Changeset 107498 in webkit

Timestamp:

Feb 11, 2012 6:47:50 PM (12 years ago)

Author:

barraclough@apple.com

Message:

Move special proto property to Object.prototype
​https://bugs.webkit.org/show_bug.cgi?id=78409

Reviewed by Oliver Hunt.

Re-implement this as a regular accessor property. This has three key benefits:
1) It makes it possible for objects to be given properties named proto.
2) Object.prototype.proto can be deleted, preventing object prototypes from being changed.
3) This largely removes the magic used the implement proto, it can just be made a regular accessor property.

Source/JavaScriptCore:

• parser/Parser.cpp:

(JSC::::parseFunctionInfo):

• No need to prohibit functions named proto.

• runtime/JSGlobalObject.cpp:

(JSC::JSGlobalObject::reset):

• Add proto accessor to Object.prototype.

• runtime/JSGlobalObjectFunctions.cpp:

(JSC::globalFuncProtoGetter):
(JSC::globalFuncProtoSetter):

• Definition of the proto accessor functions.

• runtime/JSGlobalObjectFunctions.h:
  • Declaration of the proto accessor functions.
• runtime/JSObject.cpp:

(JSC::JSObject::put):

• Remove the special handling for proto, there is still a check to allow for a fast guard for accessors excluding proto.

(JSC::JSObject::putDirectAccessor):

• Track on the structure whether an object contains accessors other than one for proto.

(JSC::JSObject::defineOwnProperty):

• No need to prohibit definition of own properties named proto.

• runtime/JSObject.h:

(JSC::JSObject::inlineGetOwnPropertySlot):

• Remove the special handling for proto.

(JSC::JSValue::get):

• Remove the special handling for proto.

• runtime/JSString.cpp:

(JSC::JSString::getOwnPropertySlot):

• Remove the special handling for proto.

• runtime/JSValue.h:

(JSValue):

• Made synthesizePrototype public (this may be needed by the proto getter).

• runtime/ObjectConstructor.cpp:

(JSC::objectConstructorGetPrototypeOf):

• Perform the security check & call prototype() directly.

• runtime/Structure.cpp:

(JSC::Structure::Structure):

• Added 'ExcludingProto' variant of the 'hasGetterSetterProperties' state.

• runtime/Structure.h:

(JSC::Structure::hasGetterSetterPropertiesExcludingProto):
(JSC::Structure::setHasGetterSetterProperties):
(Structure):

• Added 'ExcludingProto' variant of the 'hasGetterSetterProperties' state.

Source/WebCore:

• bindings/js/JSDOMWindowBase.cpp:

(WebCore::JSDOMWindowBase::allowsAccessFrom):
(WebCore):

• expose allowsAccessFrom check to JSC.

• bindings/js/JSDOMWindowBase.h:

(JSDOMWindowBase):

• expose allowsAccessFrom check to JSC.

LayoutTests:

• fast/js/Object-getOwnPropertyNames-expected.txt:
• fast/js/cyclic-prototypes-expected.txt:
• fast/js/parser-syntax-check-expected.txt:
• fast/js/preventExtensions-expected.txt:
• fast/js/prototypes-expected.txt:
  • Update results
• fast/js/script-tests/Object-getOwnPropertyNames.js:
  • proto is now a property of Object Prototype.
• fast/js/script-tests/cyclic-prototypes.js:
  • setting an object's prototype to null removes proto setter, future usage won't set prototype.
• fast/js/script-tests/parser-syntax-check.js:
  • Allow functions named proto
• fast/js/script-tests/preventExtensions.js:
  • Setting proto should not throw.
• fast/js/script-tests/prototypes.js:
  • Objects may contained own properties named proto, add new test cases.

Location:

trunk

Files:

• LayoutTests/ChangeLog (modified) (1 diff)
• LayoutTests/fast/js/Object-getOwnPropertyNames-expected.txt (modified) (1 diff)
• LayoutTests/fast/js/cyclic-prototypes-expected.txt (modified) (1 diff)
• LayoutTests/fast/js/parser-syntax-check-expected.txt (modified) (1 diff)
• LayoutTests/fast/js/preventExtensions-expected.txt (modified) (1 diff)
• LayoutTests/fast/js/prototypes-expected.txt (modified) (1 diff)
• LayoutTests/fast/js/script-tests/Object-getOwnPropertyNames.js (modified) (1 diff)
• LayoutTests/fast/js/script-tests/cyclic-prototypes.js (modified) (1 diff)
• LayoutTests/fast/js/script-tests/parser-syntax-check.js (modified) (1 diff)
• LayoutTests/fast/js/script-tests/preventExtensions.js (modified) (1 diff)
• LayoutTests/fast/js/script-tests/prototypes.js (modified) (1 diff)
• Source/JavaScriptCore/ChangeLog (modified) (1 diff)
• Source/JavaScriptCore/parser/Parser.cpp (modified) (1 diff)
• Source/JavaScriptCore/runtime/ClassInfo.h (modified) (2 diffs)
• Source/JavaScriptCore/runtime/JSCell.cpp (modified) (1 diff)
• Source/JavaScriptCore/runtime/JSCell.h (modified) (1 diff)
• Source/JavaScriptCore/runtime/JSGlobalObject.cpp (modified) (1 diff)
• Source/JavaScriptCore/runtime/JSGlobalObjectFunctions.cpp (modified) (1 diff)
• Source/JavaScriptCore/runtime/JSGlobalObjectFunctions.h (modified) (1 diff)
• Source/JavaScriptCore/runtime/JSObject.cpp (modified) (4 diffs)
• Source/JavaScriptCore/runtime/JSObject.h (modified) (3 diffs)
• Source/JavaScriptCore/runtime/JSString.cpp (modified) (1 diff)
• Source/JavaScriptCore/runtime/JSValue.h (modified) (2 diffs)
• Source/JavaScriptCore/runtime/ObjectConstructor.cpp (modified) (1 diff)
• Source/JavaScriptCore/runtime/Structure.cpp (modified) (3 diffs)
• Source/JavaScriptCore/runtime/Structure.h (modified) (2 diffs)
• Source/WebCore/ChangeLog (modified) (1 diff)
• Source/WebCore/bindings/js/JSDOMWindowBase.cpp (modified) (1 diff)
• Source/WebCore/bindings/js/JSDOMWindowBase.h (modified) (1 diff)

trunk/LayoutTests/ChangeLog

@@ +1 @@
+2012-02-10  Gavin Barraclough  <barraclough@apple.com>
+
+        Move special __proto__ property to Object.prototype
+        https://bugs.webkit.org/show_bug.cgi?id=78409
+
+        Reviewed by Oliver Hunt.
+
+        Re-implement this as a regular accessor property.  This has three key benefits:
+        1) It makes it possible for objects to be given properties named __proto__.
+        2) Object.prototype.__proto__ can be deleted, preventing object prototypes from being changed.
+        3) This largely removes the magic used the implement __proto__, it can just be made a regular accessor property.
+
+        * fast/js/Object-getOwnPropertyNames-expected.txt:
+        * fast/js/cyclic-prototypes-expected.txt:
+        * fast/js/parser-syntax-check-expected.txt:
+        * fast/js/preventExtensions-expected.txt:
+        * fast/js/prototypes-expected.txt:
+            - Update results
+        * fast/js/script-tests/Object-getOwnPropertyNames.js:
+            - __proto__ is now a property of Object Prototype.
+        * fast/js/script-tests/cyclic-prototypes.js:
+            - setting an object's prototype to null removes __proto__ setter, future usage won't set prototype.
+        * fast/js/script-tests/parser-syntax-check.js:
+            - Allow functions named __proto__
+        * fast/js/script-tests/preventExtensions.js:
+            - Setting __proto__ should not throw.
+        * fast/js/script-tests/prototypes.js:
+            - Objects may contained own properties named __proto__, add new test cases.
+
 2012-02-11  Filip Pizlo  <fpizlo@apple.com>
 

trunk/LayoutTests/fast/js/Object-getOwnPropertyNames-expected.txt

@@ -42 +42 @@
 PASS getSortedOwnPropertyNames(encodeURIComponent) is ['length', 'name']
 PASS getSortedOwnPropertyNames(Object) is ['create', 'defineProperties', 'defineProperty', 'freeze', 'getOwnPropertyDescriptor', 'getOwnPropertyNames', 'getPrototypeOf', 'isExtensible', 'isFrozen', 'isSealed', 'keys', 'length', 'name', 'preventExtensions', 'prototype', 'seal']
-PASS getSortedOwnPropertyNames(Object.prototype) is ['__defineGetter__', '__defineSetter__', '__lookupGetter__', '__lookupSetter__', 'constructor', 'hasOwnProperty', 'isPrototypeOf', 'propertyIsEnumerable', 'toLocaleString', 'toString', 'valueOf']
+PASS getSortedOwnPropertyNames(Object.prototype) is ['__defineGetter__', '__defineSetter__', '__lookupGetter__', '__lookupSetter__', '__proto__', 'constructor', 'hasOwnProperty', 'isPrototypeOf', 'propertyIsEnumerable', 'toLocaleString', 'toString', 'valueOf']
 PASS getSortedOwnPropertyNames(Function) is ['length', 'name', 'prototype']
 PASS getSortedOwnPropertyNames(Function.prototype) is ['apply', 'bind', 'call', 'constructor', 'length', 'name', 'toString']

