Changeset 109824 in webkit

Timestamp:

Mar 5, 2012 5:18:42 PM (12 years ago)

Author:

barraclough@apple.com

Message:

putByIndex should throw in strict mode
​https://bugs.webkit.org/show_bug.cgi?id=80335

Reviewed by Filip Pizlo.

Source/JavaScriptCore:

We'll need to pass an additional parameter.

Part 1 - rename JSValue::put() for integer indices to JSValue::putByIndex()
to match the method in the MethodTable, make this take a parameter indicating
whether the put should throw. This fixes the cases where the base of the put
is a primitive.

• dfg/DFGOperations.cpp:

(DFG):
(JSC::DFG::putByVal):
(JSC::DFG::operationPutByValInternal):

• interpreter/Interpreter.cpp:

(JSC::Interpreter::execute):
(JSC::Interpreter::privateExecute):

• jit/JITStubs.cpp:

(JSC::DEFINE_STUB_FUNCTION):

• llint/LLIntSlowPaths.cpp:

(JSC::LLInt::LLINT_SLOW_PATH_DECL):

• runtime/JSObject.h:

(JSC::JSValue::putByIndex):

• runtime/JSValue.cpp:

(JSC):

• runtime/JSValue.h:

(JSValue):

LayoutTests:

• fast/js/primitive-property-access-edge-cases-expected.txt:
• fast/js/script-tests/primitive-property-access-edge-cases.js:

(checkNumericGet.Object.defineProperty):
(checkNumericSet.Object.defineProperty):
(checkNumericGetStrict.Object.defineProperty):
(checkNumericSetStrict.Object.defineProperty):
(checkNumericRead):
(checkNumericWrite):
(checkNumericReadStrict):
(checkNumericWriteStrict):

• Added test cases.

Location:

trunk

Files:

• LayoutTests/ChangeLog (modified) (1 diff)
• LayoutTests/fast/js/primitive-property-access-edge-cases-expected.txt (modified) (1 diff)
• LayoutTests/fast/js/script-tests/primitive-property-access-edge-cases.js (modified) (1 diff)
• Source/JavaScriptCore/ChangeLog (modified) (1 diff)
• Source/JavaScriptCore/dfg/DFGOperations.cpp (modified) (4 diffs)
• Source/JavaScriptCore/interpreter/Interpreter.cpp (modified) (3 diffs)
• Source/JavaScriptCore/jit/JITStubs.cpp (modified) (3 diffs)
• Source/JavaScriptCore/llint/LLIntSlowPaths.cpp (modified) (2 diffs)
• Source/JavaScriptCore/runtime/JSObject.h (modified) (1 diff)
• Source/JavaScriptCore/runtime/JSValue.cpp (modified) (1 diff)
• Source/JavaScriptCore/runtime/JSValue.h (modified) (2 diffs)

trunk/LayoutTests/ChangeLog

@@ +1 @@
+2012-03-05  Gavin Barraclough  <barraclough@apple.com>
+
+        putByIndex should throw in strict mode
+        https://bugs.webkit.org/show_bug.cgi?id=80335
+
+        Reviewed by Filip Pizlo.
+
+        * fast/js/primitive-property-access-edge-cases-expected.txt:
+        * fast/js/script-tests/primitive-property-access-edge-cases.js:
+        (checkNumericGet.Object.defineProperty):
+        (checkNumericSet.Object.defineProperty):
+        (checkNumericGetStrict.Object.defineProperty):
+        (checkNumericSetStrict.Object.defineProperty):
+        (checkNumericRead):
+        (checkNumericWrite):
+        (checkNumericReadStrict):
+        (checkNumericWriteStrict):
+            - Added test cases.
+
 2012-03-05  Stephen Chenney  <schenney@chromium.org>
 

