName, value, putPropertySlot);
     auto throwScope = DECLARE_THROW_SCOPE(lexicalGlobalObject->vm());
 

trunk/Source/WebCore/bindings/scripts/test/JS/JSTestIndexedSetterWithIdentifier.h

@@ -65 +65 @@
     static void analyzeHeap(JSCell*, JSC::HeapAnalyzer&);
 public:
-    static constexpr unsigned StructureFlags = Base::StructureFlags | JSC::InterceptsGetOwnPropertySlotByIndexEvenWhenLengthIsNotZero | JSC::OverridesGetOwnPropertyNames | JSC::OverridesGetOwnPropertySlot;
+    static constexpr unsigned StructureFlags = Base::StructureFlags | JSC::InterceptsGetOwnPropertySlotByIndexEvenWhenLengthIsNotZero | JSC::OverridesGetOwnPropertyNames | JSC::OverridesGetOwnPropertySlot | JSC::OverridesPut;
 protected:
     JSTestIndexedSetterWithIdentifier(JSC::Structure*, JSDOMGlobalObject&, Ref<TestIndexedSetterWithIdentifier>&&);

trunk/Source/WebCore/bindings/scripts/test/JS/JSTestInterface.h

@@ -84 +84 @@
     JSC::JSValue supplementalMethod3(JSC::JSGlobalObject&, JSC::CallFrame&);
 #endif
+public:
+    static constexpr unsigned StructureFlags = Base::StructureFlags | JSC::OverridesPut;
 protected:
     JSTestInterface(JSC::Structure*, JSDOMGlobalObject&, Ref<TestInterface>&&);

trunk/Source/WebCore/bindings/scripts/test/JS/JSTestNamedAndIndexedSetterNoIdentifier.cpp

@@ -226 +226 @@
     ASSERT_GC_OBJECT_INHERITS(thisObject, info());
 
+    if (UNLIKELY(thisObject != putPropertySlot.thisValue()))
+        return JSObject::put(thisObject, lexicalGlobalObject, propertyName, value, putPropertySlot);
     auto throwScope = DECLARE_THROW_SCOPE(lexicalGlobalObject->vm());
 

trunk/Source/WebCore/bindings/scripts/test/JS/JSTestNamedAndIndexedSetterNoIdentifier.h

@@ -65 +65 @@
     static void analyzeHeap(JSCell*, JSC::HeapAnalyzer&);
 public:
-    static constexpr unsigned StructureFlags = Base::StructureFlags | JSC::GetOwnPropertySlotIsImpureForPropertyAbsence | JSC::InterceptsGetOwnPropertySlotByIndexEvenWhenLengthIsNotZero | JSC::OverridesGetOwnPropertyNames | JSC::OverridesGetOwnPropertySlot | JSC::ProhibitsPropertyCaching;
+    static constexpr unsigned StructureFlags = Base::StructureFlags | JSC::GetOwnPropertySlotIsImpureForPropertyAbsence | JSC::InterceptsGetOwnPropertySlotByIndexEvenWhenLengthIsNotZero | JSC::OverridesGetOwnPropertyNames | JSC::OverridesGetOwnPropertySlot | JSC::OverridesPut | JSC::ProhibitsPropertyCaching;
 protected:
     JSTestNamedAndIndexedSetterNoIdentifier(JSC::Structure*, JSDOMGlobalObject&, Ref<TestNamedAndIndexedSetterNoIdentifier>&&);

trunk/Source/WebCore/bindings/scripts/test/JS/JSTestNamedAndIndexedSetterThrowingException.cpp

@@ -226 +226 @@
     ASSERT_GC_OBJECT_INHERITS(thisObject, info());
 
+    if (UNLIKELY(thisObject != putPropertySlot.thisValue()))
+        return JSObject::put(thisObject, lexicalGlobalObject, propertyName, value, putPropertySlot);
     auto throwScope = DECLARE_THROW_SCOPE(lexicalGlobalObject->vm());
 

trunk/Source/WebCore/bindings/scripts/test/JS/JSTestNamedAndIndexedSetterThrowingException.h

