Changeset 205354 in webkit

Timestamp:

Sep 2, 2016 11:04:25 AM (8 years ago)

Author:

Chris Dumez

Message:

Align proto getter / setter behavior with other browsers
​https://bugs.webkit.org/show_bug.cgi?id=161455

Reviewed by Mark Lam.

Source/JavaScriptCore:

Drop allowsAccessFrom from the methodTable and delegate cross-origin
checking to the DOM bindings for SetPrototypeOf? / GetPrototypeOf?.
This is more consistent with other operations (e.g. GetOwnProperty?).

• jsc.cpp:
• runtime/JSGlobalObject.cpp:
• runtime/JSGlobalObject.h:
• runtime/JSGlobalObjectFunctions.cpp:

(JSC::globalFuncProtoGetter):
(JSC::globalFuncProtoSetter):
(JSC::globalFuncBuiltinLog): Deleted.

• runtime/JSGlobalObjectFunctions.h:
• runtime/JSObject.h:

(JSC::JSObject::getArrayLength): Deleted.

• runtime/JSProxy.cpp:

(JSC::JSProxy::setPrototype):
(JSC::JSProxy::getPrototype):

• runtime/JSProxy.h:
• runtime/ObjectConstructor.cpp:

(JSC::objectConstructorGetPrototypeOf):
(JSC::objectConstructorSetPrototypeOf):
(JSC::objectConstructorGetOwnPropertyDescriptor): Deleted.
(JSC::objectConstructorGetOwnPropertyDescriptors): Deleted.

• runtime/ObjectConstructor.h:
• runtime/ReflectObject.cpp:

(JSC::reflectObjectGetPrototypeOf):
(JSC::reflectObjectSetPrototypeOf):

• runtime/JSObject.cpp:

(JSC::JSObject::setPrototypeWithCycleCheck):
Comment out check added in r197648. This check was added to match
the latest EcmaScript spec:

• ​https://tc39.github.io/ecma262/#sec-ordinarysetprototypeof (step 8)

This check allowed for Prototype? chain cycles if the prototype
chain includes objects that do not use the ordinary object definitions
for GetPrototypeOf? and SetPrototypeOf?.
The issue is that the rest of our code base does not properly handle
such cycles and we can end up in infinite loops. This became obvious
because this patch updates Window / Location so that they no longer
use the default GetPrototypeOf? / SetPrototypeOf?. If I do not
comment out this check, I get an infinite loop in
Structure::anyObjectInChainMayInterceptIndexedAccesses(), which is
called from JSObject::setPrototypeDirect(), when running the following
layout test:

• html/browsers/history/the-location-interface/allow_prototype_cycle_through_location.sub.html

I filed ​https://bugs.webkit.org/show_bug.cgi?id=161534 to track this
issue.

Source/WebCore:

Align cross-origin proto getter / setter behavior with other
browsers and the specification:

SetPrototypeOf? should throw a TypeError:

• ​https://html.spec.whatwg.org/#windowproxy-setprototypeof
• ​https://html.spec.whatwg.org/#location-setprototypeof
• ​https://tc39.github.io/ecma262/#sec-object.setprototypeof (step 5)

GetPrototypeOf? should return null cross-origin:

• ​https://html.spec.whatwg.org/#windowproxy-getprototypeof
• ​https://html.spec.whatwg.org/#location-getprototypeof

Test: js/dom/setPrototypeOf-location-window.html

• bindings/js/JSDOMWindowBase.cpp:

(WebCore::JSDOMWindowBase::JSDOMWindowBase): Deleted.

• bindings/js/JSDOMWindowCustom.cpp:

(WebCore::JSDOMWindow::setPrototype):
(WebCore::JSDOMWindow::getPrototype):

• bindings/js/JSLocationCustom.cpp:

(WebCore::JSLocation::setPrototype):
(WebCore::JSLocation::getPrototype):

• bindings/js/JSWorkerGlobalScopeBase.cpp:

(WebCore::JSWorkerGlobalScopeBase::supportsRichSourceInfo): Deleted.

• bindings/js/JSWorkerGlobalScopeBase.h:
• bindings/scripts/CodeGeneratorJS.pm:

(GenerateHeader):

• bindings/scripts/IDLAttributes.txt:
• page/DOMWindow.idl:
• page/Location.idl:

LayoutTests:

Add layout test coverage and update a few existing test to reflect
behavior change.

• http/tests/security/cross-frame-access-object-getPrototypeOf-expected.txt:
• http/tests/security/cross-frame-access-object-getPrototypeOf.html:
• http/tests/security/cross-frame-access-object-setPrototypeOf-expected.txt:
• http/tests/security/cross-frame-access-object-setPrototypeOf.html:
• http/tests/security/xss-DENIED-htmlelelment-with-iframe-proto-expected.txt:
• http/tests/security/xss-DENIED-htmlelelment-with-iframe-proto.html:
• http/tests/security/xss-DENIED-method-with-iframe-proto-expected.txt:
• http/tests/security/xss-DENIED-method-with-iframe-proto.html:
• http/tests/security/xss-DENIED-non-shadowable-propterty-with-iframe-proto-expected.txt:
• http/tests/security/xss-DENIED-non-shadowable-propterty-with-iframe-proto.html:
• http/tests/security/xss-DENIED-regular-propterty-with-iframe-proto-expected.txt:
• http/tests/security/xss-DENIED-regular-propterty-with-iframe-proto.html:
• js/dom/setPrototypeOf-location-window-expected.txt: Added.
• js/dom/setPrototypeOf-location-window.html: Added.

Location:

trunk

Files:

