Changeset 107544 in webkit

Timestamp:

Feb 13, 2012 1:28:44 AM (12 years ago)

Author:

barraclough@apple.com

Message:

​https://bugs.webkit.org/show_bug.cgi?id=78434
Unreviewed - temporarily reverting r107498 will I fix a couple of testcases.

Source/JavaScriptCore:

• parser/Parser.cpp:

(JSC::::parseFunctionInfo):

• runtime/ClassInfo.h:

(MethodTable):
(JSC):

• runtime/JSCell.cpp:

(JSC):

• runtime/JSCell.h:

(JSCell):

• runtime/JSGlobalObject.cpp:

(JSC::JSGlobalObject::reset):

• runtime/JSGlobalObjectFunctions.cpp:

(JSC):

• runtime/JSGlobalObjectFunctions.h:

(JSC):

• runtime/JSObject.cpp:

(JSC::JSObject::put):
(JSC):
(JSC::JSObject::putDirectAccessor):
(JSC::JSObject::defineOwnProperty):

• runtime/JSObject.h:

(JSC::JSObject::inlineGetOwnPropertySlot):
(JSC::JSValue::get):

• runtime/JSString.cpp:

(JSC::JSString::getOwnPropertySlot):

• runtime/JSValue.h:

(JSValue):

• runtime/ObjectConstructor.cpp:

(JSC::objectConstructorGetPrototypeOf):

• runtime/Structure.cpp:

(JSC::Structure::Structure):

• runtime/Structure.h:

(JSC::Structure::setHasGetterSetterProperties):
(Structure):

Source/WebCore:

• bindings/js/JSDOMWindowBase.cpp:

(WebCore):

• bindings/js/JSDOMWindowBase.h:

(JSDOMWindowBase):

LayoutTests:

• fast/js/Object-getOwnPropertyNames-expected.txt:
• fast/js/cyclic-prototypes-expected.txt:
• fast/js/parser-syntax-check-expected.txt:
• fast/js/preventExtensions-expected.txt:
• fast/js/prototypes-expected.txt:
• fast/js/script-tests/Object-getOwnPropertyNames.js:
• fast/js/script-tests/cyclic-prototypes.js:
• fast/js/script-tests/parser-syntax-check.js:
• fast/js/script-tests/preventExtensions.js:
• fast/js/script-tests/prototypes.js:

Location:

trunk

Files:

• LayoutTests/ChangeLog (modified) (1 diff)
• LayoutTests/fast/js/Object-getOwnPropertyNames-expected.txt (modified) (1 diff)
• LayoutTests/fast/js/cyclic-prototypes-expected.txt (modified) (1 diff)
• LayoutTests/fast/js/parser-syntax-check-expected.txt (modified) (1 diff)
• LayoutTests/fast/js/preventExtensions-expected.txt (modified) (1 diff)
• LayoutTests/fast/js/prototypes-expected.txt (modified) (1 diff)
• LayoutTests/fast/js/script-tests/Object-getOwnPropertyNames.js (modified) (1 diff)
• LayoutTests/fast/js/script-tests/cyclic-prototypes.js (modified) (1 diff)
• LayoutTests/fast/js/script-tests/parser-syntax-check.js (modified) (1 diff)
• LayoutTests/fast/js/script-tests/preventExtensions.js (modified) (1 diff)
• LayoutTests/fast/js/script-tests/prototypes.js (modified) (1 diff)
• Source/JavaScriptCore/ChangeLog (modified) (1 diff)
• Source/JavaScriptCore/parser/Parser.cpp (modified) (1 diff)
• Source/JavaScriptCore/runtime/ClassInfo.h (modified) (2 diffs)
• Source/JavaScriptCore/runtime/JSCell.cpp (modified) (3 diffs)
• Source/JavaScriptCore/runtime/JSCell.h (modified) (1 diff)
• Source/JavaScriptCore/runtime/JSGlobalObject.cpp (modified) (1 diff)
• Source/JavaScriptCore/runtime/JSGlobalObjectFunctions.cpp (modified) (1 diff)
• Source/JavaScriptCore/runtime/JSGlobalObjectFunctions.h (modified) (1 diff)
• Source/JavaScriptCore/runtime/JSObject.cpp (modified) (4 diffs)
• Source/JavaScriptCore/runtime/JSObject.h (modified) (3 diffs)
• Source/JavaScriptCore/runtime/JSString.cpp (modified) (1 diff)
• Source/JavaScriptCore/runtime/JSValue.h (modified) (2 diffs)
• Source/JavaScriptCore/runtime/ObjectConstructor.cpp (modified) (1 diff)
• Source/JavaScriptCore/runtime/Structure.cpp (modified) (3 diffs)
• Source/JavaScriptCore/runtime/Structure.h (modified) (2 diffs)
• Source/WebCore/ChangeLog (modified) (1 diff)
• Source/WebCore/bindings/js/JSDOMWindowBase.cpp (modified) (1 diff)
• Source/WebCore/bindings/js/JSDOMWindowBase.h (modified) (1 diff)

