Context Navigation

← Previous Changeset
Next Changeset →

Changeset 141034 in webkit

Timestamp:

Jan 28, 2013 6:37:52 PM (11 years ago)

Author:

abarth@webkit.org

Message:

[v8] Security feature: JavaScript Bindings hardening
https://bugs.webkit.org/show_bug.cgi?id=106608

Source/WebCore:

The patch adds a check at wrapper creation time to enuse that the
object being wrapped is not already free, to the extent that we know
the information about the type of the object as provided in the IDL.

Patch by Tom Sepez <tsepez@chromium.org> on 2013-01-28
Reviewed by Adam Barth.

Patch is correct if existing tests pass without new crashes.

bindings/scripts/CodeGeneratorV8.pm:

(GenerateImplementation):
(GenerateToV8Converters):
(GetNativeTypeForConversions):
(GetGnuVTableRefForInterface):
(GetGnuVTableNameForInterface):
(GetGnuMangledNameForInterface):
(GetGnuVTableOffsetForType):
(GetWinVTableRefForInterface):
(GetWinVTableNameForInterface):
(GetWinMangledNameForInterface):
(GetNamespaceForInterface):
(GetImplementationLacksVTableForInterface):
(GetV8SkipVTableValidationForInterface):
Update code generation to add object validity tests under the control
of the ENABLE_BINDING_INTEGRITY option.

Modules/filesystem/DirectoryReader.idl:
Modules/filesystem/DirectoryReaderSync.idl:
Modules/filesystem/EntryArray.idl:
Modules/filesystem/EntryArraySync.idl:
Modules/filesystem/Metadata.idl:
Modules/gamepad/Gamepad.idl:
Modules/gamepad/GamepadList.idl:
Modules/geolocation/Geoposition.idl:
Modules/geolocation/PositionError.idl:
Modules/indexeddb/IDBFactory.idl:
Modules/indexeddb/IDBIndex.idl:
Modules/indexeddb/IDBKeyRange.idl:
Modules/indexeddb/IDBObjectStore.idl:
Modules/mediastream/RTCStatsElement.idl:
Modules/mediastream/RTCStatsReport.idl:
Modules/quota/StorageInfo.idl:
Modules/speech/SpeechGrammar.idl:
Modules/speech/SpeechGrammarList.idl:
Modules/speech/SpeechRecognitionAlternative.idl:
Modules/speech/SpeechRecognitionResult.idl:
Modules/speech/SpeechRecognitionResultList.idl:
Modules/webaudio/AudioBuffer.idl:
Modules/webaudio/AudioDestinationNode.idl:
Modules/webaudio/AudioListener.idl:
Modules/webaudio/AudioSourceNode.idl:
Modules/webaudio/WaveTable.idl:
Modules/webdatabase/SQLError.idl:
Modules/webdatabase/SQLException.idl:
Modules/webdatabase/SQLResultSet.idl:
Modules/webdatabase/SQLResultSetRowList.idl:
Modules/webdatabase/SQLTransaction.idl:
Modules/webdatabase/SQLTransactionSync.idl:
bindings/scripts/IDLAttributes.txt:
css/CSSPrimitiveValue.idl:
css/CSSRule.idl:
css/CSSRuleList.idl:
css/CSSStyleDeclaration.idl:
css/CSSValue.idl:
css/CSSValueList.idl:
css/Counter.idl:
css/MediaList.idl:
css/MediaQueryList.idl:
css/RGBColor.idl:
css/Rect.idl:
css/StyleSheetList.idl:
css/WebKitCSSFilterValue.idl:
css/WebKitCSSMixFunctionValue.idl:
css/WebKitCSSTransformValue.idl:
dom/ClientRect.idl:
dom/ClientRectList.idl:
dom/Clipboard.idl:
dom/DOMCoreException.idl:
dom/DOMError.idl:
dom/DOMImplementation.idl:
dom/DOMNamedFlowCollection.idl:
dom/DOMStringList.idl:
dom/DOMStringMap.idl:
dom/DataTransferItem.idl:
dom/DataTransferItemList.idl:
dom/DocumentFragment.idl:
dom/Element.idl:
dom/Entity.idl:
dom/Event.idl:
dom/EventException.idl:
dom/MessageChannel.idl:
dom/MouseEvent.idl:
dom/MutationObserver.idl:
dom/MutationRecord.idl:
dom/NamedNodeMap.idl:
dom/NodeFilter.idl:
dom/NodeIterator.idl:
dom/NodeList.idl:
dom/Range.idl:
dom/RangeException.idl:
dom/Touch.idl:
dom/TouchList.idl:
dom/TreeWalker.idl:
fileapi/FileError.idl:
fileapi/FileException.idl:
fileapi/FileList.idl:
html/DOMFormData.idl:
html/DOMTokenList.idl:
html/DOMURL.idl:
html/HTMLAllCollection.idl:
html/HTMLCollection.idl:
html/HTMLDialogElement.idl:
html/HTMLDivElement.idl:
html/HTMLDocument.idl:
html/HTMLElement.idl:
html/HTMLImageElement.idl:
html/HTMLInputElement.idl:
html/HTMLSelectElement.idl:
html/HTMLSpanElement.idl:
html/HTMLUnknownElement.idl:
html/ImageData.idl:
html/MediaError.idl:
html/MediaKeyError.idl:
html/TimeRanges.idl:
html/ValidityState.idl:
html/canvas/ArrayBuffer.idl:
html/canvas/ArrayBufferView.idl:
html/canvas/CanvasGradient.idl:
html/canvas/CanvasPattern.idl:
html/canvas/Float32Array.idl:
html/canvas/Float64Array.idl:
html/canvas/Int16Array.idl:
html/canvas/Int32Array.idl:
html/canvas/Int8Array.idl:
html/canvas/Uint16Array.idl:
html/canvas/Uint32Array.idl:
html/canvas/Uint8Array.idl:
html/canvas/Uint8ClampedArray.idl:
html/canvas/WebGLActiveInfo.idl:
html/canvas/WebGLShaderPrecisionFormat.idl:
html/track/TextTrack.idl:
html/track/TextTrackCue.idl:
html/track/TextTrackCueList.idl:
inspector/InjectedScriptHost.idl:
inspector/InspectorFrontendHost.idl:
inspector/JavaScriptCallFrame.idl:
page/Coordinates.idl:
page/Crypto.idl:
page/MemoryInfo.idl:
page/PagePopupController.idl:
page/PerformanceEntryList.idl:
page/SpeechInputResult.idl:
page/SpeechInputResultList.idl:
page/WebKitPoint.idl:
svg/SVGAnimatedAngle.idl:
svg/SVGAnimatedBoolean.idl:
svg/SVGAnimatedEnumeration.idl:
svg/SVGAnimatedInteger.idl:
svg/SVGAnimatedLength.idl:
svg/SVGAnimatedLengthList.idl:
svg/SVGAnimatedNumber.idl:
svg/SVGAnimatedNumberList.idl:
svg/SVGAnimatedPreserveAspectRatio.idl:
svg/SVGAnimatedRect.idl:
svg/SVGAnimatedString.idl:
svg/SVGAnimatedTransformList.idl:
svg/SVGColor.idl:
svg/SVGException.idl:
svg/SVGPaint.idl:
svg/SVGPathSeg.idl:
svg/SVGRenderingIntent.idl:
svg/SVGUnitTypes.idl:
svg/SVGZoomAndPan.idl:
testing/MallocStatistics.idl:
testing/TypeConversions.idl:
workers/WorkerLocation.idl:
xml/DOMParser.idl:
xml/XMLHttpRequestException.idl:
xml/XMLSerializer.idl:
xml/XPathEvaluator.idl:
xml/XPathException.idl:
xml/XPathExpression.idl:
xml/XPathNSResolver.idl:
xml/XPathResult.idl:
xml/XSLTProcessor.idl:

Add exceptions to binding integrity checks to IDL.

Source/WebKit/chromium:

Patch by Tom Sepez <tsepez@chromium.org> on 2013-01-28
Reviewed by Adam Barth.

features.gypi:

Added ENABLE_BINDING_INTEGRITY option.

Location:

trunk/Source

Files:

: 163 edited

WebCore/ChangeLog (modified) (1 diff)
WebCore/Modules/filesystem/DirectoryReader.idl (modified) (1 diff)
WebCore/Modules/filesystem/DirectoryReaderSync.idl (modified) (1 diff)
WebCore/Modules/filesystem/EntryArray.idl (modified) (1 diff)
WebCore/Modules/filesystem/EntryArraySync.idl (modified) (1 diff)
WebCore/Modules/filesystem/Metadata.idl (modified) (1 diff)
WebCore/Modules/gamepad/Gamepad.idl (modified) (1 diff)
WebCore/Modules/gamepad/GamepadList.idl (modified) (1 diff)
WebCore/Modules/geolocation/Geoposition.idl (modified) (1 diff)
WebCore/Modules/geolocation/PositionError.idl (modified) (1 diff)
WebCore/Modules/indexeddb/IDBFactory.idl (modified) (1 diff)
WebCore/Modules/indexeddb/IDBIndex.idl (modified) (1 diff)
WebCore/Modules/indexeddb/IDBKeyRange.idl (modified) (1 diff)
WebCore/Modules/indexeddb/IDBObjectStore.idl (modified) (1 diff)
WebCore/Modules/mediastream/RTCStatsElement.idl (modified) (1 diff)
WebCore/Modules/mediastream/RTCStatsReport.idl (modified) (1 diff)
WebCore/Modules/quota/StorageInfo.idl (modified) (1 diff)
WebCore/Modules/speech/SpeechGrammar.idl (modified) (1 diff)
WebCore/Modules/speech/SpeechGrammarList.idl (modified) (1 diff)
WebCore/Modules/speech/SpeechRecognitionAlternative.idl (modified) (1 diff)
WebCore/Modules/speech/SpeechRecognitionResult.idl (modified) (1 diff)
WebCore/Modules/speech/SpeechRecognitionResultList.idl (modified) (1 diff)
WebCore/Modules/webaudio/AudioBuffer.idl (modified) (1 diff)
WebCore/Modules/webaudio/AudioDestinationNode.idl (modified) (1 diff)
WebCore/Modules/webaudio/AudioListener.idl (modified) (1 diff)
WebCore/Modules/webaudio/AudioSourceNode.idl (modified) (1 diff)
WebCore/Modules/webaudio/WaveTable.idl (modified) (1 diff)
WebCore/Modules/webdatabase/SQLError.idl (modified) (1 diff)
WebCore/Modules/webdatabase/SQLException.idl (modified) (1 diff)
WebCore/Modules/webdatabase/SQLResultSet.idl (modified) (1 diff)
WebCore/Modules/webdatabase/SQLResultSetRowList.idl (modified) (1 diff)
WebCore/Modules/webdatabase/SQLTransaction.idl (modified) (1 diff)
WebCore/Modules/webdatabase/SQLTransactionSync.idl (modified) (1 diff)
WebCore/bindings/scripts/CodeGeneratorV8.pm (modified) (5 diffs)
WebCore/bindings/scripts/IDLAttributes.txt (modified) (2 diffs)
WebCore/css/CSSPrimitiveValue.idl (modified) (1 diff)
WebCore/css/CSSRule.idl (modified) (1 diff)
WebCore/css/CSSRuleList.idl (modified) (1 diff)
WebCore/css/CSSStyleDeclaration.idl (modified) (1 diff)
WebCore/css/CSSValue.idl (modified) (1 diff)
WebCore/css/CSSValueList.idl (modified) (1 diff)
WebCore/css/Counter.idl (modified) (1 diff)
WebCore/css/MediaList.idl (modified) (1 diff)
WebCore/css/MediaQueryList.idl (modified) (1 diff)
WebCore/css/RGBColor.idl (modified) (1 diff)
WebCore/css/Rect.idl (modified) (1 diff)
WebCore/css/StyleSheetList.idl (modified) (1 diff)
WebCore/css/WebKitCSSFilterValue.idl (modified) (1 diff)
WebCore/css/WebKitCSSMixFunctionValue.idl (modified) (1 diff)
WebCore/css/WebKitCSSTransformValue.idl (modified) (1 diff)
WebCore/dom/ClientRect.idl (modified) (1 diff)
WebCore/dom/ClientRectList.idl (modified) (1 diff)
WebCore/dom/Clipboard.idl (modified) (1 diff)
WebCore/dom/DOMCoreException.idl (modified) (1 diff)
WebCore/dom/DOMError.idl (modified) (1 diff)
WebCore/dom/DOMImplementation.idl (modified) (1 diff)
WebCore/dom/DOMNamedFlowCollection.idl (modified) (1 diff)
WebCore/dom/DOMStringList.idl (modified) (1 diff)
WebCore/dom/DOMStringMap.idl (modified) (1 diff)
WebCore/dom/DataTransferItem.idl (modified) (1 diff)
WebCore/dom/DataTransferItemList.idl (modified) (1 diff)
WebCore/dom/DocumentFragment.idl (modified) (1 diff)
WebCore/dom/Element.idl (modified) (1 diff)
WebCore/dom/Entity.idl (modified) (1 diff)
WebCore/dom/Event.idl (modified) (1 diff)
WebCore/dom/EventException.idl (modified) (1 diff)
WebCore/dom/MessageChannel.idl (modified) (1 diff)
WebCore/dom/MouseEvent.idl (modified) (1 diff)
WebCore/dom/MutationObserver.idl (modified) (1 diff)
WebCore/dom/MutationRecord.idl (modified) (1 diff)
WebCore/dom/NamedNodeMap.idl (modified) (1 diff)
WebCore/dom/NodeFilter.idl (modified) (1 diff)
WebCore/dom/NodeIterator.idl (modified) (1 diff)
WebCore/dom/NodeList.idl (modified) (1 diff)
WebCore/dom/Range.idl (modified) (1 diff)
WebCore/dom/RangeException.idl (modified) (1 diff)
WebCore/dom/Touch.idl (modified) (1 diff)
WebCore/dom/TouchList.idl (modified) (1 diff)
WebCore/dom/TreeWalker.idl (modified) (1 diff)
WebCore/fileapi/FileError.idl (modified) (1 diff)
WebCore/fileapi/FileException.idl (modified) (1 diff)
WebCore/fileapi/FileList.idl (modified) (1 diff)
WebCore/html/DOMFormData.idl (modified) (1 diff)
WebCore/html/DOMTokenList.idl (modified) (1 diff)
WebCore/html/DOMURL.idl (modified) (1 diff)
WebCore/html/HTMLAllCollection.idl (modified) (1 diff)
WebCore/html/HTMLCollection.idl (modified) (1 diff)
WebCore/html/HTMLDialogElement.idl (modified) (1 diff)
WebCore/html/HTMLDivElement.idl (modified) (1 diff)
WebCore/html/HTMLDocument.idl (modified) (1 diff)
WebCore/html/HTMLElement.idl (modified) (1 diff)
WebCore/html/HTMLImageElement.idl (modified) (1 diff)
WebCore/html/HTMLInputElement.idl (modified) (1 diff)
WebCore/html/HTMLSelectElement.idl (modified) (1 diff)
WebCore/html/HTMLSpanElement.idl (modified) (1 diff)
WebCore/html/HTMLUnknownElement.idl (modified) (1 diff)
WebCore/html/ImageData.idl (modified) (1 diff)
WebCore/html/MediaError.idl (modified) (1 diff)
WebCore/html/MediaKeyError.idl (modified) (1 diff)
WebCore/html/TimeRanges.idl (modified) (1 diff)
WebCore/html/ValidityState.idl (modified) (1 diff)
WebCore/html/canvas/ArrayBuffer.idl (modified) (1 diff)
WebCore/html/canvas/ArrayBufferView.idl (modified) (1 diff)
WebCore/html/canvas/CanvasGradient.idl (modified) (1 diff)
WebCore/html/canvas/CanvasPattern.idl (modified) (1 diff)
WebCore/html/canvas/Float32Array.idl (modified) (1 diff)
WebCore/html/canvas/Float64Array.idl (modified) (1 diff)
WebCore/html/canvas/Int16Array.idl (modified) (1 diff)
WebCore/html/canvas/Int32Array.idl (modified) (1 diff)
WebCore/html/canvas/Int8Array.idl (modified) (1 diff)
WebCore/html/canvas/Uint16Array.idl (modified) (1 diff)
WebCore/html/canvas/Uint32Array.idl (modified) (1 diff)
WebCore/html/canvas/Uint8Array.idl (modified) (1 diff)
WebCore/html/canvas/Uint8ClampedArray.idl (modified) (1 diff)
WebCore/html/canvas/WebGLActiveInfo.idl (modified) (1 diff)
WebCore/html/canvas/WebGLShaderPrecisionFormat.idl (modified) (1 diff)
WebCore/html/track/TextTrack.idl (modified) (1 diff)
WebCore/html/track/TextTrackCue.idl (modified) (1 diff)
WebCore/html/track/TextTrackCueList.idl (modified) (1 diff)
WebCore/inspector/InjectedScriptHost.idl (modified) (1 diff)
WebCore/inspector/InspectorFrontendHost.idl (modified) (1 diff)
WebCore/inspector/JavaScriptCallFrame.idl (modified) (1 diff)
WebCore/page/Coordinates.idl (modified) (1 diff)
WebCore/page/Crypto.idl (modified) (1 diff)
WebCore/page/MemoryInfo.idl (modified) (1 diff)
WebCore/page/PagePopupController.idl (modified) (1 diff)
WebCore/page/PerformanceEntryList.idl (modified) (1 diff)
WebCore/page/SpeechInputResult.idl (modified) (1 diff)
WebCore/page/SpeechInputResultList.idl (modified) (1 diff)
WebCore/page/WebKitPoint.idl (modified) (1 diff)
WebCore/svg/SVGAnimatedAngle.idl (modified) (1 diff)
WebCore/svg/SVGAnimatedBoolean.idl (modified) (1 diff)
WebCore/svg/SVGAnimatedEnumeration.idl (modified) (1 diff)
WebCore/svg/SVGAnimatedInteger.idl (modified) (1 diff)
WebCore/svg/SVGAnimatedLength.idl (modified) (1 diff)
WebCore/svg/SVGAnimatedLengthList.idl (modified) (1 diff)
WebCore/svg/SVGAnimatedNumber.idl (modified) (1 diff)
WebCore/svg/SVGAnimatedNumberList.idl (modified) (1 diff)
WebCore/svg/SVGAnimatedPreserveAspectRatio.idl (modified) (1 diff)
WebCore/svg/SVGAnimatedRect.idl (modified) (1 diff)
WebCore/svg/SVGAnimatedString.idl (modified) (1 diff)
WebCore/svg/SVGAnimatedTransformList.idl (modified) (1 diff)
WebCore/svg/SVGColor.idl (modified) (1 diff)
WebCore/svg/SVGException.idl (modified) (1 diff)
WebCore/svg/SVGPaint.idl (modified) (1 diff)
WebCore/svg/SVGPathSeg.idl (modified) (1 diff)
WebCore/svg/SVGRenderingIntent.idl (modified) (1 diff)
WebCore/svg/SVGUnitTypes.idl (modified) (1 diff)
WebCore/svg/SVGZoomAndPan.idl (modified) (1 diff)
WebCore/testing/MallocStatistics.idl (modified) (1 diff)
WebCore/testing/TypeConversions.idl (modified) (1 diff)
WebCore/workers/WorkerLocation.idl (modified) (1 diff)
WebCore/xml/DOMParser.idl (modified) (1 diff)
WebCore/xml/XMLHttpRequestException.idl (modified) (1 diff)
WebCore/xml/XMLSerializer.idl (modified) (1 diff)
WebCore/xml/XPathEvaluator.idl (modified) (1 diff)
WebCore/xml/XPathException.idl (modified) (1 diff)
WebCore/xml/XPathExpression.idl (modified) (1 diff)
WebCore/xml/XPathNSResolver.idl (modified) (1 diff)
WebCore/xml/XPathResult.idl (modified) (1 diff)
WebCore/xml/XSLTProcessor.idl (modified) (1 diff)
WebKit/chromium/ChangeLog (modified) (1 diff)
WebKit/chromium/features.gypi (modified) (1 diff)

Legend:

: Unmodified
: Added
: Removed

trunk/Source/WebCore/ChangeLog

-                      r141033
+                      r141034
+-01-28  Tom Sepez  <tsepez@chromium.org>
+        [v8] Security feature: JavaScript Bindings hardening
+        https://bugs.webkit.org/show_bug.cgi?id=106608
+        The patch adds a check at wrapper creation time to enuse that the
+        object being wrapped is not already free, to the extent that we know
+        the information about the type of the object as provided in the IDL.
+        Reviewed by Adam Barth.
+        Patch is correct if existing tests pass without new crashes.
+        * bindings/scripts/CodeGeneratorV8.pm:
+        (GenerateImplementation):
+        (GenerateToV8Converters):
+        (GetNativeTypeForConversions):
+        (GetGnuVTableRefForInterface):
+        (GetGnuVTableNameForInterface):
+        (GetGnuMangledNameForInterface):
+        (GetGnuVTableOffsetForType):
+        (GetWinVTableRefForInterface):
+        (GetWinVTableNameForInterface):
+        (GetWinMangledNameForInterface):
+        (GetNamespaceForInterface):
+        (GetImplementationLacksVTableForInterface):
+        (GetV8SkipVTableValidationForInterface):
+        Update code generation to add object validity tests under the control
+        of the ENABLE_BINDING_INTEGRITY option.
+        * Modules/filesystem/DirectoryReader.idl:
+        * Modules/filesystem/DirectoryReaderSync.idl:
+        * Modules/filesystem/EntryArray.idl:
+        * Modules/filesystem/EntryArraySync.idl:
+        * Modules/filesystem/Metadata.idl:
+        * Modules/gamepad/Gamepad.idl:
+        * Modules/gamepad/GamepadList.idl:
+        * Modules/geolocation/Geoposition.idl:
+        * Modules/geolocation/PositionError.idl:
+        * Modules/indexeddb/IDBFactory.idl:
+        * Modules/indexeddb/IDBIndex.idl:
+        * Modules/indexeddb/IDBKeyRange.idl:
+        * Modules/indexeddb/IDBObjectStore.idl:
+        * Modules/mediastream/RTCStatsElement.idl:
+        * Modules/mediastream/RTCStatsReport.idl:
+        * Modules/quota/StorageInfo.idl:
+        * Modules/speech/SpeechGrammar.idl:
+        * Modules/speech/SpeechGrammarList.idl:
+        * Modules/speech/SpeechRecognitionAlternative.idl:
+        * Modules/speech/SpeechRecognitionResult.idl:
+        * Modules/speech/SpeechRecognitionResultList.idl:
+        * Modules/webaudio/AudioBuffer.idl:
+        * Modules/webaudio/AudioDestinationNode.idl:
+        * Modules/webaudio/AudioListener.idl:
+        * Modules/webaudio/AudioSourceNode.idl:
+        * Modules/webaudio/WaveTable.idl:
+        * Modules/webdatabase/SQLError.idl:
+        * Modules/webdatabase/SQLException.idl:
+        * Modules/webdatabase/SQLResultSet.idl:
+        * Modules/webdatabase/SQLResultSetRowList.idl:
+        * Modules/webdatabase/SQLTransaction.idl:
+        * Modules/webdatabase/SQLTransactionSync.idl:
+        * bindings/scripts/IDLAttributes.txt:
+        * css/CSSPrimitiveValue.idl:
+        * css/CSSRule.idl:
+        * css/CSSRuleList.idl:
+        * css/CSSStyleDeclaration.idl:
+        * css/CSSValue.idl:
+        * css/CSSValueList.idl:
+        * css/Counter.idl:
+        * css/MediaList.idl:
+        * css/MediaQueryList.idl:
+        * css/RGBColor.idl:
+        * css/Rect.idl:
+        * css/StyleSheetList.idl:
+        * css/WebKitCSSFilterValue.idl:
+        * css/WebKitCSSMixFunctionValue.idl:
+        * css/WebKitCSSTransformValue.idl:
+        * dom/ClientRect.idl:
+        * dom/ClientRectList.idl:
+        * dom/Clipboard.idl:
+        * dom/DOMCoreException.idl:
+        * dom/DOMError.idl:
+        * dom/DOMImplementation.idl:
+        * dom/DOMNamedFlowCollection.idl:
+        * dom/DOMStringList.idl:
+        * dom/DOMStringMap.idl:
+        * dom/DataTransferItem.idl:
+        * dom/DataTransferItemList.idl:
+        * dom/DocumentFragment.idl:
+        * dom/Element.idl:
+        * dom/Entity.idl:
+        * dom/Event.idl:
+        * dom/EventException.idl:
+        * dom/MessageChannel.idl:
+        * dom/MouseEvent.idl:
+        * dom/MutationObserver.idl:
+        * dom/MutationRecord.idl:
+        * dom/NamedNodeMap.idl:
+        * dom/NodeFilter.idl:
+        * dom/NodeIterator.idl:
+        * dom/NodeList.idl:
+        * dom/Range.idl:
+        * dom/RangeException.idl:
+        * dom/Touch.idl:
+        * dom/TouchList.idl:
+        * dom/TreeWalker.idl:
+        * fileapi/FileError.idl:
+        * fileapi/FileException.idl:
+        * fileapi/FileList.idl:
+        * html/DOMFormData.idl:
+        * html/DOMTokenList.idl:
+        * html/DOMURL.idl:
+        * html/HTMLAllCollection.idl:
+        * html/HTMLCollection.idl:
+        * html/HTMLDialogElement.idl:
+        * html/HTMLDivElement.idl:
+        * html/HTMLDocument.idl:
+        * html/HTMLElement.idl:
+        * html/HTMLImageElement.idl:
+        * html/HTMLInputElement.idl:
+        * html/HTMLSelectElement.idl:
+        * html/HTMLSpanElement.idl:
+        * html/HTMLUnknownElement.idl:
+        * html/ImageData.idl:
+        * html/MediaError.idl:
+        * html/MediaKeyError.idl:
+        * html/TimeRanges.idl:
+        * html/ValidityState.idl:
+        * html/canvas/ArrayBuffer.idl:
+        * html/canvas/ArrayBufferView.idl:
+        * html/canvas/CanvasGradient.idl:
+        * html/canvas/CanvasPattern.idl:
+        * html/canvas/Float32Array.idl:
+        * html/canvas/Float64Array.idl:
+        * html/canvas/Int16Array.idl:
+        * html/canvas/Int32Array.idl:
+        * html/canvas/Int8Array.idl:
+        * html/canvas/Uint16Array.idl:
+        * html/canvas/Uint32Array.idl:
+        * html/canvas/Uint8Array.idl:
+        * html/canvas/Uint8ClampedArray.idl:
+        * html/canvas/WebGLActiveInfo.idl:
+        * html/canvas/WebGLShaderPrecisionFormat.idl:
+        * html/track/TextTrack.idl:
+        * html/track/TextTrackCue.idl:
+        * html/track/TextTrackCueList.idl:
+        * inspector/InjectedScriptHost.idl:
+        * inspector/InspectorFrontendHost.idl:
+        * inspector/JavaScriptCallFrame.idl:
+        * page/Coordinates.idl:
+        * page/Crypto.idl:
+        * page/MemoryInfo.idl:
+        * page/PagePopupController.idl:
+        * page/PerformanceEntryList.idl:
+        * page/SpeechInputResult.idl:
+        * page/SpeechInputResultList.idl:
+        * page/WebKitPoint.idl:
+        * svg/SVGAnimatedAngle.idl:
+        * svg/SVGAnimatedBoolean.idl:
+        * svg/SVGAnimatedEnumeration.idl:
+        * svg/SVGAnimatedInteger.idl:
+        * svg/SVGAnimatedLength.idl:
+        * svg/SVGAnimatedLengthList.idl:
+        * svg/SVGAnimatedNumber.idl:
+        * svg/SVGAnimatedNumberList.idl:
+        * svg/SVGAnimatedPreserveAspectRatio.idl:
+        * svg/SVGAnimatedRect.idl:
+        * svg/SVGAnimatedString.idl:
+        * svg/SVGAnimatedTransformList.idl:
+        * svg/SVGColor.idl:
+        * svg/SVGException.idl:
+        * svg/SVGPaint.idl:
+        * svg/SVGPathSeg.idl:
+        * svg/SVGRenderingIntent.idl:
+        * svg/SVGUnitTypes.idl:
+        * svg/SVGZoomAndPan.idl:
+        * testing/MallocStatistics.idl:
+        * testing/TypeConversions.idl:
+        * workers/WorkerLocation.idl:
+        * xml/DOMParser.idl:
+        * xml/XMLHttpRequestException.idl:
+        * xml/XMLSerializer.idl:
+        * xml/XPathEvaluator.idl:
+        * xml/XPathException.idl:
+        * xml/XPathExpression.idl:
+        * xml/XPathNSResolver.idl:
+        * xml/XPathResult.idl:
+        * xml/XSLTProcessor.idl:
+        Add exceptions to binding integrity checks to IDL.
 -01-28  Alpha Lam  <hclam@chromium.org>

trunk/Source/WebCore/Modules/filesystem/DirectoryReader.idl

-                      r131172
+                      r141034
+[
     Conditional=FILE_SYSTEM,
+    JSNoStaticTables
+    JSNoStaticTables,
+    ImplementationLacksVTable
 ] interface DirectoryReader {
     void readEntries(in [Callback] EntriesCallback successCallback, in [Optional, Callback] ErrorCallback errorCallback);

trunk/Source/WebCore/Modules/filesystem/DirectoryReaderSync.idl

-                      r131172
+                      r141034
+[
     Conditional=FILE_SYSTEM,
+    JSNoStaticTables
+    JSNoStaticTables,
+    ImplementationLacksVTable
 ] interface DirectoryReaderSync {
     EntryArraySync readEntries() raises (FileException);

trunk/Source/WebCore/Modules/filesystem/EntryArray.idl

-                      r131172
+                      r141034
     Conditional=FILE_SYSTEM,
     IndexedGetter,
+    JSNoStaticTables
+    JSNoStaticTables,
+    ImplementationLacksVTable
 ] interface EntryArray {
     readonly attribute unsigned long length;

trunk/Source/WebCore/Modules/filesystem/EntryArraySync.idl

-                      r131172
+                      r141034
     Conditional=FILE_SYSTEM,
     IndexedGetter,
+    JSNoStaticTables
+    JSNoStaticTables,
+    ImplementationLacksVTable
 ] interface EntryArraySync {
     readonly attribute unsigned long length;

trunk/Source/WebCore/Modules/filesystem/Metadata.idl

-                      r131172
+                      r141034
+[
     Conditional=FILE_SYSTEM,
+    JSNoStaticTables
+    JSNoStaticTables,
+    ImplementationLacksVTable
 ] interface Metadata {
     readonly attribute Date modificationTime;

trunk/Source/WebCore/Modules/gamepad/Gamepad.idl

-                      r131172
+                      r141034
+[
+    Conditional=GAMEPAD
+    Conditional=GAMEPAD,
+    ImplementationLacksVTable
 ] interface Gamepad {
     readonly attribute DOMString id;

trunk/Source/WebCore/Modules/gamepad/GamepadList.idl

-                      r131172
+                      r141034
+[
     Conditional=GAMEPAD,
+    IndexedGetter
+    IndexedGetter,
+    ImplementationLacksVTable
 ] interface GamepadList {
     readonly attribute unsigned long length;

trunk/Source/WebCore/Modules/geolocation/Geoposition.idl

-                      r131172
+                      r141034
+[
     Conditional=GEOLOCATION,
+    OmitConstructor
+    OmitConstructor,
+    ImplementationLacksVTable
 ] interface Geoposition {
     readonly attribute Coordinates coords;

trunk/Source/WebCore/Modules/geolocation/PositionError.idl

-                      r131172
+                      r141034
+[
+    Conditional=GEOLOCATION
+    Conditional=GEOLOCATION,
+    ImplementationLacksVTable
 ] interface PositionError {
     readonly attribute unsigned short code;

trunk/Source/WebCore/Modules/indexeddb/IDBFactory.idl

-                      r141013
+                      r141034
+[
     Conditional=INDEXED_DATABASE,
+    JSNoStaticTables
+    JSNoStaticTables,
+    ImplementationLacksVTable
 ] interface IDBFactory {
     [CallWith=ScriptExecutionContext, ImplementedAs=getDatabaseNames] IDBRequest webkitGetDatabaseNames();

trunk/Source/WebCore/Modules/indexeddb/IDBIndex.idl

-                      r140457
+                      r141034
+[
     Conditional=INDEXED_DATABASE,
+    JSNoStaticTables
+    JSNoStaticTables,
+    ImplementationLacksVTable
 ] interface IDBIndex {
     readonly attribute DOMString name;