trunk/LayoutTests/fast/js/cyclic-prototypes-expected.txt

@@ -4 +4 @@
 
 
-PASS o1.__proto__ = o3 threw exception Error: cyclic __proto__ value.
+PASS o1.__proto__ = o3; threw exception Error: cyclic __proto__ value.
+PASS ({}).hasOwnProperty.call(o1, '__proto__') is false
+PASS ({}).hasOwnProperty.call(o1, '__proto__') is true
+PASS Object.getPrototypeOf(o1) is null
 PASS successfullyParsed is true
 

trunk/LayoutTests/fast/js/parser-syntax-check-expected.txt

@@ -542 +542 @@
 PASS Invalid: "for(var a,b '"
 PASS Invalid: "function f() { for(var a,b ' }"
-PASS Invalid: "function __proto__(){}"
-PASS Invalid: "function f() { function __proto__(){} }"
-PASS Invalid: "(function __proto__(){})"
-PASS Invalid: "function f() { (function __proto__(){}) }"
-PASS Invalid: "'use strict'; function __proto__(){}"
-PASS Invalid: "function f() { 'use strict'; function __proto__(){} }"
-PASS Invalid: "'use strict'; (function __proto__(){})"
-PASS Invalid: "function f() { 'use strict'; (function __proto__(){}) }"
+PASS Valid:   "function __proto__(){}"
+PASS Valid:   "function f() { function __proto__(){} }"
+PASS Valid:   "(function __proto__(){})"
+PASS Valid:   "function f() { (function __proto__(){}) }"
+PASS Valid:   "'use strict'; function __proto__(){}"
+PASS Valid:   "function f() { 'use strict'; function __proto__(){} }"
+PASS Valid:   "'use strict'; (function __proto__(){})"
+PASS Valid:   "function f() { 'use strict'; (function __proto__(){}) }"
 PASS Valid:   "if (0) $foo; "
 PASS Valid:   "function f() { if (0) $foo;  }"

trunk/LayoutTests/fast/js/preventExtensions-expected.txt

@@ -13 +13 @@
 PASS Object.preventExtensions(Math.sin) is Math.sin
 PASS var o = {}; Object.preventExtensions(o); o.__proto__ = { newProp: "Should not see this" }; o.newProp; is undefined.
-PASS "use strict"; var o = {}; Object.preventExtensions(o); o.__proto__ = { newProp: "Should not see this" }; threw exception TypeError: Attempted to assign to readonly property..
+PASS "use strict"; var o = {}; Object.preventExtensions(o); o.__proto__ = { newProp: "Should not see this" }; o.newProp; is undefined.
 PASS Object.preventExtensions(Math); Math.sqrt(4) is 2
 PASS successfullyParsed is true

trunk/LayoutTests/fast/js/prototypes-expected.txt

@@ -54 +54 @@
 PASS Object.__proto__.isPrototypeOf(Number) is true
 PASS Object.__proto__.isPrototypeOf(String) is true
-PASS var wasSet = false; var o = { }; o.__defineGetter__("__proto__", function() { wasSet = true }); o.__proto__; wasSet; is false
-PASS var wasSet = false; var o = { }; o.__defineSetter__("__proto__", function() { wasSet = true }); o.__proto__ = {}; wasSet; is false
-PASS var wasSet = false; var o = { }; Object.defineProperty(o, "__proto__", { "get": function() { wasSet = true } }); o.__proto__; wasSet; is false
+PASS var wasSet = false; var o = { }; o.__defineGetter__("__proto__", function() { wasSet = true }); o.__proto__; wasSet; is true
+PASS var wasSet = false; var o = { }; o.__defineSetter__("__proto__", function() { wasSet = true }); o.__proto__ = {}; wasSet; is true
+PASS var wasSet = false; var o = { }; Object.defineProperty(o, "__proto__", { "get": function() { wasSet = true } }); o.__proto__; wasSet; is true
 PASS var wasSet = false; var o = { }; Object.defineProperty(o, "__proto__", { "__proto__": function(x) { wasSet = true } }); o.__proto__ = {}; wasSet; is false
+PASS var o = {}; o.__proto__ = { x:true }; o.x is true
+PASS var o = {}; o.__proto__ = { x:true }; o.hasOwnProperty('__proto__') is false
+PASS var o = {}; o.__proto__ = { x:true }; o.x is undefined.
+PASS var o = {}; o.__proto__ = { x:true }; o.hasOwnProperty('__proto__') is true
 PASS successfullyParsed is true
 