trunk/LayoutTests/ChangeLog

@@ +1 @@
+2012-02-13  Gavin Barraclough  <barraclough@apple.com>
+
+        https://bugs.webkit.org/show_bug.cgi?id=78434
+        Unreviewed - temporarily reverting r107498 will I fix a couple of testcases.
+
+        * fast/js/Object-getOwnPropertyNames-expected.txt:
+        * fast/js/cyclic-prototypes-expected.txt:
+        * fast/js/parser-syntax-check-expected.txt:
+        * fast/js/preventExtensions-expected.txt:
+        * fast/js/prototypes-expected.txt:
+        * fast/js/script-tests/Object-getOwnPropertyNames.js:
+        * fast/js/script-tests/cyclic-prototypes.js:
+        * fast/js/script-tests/parser-syntax-check.js:
+        * fast/js/script-tests/preventExtensions.js:
+        * fast/js/script-tests/prototypes.js:
+
 2012-02-13  Pavel Podivilov  <podivilov@chromium.org>
 

trunk/LayoutTests/fast/js/Object-getOwnPropertyNames-expected.txt

@@ -42 +42 @@
 PASS getSortedOwnPropertyNames(encodeURIComponent) is ['length', 'name']
 PASS getSortedOwnPropertyNames(Object) is ['create', 'defineProperties', 'defineProperty', 'freeze', 'getOwnPropertyDescriptor', 'getOwnPropertyNames', 'getPrototypeOf', 'isExtensible', 'isFrozen', 'isSealed', 'keys', 'length', 'name', 'preventExtensions', 'prototype', 'seal']
-PASS getSortedOwnPropertyNames(Object.prototype) is ['__defineGetter__', '__defineSetter__', '__lookupGetter__', '__lookupSetter__', '__proto__', 'constructor', 'hasOwnProperty', 'isPrototypeOf', 'propertyIsEnumerable', 'toLocaleString', 'toString', 'valueOf']
+PASS getSortedOwnPropertyNames(Object.prototype) is ['__defineGetter__', '__defineSetter__', '__lookupGetter__', '__lookupSetter__', 'constructor', 'hasOwnProperty', 'isPrototypeOf', 'propertyIsEnumerable', 'toLocaleString', 'toString', 'valueOf']
 PASS getSortedOwnPropertyNames(Function) is ['length', 'name', 'prototype']
 PASS getSortedOwnPropertyNames(Function.prototype) is ['apply', 'bind', 'call', 'constructor', 'length', 'name', 'toString']

trunk/LayoutTests/fast/js/cyclic-prototypes-expected.txt

@@ -4 +4 @@
 
 
-PASS o1.__proto__ = o3; threw exception Error: cyclic __proto__ value.
-PASS ({}).hasOwnProperty.call(o1, '__proto__') is false
-PASS ({}).hasOwnProperty.call(o1, '__proto__') is true
-PASS Object.getPrototypeOf(o1) is null
+PASS o1.__proto__ = o3 threw exception Error: cyclic __proto__ value.
 PASS successfullyParsed is true
 

