Changeset 201322 in webkit


Timestamp:
May 23, 2016 11:24:44 PM (8 years ago)
Author:
Yusuke Suzuki
Message:

Assertion failure for Reflect.get with Proxy and primitive value as explicit receiver
https://bugs.webkit.org/show_bug.cgi?id=157080

Reviewed by Saam Barati.

Source/JavaScriptCore:

In a custom accessor getter, the argument "thisValue" can be altered by using Reflect.get.
In this patch, we add a new parameter, "slotBase". This represents the base value offering
this custom getter, and we use it in ProxyObject's performGet custom accessor getter.

  • API/JSCallbackObject.h:
  • API/JSCallbackObjectFunctions.h:

(JSC::JSCallbackObject<Parent>::staticFunctionGetter):
(JSC::JSCallbackObject<Parent>::callbackGetter):

  • bytecode/PolymorphicAccess.cpp:

(JSC::AccessCase::generateImpl):
In the PolymorphicAccess case, the thisValue and the slotBase are always cells.
This is because the IC is enabled in the case that the base value is a cell,
and slotBase is always on the prototype chain from this base value.

  • jit/CCallHelpers.h:

(JSC::CCallHelpers::setupArgumentsWithExecState):

  • jsc.cpp:

(WTF::CustomGetter::customGetter):
(WTF::RuntimeArray::lengthGetter):

  • runtime/CustomGetterSetter.cpp:

(JSC::callCustomSetter):

  • runtime/JSBoundSlotBaseFunction.cpp:

(JSC::boundSlotBaseFunctionCall):

  • runtime/JSFunction.cpp:

(JSC::JSFunction::argumentsGetter):
(JSC::JSFunction::callerGetter):

  • runtime/JSFunction.h:
  • runtime/JSModuleNamespaceObject.cpp:

(JSC::callbackGetter):

  • runtime/PropertySlot.cpp:

(JSC::PropertySlot::customGetter):

  • runtime/PropertySlot.h:
  • runtime/ProxyObject.cpp:

(JSC::performProxyGet):

  • runtime/RegExpConstructor.cpp:

(JSC::regExpConstructorDollar):
(JSC::regExpConstructorInput):
(JSC::regExpConstructorMultiline):
(JSC::regExpConstructorLastMatch):
(JSC::regExpConstructorLastParen):
(JSC::regExpConstructorLeftContext):
(JSC::regExpConstructorRightContext):
(JSC::regExpConstructorDollar1): Deleted.
(JSC::regExpConstructorDollar2): Deleted.
(JSC::regExpConstructorDollar3): Deleted.
(JSC::regExpConstructorDollar4): Deleted.
(JSC::regExpConstructorDollar5): Deleted.
(JSC::regExpConstructorDollar6): Deleted.
(JSC::regExpConstructorDollar7): Deleted.
(JSC::regExpConstructorDollar8): Deleted.
(JSC::regExpConstructorDollar9): Deleted.

  • tests/stress/proxy-get-with-primitive-receiver.js: Added.

(shouldBe):

Source/WebCore:

  • bindings/js/JSDOMBinding.h:

(WebCore::nonCachingStaticFunctionGetter):

  • bindings/js/JSDOMWindowCustom.cpp:

(WebCore::jsDOMWindowWebKit):

  • bindings/js/JSPluginElementFunctions.cpp:

(WebCore::pluginElementPropertyGetter):

  • bindings/js/JSPluginElementFunctions.h:
  • bindings/scripts/CodeGeneratorJS.pm:

(GenerateHeader):
(GenerateImplementation):

  • bridge/runtime_array.cpp:

(JSC::RuntimeArray::lengthGetter):

  • bridge/runtime_array.h:
  • bridge/runtime_method.cpp:

(JSC::RuntimeMethod::lengthGetter):

  • bridge/runtime_method.h:
  • bridge/runtime_object.cpp:

(JSC::Bindings::RuntimeObject::fallbackObjectGetter):
(JSC::Bindings::RuntimeObject::fieldGetter):
(JSC::Bindings::RuntimeObject::methodGetter):

  • bridge/runtime_object.h:

Source/WebKit2:

  • WebProcess/Plugins/Netscape/JSNPObject.cpp:

(WebKit::JSNPObject::propertyGetter):
(WebKit::JSNPObject::methodGetter):

  • WebProcess/Plugins/Netscape/JSNPObject.h:
Location:
trunk/Source
Files:
1 added
30 edited

  • trunk/Source/JavaScriptCore/API/JSCallbackObject.h

    r198023 r201322  
    212212   
    213213    JSValue getStaticValue(ExecState*, PropertyName);
    214     static EncodedJSValue staticFunctionGetter(ExecState*, EncodedJSValue, PropertyName);
    215     static EncodedJSValue callbackGetter(ExecState*, EncodedJSValue, PropertyName);
     214    static EncodedJSValue staticFunctionGetter(ExecState*, EncodedJSValue, PropertyName, JSObject*);
     215    static EncodedJSValue callbackGetter(ExecState*, EncodedJSValue, PropertyName, JSObject*);
    216216
    217217    std::unique_ptr<JSCallbackObjectData> m_callbackObjectData;
  • trunk/Source/JavaScriptCore/API/JSCallbackObjectFunctions.h

    r198023 r201322  
    600600
    601601template <class Parent>
    602 EncodedJSValue JSCallbackObject<Parent>::staticFunctionGetter(ExecState* exec, EncodedJSValue thisValue, PropertyName propertyName)
     602EncodedJSValue JSCallbackObject<Parent>::staticFunctionGetter(ExecState* exec, EncodedJSValue thisValue, PropertyName propertyName, JSObject*)
    603603{
    604604    JSCallbackObject* thisObj = asCallbackObject(thisValue);
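Review bot: line 604 still derives thisObj from thisValue with asCallbackObject while the new JSObject* parameter at line 602 is left unnamed and unused. The reason for this patch is that thisValue can be a receiver other than the property holder (Reflect.get with an explicit receiver), so if asCallbackObject asserts on a value that is not a JSCallbackObject, the holder that slotBase now carries is the value to cast here; please confirm, and the same question applies to callbackGetter at lines 630-632 below.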
     
    628628
    629629template <class Parent>
    630 EncodedJSValue JSCallbackObject<Parent>::callbackGetter(ExecState* exec, EncodedJSValue thisValue, PropertyName propertyName)
     630EncodedJSValue JSCallbackObject<Parent>::callbackGetter(ExecState* exec, EncodedJSValue thisValue, PropertyName propertyName, JSObject*)
    631631{
    632632    JSCallbackObject* thisObj = asCallbackObject(thisValue);
  • trunk/Source/JavaScriptCore/ChangeLog

    r201315 r201322  
     12016-05-23  Yusuke Suzuki  <utatane.tea@gmail.com>
     2
     3        Assertion failure for Reflect.get with Proxy and primitive value as explicit receiver
     4        https://bugs.webkit.org/show_bug.cgi?id=157080
     5
     6        Reviewed by Saam Barati.
     7
     8        In custom accessor getter, the argument "thisValue" can be altered by using `Reflect.get`.
     9        In this patch, we add a new parameter, "slotBase". This represents the base value offering
     10        this custom getter. And use it in ProxyObject's performGet custom accessor getter.
     11
     12        * API/JSCallbackObject.h:
     13        * API/JSCallbackObjectFunctions.h:
     14        (JSC::JSCallbackObject<Parent>::staticFunctionGetter):
     15        (JSC::JSCallbackObject<Parent>::callbackGetter):
     16        * bytecode/PolymorphicAccess.cpp:
     17        (JSC::AccessCase::generateImpl):
     18        In PolymorphicAccess case, the thisValue and the slotBase are always cells.
     19        This is because IC is enabled in the case that the base value is a cell.
     20        And slotBase is always on the prototype chain from this base value.
     21
     22        * jit/CCallHelpers.h:
     23        (JSC::CCallHelpers::setupArgumentsWithExecState):
     24        * jsc.cpp:
     25        (WTF::CustomGetter::customGetter):
     26        (WTF::RuntimeArray::lengthGetter):
     27        * runtime/CustomGetterSetter.cpp:
     28        (JSC::callCustomSetter):
     29        * runtime/JSBoundSlotBaseFunction.cpp:
     30        (JSC::boundSlotBaseFunctionCall):
     31        * runtime/JSFunction.cpp:
     32        (JSC::JSFunction::argumentsGetter):
     33        (JSC::JSFunction::callerGetter):
     34        * runtime/JSFunction.h:
     35        * runtime/JSModuleNamespaceObject.cpp:
     36        (JSC::callbackGetter):
     37        * runtime/PropertySlot.cpp:
     38        (JSC::PropertySlot::customGetter):
     39        * runtime/PropertySlot.h:
     40        * runtime/ProxyObject.cpp:
     41        (JSC::performProxyGet):
     42        * runtime/RegExpConstructor.cpp:
     43        (JSC::regExpConstructorDollar):
     44        (JSC::regExpConstructorInput):
     45        (JSC::regExpConstructorMultiline):
     46        (JSC::regExpConstructorLastMatch):
     47        (JSC::regExpConstructorLastParen):
     48        (JSC::regExpConstructorLeftContext):
     49        (JSC::regExpConstructorRightContext):
     50        (JSC::regExpConstructorDollar1): Deleted.
     51        (JSC::regExpConstructorDollar2): Deleted.
     52        (JSC::regExpConstructorDollar3): Deleted.
     53        (JSC::regExpConstructorDollar4): Deleted.
     54        (JSC::regExpConstructorDollar5): Deleted.
     55        (JSC::regExpConstructorDollar6): Deleted.
     56        (JSC::regExpConstructorDollar7): Deleted.
     57        (JSC::regExpConstructorDollar8): Deleted.
     58        (JSC::regExpConstructorDollar9): Deleted.
     59        * tests/stress/proxy-get-with-primitive-receiver.js: Added.
     60        (shouldBe):
     61
    1622016-05-23  Geoffrey Garen  <ggaren@apple.com>
    263
  • trunk/Source/JavaScriptCore/bytecode/PolymorphicAccess.cpp

    r201161 r201322  
    10851085            jit.makeSpaceOnStackForCCall();
    10861086
    1087             // getter: EncodedJSValue (*GetValueFunc)(ExecState*, EncodedJSValue thisValue, PropertyName);
     1087            // getter: EncodedJSValue (*GetValueFunc)(ExecState*, EncodedJSValue thisValue, PropertyName, JSObject* slotBase);
    10881088            // setter: void (*PutValueFunc)(ExecState*, EncodedJSValue thisObject, EncodedJSValue value);
    10891089            // Custom values are passed the slotBase (the property holder), custom accessors are passed the thisVaule (reciever).
     1090            // FIXME: Remove this differences in custom values and custom accessors.
     1091            // https://bugs.webkit.org/show_bug.cgi?id=158014
    10901092            GPRReg baseForCustomValue = m_type == CustomValueGetter || m_type == CustomValueSetter ? baseForAccessGPR : baseForGetGPR;
    10911093#if USE(JSVALUE64)
     
    10931095                jit.setupArgumentsWithExecState(
    10941096                    baseForCustomValue,
    1095                     CCallHelpers::TrustedImmPtr(ident.impl()));
     1097                    CCallHelpers::TrustedImmPtr(ident.impl()),
     1098                    baseForAccessGPR);
    10961099            } else
    10971100                jit.setupArgumentsWithExecState(baseForCustomValue, valueRegs.gpr());
     
    11011104                    EABI_32BIT_DUMMY_ARG baseForCustomValue,
    11021105                    CCallHelpers::TrustedImm32(JSValue::CellTag),
    1103                     CCallHelpers::TrustedImmPtr(ident.impl()));
     1106                    CCallHelpers::TrustedImmPtr(ident.impl()),
     1107                    baseForAccessGPR);
    11041108            } else {
    11051109                jit.setupArgumentsWithExecState(
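Review bot: both the JSVALUE64 call at lines 1095-1098 and the 32-bit call at lines 1104-1107 pass baseForAccessGPR as the new JSObject* slotBase argument without any comment; the justification lives only in the ChangeLog (the IC path is taken only when the base is a cell and slotBase lies on its prototype chain, so the register always holds a cell). A one-line comment beside `baseForAccessGPR);` would keep that invariant visible at the call site, since nothing in the generated code checks it.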
  • trunk/Source/JavaScriptCore/jit/CCallHelpers.h

    r201161 r201322  
    708708
    709709    ALWAYS_INLINE void setupArgumentsWithExecState(TrustedImmPtr arg1, GPRReg arg2, TrustedImm32 arg3, TrustedImmPtr arg4)
     710    {
     711        resetCallArguments();
     712        addCallArgument(GPRInfo::callFrameRegister);
     713        addCallArgument(arg1);
     714        addCallArgument(arg2);
     715        addCallArgument(arg3);
     716        addCallArgument(arg4);
     717    }
     718
     719    ALWAYS_INLINE void setupArgumentsWithExecState(GPRReg arg1, TrustedImm32 arg2, TrustedImmPtr arg3, GPRReg arg4)
    710720    {
    711721        resetCallArguments();
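Review bot: the diff alignment makes lines 710-717 look like a new body for the overload at line 709; they are the body of the new (GPRReg, TrustedImm32, TrustedImmPtr, GPRReg) overload at line 719, copied verbatim from its neighbour. That follows this header's pattern, but every new overload has to appear in each argument-passing section of the file, which here means this addCallArgument section plus the poke-based sections at lines 1697 and 2059; please confirm no further section is missed, because a missing overload only fails to compile on the configuration that uses it.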
     
    16851695    }
    16861696
     1697    ALWAYS_INLINE void setupArgumentsWithExecState(GPRReg arg1, TrustedImm32 arg2, TrustedImmPtr arg3, GPRReg arg4)
     1698    {
     1699        poke(arg4, POKE_ARGUMENT_OFFSET);
     1700        setupArgumentsWithExecState(arg1, arg2, arg3);
     1701    }
     1702
    16871703    ALWAYS_INLINE void setupArgumentsWithExecState(GPRReg arg1, GPRReg arg2, TrustedImm32 arg3, TrustedImm32 arg4, TrustedImm32 arg5)
    16881704    {
     
    20352051
    20362052    ALWAYS_INLINE void setupArgumentsWithExecState(TrustedImm32 arg1, GPRReg arg2, TrustedImm32 arg3, GPRReg arg4, TrustedImm32 arg5)
     2053    {
     2054        poke(arg5, POKE_ARGUMENT_OFFSET + 1);
     2055        poke(arg4, POKE_ARGUMENT_OFFSET);
     2056        setupArgumentsWithExecState(arg1, arg2, arg3);
     2057    }
     2058
     2059    ALWAYS_INLINE void setupArgumentsWithExecState(TrustedImm32 arg1, GPRReg arg2, TrustedImm32 arg3, TrustedImmPtr arg4, GPRReg arg5)
    20372060    {
    20382061        poke(arg5, POKE_ARGUMENT_OFFSET + 1);
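Review bot: the same alignment issue appears at lines 2053-2059: the body rendered as added belongs to the pre-existing (TrustedImm32, GPRReg, TrustedImm32, GPRReg, TrustedImm32) overload at line 2052, while the new (TrustedImm32, GPRReg, TrustedImm32, TrustedImmPtr, GPRReg) overload at line 2059 inherits the old body starting at line 2060. Only the first line of that old body is visible here, so please check that `poke(arg4, POKE_ARGUMENT_OFFSET);` followed by the three-argument delegation is exactly what line 2052 had before, otherwise the existing overload changes behaviour silently.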
  • trunk/Source/JavaScriptCore/jsc.cpp

    r201237 r201322  
    359359
    360360private:
    361     static EncodedJSValue customGetter(ExecState* exec, EncodedJSValue thisValue, PropertyName)
     361    static EncodedJSValue customGetter(ExecState* exec, EncodedJSValue thisValue, PropertyName, JSObject*)
    362362    {
    363363        CustomGetter* thisObject = jsDynamicCast<CustomGetter*>(JSValue::decode(thisValue));
     
    464464    }
    465465
    466     static EncodedJSValue lengthGetter(ExecState* exec, EncodedJSValue thisValue, PropertyName)
     466    static EncodedJSValue lengthGetter(ExecState* exec, EncodedJSValue thisValue, PropertyName, JSObject*)
    467467    {
    468468        RuntimeArray* thisObject = jsDynamicCast<RuntimeArray*>(JSValue::decode(thisValue));
  • trunk/Source/JavaScriptCore/runtime/CustomGetterSetter.cpp

    r198023 r201322  
    5454    if (!setter)
    5555        return false;
     56    // FIXME: Remove this differences in custom values and custom accessors.
     57    // https://bugs.webkit.org/show_bug.cgi?id=158014
    5658    if (!isAccessor)
    5759        thisValue = base;
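Review bot: grammar in the added comment at line 56: "Remove this differences" should read "Remove this difference" (or "these differences"); the same sentence is added in PolymorphicAccess.cpp line 1090 and PropertySlot.cpp line 38, so fix all three together.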
  • trunk/Source/JavaScriptCore/runtime/JSBoundSlotBaseFunction.cpp

    r200430 r201322  
    5252
    5353    const String& name = boundSlotBaseFunction->name();
    54     return getter(exec, JSValue::encode(exec->thisValue()), PropertyName(Identifier::fromString(exec, name)));
     54    return getter(exec, JSValue::encode(exec->thisValue()), PropertyName(Identifier::fromString(exec, name)), baseObject);
    5555}
    5656
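Review bot: line 54 now forwards baseObject as slotBase, but the thisValue argument is still exec->thisValue(), which is whatever the caller of the bound slot-base function supplied and so is not guaranteed to be the holder (it may be a primitive or an unrelated object). Getters reached through this path that still cast thisValue unconditionally (JSFunction::argumentsGetter and callerGetter in this same patch use jsCast) have the same receiver/holder confusion this change fixes for ProxyObject; either move those getters onto slotBase, or document why exec->thisValue() is acceptable here.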
  • trunk/Source/JavaScriptCore/runtime/JSFunction.cpp

    r200694 r201322  
    265265}
    266266
    267 EncodedJSValue JSFunction::argumentsGetter(ExecState* exec, EncodedJSValue thisValue, PropertyName)
     267EncodedJSValue JSFunction::argumentsGetter(ExecState* exec, EncodedJSValue thisValue, PropertyName, JSObject*)
    268268{
    269269    JSFunction* thisObj = jsCast<JSFunction*>(JSValue::decode(thisValue));
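Review bot: the JSObject* parameter added at line 267 is unnamed, and line 269 still uses jsCast<JSFunction*>(JSValue::decode(thisValue)), which asserts rather than returning null when thisValue is not a JSFunction. Since the point of the new parameter is that thisValue may differ from the holder, either cast slotBase here or switch to jsDynamicCast with an explicit failure path, as customGetter in jsc.cpp already does; callerGetter at lines 329-331 has the same shape.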
     
    327327}
    328328
    329 EncodedJSValue JSFunction::callerGetter(ExecState* exec, EncodedJSValue thisValue, PropertyName)
     329EncodedJSValue JSFunction::callerGetter(ExecState* exec, EncodedJSValue thisValue, PropertyName, JSObject*)
    330330{
    331331    JSFunction* thisObj = jsCast<JSFunction*>(JSValue::decode(thisValue));
  • trunk/Source/JavaScriptCore/runtime/JSFunction.h

    r198288 r201322  
    199199    friend class LLIntOffsetsExtractor;
    200200
    201     static EncodedJSValue argumentsGetter(ExecState*, EncodedJSValue, PropertyName);
    202     static EncodedJSValue callerGetter(ExecState*, EncodedJSValue, PropertyName);
    203     static EncodedJSValue lengthGetter(ExecState*, EncodedJSValue, PropertyName);
    204     static EncodedJSValue nameGetter(ExecState*, EncodedJSValue, PropertyName);
     201    static EncodedJSValue argumentsGetter(ExecState*, EncodedJSValue, PropertyName, JSObject*);
     202    static EncodedJSValue callerGetter(ExecState*, EncodedJSValue, PropertyName, JSObject*);
    205203
    206204    WriteBarrier<ExecutableBase> m_executable;
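Review bot: lines 203-204 drop the declarations of lengthGetter and nameGetter, and nothing in this hunk or in the ChangeLog re-adds them with the new signature or removes their definitions. If they are already dead code this is a good cleanup, but say so in the ChangeLog entry for JSFunction.h; if they are still defined in JSFunction.cpp, the build will fail on the now-undeclared member functions.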
  • trunk/Source/JavaScriptCore/runtime/JSModuleNamespaceObject.cpp

    r198023 r201322  
    9898}
    9999
    100 static EncodedJSValue callbackGetter(ExecState* exec, EncodedJSValue thisValue, PropertyName propertyName)
     100static EncodedJSValue callbackGetter(ExecState* exec, EncodedJSValue thisValue, PropertyName propertyName, JSObject*)
    101101{
    102102    JSModuleNamespaceObject* thisObject = jsCast<JSModuleNamespaceObject*>(JSValue::decode(thisValue));
  • trunk/Source/JavaScriptCore/runtime/PropertySlot.cpp

    r199170 r201322  
    3636JSValue PropertySlot::customGetter(ExecState* exec, PropertyName propertyName) const
    3737{
     38    // FIXME: Remove this differences in custom values and custom accessors.
     39    // https://bugs.webkit.org/show_bug.cgi?id=158014
    3840    JSValue thisValue = m_attributes & CustomAccessor ? m_thisValue : JSValue(slotBase());
    39     return JSValue::decode(m_data.custom.getValue(exec, JSValue::encode(thisValue), propertyName));
     41    return JSValue::decode(m_data.custom.getValue(exec, JSValue::encode(thisValue), propertyName, slotBase()));
    4042}
    4143
  • trunk/Source/JavaScriptCore/runtime/PropertySlot.h

    r200430 r201322  
    9595    }
    9696
    97     typedef EncodedJSValue (*GetValueFunc)(ExecState*, EncodedJSValue thisValue, PropertyName);
     97    // There are two types of custom properties: custom values and custom accessors.
     98    // For the second argument, custom values are passed the slotBase (the property holder), custom accessors are passed the thisVaule (reciever).
     99    // And when getting the property descriptor from these properties, custom values return the data descriptor while custom accessors return the accessor descriptor.
     100    // FIXME: Remove this slotBase / receiver behavior difference in custom values and custom accessors.
     101    // https://bugs.webkit.org/show_bug.cgi?id=158014
     102    typedef EncodedJSValue (*GetValueFunc)(ExecState*, EncodedJSValue thisValue, PropertyName, JSObject* slotBase);
    98103
    99104    JSValue getValue(ExecState*, PropertyName) const;
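Review bot: typos in the added comment at line 98: "thisVaule" should be "thisValue" and "reciever" should be "receiver" (both are carried over from the existing comment at PolymorphicAccess.cpp line 1089, which could be corrected in the same patch). "For the second argument" would also read more clearly as "For the thisValue argument", since the typedef at line 102 names it.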
  • trunk/Source/JavaScriptCore/runtime/ProxyObject.cpp

    r199170 r201322  
    9393static const char* s_proxyAlreadyRevokedErrorMessage = "Proxy has already been revoked. No more operations are allowed to be performed on it";
    9494
    95 static EncodedJSValue performProxyGet(ExecState* exec, EncodedJSValue thisValue, PropertyName propertyName)
     95static EncodedJSValue performProxyGet(ExecState* exec, EncodedJSValue thisValue, PropertyName propertyName, JSObject* slotBase)
    9696{
    9797    VM& vm = exec->vm();
     
    101101    }
    102102
    103     JSObject* thisObject = jsCast<JSObject*>(JSValue::decode(thisValue)); // This might be a value where somewhere in __proto__ chain lives a ProxyObject.
    104     JSObject* proxyObjectAsObject = thisObject;
    105     // FIXME: make it so that custom getters take both the |this| value and the slotBase (property holder).
    106     // https://bugs.webkit.org/show_bug.cgi?id=154320
    107     while (true) {
    108         if (LIKELY(proxyObjectAsObject->type() == ProxyObjectType))
    109             break;
    110 
    111         JSValue prototype = proxyObjectAsObject->getPrototypeDirect();
    112         RELEASE_ASSERT(prototype.isObject());
    113         proxyObjectAsObject = asObject(prototype);
    114     }
    115 
    116     ProxyObject* proxyObject = jsCast<ProxyObject*>(proxyObjectAsObject);
     103    ProxyObject* proxyObject = jsCast<ProxyObject*>(slotBase);
    117104    JSObject* target = proxyObject->target();
    118105
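Review bot: the removed loop at lines 107-114 carried a RELEASE_ASSERT on every step of the prototype walk, whereas jsCast<ProxyObject*>(slotBase) at line 103 checks the type only through an assertion, so release builds no longer verify that slotBase is actually a ProxyObject. That is sound only because performProxyGet is installed by ProxyObject itself, so the slot holding it is always the proxy; a one-line comment stating that invariant would help, and the FIXME for bug 154320 removed at lines 105-106 should be reflected in the ChangeLog (or the bug closed), since this change resolves it.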
     
    144131    arguments.append(target);
    145132    arguments.append(identifierToSafePublicJSValue(vm, Identifier::fromUid(&vm, propertyName.uid())));
    146     arguments.append(thisObject);
     133    arguments.append(JSValue::decode(thisValue));
    147134    JSValue trapResult = call(exec, getHandler, callType, callData, handler, arguments);
    148135    if (exec->hadException())
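Review bot: line 133 is the behavioural part of the fix: the get trap's third argument is now the original receiver, including primitives, instead of the nearest object found by the old prototype walk, which matches Proxy [[Get]] passing Receiver through to the trap unchanged. The ChangeLog only mentions the assertion failure; it should say explicitly that the trap's receiver argument changes, and the new stress test should assert that the receiver seen by the trap is the primitive passed to Reflect.get, not only that no assertion fires.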
  • trunk/Source/JavaScriptCore/runtime/RegExpConstructor.cpp

    r199144 r201322  
    3232namespace JSC {
    3333
    34 static EncodedJSValue regExpConstructorInput(ExecState*, EncodedJSValue, PropertyName);
    35 static EncodedJSValue regExpConstructorMultiline(ExecState*, EncodedJSValue, PropertyName);
    36 static EncodedJSValue regExpConstructorLastMatch(ExecState*, EncodedJSValue, PropertyName);
    37 static EncodedJSValue regExpConstructorLastParen(ExecState*, EncodedJSValue, PropertyName);
    38 static EncodedJSValue regExpConstructorLeftContext(ExecState*, EncodedJSValue, PropertyName);
    39 static EncodedJSValue regExpConstructorRightContext(ExecState*, EncodedJSValue, PropertyName);
    40 static EncodedJSValue regExpConstructorDollar1(ExecState*, EncodedJSValue, PropertyName);
    41 static EncodedJSValue regExpConstructorDollar2(ExecState*, EncodedJSValue, PropertyName);
    42 static EncodedJSValue regExpConstructorDollar3(ExecState*, EncodedJSValue, PropertyName);
    43 static EncodedJSValue regExpConstructorDollar4(ExecState*, EncodedJSValue, PropertyName);
    44 static EncodedJSValue regExpConstructorDollar5(ExecState*, EncodedJSValue, PropertyName);
    45 static EncodedJSValue regExpConstructorDollar6(ExecState*, EncodedJSValue, PropertyName);
    46 static EncodedJSValue regExpConstructorDollar7(ExecState*, EncodedJSValue, PropertyName);
    47 static EncodedJSValue regExpConstructorDollar8(ExecState*, EncodedJSValue, PropertyName);
    48 static EncodedJSValue regExpConstructorDollar9(ExecState*, EncodedJSValue, PropertyName);
     34static EncodedJSValue regExpConstructorInput(ExecState*, EncodedJSValue, PropertyName, JSObject*);
     35static EncodedJSValue regExpConstructorMultiline(ExecState*, EncodedJSValue, PropertyName, JSObject*);
     36static EncodedJSValue regExpConstructorLastMatch(ExecState*, EncodedJSValue, PropertyName, JSObject*);
     37static EncodedJSValue regExpConstructorLastParen(ExecState*, EncodedJSValue, PropertyName, JSObject*);
     38static EncodedJSValue regExpConstructorLeftContext(ExecState*, EncodedJSValue, PropertyName, JSObject*);
     39static EncodedJSValue regExpConstructorRightContext(ExecState*, EncodedJSValue, PropertyName, JSObject*);
     40template<int N>
     41static EncodedJSValue regExpConstructorDollar(ExecState*, EncodedJSValue, PropertyName, JSObject*);
    4942
    5043static bool setRegExpConstructorInput(ExecState*, EncodedJSValue, EncodedJSValue);
     
    7366    rightContext    regExpConstructorRightContext   DontDelete|ReadOnly
    7467    $'              regExpConstructorRightContext   DontDelete|ReadOnly|DontEnum
    75     $1              regExpConstructorDollar      DontDelete|ReadOnly
    76     $2              regExpConstructorDollar      DontDelete|ReadOnly
    77     $3              regExpConstructorDollar      DontDelete|ReadOnly
    78     $4              regExpConstructorDollar      DontDelete|ReadOnly
    79     $5              regExpConstructorDollar      DontDelete|ReadOnly
    80     $6              regExpConstructorDollar      DontDelete|ReadOnly
    81     $7              regExpConstructorDollar      DontDelete|ReadOnly
    82     $8              regExpConstructorDollar      DontDelete|ReadOnly
    83     $9              regExpConstructorDollar      DontDelete|ReadOnly
     68    $1              regExpConstructorDollar<1>      DontDelete|ReadOnly
     69    $2              regExpConstructorDollar<2>      DontDelete|ReadOnly
     70    $3              regExpConstructorDollar<3>      DontDelete|ReadOnly
     71    $4              regExpConstructorDollar<4>      DontDelete|ReadOnly
     72    $5              regExpConstructorDollar<5>      DontDelete|ReadOnly
     73    $6              regExpConstructorDollar<6>      DontDelete|ReadOnly
     74    $7              regExpConstructorDollar<7>      DontDelete|ReadOnly
     75    $8              regExpConstructorDollar<8>      DontDelete|ReadOnly
     76    $9              regExpConstructorDollar<9>      DontDelete|ReadOnly
    8477@end
    8578*/
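Review bot: the table entries at lines 68-76 now put a template specialization (regExpConstructorDollar<1> and so on) in the function column of the @begin/@end lookup table, the only templated entry visible in it. Please confirm that the lookup-table generator emits that token verbatim into the generated table and that the result compiles on every port; a sentence in the ChangeLog noting that this was checked would save the next reader the same question.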
     
    158151    return getStaticValueSlot<RegExpConstructor, InternalFunction>(exec, regExpConstructorTable, jsCast<RegExpConstructor*>(object), propertyName, slot);
    159152}
    160    
    161 EncodedJSValue regExpConstructorDollar1(ExecState* exec, EncodedJSValue thisValue, PropertyName)
    162 {
    163     return JSValue::encode(asRegExpConstructor(JSValue::decode(thisValue))->getBackref(exec, 1));
    164 }
    165 
    166 EncodedJSValue regExpConstructorDollar2(ExecState* exec, EncodedJSValue thisValue, PropertyName)
    167 {
    168     return JSValue::encode(asRegExpConstructor(JSValue::decode(thisValue))->getBackref(exec, 2));
    169 }
    170 
    171 EncodedJSValue regExpConstructorDollar3(ExecState* exec, EncodedJSValue thisValue, PropertyName)
    172 {
    173     return JSValue::encode(asRegExpConstructor(JSValue::decode(thisValue))->getBackref(exec, 3));
    174 }
    175 
    176 EncodedJSValue regExpConstructorDollar4(ExecState* exec, EncodedJSValue thisValue, PropertyName)
    177 {
    178     return JSValue::encode(asRegExpConstructor(JSValue::decode(thisValue))->getBackref(exec, 4));
    179 }
    180 
    181 EncodedJSValue regExpConstructorDollar5(ExecState* exec, EncodedJSValue thisValue, PropertyName)
    182 {
    183     return JSValue::encode(asRegExpConstructor(JSValue::decode(thisValue))->getBackref(exec, 5));
    184 }
    185 
    186 EncodedJSValue regExpConstructorDollar6(ExecState* exec, EncodedJSValue thisValue, PropertyName)
    187 {
    188     return JSValue::encode(asRegExpConstructor(JSValue::decode(thisValue))->getBackref(exec, 6));
    189 }
    190 
    191 EncodedJSValue regExpConstructorDollar7(ExecState* exec, EncodedJSValue thisValue, PropertyName)
    192 {
    193     return JSValue::encode(asRegExpConstructor(JSValue::decode(thisValue))->getBackref(exec, 7));
    194 }
    195 
    196 EncodedJSValue regExpConstructorDollar8(ExecState* exec, EncodedJSValue thisValue, PropertyName)
    197 {
    198     return JSValue::encode(asRegExpConstructor(JSValue::decode(thisValue))->getBackref(exec, 8));
    199 }
    200 
    201 EncodedJSValue regExpConstructorDollar9(ExecState* exec, EncodedJSValue thisValue, PropertyName)
    202 {
    203     return JSValue::encode(asRegExpConstructor(JSValue::decode(thisValue))->getBackref(exec, 9));
    204 }
    205 
    206 EncodedJSValue regExpConstructorInput(ExecState*, EncodedJSValue thisValue, PropertyName)
     153
     154template<int N>
     155EncodedJSValue regExpConstructorDollar(ExecState* exec, EncodedJSValue thisValue, PropertyName, JSObject*)
     156{
     157    return JSValue::encode(asRegExpConstructor(JSValue::decode(thisValue))->getBackref(exec, N));
     158}
     159
     160EncodedJSValue regExpConstructorInput(ExecState*, EncodedJSValue thisValue, PropertyName, JSObject*)
    207161{
    208162    return JSValue::encode(asRegExpConstructor(JSValue::decode(thisValue))->input());
    209163}
    210164
    211 EncodedJSValue regExpConstructorMultiline(ExecState*, EncodedJSValue thisValue, PropertyName)
     165EncodedJSValue regExpConstructorMultiline(ExecState*, EncodedJSValue thisValue, PropertyName, JSObject*)
    212166{
    213167    return JSValue::encode(jsBoolean(asRegExpConstructor(JSValue::decode(thisValue))->multiline()));
    214168}
    215169
    216 EncodedJSValue regExpConstructorLastMatch(ExecState* exec, EncodedJSValue thisValue, PropertyName)
     170EncodedJSValue regExpConstructorLastMatch(ExecState* exec, EncodedJSValue thisValue, PropertyName, JSObject*)
    217171{
    218172    return JSValue::encode(asRegExpConstructor(JSValue::decode(thisValue))->getBackref(exec, 0));
    219173}
    220174
    221 EncodedJSValue regExpConstructorLastParen(ExecState* exec, EncodedJSValue thisValue, PropertyName)
     175EncodedJSValue regExpConstructorLastParen(ExecState* exec, EncodedJSValue thisValue, PropertyName, JSObject*)
    222176{
    223177    return JSValue::encode(asRegExpConstructor(JSValue::decode(thisValue))->getLastParen(exec));
    224178}
    225179
    226 EncodedJSValue regExpConstructorLeftContext(ExecState* exec, EncodedJSValue thisValue, PropertyName)
     180EncodedJSValue regExpConstructorLeftContext(ExecState* exec, EncodedJSValue thisValue, PropertyName, JSObject*)
    227181{
    228182    return JSValue::encode(asRegExpConstructor(JSValue::decode(thisValue))->getLeftContext(exec));
    229183}
    230184
    231 EncodedJSValue regExpConstructorRightContext(ExecState* exec, EncodedJSValue thisValue, PropertyName)
     185EncodedJSValue regExpConstructorRightContext(ExecState* exec, EncodedJSValue thisValue, PropertyName, JSObject*)
    232186{
    233187    return JSValue::encode(asRegExpConstructor(JSValue::decode(thisValue))->getRightContext(exec));
  • trunk/Source/WebCore/ChangeLog

    r201318 r201322  
     12016-05-23  Yusuke Suzuki  <utatane.tea@gmail.com>
     2
     3        Assertion failure for Reflect.get with Proxy and primitive value as explicit receiver
     4        https://bugs.webkit.org/show_bug.cgi?id=157080
     5
     6        Reviewed by Saam Barati.
     7
     8        * bindings/js/JSDOMBinding.h:
     9        (WebCore::nonCachingStaticFunctionGetter):
     10        * bindings/js/JSDOMWindowCustom.cpp:
     11        (WebCore::jsDOMWindowWebKit):
     12        * bindings/js/JSPluginElementFunctions.cpp:
     13        (WebCore::pluginElementPropertyGetter):
     14        * bindings/js/JSPluginElementFunctions.h:
     15        * bindings/scripts/CodeGeneratorJS.pm:
     16        (GenerateHeader):
     17        (GenerateImplementation):
     18        * bridge/runtime_array.cpp:
     19        (JSC::RuntimeArray::lengthGetter):
     20        * bridge/runtime_array.h:
     21        * bridge/runtime_method.cpp:
     22        (JSC::RuntimeMethod::lengthGetter):
     23        * bridge/runtime_method.h:
     24        * bridge/runtime_object.cpp:
     25        (JSC::Bindings::RuntimeObject::fallbackObjectGetter):
     26        (JSC::Bindings::RuntimeObject::fieldGetter):
     27        (JSC::Bindings::RuntimeObject::methodGetter):
     28        * bridge/runtime_object.h:
     29
    1302016-05-23  Alex Christensen  <achristensen@webkit.org>
    231
  • trunk/Source/WebCore/bindings/js/JSDOMBinding.h

    r201253 r201322  
    306306
    307307template<typename DOMClass> const JSC::HashTableValue* getStaticValueSlotEntryWithoutCaching(JSC::ExecState*, JSC::PropertyName);
    308 template<JSC::NativeFunction, int length> JSC::EncodedJSValue nonCachingStaticFunctionGetter(JSC::ExecState*, JSC::EncodedJSValue, JSC::PropertyName);
     308template<JSC::NativeFunction, int length> JSC::EncodedJSValue nonCachingStaticFunctionGetter(JSC::ExecState*, JSC::EncodedJSValue, JSC::PropertyName, JSC::JSObject*);
    309309
    310310// Inline functions and template definitions.
     
    785785}
    786786
    787 template<JSC::NativeFunction nativeFunction, int length> JSC::EncodedJSValue nonCachingStaticFunctionGetter(JSC::ExecState* exec, JSC::EncodedJSValue, JSC::PropertyName propertyName)
     787template<JSC::NativeFunction nativeFunction, int length> JSC::EncodedJSValue nonCachingStaticFunctionGetter(JSC::ExecState* exec, JSC::EncodedJSValue, JSC::PropertyName propertyName, JSC::JSObject*)
    788788{
    789789    return JSC::JSValue::encode(JSC::JSFunction::create(exec->vm(), exec->lexicalGlobalObject(), length, propertyName.publicName(), nativeFunction));
  • trunk/Source/WebCore/bindings/js/JSDOMWindowCustom.cpp

    r200788 r201322  
    6363
    6464#if ENABLE(USER_MESSAGE_HANDLERS)
    65 static EncodedJSValue jsDOMWindowWebKit(ExecState* exec, EncodedJSValue thisValue, PropertyName)
     65static EncodedJSValue jsDOMWindowWebKit(ExecState* exec, EncodedJSValue thisValue, PropertyName, JSObject*)
    6666{
    6767    JSDOMWindow* castedThis = toJSDOMWindow(JSValue::decode(thisValue));
  • trunk/Source/WebCore/bindings/js/JSPluginElementFunctions.cpp

    r198023 r201322  
    9595}
    9696   
    97 EncodedJSValue pluginElementPropertyGetter(ExecState* exec, EncodedJSValue thisValue, PropertyName propertyName)
     97EncodedJSValue pluginElementPropertyGetter(ExecState* exec, EncodedJSValue thisValue, PropertyName propertyName, JSObject*)
    9898{
    9999
  • trunk/Source/WebCore/bindings/js/JSPluginElementFunctions.h

    r198023 r201322  
    3939    WEBCORE_EXPORT JSC::JSObject* pluginScriptObject(JSC::ExecState*, JSHTMLElement*);
    4040
    41     JSC::EncodedJSValue pluginElementPropertyGetter(JSC::ExecState*,
    42     JSC::EncodedJSValue, JSC::PropertyName);
     41    JSC::EncodedJSValue pluginElementPropertyGetter(JSC::ExecState*, JSC::EncodedJSValue, JSC::PropertyName, JSC::JSObject*);
    4342    bool pluginElementCustomGetOwnPropertySlot(JSC::ExecState*, JSC::PropertyName, JSC::PropertySlot&, JSHTMLElement*);
    4443    bool pluginElementCustomPut(JSC::ExecState*, JSC::PropertyName, JSC::JSValue, JSHTMLElement*, JSC::PutPropertySlot&, bool& putResult);
  • trunk/Source/WebCore/bindings/scripts/CodeGeneratorJS.pm

    r201318 r201322  
    15081508            push(@headerContent, "#if ${conditionalString}\n") if $conditionalString;
    15091509            my $getter = GetAttributeGetterName($interface, $className, $attribute);
    1510             push(@headerContent, "JSC::EncodedJSValue ${getter}(JSC::ExecState*, JSC::EncodedJSValue, JSC::PropertyName);\n");
     1510            push(@headerContent, "JSC::EncodedJSValue ${getter}(JSC::ExecState*, JSC::EncodedJSValue, JSC::PropertyName, JSC::JSObject*);\n");
    15111511            if (!IsReadonly($attribute)) {
    15121512                my $setter = GetAttributeSetterName($interface, $className, $attribute);
     
    20692069            push(@implContent, "#if ${conditionalString}\n") if $conditionalString;
    20702070            my $getter = GetAttributeGetterName($interface, $className, $attribute);
    2071             push(@implContent, "JSC::EncodedJSValue ${getter}(JSC::ExecState*, JSC::EncodedJSValue, JSC::PropertyName);\n");
     2071            push(@implContent, "JSC::EncodedJSValue ${getter}(JSC::ExecState*, JSC::EncodedJSValue, JSC::PropertyName, JSC::JSObject*);\n");
    20722072            if (!IsReadonly($attribute)) {
    20732073                my $setter = GetAttributeSetterName($interface, $className, $attribute);
     
    20792079        if (NeedsConstructorProperty($interface)) {
    20802080            my $getter = "js" . $interfaceName . "Constructor";
    2081             push(@implContent, "JSC::EncodedJSValue ${getter}(JSC::ExecState*, JSC::EncodedJSValue, JSC::PropertyName);\n");
     2081            push(@implContent, "JSC::EncodedJSValue ${getter}(JSC::ExecState*, JSC::EncodedJSValue, JSC::PropertyName, JSC::JSObject*);\n");
    20822082        }
    20832083
     
    25392539            push(@implContent, "#if ${attributeConditionalString}\n") if $attributeConditionalString;
    25402540
    2541             push(@implContent, "EncodedJSValue ${getFunctionName}(ExecState* state, EncodedJSValue thisValue, PropertyName)\n");
     2541            push(@implContent, "EncodedJSValue ${getFunctionName}(ExecState* state, EncodedJSValue thisValue, PropertyName, JSObject* slotBase)\n");
    25422542            push(@implContent, "{\n");
    25432543
    25442544            push(@implContent, "    UNUSED_PARAM(state);\n");
    25452545            push(@implContent, "    UNUSED_PARAM(thisValue);\n");
     2546            push(@implContent, "    UNUSED_PARAM(slotBase);\n");
    25462547
    25472548            if (!$attribute->isStatic || $attribute->signature->type =~ /Constructor$/) {
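Review bot: the generated getter names the new parameter slotBase and immediately marks it UNUSED_PARAM, while the matching forward declarations at 1510 and 2071 leave it unnamed, so nothing in the generator tells a reader what the parameter means. A short comment next to the push at 2541 (the object that owns the custom getter, as distinct from the receiver in thisValue) would document the contract for whoever later wants generated bindings to use it.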
     
    27422743            my $constructorFunctionName = "js" . $interfaceName . "Constructor";
    27432744
    2744             push(@implContent, "EncodedJSValue ${constructorFunctionName}(ExecState* state, EncodedJSValue thisValue, PropertyName)\n");
     2745            push(@implContent, "EncodedJSValue ${constructorFunctionName}(ExecState* state, EncodedJSValue thisValue, PropertyName, JSObject*)\n");
    27452746            push(@implContent, "{\n");
    27462747            push(@implContent, "    ${className}Prototype* domObject = jsDynamicCast<${className}Prototype*>(JSValue::decode(thisValue));\n");
  • trunk/Source/WebCore/bridge/runtime_array.cpp

    r198023 r201322  
    6161}
    6262
    63 EncodedJSValue RuntimeArray::lengthGetter(ExecState* exec, EncodedJSValue thisValue, PropertyName)
     63EncodedJSValue RuntimeArray::lengthGetter(ExecState* exec, EncodedJSValue thisValue, PropertyName, JSObject*)
    6464{
    6565    RuntimeArray* thisObject = jsDynamicCast<RuntimeArray*>(JSValue::decode(thisValue));
  • trunk/Source/WebCore/bridge/runtime_array.h

    r199164 r201322  
    8484private:
    8585    RuntimeArray(ExecState*, Structure*);
    86     static EncodedJSValue lengthGetter(ExecState*, EncodedJSValue, PropertyName);
     86    static EncodedJSValue lengthGetter(ExecState*, EncodedJSValue, PropertyName, JSObject*);
    8787
    8888    BindingsArray* m_array;
  • trunk/Source/WebCore/bridge/runtime_method.cpp

    r197614 r201322  
    5555}
    5656
    57 EncodedJSValue RuntimeMethod::lengthGetter(ExecState* exec, EncodedJSValue thisValue, PropertyName)
     57EncodedJSValue RuntimeMethod::lengthGetter(ExecState* exec, EncodedJSValue thisValue, PropertyName, JSObject*)
    5858{
    5959    RuntimeMethod* thisObject = jsDynamicCast<RuntimeMethod*>(JSValue::decode(thisValue));
  • trunk/Source/WebCore/bridge/runtime_method.h

    r196331 r201322  
    6767
    6868private:
    69     static EncodedJSValue lengthGetter(ExecState*, EncodedJSValue, PropertyName);
     69    static EncodedJSValue lengthGetter(ExecState*, EncodedJSValue, PropertyName, JSObject*);
    7070
    7171    Bindings::Method* m_method;
  • trunk/Source/WebCore/bridge/runtime_object.cpp

    r198023 r201322  
    6363}
    6464
    65 EncodedJSValue RuntimeObject::fallbackObjectGetter(ExecState* exec, EncodedJSValue thisValue, PropertyName propertyName)
     65EncodedJSValue RuntimeObject::fallbackObjectGetter(ExecState* exec, EncodedJSValue thisValue, PropertyName propertyName, JSObject*)
    6666{
    6767    RuntimeObject* thisObj = jsCast<RuntimeObject*>(JSValue::decode(thisValue));
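Review bot: fallbackObjectGetter still derives its object with jsCast<RuntimeObject*>(JSValue::decode(thisValue)) and discards the new JSObject* parameter. The reason this changeset exists is that thisValue is not guaranteed to be the object holding the getter once Reflect.get supplies an explicit receiver, and jsCast performs no runtime check on a mismatch. Suggest deriving the RuntimeObject from the new slot base parameter instead, or at least switching to jsDynamicCast with a null check as RuntimeArray::lengthGetter and RuntimeMethod::lengthGetter already do.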
     
    8181}
    8282
    83 EncodedJSValue RuntimeObject::fieldGetter(ExecState* exec, EncodedJSValue thisValue, PropertyName propertyName)
     83EncodedJSValue RuntimeObject::fieldGetter(ExecState* exec, EncodedJSValue thisValue, PropertyName propertyName, JSObject*)
    8484{   
    8585    RuntimeObject* thisObj = jsCast<RuntimeObject*>(JSValue::decode(thisValue));
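Review bot: fieldGetter has the same unchecked jsCast<RuntimeObject*> on thisValue with the new JSObject* parameter unused; since thisValue may be an explicit receiver supplied by Reflect.get, prefer the slot base parameter or jsDynamicCast with a null check here as well.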
     
    100100}
    101101
    102 EncodedJSValue RuntimeObject::methodGetter(ExecState* exec, EncodedJSValue thisValue, PropertyName propertyName)
     102EncodedJSValue RuntimeObject::methodGetter(ExecState* exec, EncodedJSValue thisValue, PropertyName propertyName, JSObject*)
    103103{
    104104    RuntimeObject* thisObj = jsCast<RuntimeObject*>(JSValue::decode(thisValue));
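Review bot: methodGetter likewise keeps jsCast<RuntimeObject*>(JSValue::decode(thisValue)) and ignores the new JSObject* parameter; the same receiver-versus-slot-base concern applies, and the fix should be the same across all three RuntimeObject getters so they do not diverge.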
  • trunk/Source/WebCore/bridge/runtime_object.h

    r198023 r201322  
    7979
    8080private:
    81     static EncodedJSValue fallbackObjectGetter(ExecState*, EncodedJSValue, PropertyName);
    82     static EncodedJSValue fieldGetter(ExecState*, EncodedJSValue, PropertyName);
    83     static EncodedJSValue methodGetter(ExecState*, EncodedJSValue, PropertyName);
     81    static EncodedJSValue fallbackObjectGetter(ExecState*, EncodedJSValue, PropertyName, JSObject*);
     82    static EncodedJSValue fieldGetter(ExecState*, EncodedJSValue, PropertyName, JSObject*);
     83    static EncodedJSValue methodGetter(ExecState*, EncodedJSValue, PropertyName, JSObject*);
    8484
    8585    RefPtr<Instance> m_instance;
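Review bot: the three declarations add a trailing JSC::JSObject* with no parameter name, unlike the generated bindings which call it slotBase. Naming it slotBase in the hand-written headers (here and in the other bridge and plugin headers in this changeset) costs nothing and records what the argument is for readers who never see the JavaScriptCore ChangeLog.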
  • trunk/Source/WebKit2/ChangeLog

    r201305 r201322  
     12016-05-23  Yusuke Suzuki  <utatane.tea@gmail.com>
     2
     3        Assertion failure for Reflect.get with Proxy and primitive value as explicit receiver
     4        https://bugs.webkit.org/show_bug.cgi?id=157080
     5
     6        Reviewed by Saam Barati.
     7
     8        * WebProcess/Plugins/Netscape/JSNPObject.cpp:
     9        (WebKit::JSNPObject::propertyGetter):
     10        (WebKit::JSNPObject::methodGetter):
     11        * WebProcess/Plugins/Netscape/JSNPObject.h:
     12
    1132016-05-23  Chris Dumez  <cdumez@apple.com>
    214
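Review bot: the WebKit2 ChangeLog entry lists the two touched functions and the header but says nothing about what changed. A one-line description (custom getters gain a trailing JSC::JSObject* slot base parameter to match the updated JSC custom-getter signature) would let someone reading this ChangeLog alone understand why JSNPObject was modified for a Reflect.get assertion bug.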
  • trunk/Source/WebKit2/WebProcess/Plugins/Netscape/JSNPObject.cpp

    r198023 r201322  
    436436}
    437437
    438 EncodedJSValue JSNPObject::propertyGetter(ExecState* exec, EncodedJSValue thisValue, PropertyName propertyName)
     438EncodedJSValue JSNPObject::propertyGetter(ExecState* exec, EncodedJSValue thisValue, PropertyName propertyName, JSObject*)
    439439{
    440440    JSNPObject* thisObj = jsCast<JSNPObject*>(JSValue::decode(thisValue));
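Review bot: propertyGetter keeps jsCast<JSNPObject*>(JSValue::decode(thisValue)) and discards the new JSObject* parameter. Given that this changeset is motivated by thisValue being a primitive or other explicit receiver passed through Reflect.get, a plugin-backed object reached that way still hits an unchecked cast here. Suggest taking the JSNPObject from the slot base parameter, or using jsDynamicCast and bailing out on null.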
     
    476476}
    477477
    478 EncodedJSValue JSNPObject::methodGetter(ExecState* exec, EncodedJSValue thisValue, PropertyName propertyName)
     478EncodedJSValue JSNPObject::methodGetter(ExecState* exec, EncodedJSValue thisValue, PropertyName propertyName, JSObject*)
    479479{
    480480    JSNPObject* thisObj = jsCast<JSNPObject*>(JSValue::decode(thisValue));
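Review bot: methodGetter has the same unchecked jsCast<JSNPObject*> on thisValue with the slot base parameter unused; apply whatever resolution is chosen for propertyGetter here too so the two JSNPObject getters stay consistent.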
  • trunk/Source/WebKit2/WebProcess/Plugins/Netscape/JSNPObject.h

    r198023 r201322  
    9595    static void getOwnPropertyNames(JSC::JSObject*, JSC::ExecState*, JSC::PropertyNameArray&, JSC::EnumerationMode);
    9696
    97     static JSC::EncodedJSValue propertyGetter(JSC::ExecState*, JSC::EncodedJSValue, JSC::PropertyName);
    98     static JSC::EncodedJSValue methodGetter(JSC::ExecState*, JSC::EncodedJSValue, JSC::PropertyName);
     97    static JSC::EncodedJSValue propertyGetter(JSC::ExecState*, JSC::EncodedJSValue, JSC::PropertyName, JSC::JSObject*);
     98    static JSC::EncodedJSValue methodGetter(JSC::ExecState*, JSC::EncodedJSValue, JSC::PropertyName, JSC::JSObject*);
    9999    static JSC::JSObject* throwInvalidAccessError(JSC::ExecState*);
    100100