trunk/LayoutTests/fast/js/script-tests/Object-getOwnPropertyNames.js

@@ -50 +50 @@
 // Built-in ECMA objects
     "Object": "['create', 'defineProperties', 'defineProperty', 'freeze', 'getOwnPropertyDescriptor', 'getOwnPropertyNames', 'getPrototypeOf', 'isExtensible', 'isFrozen', 'isSealed', 'keys', 'length', 'name', 'preventExtensions', 'prototype', 'seal']",
-    "Object.prototype": "['__defineGetter__', '__defineSetter__', '__lookupGetter__', '__lookupSetter__', 'constructor', 'hasOwnProperty', 'isPrototypeOf', 'propertyIsEnumerable', 'toLocaleString', 'toString', 'valueOf']",
+    "Object.prototype": "['__defineGetter__', '__defineSetter__', '__lookupGetter__', '__lookupSetter__', '__proto__', 'constructor', 'hasOwnProperty', 'isPrototypeOf', 'propertyIsEnumerable', 'toLocaleString', 'toString', 'valueOf']",
     "Function": "['length', 'name', 'prototype']",
     "Function.prototype": "['apply', 'bind', 'call', 'constructor', 'length', 'name', 'toString']",

trunk/LayoutTests/fast/js/script-tests/cyclic-prototypes.js

@@ -7 +7 @@
 o3.__proto__ = o2;
 
-o1.__proto__ = null;  // just for sanity's sake
+// Try to create a cyclical prototype chain.
+shouldThrow("o1.__proto__ = o3;");
 
-shouldThrow("o1.__proto__ = o3");
+// This changes behaviour, since __proto__ is an accessor on Object.prototype.
+o1.__proto__ = null;
+
+shouldBeFalse("({}).hasOwnProperty.call(o1, '__proto__')");
+o1.__proto__ = o3;
+shouldBeTrue("({}).hasOwnProperty.call(o1, '__proto__')");
+shouldBe("Object.getPrototypeOf(o1)", "null");

trunk/LayoutTests/fast/js/script-tests/parser-syntax-check.js

@@ -348 +348 @@
 invalid("for(var a,b '");
 
-invalid("function __proto__(){}")
-invalid("(function __proto__(){})")
-invalid("'use strict'; function __proto__(){}")
-invalid("'use strict'; (function __proto__(){})")
+valid("function __proto__(){}")
+valid("(function __proto__(){})")
+valid("'use strict'; function __proto__(){}")
+valid("'use strict'; (function __proto__(){})")
 
 valid("if (0) $foo; ")

trunk/LayoutTests/fast/js/script-tests/preventExtensions.js

@@ -70 +70 @@
 
 shouldBeUndefined('var o = {}; Object.preventExtensions(o); o.__proto__ = { newProp: "Should not see this" }; o.newProp;');
-shouldThrow('"use strict"; var o = {}; Object.preventExtensions(o); o.__proto__ = { newProp: "Should not see this" };');
+shouldBeUndefined('"use strict"; var o = {}; Object.preventExtensions(o); o.__proto__ = { newProp: "Should not see this" }; o.newProp;');
 
 // check that we can still access static properties on an object after calling preventExtensions.

trunk/LayoutTests/fast/js/script-tests/prototypes.js

@@ -56 +56 @@
 shouldBeTrue("Object.__proto__.isPrototypeOf(String)");
 
-shouldBeFalse("var wasSet = false; var o = { }; o.__defineGetter__(\"__proto__\", function() { wasSet = true }); o.__proto__; wasSet;");
-shouldBeFalse("var wasSet = false; var o = { }; o.__defineSetter__(\"__proto__\", function() { wasSet = true }); o.__proto__ = {}; wasSet;");
-shouldBeFalse("var wasSet = false; var o = { }; Object.defineProperty(o, \"__proto__\", { \"get\": function() { wasSet = true } }); o.__proto__; wasSet;");
+shouldBeTrue("var wasSet = false; var o = { }; o.__defineGetter__(\"__proto__\", function() { wasSet = true }); o.__proto__; wasSet;");
+shouldBeTrue("var wasSet = false; var o = { }; o.__defineSetter__(\"__proto__\", function() { wasSet = true }); o.__proto__ = {}; wasSet;");
+shouldBeTrue("var wasSet = false; var o = { }; Object.defineProperty(o, \"__proto__\", { \"get\": function() { wasSet = true } }); o.__proto__; wasSet;");
 shouldBeFalse("var wasSet = false; var o = { }; Object.defineProperty(o, \"__proto__\", { \"__proto__\": function(x) { wasSet = true } }); o.__proto__ = {}; wasSet;");
+
+// Deleting Object.prototype.__proto__ removes the ability to set the object's prototype.
+shouldBeTrue("var o = {}; o.__proto__ = { x:true }; o.x");
+shouldBeFalse("var o = {}; o.__proto__ = { x:true }; o.hasOwnProperty('__proto__')");
+delete Object.prototype.__proto__;
+shouldBeUndefined("var o = {}; o.__proto__ = { x:true }; o.x");
+shouldBeTrue("var o = {}; o.__proto__ = { x:true }; o.hasOwnProperty('__proto__')");