trunk/LayoutTests/fast/js/parser-syntax-check-expected.txt

@@ -542 +542 @@
 PASS Invalid: "for(var a,b '"
 PASS Invalid: "function f() { for(var a,b ' }"
-PASS Valid:   "function __proto__(){}"
-PASS Valid:   "function f() { function __proto__(){} }"
-PASS Valid:   "(function __proto__(){})"
-PASS Valid:   "function f() { (function __proto__(){}) }"
-PASS Valid:   "'use strict'; function __proto__(){}"
-PASS Valid:   "function f() { 'use strict'; function __proto__(){} }"
-PASS Valid:   "'use strict'; (function __proto__(){})"
-PASS Valid:   "function f() { 'use strict'; (function __proto__(){}) }"
+PASS Invalid: "function __proto__(){}"
+PASS Invalid: "function f() { function __proto__(){} }"
+PASS Invalid: "(function __proto__(){})"
+PASS Invalid: "function f() { (function __proto__(){}) }"
+PASS Invalid: "'use strict'; function __proto__(){}"
+PASS Invalid: "function f() { 'use strict'; function __proto__(){} }"
+PASS Invalid: "'use strict'; (function __proto__(){})"
+PASS Invalid: "function f() { 'use strict'; (function __proto__(){}) }"
 PASS Valid:   "if (0) $foo; "
 PASS Valid:   "function f() { if (0) $foo;  }"

trunk/LayoutTests/fast/js/preventExtensions-expected.txt

@@ -13 +13 @@
 PASS Object.preventExtensions(Math.sin) is Math.sin
 PASS var o = {}; Object.preventExtensions(o); o.__proto__ = { newProp: "Should not see this" }; o.newProp; is undefined.
-PASS "use strict"; var o = {}; Object.preventExtensions(o); o.__proto__ = { newProp: "Should not see this" }; o.newProp; is undefined.
+PASS "use strict"; var o = {}; Object.preventExtensions(o); o.__proto__ = { newProp: "Should not see this" }; threw exception TypeError: Attempted to assign to readonly property..
 PASS Object.preventExtensions(Math); Math.sqrt(4) is 2
 PASS successfullyParsed is true

trunk/LayoutTests/fast/js/prototypes-expected.txt

@@ -54 +54 @@
 PASS Object.__proto__.isPrototypeOf(Number) is true
 PASS Object.__proto__.isPrototypeOf(String) is true
-PASS var wasSet = false; var o = { }; o.__defineGetter__("__proto__", function() { wasSet = true }); o.__proto__; wasSet; is true
-PASS var wasSet = false; var o = { }; o.__defineSetter__("__proto__", function() { wasSet = true }); o.__proto__ = {}; wasSet; is true
-PASS var wasSet = false; var o = { }; Object.defineProperty(o, "__proto__", { "get": function() { wasSet = true } }); o.__proto__; wasSet; is true
+PASS var wasSet = false; var o = { }; o.__defineGetter__("__proto__", function() { wasSet = true }); o.__proto__; wasSet; is false
+PASS var wasSet = false; var o = { }; o.__defineSetter__("__proto__", function() { wasSet = true }); o.__proto__ = {}; wasSet; is false
+PASS var wasSet = false; var o = { }; Object.defineProperty(o, "__proto__", { "get": function() { wasSet = true } }); o.__proto__; wasSet; is false
 PASS var wasSet = false; var o = { }; Object.defineProperty(o, "__proto__", { "__proto__": function(x) { wasSet = true } }); o.__proto__ = {}; wasSet; is false
-PASS var o = {}; o.__proto__ = { x:true }; o.x is true
-PASS var o = {}; o.__proto__ = { x:true }; o.hasOwnProperty('__proto__') is false
-PASS var o = {}; o.__proto__ = { x:true }; o.x is undefined.
-PASS var o = {}; o.__proto__ = { x:true }; o.hasOwnProperty('__proto__') is true
 PASS successfullyParsed is true
 

trunk/LayoutTests/fast/js/script-tests/Object-getOwnPropertyNames.js

@@ -50 +50 @@
 // Built-in ECMA objects
     "Object": "['create', 'defineProperties', 'defineProperty', 'freeze', 'getOwnPropertyDescriptor', 'getOwnPropertyNames', 'getPrototypeOf', 'isExtensible', 'isFrozen', 'isSealed', 'keys', 'length', 'name', 'preventExtensions', 'prototype', 'seal']",
-    "Object.prototype": "['__defineGetter__', '__defineSetter__', '__lookupGetter__', '__lookupSetter__', '__proto__', 'constructor', 'hasOwnProperty', 'isPrototypeOf', 'propertyIsEnumerable', 'toLocaleString', 'toString', 'valueOf']",
+    "Object.prototype": "['__defineGetter__', '__defineSetter__', '__lookupGetter__', '__lookupSetter__', 'constructor', 'hasOwnProperty', 'isPrototypeOf', 'propertyIsEnumerable', 'toLocaleString', 'toString', 'valueOf']",
     "Function": "['length', 'name', 'prototype']",
     "Function.prototype": "['apply', 'bind', 'call', 'constructor', 'length', 'name', 'toString']",

trunk/LayoutTests/fast/js/script-tests/cyclic-prototypes.js

@@ -7 +7 @@
 o3.__proto__ = o2;
 