• LayoutTests/ChangeLog (modified) (1 diff)
• LayoutTests/fast/dom/Window/script-tests/window-custom-prototype.js (deleted)
• LayoutTests/fast/dom/Window/window-custom-prototype-crash-expected.txt (modified) (1 diff)
• LayoutTests/fast/dom/Window/window-custom-prototype-expected.txt (deleted)
• LayoutTests/fast/dom/Window/window-custom-prototype.html (deleted)
• LayoutTests/http/tests/security/cross-frame-access-object-getPrototypeOf-expected.txt (modified) (1 diff)
• LayoutTests/http/tests/security/cross-frame-access-object-getPrototypeOf.html (modified) (1 diff)
• LayoutTests/http/tests/security/cross-frame-access-object-setPrototypeOf-expected.txt (modified) (2 diffs)
• LayoutTests/http/tests/security/cross-frame-access-object-setPrototypeOf.html (modified) (1 diff)
• LayoutTests/http/tests/security/xss-DENIED-htmlelelment-with-iframe-proto-expected.txt (modified) (1 diff)
• LayoutTests/http/tests/security/xss-DENIED-htmlelelment-with-iframe-proto.html (modified) (1 diff)
• LayoutTests/http/tests/security/xss-DENIED-method-with-iframe-proto-expected.txt (modified) (1 diff)
• LayoutTests/http/tests/security/xss-DENIED-method-with-iframe-proto.html (modified) (5 diffs)
• LayoutTests/http/tests/security/xss-DENIED-non-shadowable-propterty-with-iframe-proto-expected.txt (modified) (1 diff)
• LayoutTests/http/tests/security/xss-DENIED-non-shadowable-propterty-with-iframe-proto.html (modified) (3 diffs)
• LayoutTests/http/tests/security/xss-DENIED-regular-propterty-with-iframe-proto-expected.txt (modified) (1 diff)
• LayoutTests/http/tests/security/xss-DENIED-regular-propterty-with-iframe-proto.html (modified) (3 diffs)
• LayoutTests/js/dom/setPrototypeOf-location-window-expected.txt (added)
• LayoutTests/js/dom/setPrototypeOf-location-window.html (added)
• LayoutTests/js/object-literal-shorthand-construction-expected.txt (modified) (1 diff)
• LayoutTests/js/script-tests/object-literal-shorthand-construction.js (modified) (1 diff)
• LayoutTests/js/script-tests/sloppy-getter-setter-global-object.js (modified) (1 diff)
• LayoutTests/js/sloppy-getter-setter-global-object-expected.txt (modified) (1 diff)
• Source/JavaScriptCore/ChangeLog (modified) (1 diff)
• Source/JavaScriptCore/jsc.cpp (modified) (1 diff)
• Source/JavaScriptCore/runtime/JSGlobalObject.cpp (modified) (1 diff)
• Source/JavaScriptCore/runtime/JSGlobalObject.h (modified) (2 diffs)
• Source/JavaScriptCore/runtime/JSGlobalObjectFunctions.cpp (modified) (3 diffs)
• Source/JavaScriptCore/runtime/JSGlobalObjectFunctions.h (modified) (1 diff)
• Source/JavaScriptCore/runtime/JSObject.cpp (modified) (3 diffs)
• Source/JavaScriptCore/runtime/JSObject.h (modified) (1 diff)
• Source/JavaScriptCore/runtime/JSProxy.cpp (modified) (1 diff)
• Source/JavaScriptCore/runtime/JSProxy.h (modified) (1 diff)
• Source/JavaScriptCore/runtime/ObjectConstructor.cpp (modified) (3 diffs)
• Source/JavaScriptCore/runtime/ObjectConstructor.h (modified) (1 diff)
• Source/JavaScriptCore/runtime/ReflectObject.cpp (modified) (2 diffs)
• Source/WebCore/ChangeLog (modified) (1 diff)
• Source/WebCore/bindings/js/JSDOMWindowBase.cpp (modified) (1 diff)
• Source/WebCore/bindings/js/JSDOMWindowCustom.cpp (modified) (1 diff)
• Source/WebCore/bindings/js/JSLocationCustom.cpp (modified) (1 diff)
• Source/WebCore/bindings/js/JSWorkerGlobalScopeBase.cpp (modified) (2 diffs)
• Source/WebCore/bindings/js/JSWorkerGlobalScopeBase.h (modified) (1 diff)
• Source/WebCore/bindings/scripts/CodeGeneratorJS.pm (modified) (1 diff)
• Source/WebCore/bindings/scripts/IDLAttributes.txt (modified) (2 diffs)
• Source/WebCore/page/DOMWindow.idl (modified) (1 diff)
• Source/WebCore/page/Location.idl (modified) (1 diff)

trunk/LayoutTests/ChangeLog

@@ +1 @@
+2016-09-02  Chris Dumez  <cdumez@apple.com>
+
+        Align proto getter / setter behavior with other browsers
+        https://bugs.webkit.org/show_bug.cgi?id=161455
+
+        Reviewed by Mark Lam.
+
+        Add layout test coverage and update a few existing test to reflect
+        behavior change.
+
+        * http/tests/security/cross-frame-access-object-getPrototypeOf-expected.txt:
+        * http/tests/security/cross-frame-access-object-getPrototypeOf.html:
+        * http/tests/security/cross-frame-access-object-setPrototypeOf-expected.txt:
+        * http/tests/security/cross-frame-access-object-setPrototypeOf.html:
+        * http/tests/security/xss-DENIED-htmlelelment-with-iframe-proto-expected.txt:
+        * http/tests/security/xss-DENIED-htmlelelment-with-iframe-proto.html:
+        * http/tests/security/xss-DENIED-method-with-iframe-proto-expected.txt:
+        * http/tests/security/xss-DENIED-method-with-iframe-proto.html:
+        * http/tests/security/xss-DENIED-non-shadowable-propterty-with-iframe-proto-expected.txt:
+        * http/tests/security/xss-DENIED-non-shadowable-propterty-with-iframe-proto.html:
+        * http/tests/security/xss-DENIED-regular-propterty-with-iframe-proto-expected.txt:
+        * http/tests/security/xss-DENIED-regular-propterty-with-iframe-proto.html:
+        * js/dom/setPrototypeOf-location-window-expected.txt: Added.
+        * js/dom/setPrototypeOf-location-window.html: Added.
+
 2016-09-02  Eric Carlson  <eric.carlson@apple.com>
 

trunk/LayoutTests/fast/dom/Window/window-custom-prototype-crash-expected.txt

@@ +1 @@
+CONSOLE MESSAGE: line 7: TypeError: Cannot set prototype of this object
 If this did not crash the test has succeeded.

trunk/LayoutTests/http/tests/security/cross-frame-access-object-getPrototypeOf-expected.txt

@@ -1 @@
-CONSOLE MESSAGE: line 1: Blocked a frame with origin "http://127.0.0.1:8000" from accessing a frame with origin "http://localhost:8000". Protocols, domains, and ports must match.
-CONSOLE MESSAGE: line 1: Blocked a frame with origin "http://127.0.0.1:8000" from accessing a frame with origin "http://localhost:8000". Protocols, domains, and ports must match.
 This tests that you can't get the prototype of the window or history objects cross-origin using Object.getPrototypeOf().
 