@@ -65 +65 @@
     static void analyzeHeap(JSCell*, JSC::HeapAnalyzer&);
 public:
-    static constexpr unsigned StructureFlags = Base::StructureFlags | JSC::GetOwnPropertySlotIsImpureForPropertyAbsence | JSC::InterceptsGetOwnPropertySlotByIndexEvenWhenLengthIsNotZero | JSC::OverridesGetOwnPropertyNames | JSC::OverridesGetOwnPropertySlot | JSC::ProhibitsPropertyCaching;
+    static constexpr unsigned StructureFlags = Base::StructureFlags | JSC::GetOwnPropertySlotIsImpureForPropertyAbsence | JSC::InterceptsGetOwnPropertySlotByIndexEvenWhenLengthIsNotZero | JSC::OverridesGetOwnPropertyNames | JSC::OverridesGetOwnPropertySlot | JSC::OverridesPut | JSC::ProhibitsPropertyCaching;
 protected:
     JSTestNamedAndIndexedSetterThrowingException(JSC::Structure*, JSDOMGlobalObject&, Ref<TestNamedAndIndexedSetterThrowingException>&&);

trunk/Source/WebCore/bindings/scripts/test/JS/JSTestNamedAndIndexedSetterWithIdentifier.cpp

@@ -237 +237 @@
     ASSERT_GC_OBJECT_INHERITS(thisObject, info());
 
+    if (UNLIKELY(thisObject != putPropertySlot.thisValue()))
+        return JSObject::put(thisObject, lexicalGlobalObject, propertyName, value, putPropertySlot);
     auto throwScope = DECLARE_THROW_SCOPE(lexicalGlobalObject->vm());
 

trunk/Source/WebCore/bindings/scripts/test/JS/JSTestNamedAndIndexedSetterWithIdentifier.h

@@ -65 +65 @@
     static void analyzeHeap(JSCell*, JSC::HeapAnalyzer&);
 public:
-    static constexpr unsigned StructureFlags = Base::StructureFlags | JSC::GetOwnPropertySlotIsImpureForPropertyAbsence | JSC::InterceptsGetOwnPropertySlotByIndexEvenWhenLengthIsNotZero | JSC::OverridesGetOwnPropertyNames | JSC::OverridesGetOwnPropertySlot | JSC::ProhibitsPropertyCaching;
+    static constexpr unsigned StructureFlags = Base::StructureFlags | JSC::GetOwnPropertySlotIsImpureForPropertyAbsence | JSC::InterceptsGetOwnPropertySlotByIndexEvenWhenLengthIsNotZero | JSC::OverridesGetOwnPropertyNames | JSC::OverridesGetOwnPropertySlot | JSC::OverridesPut | JSC::ProhibitsPropertyCaching;
 protected:
     JSTestNamedAndIndexedSetterWithIdentifier(JSC::Structure*, JSDOMGlobalObject&, Ref<TestNamedAndIndexedSetterWithIdentifier>&&);

trunk/Source/WebCore/bindings/scripts/test/JS/JSTestNamedSetterNoIdentifier.cpp

@@ -205 +205 @@
     ASSERT_GC_OBJECT_INHERITS(thisObject, info());
 
+    if (UNLIKELY(thisObject != putPropertySlot.thisValue()))
+        return JSObject::put(thisObject, lexicalGlobalObject, propertyName, value, putPropertySlot);
     auto throwScope = DECLARE_THROW_SCOPE(lexicalGlobalObject->vm());
 

trunk/Source/WebCore/bindings/scripts/test/JS/JSTestNamedSetterNoIdentifier.h

@@ -65 +65 @@
     static void analyzeHeap(JSCell*, JSC::HeapAnalyzer&);
 public:
-    static constexpr unsigned StructureFlags = Base::StructureFlags | JSC::GetOwnPropertySlotIsImpureForPropertyAbsence | JSC::InterceptsGetOwnPropertySlotByIndexEvenWhenLengthIsNotZero | JSC::OverridesGetOwnPropertyNames | JSC::OverridesGetOwnPropertySlot | JSC::ProhibitsPropertyCaching;
+    static constexpr unsigned StructureFlags = Base::StructureFlags | JSC::GetOwnPropertySlotIsImpureForPropertyAbsence | JSC::InterceptsGetOwnPropertySlotByIndexEvenWhenLengthIsNotZero | JSC::OverridesGetOwnPropertyNames | JSC::OverridesGetOwnPropertySlot | JSC::OverridesPut | JSC::ProhibitsPropertyCaching;
 protected:
     JSTestNamedSetterNoIdentifier(JSC::Structure*, JSDOMGlobalObject&, Ref<TestNamedSetterNoIdentifier>&&);

trunk/Source/WebCore/bindings/scripts/test/JS/JSTestNamedSetterThrowingException.cpp