trunk/LayoutTests/fast/js/primitive-property-access-edge-cases-expected.txt

@@ -28 +28 @@
 PASS checkWriteStrict('hello', String) threw exception TypeError: Attempted to assign to readonly property..
 PASS checkWriteStrict(true, Boolean) threw exception TypeError: Attempted to assign to readonly property..
+PASS checkNumericGet(1, Number) is true
+PASS checkNumericGet('hello', String) is true
+PASS checkNumericGet(true, Boolean) is true
+PASS checkNumericSet(1, Number) is true
+PASS checkNumericSet('hello', String) is true
+PASS checkNumericSet(true, Boolean) is true
+PASS checkNumericGetStrict(1, Number) is true
+PASS checkNumericGetStrict('hello', String) is true
+PASS checkNumericGetStrict(true, Boolean) is true
+PASS checkNumericSetStrict(1, Number) is true
+PASS checkNumericSetStrict(true, Boolean) is true
+PASS checkNumericRead(1, Number) is true
+PASS checkNumericRead('hello', String) is true
+PASS checkNumericRead(true, Boolean) is true
+PASS checkNumericWrite(1, Number) is true
+PASS checkNumericWrite('hello', String) is true
+PASS checkNumericWrite(true, Boolean) is true
+PASS checkNumericReadStrict(1, Number) is true
+PASS checkNumericReadStrict('hello', String) is true
+PASS checkNumericReadStrict(true, Boolean) is true
+PASS checkNumericWriteStrict(1, Number) threw exception TypeError: Attempted to assign to readonly property..
+PASS checkNumericWriteStrict(true, Boolean) threw exception TypeError: Attempted to assign to readonly property..
 PASS didNotCrash is true
 PASS successfullyParsed is true

trunk/LayoutTests/fast/js/script-tests/primitive-property-access-edge-cases.js

@@ -127 +127 @@
 shouldThrow("checkWriteStrict(true, Boolean)");
 
+function checkNumericGet(x, constructor)
+{
+    checkOkay = false;
+    Object.defineProperty(constructor.prototype, 42, { get: function() { checkOkay = typeof this === 'object'; }, configurable: true });
+    x[42];
+    delete constructor.prototype[42];
+    return checkOkay;
+}
+
+function checkNumericSet(x, constructor)
+{
+    checkOkay = false;
+    Object.defineProperty(constructor.prototype, 42, { set: function() { checkOkay = typeof this === 'object'; }, configurable: true });
+    x[42] = null;
+    delete constructor.prototype[42];
+    return checkOkay;
+}
+
+function checkNumericGetStrict(x, constructor)
+{
+    checkOkay = false;
+    Object.defineProperty(constructor.prototype, 42, { get: function() { "use strict"; checkOkay = typeof this !== 'object'; }, configurable: true });
+    x[42];
+    delete constructor.prototype[42];
+    return checkOkay;
+}
+
+function checkNumericSetStrict(x, constructor)
+{
+    checkOkay = false;
+    Object.defineProperty(constructor.prototype, 42, { set: function() { "use strict"; checkOkay = typeof this !== 'object'; }, configurable: true });
+    x[42] = null;
+    delete constructor.prototype[42];
+    return checkOkay;
+}
+
+shouldBeTrue("checkNumericGet(1, Number)");
+shouldBeTrue("checkNumericGet('hello', String)");
+shouldBeTrue("checkNumericGet(true, Boolean)");
+shouldBeTrue("checkNumericSet(1, Number)");
+shouldBeTrue("checkNumericSet('hello', String)");
+shouldBeTrue("checkNumericSet(true, Boolean)");
+shouldBeTrue("checkNumericGetStrict(1, Number)");
+shouldBeTrue("checkNumericGetStrict('hello', String)");
+shouldBeTrue("checkNumericGetStrict(true, Boolean)");
+shouldBeTrue("checkNumericSetStrict(1, Number)");
+//shouldBeTrue("checkNumericSetStrict('hello', String)"); // FIXME: https://bugs.webkit.org/show_bug.cgi?id=80335
+shouldBeTrue("checkNumericSetStrict(true, Boolean)");
+
+function checkNumericRead(x, constructor)
+{
+    return x[42] === undefined;
+}
+
+function checkNumericWrite(x, constructor)
+{
+    x[42] = null;
+    return x[42] === undefined;
+}
+
+function checkNumericReadStrict(x, constructor)
+{
+    "use strict";
+    return x[42] === undefined;
+}
+
+function checkNumericWriteStrict(x, constructor)
+{
+    "use strict";
+    x[42] = null;
+    return x[42] === undefined;
+}
+
+shouldBeTrue("checkNumericRead(1, Number)");
+shouldBeTrue("checkNumericRead('hello', String)");
+shouldBeTrue("checkNumericRead(true, Boolean)");
+shouldBeTrue("checkNumericWrite(1, Number)");
+shouldBeTrue("checkNumericWrite('hello', String)");
+shouldBeTrue("checkNumericWrite(true, Boolean)");
+shouldBeTrue("checkNumericReadStrict(1, Number)");
+shouldBeTrue("checkNumericReadStrict('hello', String)");
+shouldBeTrue("checkNumericReadStrict(true, Boolean)");
+shouldThrow("checkNumericWriteStrict(1, Number)");
+//shouldThrow("checkNumericWriteStrict('hello', String)"); // FIXME: https://bugs.webkit.org/show_bug.cgi?id=80335
+shouldThrow("checkNumericWriteStrict(true, Boolean)");
+
 shouldBeTrue("didNotCrash");