 PASS: Object.getPrototypeOf(targetWindow) should be 'null' and is.
 PASS: Object.getPrototypeOf(targetWindow.location) should be 'null' and is.
+PASS: protoGetter.call(targetWindow) should be 'null' and is.
+PASS: protoGetter.call(targetWindow.location) should be 'null' and is.
 PASS targetWindow.history threw exception SecurityError (DOM Exception 18): Blocked a frame with origin "http://127.0.0.1:8000" from accessing a frame with origin "http://localhost:8000". Protocols, domains, and ports must match..
 PASS: successfullyParsed should be 'true' and is.

trunk/LayoutTests/http/tests/security/cross-frame-access-object-getPrototypeOf.html

@@ -19 +19 @@
             shouldBeNull("Object.getPrototypeOf(targetWindow)");
             shouldBeNull("Object.getPrototypeOf(targetWindow.location)");
+            protoGetter = Object.getOwnPropertyDescriptor(Object.prototype, '__proto__').get;
+            shouldBeNull("protoGetter.call(targetWindow)");
+            shouldBeNull("protoGetter.call(targetWindow.location)");
+
             shouldThrowErrorName("targetWindow.history", "SecurityError");
 

trunk/LayoutTests/http/tests/security/cross-frame-access-object-setPrototypeOf-expected.txt

@@ -1 @@
-CONSOLE MESSAGE: line 1: Blocked a frame with origin "http://127.0.0.1:8000" from accessing a frame with origin "http://localhost:8000". Protocols, domains, and ports must match.
-CONSOLE MESSAGE: line 1: Blocked a frame with origin "http://127.0.0.1:8000" from accessing a frame with origin "http://localhost:8000". Protocols, domains, and ports must match.
 This tests that you can't set the prototype of the window or location objects cross-origin using Object.setPrototypeOf()
 
@@ -7 +5 @@
 
 PASS: targetWindow instanceof Array should be 'false' and is.
-PASS Object.setPrototypeOf(targetWindow, Array.prototype) threw exception TypeError: Permission denied.
+PASS Object.setPrototypeOf(targetWindow, Array.prototype) threw exception TypeError: Cannot set prototype of this object.
 PASS: targetWindow instanceof Array should be 'false' and is.
 PASS: targetWindow.location instanceof Array should be 'false' and is.
-PASS Object.setPrototypeOf(targetWindow.location, Array.prototype) threw exception TypeError: Permission denied.
+PASS Object.setPrototypeOf(targetWindow.location, Array.prototype) threw exception TypeError: Cannot set prototype of this object.
+PASS: targetWindow.location instanceof Array should be 'false' and is.
+PASS: targetWindow instanceof Array should be 'false' and is.
+PASS protoSetter.call(targetWindow, Array.prototype) threw exception TypeError: Cannot set prototype of this object.
+PASS: targetWindow instanceof Array should be 'false' and is.
+PASS: targetWindow.location instanceof Array should be 'false' and is.
+PASS protoSetter.call(targetWindow.location, Array.prototype) threw exception TypeError: Cannot set prototype of this object.
 PASS: targetWindow.location instanceof Array should be 'false' and is.
 PASS: successfullyParsed should be 'true' and is.

trunk/LayoutTests/http/tests/security/cross-frame-access-object-setPrototypeOf.html

@@ -25 +25 @@
             shouldBeFalse("targetWindow.location instanceof Array");
 
+            protoSetter = Object.getOwnPropertyDescriptor(Object.prototype, '__proto__').set;
+            shouldBeFalse("targetWindow instanceof Array");
+            shouldThrowErrorName("protoSetter.call(targetWindow, Array.prototype)", "TypeError");
+            shouldBeFalse("targetWindow instanceof Array");
+
+            shouldBeFalse("targetWindow.location instanceof Array");
+            shouldThrowErrorName("protoSetter.call(targetWindow.location, Array.prototype)", "TypeError");
+            shouldBeFalse("targetWindow.location instanceof Array");
+
             finishJSTest();
         }

trunk/LayoutTests/http/tests/security/xss-DENIED-htmlelelment-with-iframe-proto-expected.txt

@@ -5 +5 @@
 
 
+PASS __proto__ = targetWindow threw exception TypeError: Cannot set prototype of this object.
 PASS targetWindow.myinput threw exception SecurityError (DOM Exception 18): Blocked a frame with origin "http://127.0.0.1:8000" from accessing a frame with origin "http://localhost:8000". Protocols, domains, and ports must match..
 PASS: successfullyParsed should be 'true' and is.

trunk/LayoutTests/http/tests/security/xss-DENIED-htmlelelment-with-iframe-proto.html

@@ -15 +15 @@
 
 window.onload = function() {
-  __proto__ = targetWindow;
+  shouldThrowErrorName("__proto__ = targetWindow", "TypeError");
   shouldThrowErrorName('targetWindow.myinput', 'SecurityError');
   finishJSTest();

trunk/LayoutTests/http/tests/security/xss-DENIED-method-with-iframe-proto-expected.txt

@@ -1 @@
-CONSOLE MESSAGE: line 40: SecurityError (DOM Exception 18): Blocked a frame with origin "http://127.0.0.1:8000" from accessing a frame with origin "http://localhost:8000". Protocols, domains, and ports must match.
-CONSOLE MESSAGE: line 47: SecurityError (DOM Exception 18): Blocked a frame with origin "http://127.0.0.1:8000" from accessing a frame with origin "http://localhost:8000". Protocols, domains, and ports must match.
-CONSOLE MESSAGE: line 54: SecurityError (DOM Exception 18): Blocked a frame with origin "http://127.0.0.1:8000" from accessing a frame with origin "http://localhost:8000". Protocols, domains, and ports must match.
+CONSOLE MESSAGE: line 36: SecurityError (DOM Exception 18): Blocked a frame with origin "http://127.0.0.1:8000" from accessing a frame with origin "http://localhost:8000". Protocols, domains, and ports must match.
+CONSOLE MESSAGE: line 43: SecurityError (DOM Exception 18): Blocked a frame with origin "http://127.0.0.1:8000" from accessing a frame with origin "http://localhost:8000". Protocols, domains, and ports must match.
+CONSOLE MESSAGE: line 50: SecurityError (DOM Exception 18): Blocked a frame with origin "http://127.0.0.1:8000" from accessing a frame with origin "http://localhost:8000". Protocols, domains, and ports must match.
 