trunk/Source/WebCore/Modules/indexeddb/IDBKeyRange.idl

-                      r140457
+                      r141034
+[
     Conditional=INDEXED_DATABASE,
+    JSNoStaticTables
+    JSNoStaticTables,
+    ImplementationLacksVTable
 ] interface IDBKeyRange {
     [ImplementedAs=lowerValue,CallWith=ScriptExecutionContext] readonly attribute any lower;

trunk/Source/WebCore/Modules/indexeddb/IDBObjectStore.idl

-                      r140457
+                      r141034
+[
     Conditional=INDEXED_DATABASE,
+    JSNoStaticTables
+    JSNoStaticTables,
+    ImplementationLacksVTable
 ] interface IDBObjectStore {
     [TreatReturnedNullStringAs=Null] readonly attribute DOMString name;

trunk/Source/WebCore/Modules/mediastream/RTCStatsElement.idl

r136507	r141034
25	25	[
26	26	Conditional=MEDIA_STREAM,
	27	ImplementationLacksVTable
27	28	] interface RTCStatsElement {
28	29	readonly attribute Date timestamp;

trunk/Source/WebCore/Modules/mediastream/RTCStatsReport.idl

-                      r131172
+                      r141034
+[
+    Conditional=MEDIA_STREAM
+    Conditional=MEDIA_STREAM,
+    ImplementationLacksVTable
 ] interface RTCStatsReport {
     readonly attribute RTCStatsElement local;

trunk/Source/WebCore/Modules/quota/StorageInfo.idl

-                      r131172
+                      r141034
+[
     Conditional=QUOTA,
+    OmitConstructor
+    OmitConstructor,
+    ImplementationLacksVTable
 ] interface StorageInfo {
     const unsigned short TEMPORARY = 0;

trunk/Source/WebCore/Modules/speech/SpeechGrammar.idl

-                      r131172
+                      r141034
+[
     Conditional=SCRIPTED_SPEECH,
+    Constructor
+    Constructor,
+    ImplementationLacksVTable
 ] interface SpeechGrammar {
     [URL,CallWith=ScriptExecutionContext] attribute DOMString src;

trunk/Source/WebCore/Modules/speech/SpeechGrammarList.idl

r131172	r141034
28	28	IndexedGetter,
29	29	Constructor,
	30	ImplementationLacksVTable
30	31	] interface SpeechGrammarList {
31	32	readonly attribute unsigned long length;

trunk/Source/WebCore/Modules/speech/SpeechRecognitionAlternative.idl

-                      r131172
+                      r141034
+[
+    Conditional=SCRIPTED_SPEECH
+    Conditional=SCRIPTED_SPEECH,
+    ImplementationLacksVTable
 ] interface SpeechRecognitionAlternative {
     readonly attribute DOMString transcript;

trunk/Source/WebCore/Modules/speech/SpeechRecognitionResult.idl

-                      r136392
+                      r141034
+[
     Conditional=SCRIPTED_SPEECH,
+    IndexedGetter
+    IndexedGetter,
+    ImplementationLacksVTable
 ] interface SpeechRecognitionResult {
     readonly attribute unsigned long length;

trunk/Source/WebCore/Modules/speech/SpeechRecognitionResultList.idl

-                      r131172
+                      r141034
+[
     Conditional=SCRIPTED_SPEECH,
+    IndexedGetter
+    IndexedGetter,
+    ImplementationLacksVTable
 ] interface SpeechRecognitionResultList {
     readonly attribute unsigned long length;

trunk/Source/WebCore/Modules/webaudio/AudioBuffer.idl

-                      r131172
+                      r141034
+[
+    Conditional=WEB_AUDIO
+    Conditional=WEB_AUDIO,
+    ImplementationLacksVTable
 ] interface AudioBuffer {
     readonly attribute long length; // in sample-frames

trunk/Source/WebCore/Modules/webaudio/AudioDestinationNode.idl

-                      r131172
+                      r141034
+[
     Conditional=WEB_AUDIO,
+    JSGenerateToJSObject
+    JSGenerateToJSObject,
+    V8SkipVTableValidation
 ] interface AudioDestinationNode : AudioNode {
     readonly attribute long numberOfChannels;

trunk/Source/WebCore/Modules/webaudio/AudioListener.idl

-                      r131172
+                      r141034
+[
+    Conditional=WEB_AUDIO
+    Conditional=WEB_AUDIO,
+    ImplementationLacksVTable
 ] interface AudioListener {
     attribute float dopplerFactor;  // same as OpenAL (default 1.0)

trunk/Source/WebCore/Modules/webaudio/AudioSourceNode.idl

-                      r131172
+                      r141034
+[
+    Conditional=WEB_AUDIO
+    Conditional=WEB_AUDIO,
+    ImplementationLacksVTable
 ] interface AudioSourceNode : AudioNode {
 };

trunk/Source/WebCore/Modules/webaudio/WaveTable.idl

-                      r131172
+                      r141034
 // WaveTable represents a periodic audio waveform given by its Fourier coefficients.
+[
+    Conditional=WEB_AUDIO
+    Conditional=WEB_AUDIO,
+    ImplementationLacksVTable
 ] interface WaveTable {

trunk/Source/WebCore/Modules/webdatabase/SQLError.idl

-                      r131172
+                      r141034
     Conditional=SQL_DATABASE,
     OmitConstructor,
+    JSNoStaticTables
+    JSNoStaticTables,
+    ImplementationLacksVTable
 ] interface SQLError {
     readonly attribute unsigned long code;

trunk/Source/WebCore/Modules/webdatabase/SQLException.idl

-                      r131172
+                      r141034
     Conditional=SQL_DATABASE,
     JSNoStaticTables,
+    DoNotCheckConstants
+    DoNotCheckConstants,
+    ImplementationLacksVTable
 ] exception SQLException {
     readonly attribute unsigned long code;

trunk/Source/WebCore/Modules/webdatabase/SQLResultSet.idl

-                      r131172
+                      r141034
     Conditional=SQL_DATABASE,
     OmitConstructor,
+    JSNoStaticTables
+    JSNoStaticTables,
+    ImplementationLacksVTable
 ] interface SQLResultSet {
     readonly attribute SQLResultSetRowList rows;

trunk/Source/WebCore/Modules/webdatabase/SQLResultSetRowList.idl

-                      r131172
+                      r141034
     Conditional=SQL_DATABASE,
     OmitConstructor,
+    JSNoStaticTables
+    JSNoStaticTables,
+    ImplementationLacksVTable
 ] interface SQLResultSetRowList {
     readonly attribute unsigned long length;

trunk/Source/WebCore/Modules/webdatabase/SQLTransaction.idl

-                      r131172
+                      r141034
     Conditional=SQL_DATABASE,
     OmitConstructor,
+    JSNoStaticTables
+    JSNoStaticTables,
+    ImplementationLacksVTable
 ] interface SQLTransaction {
     [Custom] void executeSql(in DOMString sqlStatement,

trunk/Source/WebCore/Modules/webdatabase/SQLTransactionSync.idl

-                      r131172
+                      r141034
     Conditional=SQL_DATABASE,
     OmitConstructor,
+    JSNoStaticTables
+    JSNoStaticTables,
+    ImplementationLacksVTable
 ] interface SQLTransactionSync {
     [Custom] SQLResultSet executeSql(in DOMString sqlStatement, in ObjectArray arguments);

trunk/Source/WebCore/bindings/scripts/CodeGeneratorV8.pm

-                      r140938
+                      r141034
     my $v8InterfaceName = "V8$interfaceName";
     my $nativeType = GetNativeTypeForConversions($interface);
+    my $vtableNameGnu = GetGnuVTableNameForInterface($interface);
+    my $vtableRefGnu = GetGnuVTableRefForInterface($interface);
+    my $vtableRefWin = GetWinVTableRefForInterface($interface);
     # - Add default header template
 …
         last;
+    }
+    push(@implContentDecls, <<END) if $vtableNameGnu;
+#if ENABLE(BINDING_INTEGRITY)
+#if defined(OS_WIN)
+#pragma warning(disable: 4483)
+extern "C" { extern void (*const ${vtableRefWin}[])(); }
+#else
+extern "C" { extern void* ${vtableNameGnu}[]; }
+#endif
+#endif // ENABLE(BINDING_INTEGRITY)
+END
     push(@implContentDecls, "namespace WebCore {\n\n");
+    push(@implContentDecls, <<END) if $vtableNameGnu;
+#if ENABLE(BINDING_INTEGRITY)
+inline void checkTypeOrDieTrying(${nativeType}* object)
+{
+    void* actualVTablePointer = *(reinterpret_cast<void**>(object));
+#if defined(OS_WIN)
+    void* expectedVTablePointer = reinterpret_cast<void*>(${vtableRefWin});
+#else
+    void* expectedVTablePointer = ${vtableRefGnu};
+#endif
+    if (actualVTablePointer != expectedVTablePointer)
+        CRASH();
+}
+#endif // ENABLE(BINDING_INTEGRITY)
+END
     my $parentClassInfo = $parentClass ? "&${parentClass}::info" : "0";
 …
+    }
+    AddToImplIncludes("Frame.h");
     my $createWrapperArgumentType = GetPassRefPtrType($nativeType);
     my $baseType = BaseInterfaceName($interface);
 …
     ASSERT(DOMDataStore::getWrapper(impl.get(), isolate).IsEmpty());
 END
+    if ($baseType ne $interfaceName) {
+        push(@implContent, <<END);
+    my $vtableNameGnu = GetGnuVTableNameForInterface($interface);
+    push(@implContent, <<END) if $vtableNameGnu;
+#if ENABLE(BINDING_INTEGRITY)
+    checkTypeOrDieTrying(impl.get());
+#endif
+END
+    push(@implContent, <<END) if ($baseType ne $interfaceName);
     ASSERT(static_cast<void*>(static_cast<${baseType}*>(impl.get())) == static_cast<void*>(impl.get()));
 END
+    }
-    AddToImplIncludes("Frame.h");
     if ($codeGenerator->InheritsInterface($interface, "Document")) {
 …
     my $interface = shift;
     my $interfaceName = $interface->name;
     $interfaceName = $codeGenerator->GetSVGTypeNeedingTearOff($interfaceName) if $codeGenerator->IsSVGTypeNeedingTearOff($interfaceName);
+    return $interfaceName;;
+    return $interfaceName;
+}
+# See http://refspecs.linux-foundation.org/cxxabi-1.83.html.
+sub GetGnuVTableRefForInterface
+{
+    my $interface = shift;
+    my $vtableName = GetGnuVTableNameForInterface($interface);
+    if (!$vtableName) {
+        return "0";
+    }
+    my $typename = GetNativeTypeForConversions($interface);
+    my $offset = GetGnuVTableOffsetForType($typename);
+    return "&" . $vtableName . "[" . $offset . "]";
+}
+sub GetGnuVTableNameForInterface
+{
+    my $interface = shift;
+    my $typename = GetNativeTypeForConversions($interface);
+    my $templatePosition = index($typename, "<");
+    return "" if $templatePosition != -1;
+    return "" if GetImplementationLacksVTableForInterface($interface);
+    return "" if GetV8SkipVTableValidationForInterface($interface);
+    return "_ZTV" . GetGnuMangledNameForInterface($interface);
+}
+sub GetGnuMangledNameForInterface
+{
+    my $interface = shift;
+    my $typename = GetNativeTypeForConversions($interface);
+    my $templatePosition = index($typename, "<");
+    if ($templatePosition != -1) {
+        return "";
+    }
+    my $mangledType = length($typename) . $typename;
+    my $namespace = GetNamespaceForInterface($interface);
+    my $mangledNamespace =  "N" . length($namespace) . $namespace;
+    return $mangledNamespace . $mangledType . "E";
+}
+sub GetGnuVTableOffsetForType
+{
+    my $typename = shift;
+    if ($typename eq "SVGAElement"
+        || $typename eq "SVGCircleElement"
+        || $typename eq "SVGClipPathElement"
+        || $typename eq "SVGDefsElement"
+        || $typename eq "SVGEllipseElement"
+        || $typename eq "SVGForeignObjectElement"
+        || $typename eq "SVGGElement"
+        || $typename eq "SVGImageElement"
+        || $typename eq "SVGLineElement"
+        || $typename eq "SVGPathElement"
+        || $typename eq "SVGPolyElement"
+        || $typename eq "SVGPolygonElement"
+        || $typename eq "SVGPolylineElement"
+        || $typename eq "SVGRectElement"
+        || $typename eq "SVGSVGElement"
+        || $typename eq "SVGStyledLocatableElement"
+        || $typename eq "SVGStyledTransformableElement"
+        || $typename eq "SVGSwitchElement"
+        || $typename eq "SVGTextElement"
+        || $typename eq "SVGTransformable"
+        || $typename eq "SVGUseElement") {
+        return "3";
+    }
+    return "2";
+}
+# See http://en.wikipedia.org/wiki/Microsoft_Visual_C%2B%2B_Name_Mangling.
+sub GetWinVTableRefForInterface
+{
+    my $interface = shift;
+    my $vtableName = GetWinVTableNameForInterface($interface);
+    return 0 if !$vtableName;
+    return "__identifier(\"" . $vtableName . "\")";
+}
+sub GetWinVTableNameForInterface
+{
+    my $interface = shift;
+    my $typename = GetNativeTypeForConversions($interface);
+    my $templatePosition = index($typename, "<");
+    return "" if $templatePosition != -1;
+    return "" if GetImplementationLacksVTableForInterface($interface);
+    return "" if GetV8SkipVTableValidationForInterface($interface);
+    return "??_7" . GetWinMangledNameForInterface($interface) . "6B@";
+}
+sub GetWinMangledNameForInterface
+{
+    my $interface = shift;
+    my $typename = GetNativeTypeForConversions($interface);
+    my $namespace = GetNamespaceForInterface($interface);
+    return $typename . "@" . $namespace . "@@";
+}
+sub GetNamespaceForInterface
+{
+    my $interface = shift;
+    return $interface->extendedAttributes->{"ImplementationNamespace"} || "WebCore";
+}
+sub GetImplementationLacksVTableForInterface
+{
+    my $interface = shift;
+    return $interface->extendedAttributes->{"ImplementationLacksVTable"};
+}
+sub GetV8SkipVTableValidationForInterface
+{
+    my $interface = shift;
+    return $interface->extendedAttributes->{"V8SkipVTableValidation"};
+}