trunk/Source/JavaScriptCore/ChangeLog

@@ +1 @@
+2012-03-05  Gavin Barraclough  <barraclough@apple.com>
+
+        putByIndex should throw in strict mode
+        https://bugs.webkit.org/show_bug.cgi?id=80335
+
+        Reviewed by Filip Pizlo.
+
+        We'll need to pass an additional parameter.
+
+        Part 1 - rename JSValue::put() for integer indices to JSValue::putByIndex()
+        to match the method in the MethodTable, make this take a parameter indicating
+        whether the put should throw. This fixes the cases where the base of the put
+        is a primitive.
+
+        * dfg/DFGOperations.cpp:
+        (DFG):
+        (JSC::DFG::putByVal):
+        (JSC::DFG::operationPutByValInternal):
+        * interpreter/Interpreter.cpp:
+        (JSC::Interpreter::execute):
+        (JSC::Interpreter::privateExecute):
+        * jit/JITStubs.cpp:
+        (JSC::DEFINE_STUB_FUNCTION):
+        * llint/LLIntSlowPaths.cpp:
+        (JSC::LLInt::LLINT_SLOW_PATH_DECL):
+        * runtime/JSObject.h:
+        (JSC::JSValue::putByIndex):
+        * runtime/JSValue.cpp:
+        (JSC):
+        * runtime/JSValue.h:
+        (JSValue):
+
 2012-03-05  Sam Weinig  <sam@webkit.org>
 

trunk/Source/JavaScriptCore/dfg/DFGOperations.cpp

@@ -147 +147 @@
 namespace JSC { namespace DFG {
 
+template<bool strict>
 static inline void putByVal(ExecState* exec, JSValue baseValue, uint32_t index, JSValue value)
 {
@@ -176 +177 @@
     }
 
-    baseValue.put(exec, index, value);
+    baseValue.putByIndex(exec, index, value, strict);
 }
 
@@ -190 +191 @@
 
     if (LIKELY(property.isUInt32())) {
-        putByVal(exec, baseValue, property.asUInt32(), value);
+        putByVal<strict>(exec, baseValue, property.asUInt32(), value);
         return;
     }
@@ -198 +199 @@
         uint32_t propertyAsUInt32 = static_cast<uint32_t>(propertyAsDouble);
         if (propertyAsDouble == propertyAsUInt32) {
-            putByVal(exec, baseValue, propertyAsUInt32, value);
+            putByVal<strict>(exec, baseValue, propertyAsUInt32, value);
             return;
         }

trunk/Source/JavaScriptCore/interpreter/Interpreter.cpp

@@ -1159 +1159 @@
             }
             case JSONPPathEntryTypeLookup: {
-                baseObject.put(callFrame, JSONPPath.last().m_pathIndex, JSONPValue);
+                baseObject.putByIndex(callFrame, JSONPPath.last().m_pathIndex, JSONPValue, slot.isStrictMode());
                 if (callFrame->hadException())
                     return jsUndefined();
@@ -3791 +3791 @@
                     jsByteArray->setIndex(i, jsValue.asDouble());
                 else
-                    baseValue.put(callFrame, i, jsValue);
+                    baseValue.putByIndex(callFrame, i, jsValue, codeBlock->isStrictMode());
             } else
-                baseValue.put(callFrame, i, callFrame->r(value).jsValue());
+                baseValue.putByIndex(callFrame, i, callFrame->r(value).jsValue(), codeBlock->isStrictMode());
         } else {
             Identifier property(callFrame, subscript.toString(callFrame)->value(callFrame));
@@ -3856 +3856 @@
         int value = vPC[3].u.operand;
 