 Tests that making other frame window a prototype doesn't expose that window methods
 
+On success, you will see a series of "PASS" messages, followed by "TEST COMPLETE".
+
+
+PASS __proto__ = targetWindow threw exception TypeError: Cannot set prototype of this object.
+PASS: successfullyParsed should be 'true' and is.
+
+TEST COMPLETE
+

trunk/LayoutTests/http/tests/security/xss-DENIED-method-with-iframe-proto.html

@@ -1 +1 @@
 <html>
 <head>
+<script src="/js-test-resources/js-test-pre.js"></script>
 <script src="resources/cross-frame-access.js"></script>
 </head>
@@ -7 +8 @@
 <pre id="console"></pre>
 <script>
-if (window.testRunner) {
-    testRunner.dumpAsText();
-    testRunner.waitUntilDone();
-}
-
-log("Tests that making other frame window a prototype doesn't expose that window methods");
+description("Tests that making other frame window a prototype doesn't expose that window methods");
+jsTestIsAsync = true;
 
 targetWindow = frames[0];
@@ -24 +21 @@
 function check() {
   shouldBeFalse('this.wasInvoked');
-  if (window.testRunner)
-      testRunner.notifyDone();
+  finishJSTest();
 }
 
@@ -31 +27 @@
   originalSetTimeout = setTimeout;
 
-  __proto__ = targetWindow;
+  shouldThrowErrorName("__proto__ = targetWindow", "TypeError");
 
   var needsCheck = false;
@@ -58 +54 @@
     originalSetTimeout(check, 10);
   } else {
-    if (window.testRunner)
-      testRunner.notifyDone();
+    finishJSTest();
   }
 }
 </script>
+<script src="/js-test-resources/js-test-post.js"></script>
 </body>
 </html>

trunk/LayoutTests/http/tests/security/xss-DENIED-non-shadowable-propterty-with-iframe-proto-expected.txt

@@ -1 +1 @@
 
 Tests that making other frame window a prototype doesn't expose that window properties
+
+On success, you will see a series of "PASS" messages, followed by "TEST COMPLETE".
+
+
+PASS __proto__ = targetWindow threw exception TypeError: Cannot set prototype of this object.
 PASS: location === originalLocation should be 'true' and is.
 PASS: this.location === originalLocation should be 'true' and is.
+PASS: successfullyParsed should be 'true' and is.
 
+TEST COMPLETE
+

trunk/LayoutTests/http/tests/security/xss-DENIED-non-shadowable-propterty-with-iframe-proto.html

@@ -1 +1 @@
 <html>
 <head>
+<script src="/js-test-resources/js-test-pre.js"></script>
 <script src="resources/cross-frame-access.js"></script>
 </head>
@@ -7 +8 @@
 <pre id="console"></pre>
 <script>
-if (window.testRunner)
-    testRunner.dumpAsText();
-
-log("Tests that making other frame window a prototype doesn't expose that window properties");
+description("Tests that making other frame window a prototype doesn't expose that window properties");
+jsTestIsAsync = true;
 
 targetWindow = frames[0];
@@ -17 +16 @@
   originalLocation = location;
 
-  __proto__ = targetWindow;
+  shouldThrowErrorName("__proto__ = targetWindow", "TypeError");
 
   shouldBeTrue('location === originalLocation');
   shouldBeTrue('this.location === originalLocation');
+  finishJSTest();
 }
 </script>
+<script src="/js-test-resources/js-test-post.js"></script>
 </body>
 </html>

trunk/LayoutTests/http/tests/security/xss-DENIED-regular-propterty-with-iframe-proto-expected.txt

@@ -1 +1 @@
 
 Tests that making other frame window a prototype doesn't expose that window properties
+
+On success, you will see a series of "PASS" messages, followed by "TEST COMPLETE".
+
+
+PASS __proto__ = targetWindow threw exception TypeError: Cannot set prototype of this object.
 PASS: innerHeight === originalInnerHeight should be 'true' and is.
 PASS: this.innerHeight === originalInnerHeight should be 'true' and is.
+PASS: successfullyParsed should be 'true' and is.
 
+TEST COMPLETE
+

trunk/LayoutTests/http/tests/security/xss-DENIED-regular-propterty-with-iframe-proto.html

@@ -1 +1 @@
 <html>
 <head>
+<script src="/js-test-resources/js-test-pre.js"></script>
 <script src="resources/cross-frame-access.js"></script>
 </head>
@@ -7 +8 @@
 <pre id="console"></pre>
 <script>
-if (window.testRunner)
-    testRunner.dumpAsText();
-
-log("Tests that making other frame window a prototype doesn't expose that window properties");
+description("Tests that making other frame window a prototype doesn't expose that window properties");
+jsTestIsAsync = true;
 
 targetWindow = frames[0];
@@ -17 +16 @@
   originalInnerHeight = innerHeight;
 
-  __proto__ = targetWindow;
+  shouldThrowErrorName("__proto__ = targetWindow", "TypeError");
 
   shouldBeTrue('innerHeight === originalInnerHeight');
   shouldBeTrue('this.innerHeight === originalInnerHeight');
+  finishJSTest();
 }
 </script>
+<script src="/js-test-resources/js-test-post.js"></script>
 </body>
 </html>

trunk/LayoutTests/js/object-literal-shorthand-construction-expected.txt

@@ -62 +62 @@
 PASS !!Object.getOwnPropertyDescriptor({set 'x'(value){}}, 'x').set is true
 PASS !!Object.getOwnPropertyDescriptor({set 42(value){}}, '42').set is true
-PASS __proto__ = []; ({__proto__: __proto__}) instanceof Array is true
-PASS __proto__ = []; ({__proto__}) instanceof Array is false
-PASS __proto__ = []; ({__proto__}).__proto__ instanceof Array is true
+PASS __proto__ = [] threw exception TypeError: Cannot set prototype of this object.
 PASS successfullyParsed is true
 

trunk/LayoutTests/js/script-tests/object-literal-shorthand-construction.js

@@ -110 +110 @@
 shouldBeTrue("!!Object.getOwnPropertyDescriptor({set 42(value){}}, '42').set");
 