trunk/Source/JavaScriptCore/ChangeLog

@@ +1 @@
+2012-02-11  Gavin Barraclough  <barraclough@apple.com>
+
+        Move special __proto__ property to Object.prototype
+        https://bugs.webkit.org/show_bug.cgi?id=78409
+
+        Reviewed by Oliver Hunt.
+
+        Re-implement this as a regular accessor property.  This has three key benefits:
+        1) It makes it possible for objects to be given properties named __proto__.
+        2) Object.prototype.__proto__ can be deleted, preventing object prototypes from being changed.
+        3) This largely removes the magic used the implement __proto__, it can just be made a regular accessor property.
+
+        * parser/Parser.cpp:
+        (JSC::::parseFunctionInfo):
+            - No need to prohibit functions named __proto__.
+        * runtime/JSGlobalObject.cpp:
+        (JSC::JSGlobalObject::reset):
+            - Add __proto__ accessor to Object.prototype.
+        * runtime/JSGlobalObjectFunctions.cpp:
+        (JSC::globalFuncProtoGetter):
+        (JSC::globalFuncProtoSetter):
+            - Definition of the __proto__ accessor functions.
+        * runtime/JSGlobalObjectFunctions.h:
+            - Declaration of the __proto__ accessor functions.
+        * runtime/JSObject.cpp:
+        (JSC::JSObject::put):
+            - Remove the special handling for __proto__, there is still a check to allow for a fast guard for accessors excluding __proto__.
+        (JSC::JSObject::putDirectAccessor):
+            - Track on the structure whether an object contains accessors other than one for __proto__.
+        (JSC::JSObject::defineOwnProperty):
+            - No need to prohibit definition of own properties named __proto__.
+        * runtime/JSObject.h:
+        (JSC::JSObject::inlineGetOwnPropertySlot):
+            - Remove the special handling for __proto__.
+        (JSC::JSValue::get):
+            - Remove the special handling for __proto__.
+        * runtime/JSString.cpp:
+        (JSC::JSString::getOwnPropertySlot):
+            - Remove the special handling for __proto__.
+        * runtime/JSValue.h:
+        (JSValue):
+            - Made synthesizePrototype public (this may be needed by the __proto__ getter).
+        * runtime/ObjectConstructor.cpp:
+        (JSC::objectConstructorGetPrototypeOf):
+            - Perform the security check & call prototype() directly.
+        * runtime/Structure.cpp:
+        (JSC::Structure::Structure):
+            - Added 'ExcludingProto' variant of the 'hasGetterSetterProperties' state.
+        * runtime/Structure.h:
+        (JSC::Structure::hasGetterSetterPropertiesExcludingProto):
+        (JSC::Structure::setHasGetterSetterProperties):
+        (Structure):
+            - Added 'ExcludingProto' variant of the 'hasGetterSetterProperties' state.
+
 2012-02-11  Filip Pizlo  <fpizlo@apple.com>
 

trunk/Source/JavaScriptCore/parser/Parser.cpp

@@ -775 +775 @@
     if (match(IDENT)) {
         name = m_token.m_data.ident;
-        failIfTrueWithMessage(*name == m_globalData->propertyNames->underscoreProto, "Cannot name a function __proto__");
         next();
         if (!nameIsInContainingScope)

trunk/Source/JavaScriptCore/runtime/ClassInfo.h

@@ -90 +90 @@
         typedef bool (*GetOwnPropertyDescriptorFunctionPtr)(JSObject*, ExecState*, const Identifier&, PropertyDescriptor&);
         GetOwnPropertyDescriptorFunctionPtr getOwnPropertyDescriptor;
+
+        typedef bool (*AllowsAccessFromFunctionPtr)(JSObject*, ExecState*);
+        AllowsAccessFromFunctionPtr allowsAccessFrom;
     };
 
@@ -131 +134 @@
         &ClassName::defineOwnProperty, \
         &ClassName::getOwnPropertyDescriptor, \
+        &ClassName::allowsAccessFrom, \
     }, \
     sizeof(ClassName), \

trunk/Source/JavaScriptCore/runtime/JSCell.cpp

@@ -192 +192 @@
 }
 
+bool JSCell::allowsAccessFrom(JSObject*, ExecState*)
+{
+    ASSERT_NOT_REACHED();
+    return false;
+}
+
 bool JSCell::defineOwnProperty(JSObject*, ExecState*, const Identifier&, PropertyDescriptor&, bool)
 {