-// Try to create a cyclical prototype chain.
-shouldThrow("o1.__proto__ = o3;");
+o1.__proto__ = null;  // just for sanity's sake
 
-// This changes behaviour, since __proto__ is an accessor on Object.prototype.
-o1.__proto__ = null;
-
-shouldBeFalse("({}).hasOwnProperty.call(o1, '__proto__')");
-o1.__proto__ = o3;
-shouldBeTrue("({}).hasOwnProperty.call(o1, '__proto__')");
-shouldBe("Object.getPrototypeOf(o1)", "null");
+shouldThrow("o1.__proto__ = o3");

trunk/LayoutTests/fast/js/script-tests/parser-syntax-check.js

@@ -348 +348 @@
 invalid("for(var a,b '");
 
-valid("function __proto__(){}")
-valid("(function __proto__(){})")
-valid("'use strict'; function __proto__(){}")
-valid("'use strict'; (function __proto__(){})")
+invalid("function __proto__(){}")
+invalid("(function __proto__(){})")
+invalid("'use strict'; function __proto__(){}")
+invalid("'use strict'; (function __proto__(){})")
 
 valid("if (0) $foo; ")

trunk/LayoutTests/fast/js/script-tests/preventExtensions.js

@@ -70 +70 @@
 
 shouldBeUndefined('var o = {}; Object.preventExtensions(o); o.__proto__ = { newProp: "Should not see this" }; o.newProp;');
-shouldBeUndefined('"use strict"; var o = {}; Object.preventExtensions(o); o.__proto__ = { newProp: "Should not see this" }; o.newProp;');
+shouldThrow('"use strict"; var o = {}; Object.preventExtensions(o); o.__proto__ = { newProp: "Should not see this" };');
 
 // check that we can still access static properties on an object after calling preventExtensions.

trunk/LayoutTests/fast/js/script-tests/prototypes.js

@@ -56 +56 @@
 shouldBeTrue("Object.__proto__.isPrototypeOf(String)");
 
-shouldBeTrue("var wasSet = false; var o = { }; o.__defineGetter__(\"__proto__\", function() { wasSet = true }); o.__proto__; wasSet;");
-shouldBeTrue("var wasSet = false; var o = { }; o.__defineSetter__(\"__proto__\", function() { wasSet = true }); o.__proto__ = {}; wasSet;");
-shouldBeTrue("var wasSet = false; var o = { }; Object.defineProperty(o, \"__proto__\", { \"get\": function() { wasSet = true } }); o.__proto__; wasSet;");
+shouldBeFalse("var wasSet = false; var o = { }; o.__defineGetter__(\"__proto__\", function() { wasSet = true }); o.__proto__; wasSet;");
+shouldBeFalse("var wasSet = false; var o = { }; o.__defineSetter__(\"__proto__\", function() { wasSet = true }); o.__proto__ = {}; wasSet;");
+shouldBeFalse("var wasSet = false; var o = { }; Object.defineProperty(o, \"__proto__\", { \"get\": function() { wasSet = true } }); o.__proto__; wasSet;");
 shouldBeFalse("var wasSet = false; var o = { }; Object.defineProperty(o, \"__proto__\", { \"__proto__\": function(x) { wasSet = true } }); o.__proto__ = {}; wasSet;");
-
-// Deleting Object.prototype.__proto__ removes the ability to set the object's prototype.
-shouldBeTrue("var o = {}; o.__proto__ = { x:true }; o.x");
-shouldBeFalse("var o = {}; o.__proto__ = { x:true }; o.hasOwnProperty('__proto__')");
-delete Object.prototype.__proto__;
-shouldBeUndefined("var o = {}; o.__proto__ = { x:true }; o.x");
-shouldBeTrue("var o = {}; o.__proto__ = { x:true }; o.hasOwnProperty('__proto__')");