-        callFrame->r(base).jsValue().put(callFrame, property, callFrame->r(value).jsValue());
+        JSValue arrayValue = callFrame->r(base).jsValue();
+        ASSERT(isJSArray(arrayValue));
+        asArray(arrayValue)->putDirectIndex(callFrame, property, callFrame->r(value).jsValue(), false);
 
         vPC += OPCODE_LENGTH(op_put_by_index);

trunk/Source/JavaScriptCore/jit/JITStubs.cpp

@@ -2569 +2569 @@
             }
 
-            baseValue.put(callFrame, i, value);
+            baseValue.putByIndex(callFrame, i, value, callFrame->codeBlock()->isStrictMode());
         } else
-            baseValue.put(callFrame, i, value);
+            baseValue.putByIndex(callFrame, i, value, callFrame->codeBlock()->isStrictMode());
     } else {
         Identifier property(callFrame, subscript.toString(callFrame)->value(callFrame));
@@ -2612 +2612 @@
         if (!isJSByteArray(baseValue))
             ctiPatchCallByReturnAddress(callFrame->codeBlock(), STUB_RETURN_ADDRESS, FunctionPtr(cti_op_put_by_val));
-        baseValue.put(callFrame, i, value);
+        baseValue.putByIndex(callFrame, i, value, callFrame->codeBlock()->isStrictMode());
     } else {
         Identifier property(callFrame, subscript.toString(callFrame)->value(callFrame));
@@ -3403 +3403 @@
     unsigned property = stackFrame.args[1].int32();
 
-    stackFrame.args[0].jsValue().put(callFrame, property, stackFrame.args[2].jsValue());
+    JSValue arrayValue = stackFrame.args[0].jsValue();
+    ASSERT(isJSArray(arrayValue));
+    asArray(arrayValue)->putDirectIndex(callFrame, property, stackFrame.args[2].jsValue(), false);
 }
 

trunk/Source/JavaScriptCore/llint/LLIntSlowPaths.cpp

@@ -1060 +1060 @@
             }
         }
-        baseValue.put(exec, i, value);
+        baseValue.putByIndex(exec, i, value, exec->codeBlock()->isStrictMode());
         LLINT_END();
     }
@@ -1100 +1100 @@
 {
     LLINT_BEGIN();
-    LLINT_OP_C(1).jsValue().put(exec, pc[2].u.operand, LLINT_OP_C(3).jsValue());
+    JSValue arrayValue = LLINT_OP_C(1).jsValue();
+    ASSERT(isJSArray(arrayValue));
+    asArray(arrayValue)->putDirectIndex(exec, pc[2].u.operand, LLINT_OP_C(3).jsValue(), false);
     LLINT_END();
 }

trunk/Source/JavaScriptCore/runtime/JSObject.h

@@ -841 +841 @@
 }
 
-inline void JSValue::put(ExecState* exec, unsigned propertyName, JSValue value)
+inline void JSValue::putByIndex(ExecState* exec, unsigned propertyName, JSValue value, bool shouldThrow)
 {
     if (UNLIKELY(!isCell())) {
-        JSObject* thisObject = synthesizeObject(exec);
-        thisObject->methodTable()->putByIndex(thisObject, exec, propertyName, value);
+        PutPropertySlot slot(shouldThrow);
+        putToPrimitive(exec, Identifier::from(exec, propertyName), value, slot);
         return;
     }

trunk/Source/JavaScriptCore/runtime/JSValue.cpp

@@ -90 +90 @@
     ASSERT(isUndefinedOrNull());
     return exec->globalThisValue();
-}
-
-JSObject* JSValue::synthesizeObject(ExecState* exec) const
-{
-    ASSERT(!isCell());
-    if (isNumber())
-        return constructNumber(exec, exec->lexicalGlobalObject(), asValue());
-    if (isBoolean())
-        return constructBooleanFromImmediateBoolean(exec, exec->lexicalGlobalObject(), asValue());
-
-    ASSERT(isUndefinedOrNull());
-    throwError(exec, createNotAnObjectError(exec, *this));
-    return JSNotAnObject::create(exec);
 }
 

trunk/Source/JavaScriptCore/runtime/JSValue.h

@@ -223 +223 @@
         void put(ExecState*, const Identifier& propertyName, JSValue, PutPropertySlot&);
         void putToPrimitive(ExecState*, const Identifier& propertyName, JSValue, PutPropertySlot&);
-        void put(ExecState*, unsigned propertyName, JSValue);
+        void putByIndex(ExecState*, unsigned propertyName, JSValue, bool shouldThrow);
 
         JSObject* toThisObject(ExecState*) const;
@@ -253 +253 @@
         JS_EXPORT_PRIVATE JSObject* toObjectSlowCase(ExecState*, JSGlobalObject*) const;
         JS_EXPORT_PRIVATE JSObject* toThisObjectSlowCase(ExecState*) const;
-
-        JSObject* synthesizeObject(ExecState*) const;
 
 #if USE(JSVALUE32_64)