trunk/Source/JavaScriptCore/runtime/JSCell.h

@@ -162 +162 @@
         static bool defineOwnProperty(JSObject*, ExecState*, const Identifier& propertyName, PropertyDescriptor&, bool shouldThrow);
         static bool getOwnPropertyDescriptor(JSObject*, ExecState*, const Identifier&, PropertyDescriptor&);
+        static bool allowsAccessFrom(JSObject*, ExecState*);
 
     private:

trunk/Source/JavaScriptCore/runtime/JSGlobalObject.cpp

@@ -206 +206 @@
     m_applyFunction.set(exec->globalData(), this, applyFunction);
     m_objectPrototype.set(exec->globalData(), this, ObjectPrototype::create(exec, this, ObjectPrototype::createStructure(exec->globalData(), this, jsNull())));
+    GetterSetter* protoAccessor = GetterSetter::create(exec);
+    protoAccessor->setGetter(exec->globalData(), JSFunction::create(exec, this, 0, Identifier(), globalFuncProtoGetter));
+    protoAccessor->setSetter(exec->globalData(), JSFunction::create(exec, this, 0, Identifier(), globalFuncProtoSetter));
+    m_objectPrototype->putDirectAccessor(exec->globalData(), exec->propertyNames().underscoreProto, protoAccessor, Accessor | DontEnum);
     m_functionPrototype->structure()->setPrototypeWithoutTransition(exec->globalData(), m_objectPrototype.get());
 

trunk/Source/JavaScriptCore/runtime/JSGlobalObjectFunctions.cpp

@@ -715 +715 @@
 }
 
+EncodedJSValue JSC_HOST_CALL globalFuncProtoGetter(ExecState* exec)
+{
+    if (!exec->thisValue().isObject())
+        return JSValue::encode(exec->thisValue().synthesizePrototype(exec));
+
+    JSObject* thisObject = asObject(exec->thisValue());
+    if (!thisObject->methodTable()->allowsAccessFrom(thisObject, exec))
+        return JSValue::encode(jsUndefined());
+
+    return JSValue::encode(thisObject->prototype());
+}
+
+EncodedJSValue JSC_HOST_CALL globalFuncProtoSetter(ExecState* exec)
+{
+    JSValue value = exec->argument(0);
+
+    // Setting __proto__ of a primitive should have no effect.
+    if (!exec->thisValue().isObject())
+        return JSValue::encode(jsUndefined());
+
+    JSObject* thisObject = asObject(exec->thisValue());
+    if (!thisObject->methodTable()->allowsAccessFrom(thisObject, exec))
+        return JSValue::encode(jsUndefined());
+
+    // Setting __proto__ to a non-object, non-null value is silently ignored to match Mozilla.
+    if (!value.isObject() && !value.isNull())
+        return JSValue::encode(jsUndefined());
+
+    if (!thisObject->isExtensible())
+        return JSValue::encode(jsUndefined());
+
+    if (!thisObject->setPrototypeWithCycleCheck(exec->globalData(), value))
+        throwError(exec, createError(exec, "cyclic __proto__ value"));
+
+    return JSValue::encode(jsUndefined());
+}
+
 } // namespace JSC

trunk/Source/JavaScriptCore/runtime/JSGlobalObjectFunctions.h

@@ -49 +49 @@
     EncodedJSValue JSC_HOST_CALL globalFuncUnescape(ExecState*);
     EncodedJSValue JSC_HOST_CALL globalFuncThrowTypeError(ExecState*);
+    EncodedJSValue JSC_HOST_CALL globalFuncProtoGetter(ExecState*);
+    EncodedJSValue JSC_HOST_CALL globalFuncProtoSetter(ExecState*);
 
     static const double mantissaOverflowLowerBound = 9007199254740992.0;

trunk/Source/JavaScriptCore/runtime/JSObject.cpp

@@ -133 +133 @@
     JSGlobalData& globalData = exec->globalData();
 
-    if (propertyName == exec->propertyNames().underscoreProto) {
-        // Setting __proto__ to a non-object, non-null value is silently ignored to match Mozilla.
-        if (!value.isObject() && !value.isNull())
-            return;
-
-        if (!thisObject->isExtensible()) {
-            if (slot.isStrictMode())
-                throwTypeError(exec, StrictModeReadonlyPropertyWriteError);
-            return;
-        }
-            
-        if (!thisObject->setPrototypeWithCycleCheck(globalData, value))
-            throwError(exec, createError(exec, "cyclic __proto__ value"));
-        return;
-    }
-
     // Check if there are any setters or getters in the prototype chain
     JSValue prototype;
-    for (JSObject* obj = thisObject; !obj->structure()->hasGetterSetterProperties(); obj = asObject(prototype)) {
-        prototype = obj->prototype();
-        if (prototype.isNull()) {
-            if (!thisObject->putDirectInternal<PutModePut>(globalData, propertyName, value, 0, slot, getJSFunction(value)) && slot.isStrictMode())
-                throwTypeError(exec, StrictModeReadonlyPropertyWriteError);
-            return;
-        }
-    }
-    
+    if (propertyName != exec->propertyNames().underscoreProto) {
+        for (JSObject* obj = thisObject; !obj->structure()->hasGetterSetterPropertiesExcludingProto(); obj = asObject(prototype)) {
+            prototype = obj->prototype();
+            if (prototype.isNull()) {
+                if (!thisObject->putDirectInternal<PutModePut>(globalData, propertyName, value, 0, slot, getJSFunction(value)) && slot.isStrictMode())
+                    throwTypeError(exec, StrictModeReadonlyPropertyWriteError);
+                return;
+            }
+        }
+    }
+
     unsigned attributes;
     JSCell* specificValue;
@@ -216 +202 @@
 }
 