trunk/Source/WebCore/bindings/scripts/IDLAttributes.txt

-                      r140303
+                      r141034
 GenerateIsReachable=ImplDocument|ImplElementRoot|ImplOwnerNodeRoot
 Immutable
+ImplementationLacksVTable
+ImplementationNamespace=*
 ImplementedAs=*
 IndexedGetter
 …
 V8MeasureAs=*
 V8ReadOnly
+V8SkipVTableValidation
 V8Unforgeable

trunk/Source/WebCore/css/CSSPrimitiveValue.idl

-                      r131145
+                      r141034
  */
+interface CSSPrimitiveValue : CSSValue {
+[
+    ImplementationLacksVTable
+] interface CSSPrimitiveValue : CSSValue {
     // UnitTypes

trunk/Source/WebCore/css/CSSRule.idl

-                      r140997
+                      r141034
     CustomToJSObject,
     ObjCPolymorphic,
+    V8DependentLifetime
+    V8DependentLifetime,
+    V8SkipVTableValidation
 ] interface CSSRule {

trunk/Source/WebCore/css/CSSRuleList.idl

-                      r131172
+                      r141034
     JSCustomIsReachable,
     IndexedGetter,
+    V8DependentLifetime
+    V8DependentLifetime,
+    V8SkipVTableValidation
 ] interface CSSRuleList {
     readonly attribute unsigned long    length;

trunk/Source/WebCore/css/CSSStyleDeclaration.idl

-                      r131172
+                      r141034
     IndexedGetter,
     CustomEnumerateProperty,
+    V8DependentLifetime
+    V8DependentLifetime,
+    V8SkipVTableValidation
 ] interface CSSStyleDeclaration {
              [TreatReturnedNullStringAs=Null, TreatNullAs=NullString] attribute DOMString        cssText

trunk/Source/WebCore/css/CSSValue.idl

-                      r131172
+                      r141034
     JSCustomFinalize,
     ObjCPolymorphic,
+    V8DependentLifetime
+    V8DependentLifetime,
+    ImplementationLacksVTable
 ] interface CSSValue {

trunk/Source/WebCore/css/CSSValueList.idl

-                      r131172
+                      r141034
 // Introduced in DOM Level 2:
+[
+    IndexedGetter
+    IndexedGetter,
+    ImplementationLacksVTable
 ] interface CSSValueList : CSSValue {
     readonly attribute unsigned long    length;

trunk/Source/WebCore/css/Counter.idl

-                      r131145
+                      r141034
 // Introduced in DOM Level 2:
+interface Counter {
+[
+    ImplementationLacksVTable
+] interface Counter {
     readonly attribute DOMString identifier;
     readonly attribute DOMString listStyle;

trunk/Source/WebCore/css/MediaList.idl

-                      r131172
+                      r141034
+[
     JSGenerateIsReachable,
+    IndexedGetter
+    IndexedGetter,
+    ImplementationLacksVTable
 ] interface MediaList {

trunk/Source/WebCore/css/MediaQueryList.idl

-                      r131145
+                      r141034
  *  Boston, MA 02110-1301, USA.
  */
+interface MediaQueryList {
+[
+    ImplementationLacksVTable
+] interface MediaQueryList {
     readonly attribute DOMString media;
     readonly attribute boolean matches;

trunk/Source/WebCore/css/RGBColor.idl

-                      r131145
+                      r141034
 // Introduced in DOM Level 2:
+interface RGBColor {
+[
+    ImplementationLacksVTable
+] interface RGBColor {
     readonly attribute CSSPrimitiveValue  red;
     readonly attribute CSSPrimitiveValue  green;

trunk/Source/WebCore/css/Rect.idl

-                      r131145
+                      r141034
  */
+interface Rect {
+[
+    ImplementationLacksVTable
+] interface Rect {
     readonly attribute CSSPrimitiveValue  top;
     readonly attribute CSSPrimitiveValue  right;

trunk/Source/WebCore/css/StyleSheetList.idl

-                      r131840
+                      r141034
     GenerateIsReachable=ImplDocument,
     IndexedGetter,
+    NamedGetter
+    NamedGetter,
+    ImplementationLacksVTable
 ] interface StyleSheetList {
     readonly attribute unsigned long    length;

trunk/Source/WebCore/css/WebKitCSSFilterValue.idl

-                      r131172
+                      r141034
         Conditional=CSS_FILTERS,
         IndexedGetter,
+        DoNotCheckConstants
+        DoNotCheckConstants,
+    ImplementationLacksVTable
 ] interface WebKitCSSFilterValue : CSSValueList {

trunk/Source/WebCore/css/WebKitCSSMixFunctionValue.idl

r135749	r141034
30	30	[
31	31	Conditional=CSS_SHADERS,
	32	ImplementationLacksVTable
32	33	] interface WebKitCSSMixFunctionValue : CSSValueList {
33	34	};

trunk/Source/WebCore/css/WebKitCSSTransformValue.idl

-                      r131172
+                      r141034
+[
         IndexedGetter,
+        DoNotCheckConstants
+        DoNotCheckConstants,
+    ImplementationLacksVTable
 ] interface WebKitCSSTransformValue : CSSValueList {

trunk/Source/WebCore/dom/ClientRect.idl

-                      r131145
+                      r141034
  */
+interface ClientRect {
+[
+    ImplementationLacksVTable
+] interface ClientRect {
     readonly attribute float top;
     readonly attribute float right;

trunk/Source/WebCore/dom/ClientRectList.idl

-                      r131172
+                      r141034
+[
+    IndexedGetter
+    IndexedGetter,
+    ImplementationLacksVTable
 ] interface ClientRectList {
     readonly attribute unsigned long length;

trunk/Source/WebCore/dom/Clipboard.idl

-                      r131172
+                      r141034
  */
+interface Clipboard {
+[
+    V8SkipVTableValidation
+] interface Clipboard {
              [TreatReturnedNullStringAs=Undefined] attribute DOMString dropEffect;
              [TreatReturnedNullStringAs=Undefined] attribute DOMString effectAllowed;

trunk/Source/WebCore/dom/DOMCoreException.idl

-                      r134440
+                      r141034
     JSNoStaticTables,
     DoNotCheckConstants,
+    InterfaceName=DOMException
+    InterfaceName=DOMException,
+    ImplementationLacksVTable
 ] exception DOMCoreException {

trunk/Source/WebCore/dom/DOMError.idl

-                      r131145
+                      r141034
  * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
  */
   interface [
 ] DOMError {
+[
+    ImplementationLacksVTable
+] interface  DOMError {
     readonly attribute DOMString name;
   };

trunk/Source/WebCore/dom/DOMImplementation.idl

r131838	r141034
21	21	[
22	22	GenerateIsReachable=ImplDocument,
	23	ImplementationLacksVTable
23	24	] interface DOMImplementation {
24	25

trunk/Source/WebCore/dom/DOMNamedFlowCollection.idl

-                      r137835
+                      r141034
     JSGenerateToJSObject,
     IndexedGetter,
+    NamedGetter
+    NamedGetter,
+    ImplementationLacksVTable
 ] interface DOMNamedFlowCollection {
     readonly attribute unsigned long length;

trunk/Source/WebCore/dom/DOMStringList.idl

-                      r134674
+                      r141034
     IndexedGetter,
     JSCustomToNativeObject,
+    JSNoStaticTables
+    JSNoStaticTables,
+    ImplementationLacksVTable
 ] interface DOMStringList {
     readonly attribute unsigned long length;

trunk/Source/WebCore/dom/DOMStringMap.idl

-                      r131172
+                      r141034
     CustomDeleteProperty,
     CustomEnumerateProperty,
+    CustomNamedSetter
+    CustomNamedSetter,
+    V8SkipVTableValidation
 ] interface DOMStringMap {
 };