@@ -205 +205 @@
     ASSERT_GC_OBJECT_INHERITS(thisObject, info());
 
+    if (UNLIKELY(thisObject != putPropertySlot.thisValue()))
+        return JSObject::put(thisObject, lexicalGlobalObject, propertyName, value, putPropertySlot);
     auto throwScope = DECLARE_THROW_SCOPE(lexicalGlobalObject->vm());
 

trunk/Source/WebCore/bindings/scripts/test/JS/JSTestNamedSetterThrowingException.h

@@ -65 +65 @@
     static void analyzeHeap(JSCell*, JSC::HeapAnalyzer&);
 public:
-    static constexpr unsigned StructureFlags = Base::StructureFlags | JSC::GetOwnPropertySlotIsImpureForPropertyAbsence | JSC::InterceptsGetOwnPropertySlotByIndexEvenWhenLengthIsNotZero | JSC::OverridesGetOwnPropertyNames | JSC::OverridesGetOwnPropertySlot | JSC::ProhibitsPropertyCaching;
+    static constexpr unsigned StructureFlags = Base::StructureFlags | JSC::GetOwnPropertySlotIsImpureForPropertyAbsence | JSC::InterceptsGetOwnPropertySlotByIndexEvenWhenLengthIsNotZero | JSC::OverridesGetOwnPropertyNames | JSC::OverridesGetOwnPropertySlot | JSC::OverridesPut | JSC::ProhibitsPropertyCaching;
 protected:
     JSTestNamedSetterThrowingException(JSC::Structure*, JSDOMGlobalObject&, Ref<TestNamedSetterThrowingException>&&);

trunk/Source/WebCore/bindings/scripts/test/JS/JSTestNamedSetterWithIdentifier.cpp

@@ -213 +213 @@
     ASSERT_GC_OBJECT_INHERITS(thisObject, info());
 
+    if (UNLIKELY(thisObject != putPropertySlot.thisValue()))
+        return JSObject::put(thisObject, lexicalGlobalObject, propertyName, value, putPropertySlot);
     auto throwScope = DECLARE_THROW_SCOPE(lexicalGlobalObject->vm());
 

trunk/Source/WebCore/bindings/scripts/test/JS/JSTestNamedSetterWithIdentifier.h

@@ -65 +65 @@
     static void analyzeHeap(JSCell*, JSC::HeapAnalyzer&);
 public:
-    static constexpr unsigned StructureFlags = Base::StructureFlags | JSC::GetOwnPropertySlotIsImpureForPropertyAbsence | JSC::InterceptsGetOwnPropertySlotByIndexEvenWhenLengthIsNotZero | JSC::OverridesGetOwnPropertyNames | JSC::OverridesGetOwnPropertySlot | JSC::ProhibitsPropertyCaching;
+    static constexpr unsigned StructureFlags = Base::StructureFlags | JSC::GetOwnPropertySlotIsImpureForPropertyAbsence | JSC::InterceptsGetOwnPropertySlotByIndexEvenWhenLengthIsNotZero | JSC::OverridesGetOwnPropertyNames | JSC::OverridesGetOwnPropertySlot | JSC::OverridesPut | JSC::ProhibitsPropertyCaching;
 protected:
     JSTestNamedSetterWithIdentifier(JSC::Structure*, JSDOMGlobalObject&, Ref<TestNamedSetterWithIdentifier>&&);

trunk/Source/WebCore/bindings/scripts/test/JS/JSTestNamedSetterWithIndexedGetter.cpp

@@ -237 +237 @@
     ASSERT_GC_OBJECT_INHERITS(thisObject, info());
 
+    if (UNLIKELY(thisObject != putPropertySlot.thisValue()))
+        return JSObject::put(thisObject, lexicalGlobalObject, propertyName, value, putPropertySlot);
     auto throwScope = DECLARE_THROW_SCOPE(lexicalGlobalObject->vm());
 

trunk/Source/WebCore/bindings/scripts/test/JS/JSTestNamedSetterWithIndexedGetter.h