+bool JSObject::allowsAccessFrom(JSObject*, ExecState*)
+{
+    return true;
+}
+
 void JSObject::putDirectAccessor(JSGlobalData& globalData, const Identifier& propertyName, JSValue value, unsigned attributes)
 {
     ASSERT(value.isGetterSetter() && (attributes & Accessor));
-    ASSERT(propertyName != globalData.propertyNames->underscoreProto);
 
     PutPropertySlot slot;
@@ -230 +220 @@
         setStructure(globalData, Structure::attributeChangeTransition(globalData, structure(), propertyName, attributes));
 
-    structure()->setHasGetterSetterProperties(true);
+    structure()->setHasGetterSetterProperties(propertyName == globalData.propertyNames->underscoreProto);
 }
 
@@ -630 +620 @@
 bool JSObject::defineOwnProperty(JSObject* object, ExecState* exec, const Identifier& propertyName, PropertyDescriptor& descriptor, bool throwException)
 {
-    // __proto__ is magic; we don't currently support setting it as a regular property.
-    // Silent filter out calls to set __proto__ at an early stage; pretend all is okay.
-    if (propertyName == exec->propertyNames().underscoreProto)
-        return true;
-
     // If we have a new property we can just put it on normally
     PropertyDescriptor current;

trunk/Source/JavaScriptCore/runtime/JSObject.h

@@ -105 +105 @@
         JS_EXPORT_PRIVATE static bool getOwnPropertySlotByIndex(JSCell*, ExecState*, unsigned propertyName, PropertySlot&);
         JS_EXPORT_PRIVATE static bool getOwnPropertyDescriptor(JSObject*, ExecState*, const Identifier&, PropertyDescriptor&);
+        JS_EXPORT_PRIVATE static bool allowsAccessFrom(JSObject*, ExecState*);
 
         JS_EXPORT_PRIVATE static void put(JSCell*, ExecState*, const Identifier& propertyName, JSValue, PutPropertySlot&);
@@ -548 +549 @@
         else
             slot.setValue(this, location->get(), offsetForLocation(location));
-        return true;
-    }
-
-    // non-standard Netscape extension
-    if (propertyName == exec->propertyNames().underscoreProto) {
-        slot.setValue(prototype());
         return true;
     }
@@ -804 +799 @@
     if (UNLIKELY(!isCell())) {
         JSObject* prototype = synthesizePrototype(exec);
-        if (propertyName == exec->propertyNames().underscoreProto)
-            return prototype;
         if (!prototype->getPropertySlot(exec, propertyName, slot))
             return jsUndefined();

trunk/Source/JavaScriptCore/runtime/JSString.cpp

@@ -254 +254 @@
     if (thisObject->getStringPropertySlot(exec, propertyName, slot))
         return true;
-    if (propertyName == exec->propertyNames().underscoreProto) {
-        slot.setValue(exec->lexicalGlobalObject()->stringPrototype());
-        return true;
-    }
     slot.setBase(thisObject);
     JSObject* object;

trunk/Source/JavaScriptCore/runtime/JSValue.h

@@ -235 +235 @@
         char* description();
 
+        JS_EXPORT_PRIVATE JSObject* synthesizePrototype(ExecState*) const;
+
     private:
         template <class T> JSValue(WriteBarrierBase<T>);
@@ -247 +249 @@
         JS_EXPORT_PRIVATE JSObject* toThisObjectSlowCase(ExecState*) const;
 