-// __proto__ shorthand should be not modify the prototype.
-shouldBeTrue("__proto__ = []; ({__proto__: __proto__}) instanceof Array");
-shouldBeFalse("__proto__ = []; ({__proto__}) instanceof Array");
-shouldBeTrue("__proto__ = []; ({__proto__}).__proto__ instanceof Array");
+shouldThrowErrorName("__proto__ = []", "TypeError");

trunk/LayoutTests/js/script-tests/sloppy-getter-setter-global-object.js

@@ -34 +34 @@
 
 var top_level_sloppy_setter = Object.getOwnPropertyDescriptor(Object.prototype,'__proto__').set;
-shouldNotThrow("top_level_sloppy_setter(['foo']);");
+shouldThrowErrorName("top_level_sloppy_setter(['foo']);", "TypeError");

trunk/LayoutTests/js/sloppy-getter-setter-global-object-expected.txt

@@ -12 +12 @@
 PASS (0,Object.getOwnPropertyDescriptor(Object.prototype,'__proto__').set)(['foo']) threw exception TypeError: Can't convert undefined or null to object.
 PASS top_level_sloppy_getter(); did not throw exception.
-PASS top_level_sloppy_setter(['foo']); did not throw exception.
+PASS top_level_sloppy_setter(['foo']); threw exception TypeError: Cannot set prototype of this object.
 PASS successfullyParsed is true
 

trunk/Source/JavaScriptCore/ChangeLog

@@ +1 @@
+2016-09-02  Chris Dumez  <cdumez@apple.com>
+
+        Align proto getter / setter behavior with other browsers
+        https://bugs.webkit.org/show_bug.cgi?id=161455
+
+        Reviewed by Mark Lam.
+
+        Drop allowsAccessFrom from the methodTable and delegate cross-origin
+        checking to the DOM bindings for [[SetPrototypeOf]] / [[GetPrototypeOf]].
+        This is more consistent with other operations (e.g. [[GetOwnProperty]]).
+
+        * jsc.cpp:
+        * runtime/JSGlobalObject.cpp:
+        * runtime/JSGlobalObject.h:
+        * runtime/JSGlobalObjectFunctions.cpp:
+        (JSC::globalFuncProtoGetter):
+        (JSC::globalFuncProtoSetter):
+        (JSC::globalFuncBuiltinLog): Deleted.
+        * runtime/JSGlobalObjectFunctions.h:
+        * runtime/JSObject.h:
+        (JSC::JSObject::getArrayLength): Deleted.
+        * runtime/JSProxy.cpp:
+        (JSC::JSProxy::setPrototype):
+        (JSC::JSProxy::getPrototype):
+        * runtime/JSProxy.h:
+        * runtime/ObjectConstructor.cpp:
+        (JSC::objectConstructorGetPrototypeOf):
+        (JSC::objectConstructorSetPrototypeOf):
+        (JSC::objectConstructorGetOwnPropertyDescriptor): Deleted.
+        (JSC::objectConstructorGetOwnPropertyDescriptors): Deleted.
+        * runtime/ObjectConstructor.h:
+        * runtime/ReflectObject.cpp:
+        (JSC::reflectObjectGetPrototypeOf):
+        (JSC::reflectObjectSetPrototypeOf):
+
+        * runtime/JSObject.cpp:
+        (JSC::JSObject::setPrototypeWithCycleCheck):
+        Comment out check added in r197648. This check was added to match
+        the latest EcmaScript spec:
+        - https://tc39.github.io/ecma262/#sec-ordinarysetprototypeof (step 8)
+        This check allowed for [[Prototype]] chain cycles if the prototype
+        chain includes objects that do not use the ordinary object definitions
+        for [[GetPrototypeOf]] and [[SetPrototypeOf]].
+        The issue is that the rest of our code base does not properly handle
+        such cycles and we can end up in infinite loops. This became obvious
+        because this patch updates Window / Location so that they no longer
+        use the default [[GetPrototypeOf]] / [[SetPrototypeOf]]. If I do not
+        comment out this check, I get an infinite loop in
+        Structure::anyObjectInChainMayInterceptIndexedAccesses(), which is
+        called from JSObject::setPrototypeDirect(), when running the following
+        layout test:
+        - html/browsers/history/the-location-interface/allow_prototype_cycle_through_location.sub.html
+        I filed https://bugs.webkit.org/show_bug.cgi?id=161534 to track this
+        issue.
+
 2016-09-01  Yusuke Suzuki  <utatane.tea@gmail.com>
 

trunk/Source/JavaScriptCore/jsc.cpp

@@ -904 +904 @@
 
 const ClassInfo GlobalObject::s_info = { "global", &JSGlobalObject::s_info, nullptr, CREATE_METHOD_TABLE(GlobalObject) };
-const GlobalObjectMethodTable GlobalObject::s_globalObjectMethodTable = { &allowsAccessFrom, &supportsRichSourceInfo, &shouldInterruptScript, &javaScriptRuntimeFlags, 0, &shouldInterruptScriptBeforeTimeout, &moduleLoaderResolve, &moduleLoaderFetch, nullptr, nullptr, nullptr, nullptr };
+const GlobalObjectMethodTable GlobalObject::s_globalObjectMethodTable = { &supportsRichSourceInfo, &shouldInterruptScript, &javaScriptRuntimeFlags, 0, &shouldInterruptScriptBeforeTimeout, &moduleLoaderResolve, &moduleLoaderFetch, nullptr, nullptr, nullptr, nullptr };
 
 

trunk/Source/JavaScriptCore/runtime/JSGlobalObject.cpp

@@ -208 +208 @@
 const ClassInfo JSGlobalObject::s_info = { "GlobalObject", &Base::s_info, &globalObjectTable, CREATE_METHOD_TABLE(JSGlobalObject) };
 
-const GlobalObjectMethodTable JSGlobalObject::s_globalObjectMethodTable = { &allowsAccessFrom, &supportsRichSourceInfo, &shouldInterruptScript, &javaScriptRuntimeFlags, nullptr, &shouldInterruptScriptBeforeTimeout, nullptr, nullptr, nullptr, nullptr, nullptr, nullptr };
+const GlobalObjectMethodTable JSGlobalObject::s_globalObjectMethodTable = { &supportsRichSourceInfo, &shouldInterruptScript, &javaScriptRuntimeFlags, nullptr, &shouldInterruptScriptBeforeTimeout, nullptr, nullptr, nullptr, nullptr, nullptr, nullptr };
 
 /* Source for JSGlobalObject.lut.h

trunk/Source/JavaScriptCore/runtime/JSGlobalObject.h

@@ -149 +149 @@
 
 struct GlobalObjectMethodTable {
-    typedef bool (*AllowsAccessFromFunctionPtr)(const JSGlobalObject*, ExecState*);
-    AllowsAccessFromFunctionPtr allowsAccessFrom;
-
     typedef bool (*SupportsRichSourceInfoFunctionPtr)(const JSGlobalObject*);
     SupportsRichSourceInfoFunctionPtr supportsRichSourceInfo;
@@ -713 +710 @@
     const GlobalObjectMethodTable* globalObjectMethodTable() const { return m_globalObjectMethodTable; }
 