@@ -65 +65 @@
     static void analyzeHeap(JSCell*, JSC::HeapAnalyzer&);
 public:
-    static constexpr unsigned StructureFlags = Base::StructureFlags | JSC::GetOwnPropertySlotIsImpureForPropertyAbsence | JSC::InterceptsGetOwnPropertySlotByIndexEvenWhenLengthIsNotZero | JSC::OverridesGetOwnPropertyNames | JSC::OverridesGetOwnPropertySlot | JSC::ProhibitsPropertyCaching;
+    static constexpr unsigned StructureFlags = Base::StructureFlags | JSC::GetOwnPropertySlotIsImpureForPropertyAbsence | JSC::InterceptsGetOwnPropertySlotByIndexEvenWhenLengthIsNotZero | JSC::OverridesGetOwnPropertyNames | JSC::OverridesGetOwnPropertySlot | JSC::OverridesPut | JSC::ProhibitsPropertyCaching;
 protected:
     JSTestNamedSetterWithIndexedGetter(JSC::Structure*, JSDOMGlobalObject&, Ref<TestNamedSetterWithIndexedGetter>&&);

trunk/Source/WebCore/bindings/scripts/test/JS/JSTestNamedSetterWithIndexedGetterAndSetter.cpp

@@ -237 +237 @@
     ASSERT_GC_OBJECT_INHERITS(thisObject, info());
 
+    if (UNLIKELY(thisObject != putPropertySlot.thisValue()))
+        return JSObject::put(thisObject, lexicalGlobalObject, propertyName, value, putPropertySlot);
     auto throwScope = DECLARE_THROW_SCOPE(lexicalGlobalObject->vm());
 

trunk/Source/WebCore/bindings/scripts/test/JS/JSTestNamedSetterWithIndexedGetterAndSetter.h

@@ -65 +65 @@
     static void analyzeHeap(JSCell*, JSC::HeapAnalyzer&);
 public:
-    static constexpr unsigned StructureFlags = Base::StructureFlags | JSC::GetOwnPropertySlotIsImpureForPropertyAbsence | JSC::InterceptsGetOwnPropertySlotByIndexEvenWhenLengthIsNotZero | JSC::OverridesGetOwnPropertyNames | JSC::OverridesGetOwnPropertySlot | JSC::ProhibitsPropertyCaching;
+    static constexpr unsigned StructureFlags = Base::StructureFlags | JSC::GetOwnPropertySlotIsImpureForPropertyAbsence | JSC::InterceptsGetOwnPropertySlotByIndexEvenWhenLengthIsNotZero | JSC::OverridesGetOwnPropertyNames | JSC::OverridesGetOwnPropertySlot | JSC::OverridesPut | JSC::ProhibitsPropertyCaching;
 protected:
     JSTestNamedSetterWithIndexedGetterAndSetter(JSC::Structure*, JSDOMGlobalObject&, Ref<TestNamedSetterWithIndexedGetterAndSetter>&&);

trunk/Source/WebCore/bindings/scripts/test/JS/JSTestNamedSetterWithLegacyOverrideBuiltIns.cpp

@@ -205 +205 @@
     ASSERT_GC_OBJECT_INHERITS(thisObject, info());
 
+    if (UNLIKELY(thisObject != putPropertySlot.thisValue()))
+        return JSObject::put(thisObject, lexicalGlobalObject, propertyName, value, putPropertySlot);
     auto throwScope = DECLARE_THROW_SCOPE(lexicalGlobalObject->vm());
 

trunk/Source/WebCore/bindings/scripts/test/JS/JSTestNamedSetterWithLegacyOverrideBuiltIns.h

@@ -65 +65 @@
     static void analyzeHeap(JSCell*, JSC::HeapAnalyzer&);
 public:
-    static constexpr unsigned StructureFlags = Base::StructureFlags | JSC::GetOwnPropertySlotIsImpure | JSC::InterceptsGetOwnPropertySlotByIndexEvenWhenLengthIsNotZero | JSC::OverridesGetOwnPropertyNames | JSC::OverridesGetOwnPropertySlot | JSC::ProhibitsPropertyCaching;
+    static constexpr unsigned StructureFlags = Base::StructureFlags | JSC::GetOwnPropertySlotIsImpure | JSC::InterceptsGetOwnPropertySlotByIndexEvenWhenLengthIsNotZero | JSC::OverridesGetOwnPropertyNames | JSC::OverridesGetOwnPropertySlot | JSC::OverridesPut | JSC::ProhibitsPropertyCaching;
 protected:
     JSTestNamedSetterWithLegacyOverrideBuiltIns(JSC::Structure*, JSDOMGlobalObject&, Ref<TestNamedSetterWithLegacyOverrideBuiltIns>&&);

trunk/Source/WebCore/bindings/scripts/test/JS/JSTestNamedSetterWithLegacyUnforgeableProperties.cpp