trunk/Source/WebCore/dom/DataTransferItem.idl

r131172	r141034
31	31	[
32	32	Conditional=DATA_TRANSFER_ITEMS,
	33	ImplementationLacksVTable
33	34	] interface DataTransferItem {
34	35	readonly attribute DOMString kind;

trunk/Source/WebCore/dom/DataTransferItemList.idl

r131172	r141034
36	36	CustomDeleteProperty,
37	37	#endif
	38	ImplementationLacksVTable
38	39	] interface DataTransferItemList {
39	40	readonly attribute long length;

trunk/Source/WebCore/dom/DocumentFragment.idl

-                      r131145
+                      r141034
  */
+interface DocumentFragment : Node {
+[
+    V8SkipVTableValidation
+] interface DocumentFragment : Node {
     // NodeSelector - Selector API
     Element querySelector(in DOMString selectors)

trunk/Source/WebCore/dom/Element.idl

-                      r139027
+                      r141034
     JSGenerateToNativeObject,
     JSInlineGetOwnPropertySlot,
+    V8CustomToJSObject
+    V8CustomToJSObject,
+    V8SkipVTableValidation
 ] interface Element : Node {

trunk/Source/WebCore/dom/Entity.idl

-                      r131172
+                      r141034
  * Boston, MA 02110-1301, USA.
  */
+interface Entity : Node {
+[
+    ImplementationLacksVTable
+] interface Entity : Node {
     [TreatReturnedNullStringAs=Null] readonly attribute DOMString publicId;
     [TreatReturnedNullStringAs=Null] readonly attribute DOMString systemId;

trunk/Source/WebCore/dom/Event.idl

-                      r131172
+                      r141034
     ConstructorTemplate=Event,
     JSNoStaticTables,
+    ObjCPolymorphic
+    ObjCPolymorphic,
+    V8SkipVTableValidation
 ] interface Event {

trunk/Source/WebCore/dom/EventException.idl

-                      r131172
+                      r141034
+[
     JSNoStaticTables,
+    DoNotCheckConstants
+    DoNotCheckConstants,
+    ImplementationLacksVTable,
 ] exception EventException {

trunk/Source/WebCore/dom/MessageChannel.idl

-                      r131172
+                      r141034
     V8CustomConstructor,
     JSCustomMarkFunction,
+    JSNoStaticTables
+    JSNoStaticTables,
+    ImplementationLacksVTable
 ] interface MessageChannel {

trunk/Source/WebCore/dom/MouseEvent.idl

-                      r140657
+                      r141034
+[
     ConstructorConditional=DOM4_EVENTS_CONSTRUCTOR,
+    ConstructorTemplate=Event
+    ConstructorTemplate=Event,
+    V8SkipVTableValidation
 ] interface MouseEvent : UIEvent {
     [InitializedByEventConstructor] readonly attribute long             screenX;

trunk/Source/WebCore/dom/MutationObserver.idl

-                      r138811
+                      r141034
     CustomConstructor,
     ConstructorParameters=1,
+    JSCustomIsReachable
+    JSCustomIsReachable,
+    ImplementationLacksVTable
 ] interface MutationObserver {
     void observe(in Node target, in Dictionary options)

trunk/Source/WebCore/dom/MutationRecord.idl

-                      r138811
+                      r141034
  */
+interface MutationRecord {
+[
+    V8SkipVTableValidation
+] interface MutationRecord {
     readonly attribute DOMString type;
     readonly attribute Node target;

trunk/Source/WebCore/dom/NamedNodeMap.idl

-                      r131172
+                      r141034
     IndexedGetter,
     JSCustomMarkFunction,
+    NamedGetter
+    NamedGetter,
+    ImplementationLacksVTable
 ] interface NamedNodeMap {

trunk/Source/WebCore/dom/NodeFilter.idl

-                      r131172
+                      r141034
     JSCustomToNativeObject,
     ObjCProtocol,
+    CPPPureInterface
+    CPPPureInterface,
+    ImplementationLacksVTable
 ] interface NodeFilter {
     // Constants returned by acceptNode

trunk/Source/WebCore/dom/NodeIterator.idl

-                      r131172
+                      r141034
 // Introduced in DOM Level 2:
+[
+    JSCustomMarkFunction
+    JSCustomMarkFunction,
+    ImplementationLacksVTable
 ] interface NodeIterator {
     readonly attribute Node root;

trunk/Source/WebCore/dom/NodeList.idl

-                      r131172
+                      r141034
     IndexedGetter,
     NamedGetter,
+    V8DependentLifetime
+    V8DependentLifetime,
+    V8SkipVTableValidation
 ] interface NodeList {

trunk/Source/WebCore/dom/Range.idl

-                      r131145
+                      r141034
 // Introduced in DOM Level 2:
+interface Range {
+[
+    ImplementationLacksVTable
+] interface Range {
     readonly attribute Node startContainer

trunk/Source/WebCore/dom/RangeException.idl

-                      r131172
+                      r141034
+[
+    DoNotCheckConstants
+    DoNotCheckConstants,
+    ImplementationLacksVTable
 ] exception RangeException {

trunk/Source/WebCore/dom/Touch.idl

-                      r131172
+                      r141034
+[
+    Conditional=TOUCH_EVENTS
+    Conditional=TOUCH_EVENTS,
+    ImplementationLacksVTable
 ] interface Touch {
     readonly attribute long             clientX;

trunk/Source/WebCore/dom/TouchList.idl

-                      r131172
+                      r141034
+[
     Conditional=TOUCH_EVENTS,
+    IndexedGetter
+    IndexedGetter,
+    ImplementationLacksVTable
 ] interface TouchList {
     readonly attribute unsigned long length;

trunk/Source/WebCore/dom/TreeWalker.idl

-                      r131172
+                      r141034
 // Introduced in DOM Level 2:
+[
+    JSCustomMarkFunction
+    JSCustomMarkFunction,
+    ImplementationLacksVTable
 ] interface TreeWalker {
     readonly attribute Node root;

trunk/Source/WebCore/fileapi/FileError.idl

-                      r131172
+                      r141034
+[
     Conditional=BLOB|FILE_SYSTEM,
+    JSNoStaticTables
+    JSNoStaticTables,
+    ImplementationLacksVTable
 ] interface FileError {
 #if !defined(LANGUAGE_OBJECTIVE_C)

trunk/Source/WebCore/fileapi/FileException.idl

-                      r131172
+                      r141034
     Conditional=BLOB|FILE_SYSTEM,
     DoNotCheckConstants,
+    JSNoStaticTables
+    JSNoStaticTables,
+    ImplementationLacksVTable
 ] exception FileException {

trunk/Source/WebCore/fileapi/FileList.idl

-                      r131172
+                      r141034
+[
     IndexedGetter,
+    JSNoStaticTables
+    JSNoStaticTables,
+    ImplementationLacksVTable
 ] interface FileList {
     readonly attribute unsigned long length;

trunk/Source/WebCore/html/DOMFormData.idl

-                      r131172
+                      r141034
     JSGenerateToNativeObject,
     JSGenerateToJSObject,
+    InterfaceName=FormData
+    InterfaceName=FormData,
+    ImplementationLacksVTable
 ] interface DOMFormData {
     // void append(DOMString name, DOMString value);

trunk/Source/WebCore/html/DOMTokenList.idl

-                      r131408
+                      r141034
+[
     GenerateIsReachable=ImplElementRoot,
+    IndexedGetter
+    IndexedGetter,
+    V8SkipVTableValidation
 ] interface DOMTokenList {
     readonly attribute unsigned long length;

trunk/Source/WebCore/html/DOMURL.idl

-                      r131172
+                      r141034
     JSGenerateToJSObject,
     JSNoStaticTables,
+    InterfaceName=URL
+    InterfaceName=URL,
+    ImplementationLacksVTable
 ] interface DOMURL {
 #if defined(ENABLE_MEDIA_SOURCE) && ENABLE_MEDIA_SOURCE

trunk/Source/WebCore/html/HTMLAllCollection.idl

-                      r136850
+                      r141034
     MasqueradesAsUndefined,
     GenerateIsReachable=ImplOwnerNodeRoot,
+    V8DependentLifetime
+    V8DependentLifetime,
+    V8SkipVTableValidation
 ] interface HTMLAllCollection {
     readonly attribute unsigned long length;

trunk/Source/WebCore/html/HTMLCollection.idl

-                      r136850
+                      r141034
     GenerateIsReachable=ImplOwnerNodeRoot,
     V8DependentLifetime,
+    ObjCPolymorphic
+    ObjCPolymorphic,
+    V8SkipVTableValidation
 ] interface HTMLCollection {
     readonly attribute unsigned long length;

trunk/Source/WebCore/html/HTMLDialogElement.idl

-                      r131172
+                      r141034
+[
+    Conditional=DIALOG_ELEMENT
+    Conditional=DIALOG_ELEMENT,
+    V8SkipVTableValidation
 ] interface HTMLDialogElement : HTMLElement {
     [Reflect] attribute boolean open;

trunk/Source/WebCore/html/HTMLDivElement.idl

-                      r131172
+                      r141034
  */
+interface HTMLDivElement : HTMLElement {
+[
+    V8SkipVTableValidation
+] interface HTMLDivElement : HTMLElement {
     [Reflect] attribute DOMString align;
 };

trunk/Source/WebCore/html/HTMLDocument.idl

-                      r134186
+                      r141034
+[
     CustomNamedGetter,
+    V8CustomToJSObject
+    V8CustomToJSObject,
+    V8SkipVTableValidation
 ] interface HTMLDocument : Document {
     [JSCustom, V8Custom] void open();

trunk/Source/WebCore/html/HTMLElement.idl

-                      r134254
+                      r141034
     JSGenerateToNativeObject,
     JSCustomPushEventHandlerScope,
+    V8CustomToJSObject
+    V8CustomToJSObject,
+    V8SkipVTableValidation
 ] interface HTMLElement : Element {
              // iht.com relies on id returning the empty string when no id is present.