trunk/Source/JavaScriptCore/ChangeLog

@@ +1 @@
+2012-02-13  Gavin Barraclough  <barraclough@apple.com>
+
+        https://bugs.webkit.org/show_bug.cgi?id=78434
+        Unreviewed - temporarily reverting r107498 will I fix a couple of testcases.
+
+        * parser/Parser.cpp:
+        (JSC::::parseFunctionInfo):
+        * runtime/ClassInfo.h:
+        (MethodTable):
+        (JSC):
+        * runtime/JSCell.cpp:
+        (JSC):
+        * runtime/JSCell.h:
+        (JSCell):
+        * runtime/JSGlobalObject.cpp:
+        (JSC::JSGlobalObject::reset):
+        * runtime/JSGlobalObjectFunctions.cpp:
+        (JSC):
+        * runtime/JSGlobalObjectFunctions.h:
+        (JSC):
+        * runtime/JSObject.cpp:
+        (JSC::JSObject::put):
+        (JSC):
+        (JSC::JSObject::putDirectAccessor):
+        (JSC::JSObject::defineOwnProperty):
+        * runtime/JSObject.h:
+        (JSC::JSObject::inlineGetOwnPropertySlot):
+        (JSC::JSValue::get):
+        * runtime/JSString.cpp:
+        (JSC::JSString::getOwnPropertySlot):
+        * runtime/JSValue.h:
+        (JSValue):
+        * runtime/ObjectConstructor.cpp:
+        (JSC::objectConstructorGetPrototypeOf):
+        * runtime/Structure.cpp:
+        (JSC::Structure::Structure):
+        * runtime/Structure.h:
+        (JSC::Structure::setHasGetterSetterProperties):
+        (Structure):
+
 2012-02-12  Ashod Nakashian  <ashodnakashian@yahoo.com>
 

trunk/Source/JavaScriptCore/parser/Parser.cpp

@@ -775 +775 @@
     if (match(IDENT)) {
         name = m_token.m_data.ident;
+        failIfTrueWithMessage(*name == m_globalData->propertyNames->underscoreProto, "Cannot name a function __proto__");
         next();
         if (!nameIsInContainingScope)

trunk/Source/JavaScriptCore/runtime/ClassInfo.h

@@ -90 +90 @@
         typedef bool (*GetOwnPropertyDescriptorFunctionPtr)(JSObject*, ExecState*, const Identifier&, PropertyDescriptor&);
         GetOwnPropertyDescriptorFunctionPtr getOwnPropertyDescriptor;
-
-        typedef bool (*AllowsAccessFromFunctionPtr)(JSObject*, ExecState*);
-        AllowsAccessFromFunctionPtr allowsAccessFrom;
     };
 
@@ -134 +131 @@
         &ClassName::defineOwnProperty, \
         &ClassName::getOwnPropertyDescriptor, \
-        &ClassName::allowsAccessFrom, \
     }, \
     sizeof(ClassName), \

trunk/Source/JavaScriptCore/runtime/JSCell.cpp

@@ -192 +192 @@
 }
 
-bool JSCell::allowsAccessFrom(JSObject*, ExecState*)
+bool JSCell::defineOwnProperty(JSObject*, ExecState*, const Identifier&, PropertyDescriptor&, bool)
 {
     ASSERT_NOT_REACHED();
@@ -198 +198 @@
 }
 
-bool JSCell::defineOwnProperty(JSObject*, ExecState*, const Identifier&, PropertyDescriptor&, bool)
+bool JSCell::getOwnPropertyDescriptor(JSObject*, ExecState*, const Identifier&, PropertyDescriptor&)
 {
     ASSERT_NOT_REACHED();
@@ -204 +204 @@
 }
 
-bool JSCell::getOwnPropertyDescriptor(JSObject*, ExecState*, const Identifier&, PropertyDescriptor&)
-{
-    ASSERT_NOT_REACHED();
-    return false;
-}
-
 } // namespace JSC

trunk/Source/JavaScriptCore/runtime/JSCell.h

@@ -162 +162 @@
         static bool defineOwnProperty(JSObject*, ExecState*, const Identifier& propertyName, PropertyDescriptor&, bool shouldThrow);
         static bool getOwnPropertyDescriptor(JSObject*, ExecState*, const Identifier&, PropertyDescriptor&);
-        static bool allowsAccessFrom(JSObject*, ExecState*);
 
     private:

trunk/Source/JavaScriptCore/runtime/JSGlobalObject.cpp

@@ -206 +206 @@
     m_applyFunction.set(exec->globalData(), this, applyFunction);
     m_objectPrototype.set(exec->globalData(), this, ObjectPrototype::create(exec, this, ObjectPrototype::createStructure(exec->globalData(), this, jsNull())));
-    GetterSetter* protoAccessor = GetterSetter::create(exec);
-    protoAccessor->setGetter(exec->globalData(), JSFunction::create(exec, this, 0, Identifier(), globalFuncProtoGetter));
-    protoAccessor->setSetter(exec->globalData(), JSFunction::create(exec, this, 0, Identifier(), globalFuncProtoSetter));
-    m_objectPrototype->putDirectAccessor(exec->globalData(), exec->propertyNames().underscoreProto, protoAccessor, Accessor | DontEnum);
     m_functionPrototype->structure()->setPrototypeWithoutTransition(exec->globalData(), m_objectPrototype.get());
 

trunk/Source/JavaScriptCore/runtime/JSGlobalObjectFunctions.cpp

@@ -715 +715 @@
 }
 
-EncodedJSValue JSC_HOST_CALL globalFuncProtoGetter(ExecState* exec)
-{
-    if (!exec->thisValue().isObject())
-        return JSValue::encode(exec->thisValue().synthesizePrototype(exec));
-
-    JSObject* thisObject = asObject(exec->thisValue());
-    if (!thisObject->methodTable()->allowsAccessFrom(thisObject, exec))
-        return JSValue::encode(jsUndefined());
-
-    return JSValue::encode(thisObject->prototype());
-}
-
-EncodedJSValue JSC_HOST_CALL globalFuncProtoSetter(ExecState* exec)
-{
-    JSValue value = exec->argument(0);
-
-    // Setting __proto__ of a primitive should have no effect.
-    if (!exec->thisValue().isObject())
-        return JSValue::encode(jsUndefined());
-
-    JSObject* thisObject = asObject(exec->thisValue());
-    if (!thisObject->methodTable()->allowsAccessFrom(thisObject, exec))
-        return JSValue::encode(jsUndefined());
-
-    // Setting __proto__ to a non-object, non-null value is silently ignored to match Mozilla.
-    if (!value.isObject() && !value.isNull())
-        return JSValue::encode(jsUndefined());
-
-    if (!thisObject->isExtensible())
-        return JSValue::encode(jsUndefined());
-
-    if (!thisObject->setPrototypeWithCycleCheck(exec->globalData(), value))
-        throwError(exec, createError(exec, "cyclic __proto__ value"));
-
-    return JSValue::encode(jsUndefined());
-}
-
 } // namespace JSC

trunk/Source/JavaScriptCore/runtime/JSGlobalObjectFunctions.h

@@ -49 +49 @@
     EncodedJSValue JSC_HOST_CALL globalFuncUnescape(ExecState*);
     EncodedJSValue JSC_HOST_CALL globalFuncThrowTypeError(ExecState*);
-    EncodedJSValue JSC_HOST_CALL globalFuncProtoGetter(ExecState*);
-    EncodedJSValue JSC_HOST_CALL globalFuncProtoSetter(ExecState*);
 
     static const double mantissaOverflowLowerBound = 9007199254740992.0;

trunk/Source/JavaScriptCore/runtime/JSObject.cpp

@@ -133 +133 @@
     JSGlobalData& globalData = exec->globalData();
 
+    if (propertyName == exec->propertyNames().underscoreProto) {
+        // Setting __proto__ to a non-object, non-null value is silently ignored to match Mozilla.
+        if (!value.isObject() && !value.isNull())
+            return;
+
+        if (!thisObject->isExtensible()) {
+            if (slot.isStrictMode())
+                throwTypeError(exec, StrictModeReadonlyPropertyWriteError);
+            return;
+        }
+            
+        if (!thisObject->setPrototypeWithCycleCheck(globalData, value))
+            throwError(exec, createError(exec, "cyclic __proto__ value"));
+        return;
+    }
+
     // Check if there are any setters or getters in the prototype chain
     JSValue prototype;
-    if (propertyName != exec->propertyNames().underscoreProto) {
-        for (JSObject* obj = thisObject; !obj->structure()->hasGetterSetterPropertiesExcludingProto(); obj = asObject(prototype)) {
-            prototype = obj->prototype();
-            if (prototype.isNull()) {
-                if (!thisObject->putDirectInternal<PutModePut>(globalData, propertyName, value, 0, slot, getJSFunction(value)) && slot.isStrictMode())
-                    throwTypeError(exec, StrictModeReadonlyPropertyWriteError);
-                return;
-            }
-        }
-    }
-
+    for (JSObject* obj = thisObject; !obj->structure()->hasGetterSetterProperties(); obj = asObject(prototype)) {
+        prototype = obj->prototype();
+        if (prototype.isNull()) {
+            if (!thisObject->putDirectInternal<PutModePut>(globalData, propertyName, value, 0, slot, getJSFunction(value)) && slot.isStrictMode())
+                throwTypeError(exec, StrictModeReadonlyPropertyWriteError);
+            return;
+        }
+    }
+    
     unsigned attributes;
     JSCell* specificValue;
@@ -202 +216 @@
 }
 