@@ -231 +231 @@
     ASSERT_GC_OBJECT_INHERITS(thisObject, info());
 
+    if (UNLIKELY(thisObject != putPropertySlot.thisValue()))
+        return JSObject::put(thisObject, lexicalGlobalObject, propertyName, value, putPropertySlot);
     auto throwScope = DECLARE_THROW_SCOPE(lexicalGlobalObject->vm());
 

trunk/Source/WebCore/bindings/scripts/test/JS/JSTestNamedSetterWithLegacyUnforgeableProperties.h

@@ -65 +65 @@
     static void analyzeHeap(JSCell*, JSC::HeapAnalyzer&);
 public:
-    static constexpr unsigned StructureFlags = Base::StructureFlags | JSC::GetOwnPropertySlotIsImpureForPropertyAbsence | JSC::HasStaticPropertyTable | JSC::InterceptsGetOwnPropertySlotByIndexEvenWhenLengthIsNotZero | JSC::OverridesGetOwnPropertyNames | JSC::OverridesGetOwnPropertySlot | JSC::ProhibitsPropertyCaching;
+    static constexpr unsigned StructureFlags = Base::StructureFlags | JSC::GetOwnPropertySlotIsImpureForPropertyAbsence | JSC::HasStaticPropertyTable | JSC::InterceptsGetOwnPropertySlotByIndexEvenWhenLengthIsNotZero | JSC::OverridesGetOwnPropertyNames | JSC::OverridesGetOwnPropertySlot | JSC::OverridesPut | JSC::ProhibitsPropertyCaching;
 protected:
     JSTestNamedSetterWithLegacyUnforgeableProperties(JSC::Structure*, JSDOMGlobalObject&, Ref<TestNamedSetterWithLegacyUnforgeableProperties>&&);

trunk/Source/WebCore/bindings/scripts/test/JS/JSTestNamedSetterWithLegacyUnforgeablePropertiesAndLegacyOverrideBuiltIns.cpp

@@ -231 +231 @@
     ASSERT_GC_OBJECT_INHERITS(thisObject, info());
 
+    if (UNLIKELY(thisObject != putPropertySlot.thisValue()))
+        return JSObject::put(thisObject, lexicalGlobalObject, propertyName, value, putPropertySlot);
     auto throwScope = DECLARE_THROW_SCOPE(lexicalGlobalObject->vm());
 

trunk/Source/WebCore/bindings/scripts/test/JS/JSTestNamedSetterWithLegacyUnforgeablePropertiesAndLegacyOverrideBuiltIns.h

@@ -65 +65 @@
     static void analyzeHeap(JSCell*, JSC::HeapAnalyzer&);
 public:
-    static constexpr unsigned StructureFlags = Base::StructureFlags | JSC::GetOwnPropertySlotIsImpure | JSC::HasStaticPropertyTable | JSC::InterceptsGetOwnPropertySlotByIndexEvenWhenLengthIsNotZero | JSC::OverridesGetOwnPropertyNames | JSC::OverridesGetOwnPropertySlot | JSC::ProhibitsPropertyCaching;
+    static constexpr unsigned StructureFlags = Base::StructureFlags | JSC::GetOwnPropertySlotIsImpure | JSC::HasStaticPropertyTable | JSC::InterceptsGetOwnPropertySlotByIndexEvenWhenLengthIsNotZero | JSC::OverridesGetOwnPropertyNames | JSC::OverridesGetOwnPropertySlot | JSC::OverridesPut | JSC::ProhibitsPropertyCaching;
 protected:
     JSTestNamedSetterWithLegacyUnforgeablePropertiesAndLegacyOverrideBuiltIns(JSC::Structure*, JSDOMGlobalObject&, Ref<TestNamedSetterWithLegacyUnforgeablePropertiesAndLegacyOverrideBuiltIns>&&);

trunk/Source/WebCore/bindings/scripts/test/JS/JSTestPluginInterface.cpp

@@ -182 +182 @@
     ASSERT_GC_OBJECT_INHERITS(thisObject, info());
 