-        JS_EXPORT_PRIVATE JSObject* synthesizePrototype(ExecState*) const;
         JSObject* synthesizeObject(ExecState*) const;
 

trunk/Source/JavaScriptCore/runtime/ObjectConstructor.cpp

@@ -139 +139 @@
     if (!exec->argument(0).isObject())
         return throwVMError(exec, createTypeError(exec, "Requested prototype of a value that is not an object."));
-        
-    // This uses JSValue::get() instead of directly accessing the prototype from the object
-    // (using JSObject::prototype()) in order to allow objects to override the behavior, such
-    // as returning jsUndefined() for cross-origin access.
-    return JSValue::encode(exec->argument(0).get(exec, exec->propertyNames().underscoreProto));
+    JSObject* object = asObject(exec->argument(0));
+
+    if (!object->methodTable()->allowsAccessFrom(object, exec))
+        return JSValue::encode(jsUndefined());
+
+    return JSValue::encode(object->prototype());
 }
 

trunk/Source/JavaScriptCore/runtime/Structure.cpp

@@ -168 +168 @@
     , m_isPinnedPropertyTable(false)
     , m_hasGetterSetterProperties(false)
+    , m_hasGetterSetterPropertiesExcludingProto(false)
     , m_hasNonEnumerableProperties(false)
     , m_attributesInPrevious(0)
@@ -189 +190 @@
     , m_isPinnedPropertyTable(false)
     , m_hasGetterSetterProperties(false)
+    , m_hasGetterSetterPropertiesExcludingProto(false)
     , m_hasNonEnumerableProperties(false)
     , m_attributesInPrevious(0)
@@ -208 +210 @@
     , m_isPinnedPropertyTable(false)
     , m_hasGetterSetterProperties(previous->m_hasGetterSetterProperties)
+    , m_hasGetterSetterPropertiesExcludingProto(previous->m_hasGetterSetterPropertiesExcludingProto)
     , m_hasNonEnumerableProperties(previous->m_hasNonEnumerableProperties)
     , m_attributesInPrevious(0)

trunk/Source/JavaScriptCore/runtime/Structure.h

@@ -146 +146 @@
 
         bool hasGetterSetterProperties() const { return m_hasGetterSetterProperties; }
-        void setHasGetterSetterProperties(bool hasGetterSetterProperties) { m_hasGetterSetterProperties = hasGetterSetterProperties; }
+        bool hasGetterSetterPropertiesExcludingProto() const { return m_hasGetterSetterPropertiesExcludingProto; }
+        void setHasGetterSetterProperties(bool isProto)
+        {
+            m_hasGetterSetterProperties = true;
+            if (!isProto)
+                m_hasGetterSetterPropertiesExcludingProto = true;
+        }
 
         bool hasNonEnumerableProperties() const { return m_hasNonEnumerableProperties; }
@@ -283 +289 @@
         bool m_isPinnedPropertyTable : 1;
         bool m_hasGetterSetterProperties : 1;
+        bool m_hasGetterSetterPropertiesExcludingProto : 1;
         bool m_hasNonEnumerableProperties : 1;
         unsigned m_attributesInPrevious : 7;

trunk/Source/WebCore/ChangeLog

@@ +1 @@
+2012-02-11  Gavin Barraclough  <barraclough@apple.com>
+
+        Move special __proto__ property to Object.prototype
+        https://bugs.webkit.org/show_bug.cgi?id=78409
+
+        Reviewed by Oliver Hunt.
+
+        Re-implement this as a regular accessor property.  This has three key benefits:
+        1) It makes it possible for objects to be given properties named __proto__.
+        2) Object.prototype.__proto__ can be deleted, preventing object prototypes from being changed.
+        3) This largely removes the magic used the implement __proto__, it can just be made a regular accessor property.
+
+        * bindings/js/JSDOMWindowBase.cpp:
+        (WebCore::JSDOMWindowBase::allowsAccessFrom):
+        (WebCore):
+            - expose allowsAccessFrom check to JSC.
+        * bindings/js/JSDOMWindowBase.h:
+        (JSDOMWindowBase):
+            - expose allowsAccessFrom check to JSC.
+
 2012-02-11  Benjamin Poulain  <benjamin@webkit.org>
 

trunk/Source/WebCore/bindings/js/JSDOMWindowBase.cpp

@@ -93 +93 @@
 }
 
+bool JSDOMWindowBase::allowsAccessFrom(JSObject* thisObject, ExecState* exec)
+{
+    return static_cast<JSDOMWindowBase*>(thisObject)->allowsAccessFrom(exec);
+}
+
 bool JSDOMWindowBase::supportsProfiling(const JSGlobalObject* object)
 {

trunk/Source/WebCore/bindings/js/JSDOMWindowBase.h

@@ -64 +64 @@
         static bool supportsRichSourceInfo(const JSC::JSGlobalObject*);
         static bool shouldInterruptScript(const JSC::JSGlobalObject*);
-
+        static bool allowsAccessFrom(JSC::JSObject*, JSC::ExecState*);
+        
         bool allowsAccessFrom(JSC::ExecState*) const;
         bool allowsAccessFromNoErrorMessage(JSC::ExecState*) const;