-    static bool allowsAccessFrom(const JSGlobalObject*, ExecState*) { return true; }
     static bool supportsRichSourceInfo(const JSGlobalObject*) { return true; }
 

trunk/Source/JavaScriptCore/runtime/JSGlobalObjectFunctions.cpp

@@ -867 +867 @@
 }
 
-class GlobalFuncProtoGetterFunctor {
-public:
-    GlobalFuncProtoGetterFunctor(ExecState* exec, JSObject* thisObject)
-        : m_exec(exec)
-        , m_hasSkippedFirstFrame(false)
-        , m_thisObject(thisObject)
-        , m_result(JSValue::encode(jsUndefined()))
-    {
-    }
-
-    EncodedJSValue result() { return m_result; }
-
-    StackVisitor::Status operator()(StackVisitor& visitor) const
-    {
-        if (!m_hasSkippedFirstFrame) {
-            m_hasSkippedFirstFrame = true;
-            return StackVisitor::Continue;
-        }
-
-        if (m_thisObject->allowsAccessFrom(visitor->callFrame()))
-            m_result = JSValue::encode(m_thisObject->getPrototype(m_exec->vm(), m_exec));
-
-        return StackVisitor::Done;
-    }
-
-private:
-    ExecState* m_exec;
-    mutable bool m_hasSkippedFirstFrame;
-    JSObject* m_thisObject;
-    mutable EncodedJSValue m_result;
-};
-
 EncodedJSValue JSC_HOST_CALL globalFuncProtoGetter(ExecState* exec)
 {
@@ -916 +884 @@
     }
 
-    GlobalFuncProtoGetterFunctor functor(exec, thisObject);
-    // This can throw but it's just unneeded extra work to check for it. The return
-    // value from this function is only used as the return value from a host call.
-    // Therefore, the return value is only used if there wasn't an exception.
-    exec->iterate(functor);
-    return functor.result();
-}
-
-class GlobalFuncProtoSetterFunctor {
-public:
-    GlobalFuncProtoSetterFunctor(JSObject* thisObject)
-        : m_hasSkippedFirstFrame(false)
-        , m_allowsAccess(false)
-        , m_thisObject(thisObject)
-    {
-    }
-
-    bool allowsAccess() const { return m_allowsAccess; }
-
-    StackVisitor::Status operator()(StackVisitor& visitor) const
-    {
-        if (!m_hasSkippedFirstFrame) {
-            m_hasSkippedFirstFrame = true;
-            return StackVisitor::Continue;
-        }
-
-        m_allowsAccess = m_thisObject->allowsAccessFrom(visitor->callFrame());
-        return StackVisitor::Done;
-    }
-
-private:
-    mutable bool m_hasSkippedFirstFrame;
-    mutable bool m_allowsAccess;
-    JSObject* m_thisObject;
-};
-
-bool checkProtoSetterAccessAllowed(ExecState* exec, JSObject* object)
-{
-    GlobalFuncProtoSetterFunctor functor(object);
-    exec->iterate(functor);
-    return functor.allowsAccess();
+    return JSValue::encode(thisObject->getPrototype(vm, exec));
 }
 
@@ -975 +903 @@
         return JSValue::encode(jsUndefined());
 
-    if (!checkProtoSetterAccessAllowed(exec, thisObject))
-        return JSValue::encode(jsUndefined());
-
     // Setting __proto__ to a non-object, non-null value is silently ignored to match Mozilla.
     if (!value.isObject() && !value.isNull())

trunk/Source/JavaScriptCore/runtime/JSGlobalObjectFunctions.h

@@ -53 +53 @@
 EncodedJSValue JSC_HOST_CALL globalFuncBuiltinLog(ExecState*);
 
-bool checkProtoSetterAccessAllowed(ExecState*, JSObject*);
-
 static const double mantissaOverflowLowerBound = 9007199254740992.0;
 double parseIntOverflow(const LChar*, unsigned length, int radix);

trunk/Source/JavaScriptCore/runtime/JSObject.cpp

@@ -1372 +1372 @@
 
     JSValue nextPrototype = prototype;
-    MethodTable::GetPrototypeFunctionPtr defaultGetPrototype = JSObject::getPrototype;
     while (nextPrototype && nextPrototype.isObject()) {
         if (nextPrototype == this) {
@@ -1379 +1378 @@
             return false;
         }
-        if (UNLIKELY(asObject(nextPrototype)->methodTable(vm)->getPrototype != defaultGetPrototype))
-            break; // We're done. Set the prototype.
+        // FIXME: The specification says we should do this but this allows for cycles and our
+        // code base currently does not deal properly with such cycles.
+        // https://bugs.webkit.org/show_bug.cgi?id=161534
+        // if (UNLIKELY(asObject(nextPrototype)->methodTable(vm)->getPrototype != JSObject::getPrototype))
+        //    break; // We're done. Set the prototype.
         nextPrototype = asObject(nextPrototype)->getPrototypeDirect();
     }
@@ -1400 +1402 @@
 {
     return methodTable(vm)->setPrototype(this, exec, prototype, shouldThrowIfCantSet);
-}
-
-bool JSObject::allowsAccessFrom(ExecState* exec)
-{
-    JSGlobalObject* globalObject = this->globalObject();
-    return globalObject->globalObjectMethodTable()->allowsAccessFrom(globalObject, exec);
 }
 

trunk/Source/JavaScriptCore/runtime/JSObject.h

@@ -169 +169 @@
     JS_EXPORT_PRIVATE bool getOwnPropertyDescriptor(ExecState*, PropertyName, PropertyDescriptor&);
 