+    if (UNLIKELY(thisObject != putPropertySlot.thisValue()))
+        return JSObject::put(thisObject, lexicalGlobalObject, propertyName, value, putPropertySlot);
     auto throwScope = DECLARE_THROW_SCOPE(lexicalGlobalObject->vm());
 

trunk/Source/WebCore/bindings/scripts/test/JS/JSTestPluginInterface.h

@@ -68 +68 @@
     static void analyzeHeap(JSCell*, JSC::HeapAnalyzer&);
 public:
-    static constexpr unsigned StructureFlags = Base::StructureFlags | JSC::InterceptsGetOwnPropertySlotByIndexEvenWhenLengthIsNotZero | JSC::OverridesGetCallData | JSC::OverridesGetOwnPropertySlot | JSC::ProhibitsPropertyCaching;
+    static constexpr unsigned StructureFlags = Base::StructureFlags | JSC::InterceptsGetOwnPropertySlotByIndexEvenWhenLengthIsNotZero | JSC::OverridesGetCallData | JSC::OverridesGetOwnPropertySlot | JSC::OverridesPut | JSC::ProhibitsPropertyCaching;
 protected:
     JSTestPluginInterface(JSC::Structure*, JSDOMGlobalObject&, Ref<TestPluginInterface>&&);

trunk/Source/WebCore/bridge/objc/objc_runtime.h

@@ -92 +92 @@
 public:
     using Base = JSDestructibleObject;
-    static constexpr unsigned StructureFlags = Base::StructureFlags | OverridesGetOwnPropertySlot | OverridesGetCallData;
+    static constexpr unsigned StructureFlags = Base::StructureFlags | OverridesGetOwnPropertySlot | OverridesGetCallData | OverridesPut;
     static constexpr bool needsDestruction = true;
 

trunk/Source/WebCore/bridge/runtime_array.h

@@ -36 +36 @@
 public:
     using Base = JSArray;
-    static constexpr unsigned StructureFlags = Base::StructureFlags | OverridesGetOwnPropertySlot | OverridesGetOwnPropertyNames | InterceptsGetOwnPropertySlotByIndexEvenWhenLengthIsNotZero;
+    static constexpr unsigned StructureFlags = Base::StructureFlags | OverridesGetOwnPropertySlot | OverridesGetOwnPropertyNames | OverridesPut | InterceptsGetOwnPropertySlotByIndexEvenWhenLengthIsNotZero;
     static constexpr bool needsDestruction = true;
 

trunk/Source/WebCore/bridge/runtime_object.h

@@ -38 +38 @@
 public:
     using Base = JSNonFinalObject;
-    static constexpr unsigned StructureFlags = Base::StructureFlags | OverridesGetOwnPropertySlot | OverridesGetOwnPropertyNames | OverridesGetCallData | GetOwnPropertySlotMayBeWrongAboutDontEnum;
+    static constexpr unsigned StructureFlags = Base::StructureFlags | OverridesGetOwnPropertySlot | OverridesGetOwnPropertyNames | OverridesGetCallData | OverridesPut | GetOwnPropertySlotMayBeWrongAboutDontEnum;
     static constexpr bool needsDestruction = true;
 

trunk/Source/WebKit/ChangeLog

@@ +1 @@
+2021-06-07  Alexey Shvayka  <shvaikalesh@gmail.com>
+
+        Unreviewed, reland r276592 with a fix for put() override in prototype chain of a JSProxy
+        https://bugs.webkit.org/show_bug.cgi?id=226185
+
+        * WebProcess/Plugins/Netscape/JSNPObject.h:
+
 2021-06-07  Wenson Hsieh  <wenson_hsieh@apple.com>
 

trunk/Source/WebKit/WebProcess/Plugins/Netscape/JSNPObject.h

@@ -45 +45 @@
 public:
     using Base = JSC::JSDestructibleObject;
-    static constexpr unsigned StructureFlags = Base::StructureFlags | JSC::OverridesGetOwnPropertySlot | JSC::OverridesGetOwnPropertyNames | JSC::OverridesGetCallData | JSC::GetOwnPropertySlotMayBeWrongAboutDontEnum;
+    static constexpr unsigned StructureFlags = Base::StructureFlags | JSC::OverridesGetOwnPropertySlot | JSC::OverridesGetOwnPropertyNames | JSC::OverridesGetCallData | JSC::OverridesPut | JSC::GetOwnPropertySlotMayBeWrongAboutDontEnum;
 
     template<typename CellType, JSC::SubspaceAccess>