-bool JSObject::allowsAccessFrom(JSObject*, ExecState*)
-{
-    return true;
-}
-
 void JSObject::putDirectAccessor(JSGlobalData& globalData, const Identifier& propertyName, JSValue value, unsigned attributes)
 {
     ASSERT(value.isGetterSetter() && (attributes & Accessor));
+    ASSERT(propertyName != globalData.propertyNames->underscoreProto);
 
     PutPropertySlot slot;
@@ -220 +230 @@
         setStructure(globalData, Structure::attributeChangeTransition(globalData, structure(), propertyName, attributes));
 
-    structure()->setHasGetterSetterProperties(propertyName == globalData.propertyNames->underscoreProto);
+    structure()->setHasGetterSetterProperties(true);
 }
 
@@ -620 +630 @@
 bool JSObject::defineOwnProperty(JSObject* object, ExecState* exec, const Identifier& propertyName, PropertyDescriptor& descriptor, bool throwException)
 {
+    // __proto__ is magic; we don't currently support setting it as a regular property.
+    // Silent filter out calls to set __proto__ at an early stage; pretend all is okay.
+    if (propertyName == exec->propertyNames().underscoreProto)
+        return true;
+
     // If we have a new property we can just put it on normally
     PropertyDescriptor current;

trunk/Source/JavaScriptCore/runtime/JSObject.h

@@ -105 +105 @@
         JS_EXPORT_PRIVATE static bool getOwnPropertySlotByIndex(JSCell*, ExecState*, unsigned propertyName, PropertySlot&);
         JS_EXPORT_PRIVATE static bool getOwnPropertyDescriptor(JSObject*, ExecState*, const Identifier&, PropertyDescriptor&);
-        JS_EXPORT_PRIVATE static bool allowsAccessFrom(JSObject*, ExecState*);
 
         JS_EXPORT_PRIVATE static void put(JSCell*, ExecState*, const Identifier& propertyName, JSValue, PutPropertySlot&);
@@ -549 +548 @@
         else
             slot.setValue(this, location->get(), offsetForLocation(location));
+        return true;
+    }
+
+    // non-standard Netscape extension
+    if (propertyName == exec->propertyNames().underscoreProto) {
+        slot.setValue(prototype());
         return true;
     }
@@ -799 +804 @@
     if (UNLIKELY(!isCell())) {
         JSObject* prototype = synthesizePrototype(exec);
+        if (propertyName == exec->propertyNames().underscoreProto)
+            return prototype;
         if (!prototype->getPropertySlot(exec, propertyName, slot))
             return jsUndefined();

trunk/Source/JavaScriptCore/runtime/JSString.cpp

@@ -254 +254 @@
     if (thisObject->getStringPropertySlot(exec, propertyName, slot))
         return true;
+    if (propertyName == exec->propertyNames().underscoreProto) {
+        slot.setValue(exec->lexicalGlobalObject()->stringPrototype());
+        return true;
+    }
     slot.setBase(thisObject);
     JSObject* object;

trunk/Source/JavaScriptCore/runtime/JSValue.h

@@ -235 +235 @@
         char* description();
 
-        JS_EXPORT_PRIVATE JSObject* synthesizePrototype(ExecState*) const;
-
     private:
         template <class T> JSValue(WriteBarrierBase<T>);
@@ -249 +247 @@
         JS_EXPORT_PRIVATE JSObject* toThisObjectSlowCase(ExecState*) const;
 