-    JS_EXPORT_PRIVATE bool allowsAccessFrom(ExecState*);
-
     unsigned getArrayLength() const
     {

trunk/Source/JavaScriptCore/runtime/JSProxy.cpp

@@ -140 +140 @@
 }
 
+bool JSProxy::setPrototype(JSObject* object, ExecState* exec, JSValue value, bool shouldThrowIfCantSet)
+{
+    JSProxy* thisObject = jsCast<JSProxy*>(object);
+    return thisObject->target()->methodTable(exec->vm())->setPrototype(thisObject->target(), exec, value, shouldThrowIfCantSet);
+}
+
+JSValue JSProxy::getPrototype(JSObject* object, ExecState* exec)
+{
+    JSProxy* thisObject = jsCast<JSProxy*>(object);
+    return thisObject->target()->methodTable(exec->vm())->getPrototype(thisObject->target(), exec);
+}
+
 } // namespace JSC

trunk/Source/JavaScriptCore/runtime/JSProxy.h

@@ -95 +95 @@
     JS_EXPORT_PRIVATE static void getGenericPropertyNames(JSObject*, ExecState*, PropertyNameArray&, EnumerationMode);
     JS_EXPORT_PRIVATE static bool defineOwnProperty(JSObject*, ExecState*, PropertyName, const PropertyDescriptor&, bool shouldThrow);
+    JS_EXPORT_PRIVATE static bool setPrototype(JSObject*, ExecState*, JSValue, bool shouldThrowIfCantSet);
+    JS_EXPORT_PRIVATE static JSValue getPrototype(JSObject*, ExecState*);
 
 private:

trunk/Source/JavaScriptCore/runtime/ObjectConstructor.cpp

@@ -167 +167 @@
 }
 
-class ObjectConstructorGetPrototypeOfFunctor {
-public:
-    ObjectConstructorGetPrototypeOfFunctor(ExecState* exec, JSObject* object)
-        : m_exec(exec)
-        , m_hasSkippedFirstFrame(false)
-        , m_object(object)
-        , m_result(jsUndefined())
-    {
-    }
-
-    JSValue result() const { return m_result; }
-
-    StackVisitor::Status operator()(StackVisitor& visitor) const
-    {
-        if (!m_hasSkippedFirstFrame) {
-            m_hasSkippedFirstFrame = true;
-            return StackVisitor::Continue;
-        }
-
-        if (m_object->allowsAccessFrom(visitor->callFrame()))
-            m_result = m_object->getPrototype(m_exec->vm(), m_exec);
-        else
-            m_result = jsNull();
-        return StackVisitor::Done;
-    }
-
-private:
-    ExecState* m_exec;
-    mutable bool m_hasSkippedFirstFrame;
-    JSObject* m_object;
-    mutable JSValue m_result;
-};
-
-JSValue objectConstructorGetPrototypeOf(ExecState* exec, JSObject* object)
-{
-    ObjectConstructorGetPrototypeOfFunctor functor(exec, object);
-    // This can throw but it's just unneeded extra work to check for it. The return
-    // value from this function is only used as the return value from a host call.
-    // Therefore, the return value is only used if there wasn't an exception.
-    exec->iterate(functor);
-    return functor.result();
-}
-
 EncodedJSValue JSC_HOST_CALL objectConstructorGetPrototypeOf(ExecState* exec)
 {
@@ -215 +172 @@
     if (exec->hadException())
         return JSValue::encode(jsUndefined());
-    return JSValue::encode(objectConstructorGetPrototypeOf(exec, object));
+    return JSValue::encode(object->getPrototype(exec->vm(), exec));
 }
 
@@ -234 +191 @@
     if (exec->hadException())
         return JSValue::encode(objectValue);
-
-    if (!checkProtoSetterAccessAllowed(exec, object)) {
-        throwTypeError(exec, scope, ASCIILiteral("Permission denied"));
-        return JSValue::encode(objectValue);
-    }
 
     bool shouldThrowIfCantSet = true;

trunk/Source/JavaScriptCore/runtime/ObjectConstructor.h

@@ -125 +125 @@
 
 JS_EXPORT_PRIVATE JSObject* objectConstructorFreeze(ExecState*, JSObject*);
-JSValue objectConstructorGetPrototypeOf(ExecState*, JSObject*);
 JSValue objectConstructorGetOwnPropertyDescriptor(ExecState*, JSObject*, const Identifier&);
 JSValue objectConstructorGetOwnPropertyDescriptors(ExecState*, JSObject*);

trunk/Source/JavaScriptCore/runtime/ReflectObject.cpp

@@ -216 +216 @@
     if (!target.isObject())
         return JSValue::encode(throwTypeError(exec, scope, ASCIILiteral("Reflect.getPrototypeOf requires the first argument be an object")));
-    return JSValue::encode(objectConstructorGetPrototypeOf(exec, asObject(target)));
+    return JSValue::encode(asObject(target)->getPrototype(exec->vm(), exec));
 }
 
@@ -302 +302 @@
 
     JSObject* object = asObject(target);
-
-    if (!checkProtoSetterAccessAllowed(exec, object))
-        return JSValue::encode(jsBoolean(false));
 
     bool shouldThrowIfCantSet = false;

trunk/Source/WebCore/ChangeLog

@@ +1 @@
+2016-09-02  Chris Dumez  <cdumez@apple.com>
+
+        Align proto getter / setter behavior with other browsers
+        https://bugs.webkit.org/show_bug.cgi?id=161455
+
+        Reviewed by Mark Lam.
+
+        Align cross-origin __proto__ getter / setter behavior with other
+        browsers and the specification:
+
+        [[SetPrototypeOf]] should throw a TypeError:
+        - https://html.spec.whatwg.org/#windowproxy-setprototypeof
+        - https://html.spec.whatwg.org/#location-setprototypeof
+        - https://tc39.github.io/ecma262/#sec-object.setprototypeof (step 5)
+
+        [[GetPrototypeOf]] should return null cross-origin:
+        - https://html.spec.whatwg.org/#windowproxy-getprototypeof
+        - https://html.spec.whatwg.org/#location-getprototypeof
+
+        Test: js/dom/setPrototypeOf-location-window.html
+
+        * bindings/js/JSDOMWindowBase.cpp:
+        (WebCore::JSDOMWindowBase::JSDOMWindowBase): Deleted.
+        * bindings/js/JSDOMWindowCustom.cpp:
+        (WebCore::JSDOMWindow::setPrototype):
+        (WebCore::JSDOMWindow::getPrototype):
+        * bindings/js/JSLocationCustom.cpp:
+        (WebCore::JSLocation::setPrototype):
+        (WebCore::JSLocation::getPrototype):
+        * bindings/js/JSWorkerGlobalScopeBase.cpp:
+        (WebCore::JSWorkerGlobalScopeBase::supportsRichSourceInfo): Deleted.
+        * bindings/js/JSWorkerGlobalScopeBase.h:
+        * bindings/scripts/CodeGeneratorJS.pm:
+        (GenerateHeader):
+        * bindings/scripts/IDLAttributes.txt:
+        * page/DOMWindow.idl:
+        * page/Location.idl:
+
 2016-09-02  Eric Carlson  <eric.carlson@apple.com>
 

trunk/Source/WebCore/bindings/js/JSDOMWindowBase.cpp

@@ -58 +58 @@
 namespace WebCore {
 
-static bool shouldAllowAccessFrom(const JSGlobalObject* thisObject, ExecState* exec)
-{
-    return BindingSecurity::shouldAllowAccessToDOMWindow(exec, asJSDOMWindow(thisObject)->wrapped());
-}
-
 const ClassInfo JSDOMWindowBase::s_info = { "Window", &JSDOMGlobalObject::s_info, 0, CREATE_METHOD_TABLE(JSDOMWindowBase) };
 