trunk/Source/WebCore/html/HTMLImageElement.idl

-                      r131172
+                      r141034
+[
+    JSGenerateToNativeObject
+    JSGenerateToNativeObject,
+    V8SkipVTableValidation
 ] interface HTMLImageElement : HTMLElement {
     [Reflect] attribute DOMString name;

trunk/Source/WebCore/html/HTMLInputElement.idl

-                      r134538
+                      r141034
  */
+interface HTMLInputElement : HTMLElement {
+[
+    V8SkipVTableValidation
+] interface HTMLInputElement : HTMLElement {
     [Reflect] attribute DOMString accept;
     [Reflect] attribute DOMString alt;

trunk/Source/WebCore/html/HTMLSelectElement.idl

-                      r131172
+                      r141034
+[
     IndexedGetter,
+    CustomIndexedSetter
+    CustomIndexedSetter,
+    V8SkipVTableValidation
 ] interface HTMLSelectElement : HTMLElement {
     attribute [Reflect] boolean autofocus;

trunk/Source/WebCore/html/HTMLSpanElement.idl

-                      r131145
+                      r141034
 // http://www.whatwg.org/specs/web-apps/current-work/#htmlspanelement
+interface HTMLSpanElement : HTMLElement {
+[
+    V8SkipVTableValidation
+] interface HTMLSpanElement : HTMLElement {
 };

trunk/Source/WebCore/html/HTMLUnknownElement.idl

-                      r131145
+                      r141034
  * IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
  */
+interface HTMLUnknownElement : HTMLElement {
+[
+    V8SkipVTableValidation
+] interface HTMLUnknownElement : HTMLElement {
 };

trunk/Source/WebCore/html/ImageData.idl

-                      r131172
+                      r141034
+[
+    CustomToJSObject
+    CustomToJSObject,
+    ImplementationLacksVTable
 ] interface ImageData {
     readonly attribute long width;

trunk/Source/WebCore/html/MediaError.idl

-                      r131172
+                      r141034
+[
+    Conditional=VIDEO
+    Conditional=VIDEO,
+    ImplementationLacksVTable
 ] interface MediaError {
       const unsigned short MEDIA_ERR_ABORTED = 1;

trunk/Source/WebCore/html/MediaKeyError.idl

r131172	r141034
27	27	Conditional=ENCRYPTED_MEDIA,
28	28	V8EnabledAtRuntime=encryptedMedia,
	29	ImplementationLacksVTable
29	30	] interface MediaKeyError {
30	31	const unsigned short MEDIA_KEYERR_UNKNOWN = 1;

trunk/Source/WebCore/html/TimeRanges.idl

-                      r131172
+                      r141034
+[
+    Conditional=VIDEO
+    Conditional=VIDEO,
+    ImplementationLacksVTable
 ] interface TimeRanges {
     readonly attribute unsigned long length;

trunk/Source/WebCore/html/ValidityState.idl

-                      r135836
+                      r141034
+[
+    OmitConstructor
+    OmitConstructor,
+    ImplementationLacksVTable
 ] interface ValidityState {
     readonly attribute boolean         valueMissing;

trunk/Source/WebCore/html/canvas/ArrayBuffer.idl

-                      r131172
+                      r141034
     CustomConstructor,
     ConstructorParameters=1,
+    JSNoStaticTables
+    JSNoStaticTables,
+    ImplementationNamespace=WTF,
+    ImplementationLacksVTable
 ] interface ArrayBuffer {
     readonly attribute unsigned long byteLength;

trunk/Source/WebCore/html/canvas/ArrayBufferView.idl

-                      r138393
+                      r141034
+[
     CustomToJSObject,
+    JSNoStaticTables
+    JSNoStaticTables,
+    ImplementationNamespace=WTF
 ] interface ArrayBufferView {
     readonly attribute ArrayBuffer buffer;

trunk/Source/WebCore/html/canvas/CanvasGradient.idl

-                      r131145
+                      r141034
  * OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
  */
+interface CanvasGradient {
+[
+    ImplementationLacksVTable
+] interface CanvasGradient {
     void addColorStop(in [Optional=DefaultIsUndefined] float offset,

trunk/Source/WebCore/html/canvas/CanvasPattern.idl

-                      r131145
+                      r141034
  * OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
  */
+interface CanvasPattern {
+[
+    ImplementationLacksVTable
+] interface CanvasPattern {
 };

trunk/Source/WebCore/html/canvas/Float32Array.idl

-                      r131172
+                      r141034
     CustomToJSObject,
     DoNotCheckConstants,
+    TypedArray=float
+    TypedArray=float,
+    ImplementationNamespace=WTF
 ] interface Float32Array : ArrayBufferView {
     const unsigned long BYTES_PER_ELEMENT = 4;

trunk/Source/WebCore/html/canvas/Float64Array.idl

-                      r131172
+                      r141034
     CustomToJSObject,
     DoNotCheckConstants,
+    TypedArray=double
+    TypedArray=double,
+    ImplementationNamespace=WTF
 ] interface Float64Array : ArrayBufferView {
     const unsigned long BYTES_PER_ELEMENT = 8;

trunk/Source/WebCore/html/canvas/Int16Array.idl

-                      r131172
+                      r141034
     CustomToJSObject,
     DoNotCheckConstants,
+    TypedArray=short
+    TypedArray=short,
+    ImplementationNamespace=WTF
 ] interface Int16Array : ArrayBufferView {
     const unsigned long BYTES_PER_ELEMENT = 2;

trunk/Source/WebCore/html/canvas/Int32Array.idl

-                      r131172
+                      r141034
     CustomToJSObject,
     DoNotCheckConstants,
+    TypedArray=int
+    TypedArray=int,
+    ImplementationNamespace=WTF
 ] interface Int32Array : ArrayBufferView {
     const unsigned long BYTES_PER_ELEMENT = 4;

trunk/Source/WebCore/html/canvas/Int8Array.idl

-                      r131172
+                      r141034
     CustomToJSObject,
     DoNotCheckConstants,
+    TypedArray=signed char
+    TypedArray=signed char,
+    ImplementationNamespace=WTF
 ] interface Int8Array : ArrayBufferView {
     const unsigned long BYTES_PER_ELEMENT = 1;

trunk/Source/WebCore/html/canvas/Uint16Array.idl

-                      r131172
+                      r141034
     CustomToJSObject,
     DoNotCheckConstants,
+    TypedArray=unsigned short
+    TypedArray=unsigned short,
+    ImplementationNamespace=WTF
 ] interface Uint16Array : ArrayBufferView {
     const unsigned long BYTES_PER_ELEMENT = 2;

trunk/Source/WebCore/html/canvas/Uint32Array.idl

-                      r131172
+                      r141034
     CustomToJSObject,
     DoNotCheckConstants,
+    TypedArray=unsigned int
+    TypedArray=unsigned int,
+    ImplementationNamespace=WTF
 ] interface Uint32Array : ArrayBufferView {
     const unsigned long BYTES_PER_ELEMENT = 4;

trunk/Source/WebCore/html/canvas/Uint8Array.idl

-                      r131172
+                      r141034
     CustomToJSObject,
     DoNotCheckConstants,
+    TypedArray=unsigned char
+    TypedArray=unsigned char,
+    ImplementationNamespace=WTF
 ] interface Uint8Array : ArrayBufferView {
     const unsigned long BYTES_PER_ELEMENT = 1;

trunk/Source/WebCore/html/canvas/Uint8ClampedArray.idl

-                      r131172
+                      r141034
     CustomToJSObject,
     DoNotCheckConstants,
+    TypedArray=unsigned char
+    TypedArray=unsigned char,
+    ImplementationNamespace=WTF
 ] interface Uint8ClampedArray : Uint8Array {
     const unsigned long BYTES_PER_ELEMENT = 1;

trunk/Source/WebCore/html/canvas/WebGLActiveInfo.idl

r131172	r141034
26	26	[
27	27	Conditional=WEBGL,
	28	ImplementationLacksVTable
28	29	] interface WebGLActiveInfo {
29	30	readonly attribute long size;

trunk/Source/WebCore/html/canvas/WebGLShaderPrecisionFormat.idl

r131172	r141034
27	27	[
28	28	Conditional=WEBGL,
	29	ImplementationLacksVTable
29	30	] interface WebGLShaderPrecisionFormat {
30	31	readonly attribute long rangeMin;

trunk/Source/WebCore/html/track/TextTrack.idl

-                      r136528
+                      r141034
     EventTarget,
     JSCustomMarkFunction,
+    JSCustomIsReachable
+    JSCustomIsReachable,
+    V8SkipVTableValidation
 ] interface TextTrack {
     readonly attribute DOMString kind;

trunk/Source/WebCore/html/track/TextTrackCue.idl

-                      r136684
+                      r141034
     EventTarget,
     JSCustomMarkFunction,
+    JSCustomIsReachable
+    JSCustomIsReachable,
+    ImplementationLacksVTable
 ] interface TextTrackCue {
     readonly attribute TextTrack track;

trunk/Source/WebCore/html/track/TextTrackCueList.idl

-                      r131172
+                      r141034
     Conditional=VIDEO_TRACK,
     V8EnabledAtRuntime=webkitVideoTrack,
+    IndexedGetter
+    IndexedGetter,
+    ImplementationLacksVTable
 ] interface TextTrackCueList {
     readonly attribute unsigned long length;

trunk/Source/WebCore/inspector/InjectedScriptHost.idl

-                      r131172
+                      r141034
+[
+    Conditional=INSPECTOR
+    Conditional=INSPECTOR,
+    ImplementationLacksVTable
 ] interface InjectedScriptHost {
     void clearConsoleMessages();

trunk/Source/WebCore/inspector/InspectorFrontendHost.idl

-                      r140539
+                      r141034
+[
+    Conditional=INSPECTOR
+    Conditional=INSPECTOR,
+    ImplementationLacksVTable
 ] interface InspectorFrontendHost {
     void loaded();

trunk/Source/WebCore/inspector/JavaScriptCallFrame.idl

-                      r131172
+                      r141034
     Conditional=JAVASCRIPT_DEBUGGER,
     OmitConstructor,
+    DoNotCheckConstants
+    DoNotCheckConstants,
+    ImplementationLacksVTable
 ] interface JavaScriptCallFrame {

trunk/Source/WebCore/page/Coordinates.idl

-                      r131172
+                      r141034
+[
+    OmitConstructor
+    OmitConstructor,
+    ImplementationLacksVTable
 ] interface Coordinates {
     readonly attribute double latitude;

trunk/Source/WebCore/page/Crypto.idl

-                      r138298
+                      r141034
+[
+    OmitConstructor
+    OmitConstructor,
+    ImplementationLacksVTable
 ] interface Crypto {
     [Custom] ArrayBufferView getRandomValues(in ArrayBufferView array) raises(DOMException);

trunk/Source/WebCore/page/MemoryInfo.idl

-                      r131172
+                      r141034
+[
+    OmitConstructor
+    OmitConstructor,
+    ImplementationLacksVTable
 ] interface MemoryInfo {

trunk/Source/WebCore/page/PagePopupController.idl

-                      r137281
+                      r141034
+[
+    Conditional=PAGE_POPUP
+    Conditional=PAGE_POPUP,
+    ImplementationLacksVTable
 ] interface PagePopupController {
     void setValueAndClosePopup(in long numberValue, in DOMString stringValue);

trunk/Source/WebCore/page/PerformanceEntryList.idl

-                      r131172
+                      r141034
     Conditional=PERFORMANCE_TIMELINE,
     OmitConstructor,
+    IndexedGetter
+    IndexedGetter,
+    ImplementationLacksVTable
 ] interface PerformanceEntryList {
     readonly attribute unsigned long length;

trunk/Source/WebCore/page/SpeechInputResult.idl

r131172	r141034
26	26	[
27	27	Conditional=INPUT_SPEECH,
	28	ImplementationLacksVTable
28	29	] interface SpeechInputResult {
29	30	readonly attribute DOMString utterance;

