Changeset 196414 in webkit


Timestamp:
Feb 10, 2016 8:06:37 PM (8 years ago)
Author:
keith_miller@apple.com
Message:

Symbol.species accessors on builtin constructors should be configurable
https://bugs.webkit.org/show_bug.cgi?id=154097

Reviewed by Benjamin Poulain.

We did not have the Symbol.species accessors on our builtin constructors
marked as configurable. This does not accurately follow the ES6 spec as
the ES6 spec states that all default accessors on builtins should be
configurable. This means that we need an additional watchpoint on
ArrayConstructor to make sure that no user re-configures Symbol.species.

  • runtime/ArrayConstructor.cpp:

(JSC::ArrayConstructor::finishCreation):

  • runtime/ArrayPrototype.cpp:

(JSC::speciesConstructArray):
(JSC::ArrayPrototype::setConstructor):
(JSC::ArrayPrototypeAdaptiveInferredPropertyWatchpoint::handleFire):

  • runtime/ArrayPrototype.h:

(JSC::ArrayPrototype::didChangeConstructorOrSpeciesProperties):
(JSC::ArrayPrototype::didChangeConstructorProperty): Deleted.

  • runtime/JSArrayBufferConstructor.cpp:

(JSC::JSArrayBufferConstructor::finishCreation):

  • runtime/JSPromiseConstructor.cpp:

(JSC::JSPromiseConstructor::finishCreation):

  • runtime/JSTypedArrayViewConstructor.cpp:

(JSC::JSTypedArrayViewConstructor::finishCreation):

  • runtime/MapConstructor.cpp:

(JSC::MapConstructor::finishCreation):

  • runtime/RegExpConstructor.cpp:

(JSC::RegExpConstructor::finishCreation):

  • runtime/SetConstructor.cpp:

(JSC::SetConstructor::finishCreation):

  • tests/stress/array-species-config-array-constructor.js: Added.

(A):

  • tests/stress/symbol-species.js:

(testSymbolSpeciesOnConstructor):

Location:
trunk/Source/JavaScriptCore
Files:
1 added
11 edited

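--- a/trunk/Source/JavaScriptCore/ChangeLog
+++ b/trunk/Source/JavaScriptCore/ChangeLog
@@ -1,2 +1,41 @@
+2016-02-10  Keith Miller  <keith_miller@apple.com>
+
+        Symbol.species accessors on builtin constructors should be configurable
+        https://bugs.webkit.org/show_bug.cgi?id=154097
+
+        Reviewed by Benjamin Poulain.
+
+        We did not have the Symbol.species accessors on our builtin constructors
+        marked as configurable. This does not accurately follow the ES6 spec as
+        the ES6 spec states that all default accessors on builtins should be
+        configurable. This means that we need an additional watchpoint on
+        ArrayConstructor to make sure that no users re-configures Symbol.species.
+
+        * runtime/ArrayConstructor.cpp:
+        (JSC::ArrayConstructor::finishCreation):
+        * runtime/ArrayPrototype.cpp:
+        (JSC::speciesConstructArray):
+        (JSC::ArrayPrototype::setConstructor):
+        (JSC::ArrayPrototypeAdaptiveInferredPropertyWatchpoint::handleFire):
+        * runtime/ArrayPrototype.h:
+        (JSC::ArrayPrototype::didChangeConstructorOrSpeciesProperties):
+        (JSC::ArrayPrototype::didChangeConstructorProperty): Deleted.
+        * runtime/JSArrayBufferConstructor.cpp:
+        (JSC::JSArrayBufferConstructor::finishCreation):
+        * runtime/JSPromiseConstructor.cpp:
+        (JSC::JSPromiseConstructor::finishCreation):
+        * runtime/JSTypedArrayViewConstructor.cpp:
+        (JSC::JSTypedArrayViewConstructor::finishCreation):
+        * runtime/MapConstructor.cpp:
+        (JSC::MapConstructor::finishCreation):
+        * runtime/RegExpConstructor.cpp:
+        (JSC::RegExpConstructor::finishCreation):
+        * runtime/SetConstructor.cpp:
+        (JSC::SetConstructor::finishCreation):
+        * tests/stress/array-species-config-array-constructor.js: Added.
+        (A):
+        * tests/stress/symbol-species.js:
+        (testSymbolSpeciesOnConstructor):
+
 2016-02-10  Benjamin Poulain  <benjamin@webkit.org>
 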
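--- a/trunk/Source/JavaScriptCore/runtime/ArrayConstructor.cpp
+++ b/trunk/Source/JavaScriptCore/runtime/ArrayConstructor.cpp
@@ -68,5 +68,5 @@
     putDirectWithoutTransition(vm, vm.propertyNames->prototype, arrayPrototype, DontEnum | DontDelete | ReadOnly);
     putDirectWithoutTransition(vm, vm.propertyNames->length, jsNumber(1), ReadOnly | DontEnum | DontDelete);
-    putDirectNonIndexAccessor(vm, vm.propertyNames->speciesSymbol, speciesSymbol, Accessor | ReadOnly | DontEnum | DontDelete);
+    putDirectNonIndexAccessor(vm, vm.propertyNames->speciesSymbol, speciesSymbol, Accessor | ReadOnly | DontEnum);
 }
 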
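Review bot: The new attribute set on line 70 is the one line in the whole change whose correctness depends on code in another file, and nothing here says so: ArrayPrototype::setConstructor now installs a watchpoint on this exact accessor, and the Array.prototype species fast path stays enabled only while that watchpoint has not fired. A comment above the line would keep the next editor from re-adding DontDelete or swapping the accessor for a data property without revisiting that watchpoint, e.g. `// Configurable per ES6. ArrayPrototype::setConstructor installs an equivalence watchpoint on this accessor; the speciesConstructArray fast path relies on it.`. finishCreation starts before this hunk.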
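--- a/trunk/Source/JavaScriptCore/runtime/ArrayPrototype.cpp
+++ b/trunk/Source/JavaScriptCore/runtime/ArrayPrototype.cpp
@@ -193,5 +193,5 @@
         if (LIKELY(!thisObject->hasCustomProperties()
             && thisObject->globalObject()->arrayPrototype() == thisObject->prototype()
-            && !thisObject->globalObject()->arrayPrototype()->didChangeConstructorProperty()))
+            && !thisObject->globalObject()->arrayPrototype()->didChangeConstructorOrSpeciesProperties()))
             return std::make_pair(SpeciesConstructResult::FastPath, nullptr);
 
@@ -1061,4 +1061,5 @@
     putDirectWithoutTransition(vm, vm.propertyNames->constructor, constructorProperty, attributes);
 
+    // Do the watchpoint on our constructor property
     PropertyOffset offset = this->structure()->get(vm, vm.propertyNames->constructor);
     ASSERT(isValidOffset(offset));
@@ -1070,4 +1071,16 @@
     m_constructorWatchpoint = std::make_unique<ArrayPrototypeAdaptiveInferredPropertyWatchpoint>(condition, this);
     m_constructorWatchpoint->install();
+   
+    // Do the watchpoint on the constructor's Symbol.species property
+    offset = constructorProperty->structure()->get(vm, vm.propertyNames->speciesSymbol);
+    ASSERT(isValidOffset(offset));
+    constructorProperty->structure()->startWatchingPropertyForReplacements(vm, offset);
+
+    ASSERT(constructorProperty->getDirect(offset).isGetterSetter());
+    condition = ObjectPropertyCondition::equivalence(vm, this, constructorProperty, vm.propertyNames->speciesSymbol.impl(), constructorProperty->getDirect(offset));
+    ASSERT(condition.isWatchable());
+
+    m_constructorSpeciesWatchpoint = std::make_unique<ArrayPrototypeAdaptiveInferredPropertyWatchpoint>(condition, this);
+    m_constructorSpeciesWatchpoint->install();
 }
 
@@ -1085,5 +1098,5 @@
     StringFireDetail stringDetail(out.toCString().data());
 
-    m_arrayPrototype->m_didChangeConstructorProperty = true;
+    m_arrayPrototype->m_didChangeConstructorOrSpeciesProperties = true;
 }
 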
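Review bot: The three checks guarding the new species watchpoint in setConstructor (`ASSERT(isValidOffset(offset))` on line 1076, `ASSERT(constructorProperty->getDirect(offset).isGetterSetter())` on 1079 and `ASSERT(condition.isWatchable())` on 1081) are debug-only, so a release build that reached this code with a constructorProperty lacking the Symbol.species accessor would pass an invalid offset to getDirect() and install a condition that was never validated; if that is impossible at the single call site, a comment saying so would help, otherwise `RELEASE_ASSERT(isValidOffset(offset));` is the safer form. The equivalence condition pins the GetterSetter object currently in the slot, so it fires when the slot's value is replaced or the structure transitions; it is worth confirming that every way of redefining the accessor (new getter, data value, delete) goes through one of those two events rather than mutating the GetterSetter in place, because while the flag stays false the fast path on line 195 of speciesConstructArray skips the user's species constructor without any other check. Line 1073 is whitespace-only and should be an empty line. setConstructor begins before this hunk.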
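--- a/trunk/Source/JavaScriptCore/runtime/ArrayPrototype.h
+++ b/trunk/Source/JavaScriptCore/runtime/ArrayPrototype.h
@@ -47,5 +47,5 @@
     void setConstructor(VM&, JSObject* constructorProperty, unsigned attributes);
 
-    bool didChangeConstructorProperty() const { return m_didChangeConstructorProperty; }
+    bool didChangeConstructorOrSpeciesProperties() const { return m_didChangeConstructorOrSpeciesProperties; }
 
     static const bool needsDestruction = false;
@@ -60,5 +60,6 @@
     friend ArrayPrototypeAdaptiveInferredPropertyWatchpoint;
     std::unique_ptr<ArrayPrototypeAdaptiveInferredPropertyWatchpoint> m_constructorWatchpoint;
-    bool m_didChangeConstructorProperty = false;
+    std::unique_ptr<ArrayPrototypeAdaptiveInferredPropertyWatchpoint> m_constructorSpeciesWatchpoint;
+    bool m_didChangeConstructorOrSpeciesProperties = false;
 };
 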
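Review bot: The renamed flag on line 63 and the new `m_constructorSpeciesWatchpoint` member on line 62 carry no comment, so a reader of the header cannot tell that the flag is set by ArrayPrototypeAdaptiveInferredPropertyWatchpoint::handleFire and is what speciesConstructArray's fast path consults, nor that this diff shows nothing ever resetting it. A comment above the two members would record that contract, e.g. `// Set by ArrayPrototypeAdaptiveInferredPropertyWatchpoint::handleFire once Array.prototype.constructor or the constructor's Symbol.species accessor is replaced; speciesConstructArray takes its fast path only while this is false.`. The accessor on line 49 would benefit from the same one-line note. The class declaration starts before these hunks.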
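--- a/trunk/Source/JavaScriptCore/runtime/JSArrayBufferConstructor.cpp
+++ b/trunk/Source/JavaScriptCore/runtime/JSArrayBufferConstructor.cpp
@@ -54,5 +54,5 @@
     putDirectWithoutTransition(vm, vm.propertyNames->prototype, prototype, DontEnum | DontDelete | ReadOnly);
     putDirectWithoutTransition(vm, vm.propertyNames->length, jsNumber(1), DontEnum | DontDelete | ReadOnly);
-    putDirectNonIndexAccessor(vm, vm.propertyNames->speciesSymbol, speciesSymbol, Accessor | ReadOnly | DontEnum | DontDelete);
+    putDirectNonIndexAccessor(vm, vm.propertyNames->speciesSymbol, speciesSymbol, Accessor | ReadOnly | DontEnum);
 
     JSGlobalObject* globalObject = this->globalObject();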
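Review bot: Only ArrayConstructor received a watchpoint in this change, while line 56 here, and the identical lines in JSPromiseConstructor.cpp, JSTypedArrayViewConstructor.cpp, MapConstructor.cpp, RegExpConstructor.cpp and SetConstructor.cpp, also make Symbol.species configurable with no corresponding guard. That is fine only if none of those constructors' species lookups has a cached fast path of the kind speciesConstructArray uses; the diff does not show their callers, so it is worth confirming, particularly for the typed-array and Promise paths, before relying on the accessor staying unchanged anywhere. A short comment on each line would record the decision, e.g. `// Configurable per ES6; no fast path depends on this accessor being unchanged.`. finishCreation starts before this hunk in every one of these files.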
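--- a/trunk/Source/JavaScriptCore/runtime/JSPromiseConstructor.cpp
+++ b/trunk/Source/JavaScriptCore/runtime/JSPromiseConstructor.cpp
@@ -86,5 +86,5 @@
     putDirectWithoutTransition(vm, vm.propertyNames->prototype, promisePrototype, DontEnum | DontDelete | ReadOnly);
     putDirectWithoutTransition(vm, vm.propertyNames->length, jsNumber(1), ReadOnly | DontEnum | DontDelete);
-    putDirectNonIndexAccessor(vm, vm.propertyNames->speciesSymbol, speciesSymbol, Accessor | ReadOnly | DontEnum | DontDelete);
+    putDirectNonIndexAccessor(vm, vm.propertyNames->speciesSymbol, speciesSymbol, Accessor | ReadOnly | DontEnum);
 }
 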
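--- a/trunk/Source/JavaScriptCore/runtime/JSTypedArrayViewConstructor.cpp
+++ b/trunk/Source/JavaScriptCore/runtime/JSTypedArrayViewConstructor.cpp
@@ -51,5 +51,5 @@
     putDirectWithoutTransition(vm, vm.propertyNames->prototype, prototype, DontEnum | DontDelete | ReadOnly);
     putDirectWithoutTransition(vm, vm.propertyNames->length, jsNumber(3), DontEnum | DontDelete | ReadOnly);
-    putDirectNonIndexAccessor(vm, vm.propertyNames->speciesSymbol, speciesSymbol, Accessor | ReadOnly | DontEnum | DontDelete);
+    putDirectNonIndexAccessor(vm, vm.propertyNames->speciesSymbol, speciesSymbol, Accessor | ReadOnly | DontEnum);
 
     JSC_BUILTIN_FUNCTION_WITHOUT_TRANSITION(vm.propertyNames->of, typedArrayConstructorOfCodeGenerator, DontEnum);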
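--- a/trunk/Source/JavaScriptCore/runtime/MapConstructor.cpp
+++ b/trunk/Source/JavaScriptCore/runtime/MapConstructor.cpp
@@ -46,5 +46,5 @@
     putDirectWithoutTransition(vm, vm.propertyNames->prototype, mapPrototype, DontEnum | DontDelete | ReadOnly);
     putDirectWithoutTransition(vm, vm.propertyNames->length, jsNumber(0), ReadOnly | DontEnum | DontDelete);
-    putDirectNonIndexAccessor(vm, vm.propertyNames->speciesSymbol, speciesSymbol, Accessor | ReadOnly | DontEnum | DontDelete);
+    putDirectNonIndexAccessor(vm, vm.propertyNames->speciesSymbol, speciesSymbol, Accessor | ReadOnly | DontEnum);
 }
 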
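--- a/trunk/Source/JavaScriptCore/runtime/RegExpConstructor.cpp
+++ b/trunk/Source/JavaScriptCore/runtime/RegExpConstructor.cpp
@@ -103,5 +103,5 @@
     putDirectWithoutTransition(vm, vm.propertyNames->length, jsNumber(2), ReadOnly | DontDelete | DontEnum);
 
-    putDirectNonIndexAccessor(vm, vm.propertyNames->speciesSymbol, speciesSymbol, Accessor | ReadOnly | DontEnum | DontDelete);
+    putDirectNonIndexAccessor(vm, vm.propertyNames->speciesSymbol, speciesSymbol, Accessor | ReadOnly | DontEnum);
 }
 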
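--- a/trunk/Source/JavaScriptCore/runtime/SetConstructor.cpp
+++ b/trunk/Source/JavaScriptCore/runtime/SetConstructor.cpp
@@ -47,5 +47,5 @@
     putDirectWithoutTransition(vm, vm.propertyNames->prototype, setPrototype, DontEnum | DontDelete | ReadOnly);
     putDirectWithoutTransition(vm, vm.propertyNames->length, jsNumber(0), ReadOnly | DontEnum | DontDelete);
-    putDirectNonIndexAccessor(vm, vm.propertyNames->speciesSymbol, speciesSymbol, Accessor | ReadOnly | DontEnum | DontDelete);
+    putDirectNonIndexAccessor(vm, vm.propertyNames->speciesSymbol, speciesSymbol, Accessor | ReadOnly | DontEnum);
 }
 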
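--- a/trunk/Source/JavaScriptCore/tests/stress/symbol-species.js
+++ b/trunk/Source/JavaScriptCore/tests/stress/symbol-species.js
@@ -7,10 +7,7 @@
     if (constructor[Symbol.species] !== constructor)
         throw "Symbol.species was mutable " + constructor.name;
-    try {
-        Object.defineProperty(constructor, Symbol.species, { value: true });
-    } catch(e) {
-        return;
-    }
-    throw "Symbol.species was configurable " + constructor.name;
+
+    // Symbol.species should be configurable.
+    Object.defineProperty(constructor, Symbol.species, { value: true });
 }
 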
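Review bot: The replacement on line 11 only checks that defineProperty no longer throws; it never verifies that the redefinition took effect, nor that the accessor is now deletable, which is the other half of what dropping DontDelete grants. After line 11 add `if (constructor[Symbol.species] !== true) throw "Symbol.species was not reconfigured " + constructor.name;` and then `if (!delete constructor[Symbol.species]) throw "Symbol.species was not deletable " + constructor.name;`, so a regression that silently ignores the descriptor is caught rather than passing. The function that contains this hunk, testSymbolSpeciesOnConstructor, starts before line 7.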