+        JS_EXPORT_PRIVATE JSObject* synthesizePrototype(ExecState*) const;
         JSObject* synthesizeObject(ExecState*) const;
 

trunk/Source/JavaScriptCore/runtime/ObjectConstructor.cpp

@@ -139 +139 @@
     if (!exec->argument(0).isObject())
         return throwVMError(exec, createTypeError(exec, "Requested prototype of a value that is not an object."));
-    JSObject* object = asObject(exec->argument(0));
-
-    if (!object->methodTable()->allowsAccessFrom(object, exec))
-        return JSValue::encode(jsUndefined());
-
-    return JSValue::encode(object->prototype());
+        
+    // This uses JSValue::get() instead of directly accessing the prototype from the object
+    // (using JSObject::prototype()) in order to allow objects to override the behavior, such
+    // as returning jsUndefined() for cross-origin access.
+    return JSValue::encode(exec->argument(0).get(exec, exec->propertyNames().underscoreProto));
 }
 

trunk/Source/JavaScriptCore/runtime/Structure.cpp

@@ -168 +168 @@
     , m_isPinnedPropertyTable(false)
     , m_hasGetterSetterProperties(false)
-    , m_hasGetterSetterPropertiesExcludingProto(false)
     , m_hasNonEnumerableProperties(false)
     , m_attributesInPrevious(0)
@@ -190 +189 @@
     , m_isPinnedPropertyTable(false)
     , m_hasGetterSetterProperties(false)
-    , m_hasGetterSetterPropertiesExcludingProto(false)
     , m_hasNonEnumerableProperties(false)
     , m_attributesInPrevious(0)
@@ -210 +208 @@
     , m_isPinnedPropertyTable(false)
     , m_hasGetterSetterProperties(previous->m_hasGetterSetterProperties)
-    , m_hasGetterSetterPropertiesExcludingProto(previous->m_hasGetterSetterPropertiesExcludingProto)
     , m_hasNonEnumerableProperties(previous->m_hasNonEnumerableProperties)
     , m_attributesInPrevious(0)

trunk/Source/JavaScriptCore/runtime/Structure.h

@@ -146 +146 @@
 
         bool hasGetterSetterProperties() const { return m_hasGetterSetterProperties; }
-        bool hasGetterSetterPropertiesExcludingProto() const { return m_hasGetterSetterPropertiesExcludingProto; }
-        void setHasGetterSetterProperties(bool isProto)
-        {
-            m_hasGetterSetterProperties = true;
-            if (!isProto)
-                m_hasGetterSetterPropertiesExcludingProto = true;
-        }
+        void setHasGetterSetterProperties(bool hasGetterSetterProperties) { m_hasGetterSetterProperties = hasGetterSetterProperties; }
 
         bool hasNonEnumerableProperties() const { return m_hasNonEnumerableProperties; }
@@ -289 +283 @@
         bool m_isPinnedPropertyTable : 1;
         bool m_hasGetterSetterProperties : 1;
-        bool m_hasGetterSetterPropertiesExcludingProto : 1;
         bool m_hasNonEnumerableProperties : 1;
         unsigned m_attributesInPrevious : 7;

trunk/Source/WebCore/ChangeLog

@@ +1 @@
+2012-02-13  Gavin Barraclough  <barraclough@apple.com>
+
+        https://bugs.webkit.org/show_bug.cgi?id=78434
+        Unreviewed - temporarily reverting r107498 will I fix a couple of testcases.
+
+        * bindings/js/JSDOMWindowBase.cpp:
+        (WebCore):
+        * bindings/js/JSDOMWindowBase.h:
+        (JSDOMWindowBase):
+
 2012-02-13  Ilya Tikhonovsky  <loislo@chromium.org>
 

trunk/Source/WebCore/bindings/js/JSDOMWindowBase.cpp

@@ -93 +93 @@
 }
 
-bool JSDOMWindowBase::allowsAccessFrom(JSObject* thisObject, ExecState* exec)
-{
-    return static_cast<JSDOMWindowBase*>(thisObject)->allowsAccessFrom(exec);
-}
-
 bool JSDOMWindowBase::supportsProfiling(const JSGlobalObject* object)
 {

trunk/Source/WebCore/bindings/js/JSDOMWindowBase.h

@@ -64 +64 @@
         static bool supportsRichSourceInfo(const JSC::JSGlobalObject*);
         static bool shouldInterruptScript(const JSC::JSGlobalObject*);
-        static bool allowsAccessFrom(JSC::JSObject*, JSC::ExecState*);
-        
+
         bool allowsAccessFrom(JSC::ExecState*) const;
         bool allowsAccessFromNoErrorMessage(JSC::ExecState*) const;