trunk/Source/WebCore/page/SpeechInputResultList.idl

-                      r131172
+                      r141034
+[
     IndexedGetter,
+    Conditional=INPUT_SPEECH
+    Conditional=INPUT_SPEECH,
+    ImplementationLacksVTable
 ] interface SpeechInputResultList {
     readonly attribute unsigned long length;

trunk/Source/WebCore/page/WebKitPoint.idl

-                      r131172
+                      r141034
+[
     CustomConstructor,
+    ConstructorParameters=2
+    ConstructorParameters=2,
+    ImplementationLacksVTable
 ] interface WebKitPoint {
     attribute float x;

trunk/Source/WebCore/svg/SVGAnimatedAngle.idl

-                      r131172
+                      r141034
+[
+    Conditional=SVG
+    Conditional=SVG,
+    ImplementationLacksVTable
 ] interface SVGAnimatedAngle {
     readonly attribute SVGAngle baseVal;

trunk/Source/WebCore/svg/SVGAnimatedBoolean.idl

-                      r131172
+                      r141034
+[
+    Conditional=SVG
+    Conditional=SVG,
+    ImplementationLacksVTable
 ] interface SVGAnimatedBoolean {
     [StrictTypeChecking] attribute boolean baseVal

trunk/Source/WebCore/svg/SVGAnimatedEnumeration.idl

-                      r131172
+                      r141034
+[
+    Conditional=SVG
+    Conditional=SVG,
+    ImplementationLacksVTable
 ] interface SVGAnimatedEnumeration {
     [StrictTypeChecking] attribute unsigned short baseVal

trunk/Source/WebCore/svg/SVGAnimatedInteger.idl

-                      r131172
+                      r141034
+[
+    Conditional=SVG
+    Conditional=SVG,
+    ImplementationLacksVTable
 ] interface SVGAnimatedInteger {
     [StrictTypeChecking] attribute long baseVal

trunk/Source/WebCore/svg/SVGAnimatedLength.idl

-                      r131172
+                      r141034
+[
+    Conditional=SVG
+    Conditional=SVG,
+    ImplementationLacksVTable
 ] interface SVGAnimatedLength {
     readonly attribute SVGLength baseVal;

trunk/Source/WebCore/svg/SVGAnimatedLengthList.idl

-                      r131172
+                      r141034
+[
+    Conditional=SVG
+    Conditional=SVG,
+    ImplementationLacksVTable
 ] interface SVGAnimatedLengthList {
     readonly attribute SVGLengthList baseVal;

trunk/Source/WebCore/svg/SVGAnimatedNumber.idl

-                      r131172
+                      r141034
+[
+    Conditional=SVG
+    Conditional=SVG,
+    ImplementationLacksVTable
 ] interface SVGAnimatedNumber {
     [StrictTypeChecking] attribute float baseVal

trunk/Source/WebCore/svg/SVGAnimatedNumberList.idl

-                      r131172
+                      r141034
+[
+    Conditional=SVG
+    Conditional=SVG,
+    ImplementationLacksVTable
 ] interface SVGAnimatedNumberList {
     readonly attribute SVGNumberList baseVal;

trunk/Source/WebCore/svg/SVGAnimatedPreserveAspectRatio.idl

-                      r131172
+                      r141034
+[
+    Conditional=SVG
+    Conditional=SVG,
+    ImplementationLacksVTable
 ] interface SVGAnimatedPreserveAspectRatio {
     readonly attribute SVGPreserveAspectRatio baseVal;

trunk/Source/WebCore/svg/SVGAnimatedRect.idl

-                      r131172
+                      r141034
+[
+    Conditional=SVG
+    Conditional=SVG,
+    ImplementationLacksVTable
 ] interface SVGAnimatedRect {
     readonly attribute SVGRect baseVal;

trunk/Source/WebCore/svg/SVGAnimatedString.idl

-                      r131172
+                      r141034
+[
+    Conditional=SVG
+    Conditional=SVG,
+    ImplementationLacksVTable
 ] interface SVGAnimatedString {
     attribute DOMString baseVal

trunk/Source/WebCore/svg/SVGAnimatedTransformList.idl

-                      r131172
+                      r141034
+[
+    Conditional=SVG
+    Conditional=SVG,
+    ImplementationLacksVTable
 ] interface SVGAnimatedTransformList {
     readonly attribute SVGTransformList baseVal;

trunk/Source/WebCore/svg/SVGColor.idl

-                      r131172
+                      r141034
+[
+    Conditional=SVG
+    Conditional=SVG,
+    ImplementationLacksVTable
 ] interface SVGColor : CSSValue {
     const unsigned short SVG_COLORTYPE_UNKNOWN = 0;

trunk/Source/WebCore/svg/SVGException.idl

-                      r131172
+                      r141034
+[
     Conditional=SVG,
+    DoNotCheckConstants
+    DoNotCheckConstants,
+    ImplementationLacksVTable
 ] exception SVGException {

trunk/Source/WebCore/svg/SVGPaint.idl

-                      r131172
+                      r141034
+[
+    Conditional=SVG
+    Conditional=SVG,
+    ImplementationLacksVTable
 ] interface SVGPaint : SVGColor {
     const unsigned short SVG_PAINTTYPE_UNKNOWN = 0;

trunk/Source/WebCore/svg/SVGPathSeg.idl

-                      r131172
+                      r141034
     Conditional=SVG,
     CustomToJSObject,
+    ObjCPolymorphic
+    ObjCPolymorphic,
+    ImplementationLacksVTable
 ] interface SVGPathSeg {
     // Path Segment Types

trunk/Source/WebCore/svg/SVGRenderingIntent.idl

-                      r131172
+                      r141034
+[
     Conditional=SVG,
+    SuppressToJSObject
+    SuppressToJSObject,
+    ImplementationLacksVTable
 ] interface SVGRenderingIntent {
     // Rendering Intent Types

trunk/Source/WebCore/svg/SVGUnitTypes.idl

-                      r131172
+                      r141034
+[
     Conditional=SVG,
+    SuppressToJSObject
+    SuppressToJSObject,
+    ImplementationLacksVTable
 ] interface SVGUnitTypes {
     // Unit Types

trunk/Source/WebCore/svg/SVGZoomAndPan.idl

-                      r131172
+                      r141034
     Conditional=SVG,
     ObjCProtocol,
+    SuppressToJSObject
+    SuppressToJSObject,
+    ImplementationLacksVTable
 ] interface SVGZoomAndPan {
     const unsigned short SVG_ZOOMANDPAN_UNKNOWN = 0;

trunk/Source/WebCore/testing/MallocStatistics.idl

-                      r131172
+                      r141034
+[
+    OmitConstructor
+    OmitConstructor,
+    ImplementationLacksVTable
 ] interface MallocStatistics {
     readonly attribute unsigned long reservedVMBytes;

trunk/Source/WebCore/testing/TypeConversions.idl

-                      r138836
+                      r141034
+[
+    OmitConstructor
+    OmitConstructor,
+    ImplementationLacksVTable
 ] interface TypeConversions {
     attribute long testLong;

trunk/Source/WebCore/workers/WorkerLocation.idl

-                      r131172
+                      r141034
     Conditional=WORKERS,
     JSGenerateIsReachable=Impl,
+    JSNoStaticTables
+    JSNoStaticTables,
+    ImplementationLacksVTable
 ] interface WorkerLocation {
     readonly attribute DOMString href;

trunk/Source/WebCore/xml/DOMParser.idl

-                      r131172
+                      r141034
+[
+    Constructor
+    Constructor,
+    ImplementationLacksVTable
 ] interface DOMParser {
     Document parseFromString(in [Optional=DefaultIsUndefined] DOMString str,

trunk/Source/WebCore/xml/XMLHttpRequestException.idl

-                      r131172
+                      r141034
+[
     JSNoStaticTables,
+    DoNotCheckConstants
+    DoNotCheckConstants,
+    ImplementationLacksVTable
 ] exception XMLHttpRequestException {

trunk/Source/WebCore/xml/XMLSerializer.idl

-                      r131172
+                      r141034
+[
+    Constructor
+    Constructor,
+    ImplementationLacksVTable
 ] interface XMLSerializer {
     DOMString serializeToString(in [Optional=DefaultIsUndefined] Node node)

trunk/Source/WebCore/xml/XPathEvaluator.idl

-                      r131172
+                      r141034
+[
+    Constructor
+    Constructor,
+    ImplementationLacksVTable
 ] interface XPathEvaluator {
     XPathExpression createExpression(in [Optional=DefaultIsUndefined] DOMString expression,

trunk/Source/WebCore/xml/XPathException.idl

-                      r131172
+                      r141034
+[
+    DoNotCheckConstants
+    DoNotCheckConstants,
+    ImplementationLacksVTable
 ] exception XPathException {

trunk/Source/WebCore/xml/XPathExpression.idl

-                      r131145
+                      r141034
  * Boston, MA 02110-1301, USA.
  */
+interface XPathExpression {
+[
+     ImplementationLacksVTable
+] interface XPathExpression {
     [ObjCLegacyUnnamedParameters] XPathResult evaluate(in [Optional=DefaultIsUndefined] Node contextNode,
                                         in [Optional=DefaultIsUndefined] unsigned short type,

trunk/Source/WebCore/xml/XPathNSResolver.idl

-                      r131172
+                      r141034
+[
     ObjCProtocol,
+    OmitConstructor
+    OmitConstructor,
+    V8SkipVTableValidation
 ] interface XPathNSResolver {
     [TreatReturnedNullStringAs=Null] DOMString lookupNamespaceURI(in [Optional=DefaultIsUndefined] DOMString prefix);

trunk/Source/WebCore/xml/XPathResult.idl

-                      r131172
+                      r141034
+[
+    JSCustomMarkFunction
+    JSCustomMarkFunction,
+    ImplementationLacksVTable
 ] interface XPathResult {
     const unsigned short ANY_TYPE                       = 0;

trunk/Source/WebCore/xml/XSLTProcessor.idl

-                      r131172
+                      r141034
+[
     Conditional=XSLT,
+    Constructor
+    Constructor,
+    ImplementationLacksVTable
 ] interface XSLTProcessor {

trunk/Source/WebKit/chromium/ChangeLog

-                      r141021
+                      r141034
+-01-28  Tom Sepez  <tsepez@chromium.org>
+        [v8] Security feature: JavaScript Bindings hardening
+        https://bugs.webkit.org/show_bug.cgi?id=106608
+        Reviewed by Adam Barth.
+        * features.gypi:
+        Added ENABLE_BINDING_INTEGRITY option.
 -01-28  Sheriff Bot  <webkit.review.bot@gmail.com>

trunk/Source/WebKit/chromium/features.gypi

r141000	r141034
35	35	'ENABLE_3D_PLUGIN=1',
36	36	'ENABLE_BATTERY_STATUS=0',
	37	'ENABLE_BINDING_INTEGRITY=0',
37	38	'ENABLE_BLOB=1',
38	39	'ENABLE_BLOB_SLICE=1',

Note: See TracChangeset for help on using the changeset viewer.