-const GlobalObjectMethodTable JSDOMWindowBase::s_globalObjectMethodTable = { &shouldAllowAccessFrom, &supportsRichSourceInfo, &shouldInterruptScript, &javaScriptRuntimeFlags, &queueTaskToEventLoop, &shouldInterruptScriptBeforeTimeout, &moduleLoaderResolve, &moduleLoaderFetch, nullptr, nullptr, &moduleLoaderEvaluate, &defaultLanguage };
+const GlobalObjectMethodTable JSDOMWindowBase::s_globalObjectMethodTable = { &supportsRichSourceInfo, &shouldInterruptScript, &javaScriptRuntimeFlags, &queueTaskToEventLoop, &shouldInterruptScriptBeforeTimeout, &moduleLoaderResolve, &moduleLoaderFetch, nullptr, nullptr, &moduleLoaderEvaluate, &defaultLanguage };
 
 JSDOMWindowBase::JSDOMWindowBase(VM& vm, Structure* structure, RefPtr<DOMWindow>&& window, JSDOMWindowShell* shell)

trunk/Source/WebCore/bindings/js/JSDOMWindowCustom.cpp

@@ -343 +343 @@
 }
 
+bool JSDOMWindow::setPrototype(JSObject*, ExecState* exec, JSValue, bool shouldThrowIfCantSet)
+{
+    auto scope = DECLARE_THROW_SCOPE(exec->vm());
+
+    if (shouldThrowIfCantSet)
+        throwTypeError(exec, scope, ASCIILiteral("Cannot set prototype of this object"));
+
+    return false;
+}
+
+JSValue JSDOMWindow::getPrototype(JSObject* object, ExecState* exec)
+{
+    JSDOMWindow* thisObject = jsCast<JSDOMWindow*>(object);
+    if (!BindingSecurity::shouldAllowAccessToDOMWindow(exec, thisObject->wrapped(), DoNotReportSecurityError))
+        return jsNull();
+
+    return Base::getPrototype(object, exec);
+}
+
 // Custom Attributes
 

trunk/Source/WebCore/bindings/js/JSLocationCustom.cpp

@@ -125 +125 @@
 }
 
+bool JSLocation::setPrototype(JSObject*, ExecState* exec, JSValue, bool shouldThrowIfCantSet)
+{
+    auto scope = DECLARE_THROW_SCOPE(exec->vm());
+
+    if (shouldThrowIfCantSet)
+        throwTypeError(exec, scope, ASCIILiteral("Cannot set prototype of this object"));
+
+    return false;
+}
+
+JSValue JSLocation::getPrototype(JSObject* object, ExecState* exec)
+{
+    JSLocation* thisObject = jsCast<JSLocation*>(object);
+    if (!BindingSecurity::shouldAllowAccessToFrame(exec, thisObject->wrapped().frame(), DoNotReportSecurityError))
+        return jsNull();
+
+    return Base::getPrototype(object, exec);
+}
+
 bool JSLocationPrototype::putDelegate(ExecState* exec, PropertyName propertyName, JSValue, PutPropertySlot&, bool& putResult)
 {

trunk/Source/WebCore/bindings/js/JSWorkerGlobalScopeBase.cpp

@@ -46 +46 @@
 const ClassInfo JSWorkerGlobalScopeBase::s_info = { "WorkerGlobalScope", &JSDOMGlobalObject::s_info, 0, CREATE_METHOD_TABLE(JSWorkerGlobalScopeBase) };
 
-const GlobalObjectMethodTable JSWorkerGlobalScopeBase::s_globalObjectMethodTable = { &allowsAccessFrom, &supportsRichSourceInfo, &shouldInterruptScript, &javaScriptRuntimeFlags, &queueTaskToEventLoop, &shouldInterruptScriptBeforeTimeout, nullptr, nullptr, nullptr, nullptr, nullptr, &defaultLanguage };
+const GlobalObjectMethodTable JSWorkerGlobalScopeBase::s_globalObjectMethodTable = { &supportsRichSourceInfo, &shouldInterruptScript, &javaScriptRuntimeFlags, &queueTaskToEventLoop, &shouldInterruptScriptBeforeTimeout, nullptr, nullptr, nullptr, nullptr, nullptr, &defaultLanguage };
 
 JSWorkerGlobalScopeBase::JSWorkerGlobalScopeBase(JSC::VM& vm, JSC::Structure* structure, RefPtr<WorkerGlobalScope>&& impl)
@@ -78 +78 @@
 {
     return m_wrapped.get();
-}
-
-bool JSWorkerGlobalScopeBase::allowsAccessFrom(const JSGlobalObject* object, ExecState* exec)
-{
-    return JSGlobalObject::allowsAccessFrom(object, exec);
 }
 

trunk/Source/WebCore/bindings/js/JSWorkerGlobalScopeBase.h

@@ -54 +54 @@
         static const JSC::GlobalObjectMethodTable s_globalObjectMethodTable;
 
-        static bool allowsAccessFrom(const JSC::JSGlobalObject*, JSC::ExecState*);
         static bool supportsRichSourceInfo(const JSC::JSGlobalObject*);
         static bool shouldInterruptScript(const JSC::JSGlobalObject*);

trunk/Source/WebCore/bindings/scripts/CodeGeneratorJS.pm

@@ -1322 +1322 @@
     # Custom defineOwnProperty function
     push(@headerContent, "    static bool defineOwnProperty(JSC::JSObject*, JSC::ExecState*, JSC::PropertyName, const JSC::PropertyDescriptor&, bool shouldThrow);\n") if $interface->extendedAttributes->{"JSCustomDefineOwnProperty"};
+
+    # Custom getPrototype / setPrototype functions.
+    push (@headerContent, "    static JSC::JSValue getPrototype(JSC::JSObject*, JSC::ExecState*);\n") if $interface->extendedAttributes->{"CustomGetPrototype"};
+    push (@headerContent, "    static bool setPrototype(JSC::JSObject*, JSC::ExecState*, JSC::JSValue, bool shouldThrowIfCantSet);\n") if $interface->extendedAttributes->{"CustomSetPrototype"};
 
     # Override toBoolean to return false for objects that want to 'MasqueradesAsUndefined'.

trunk/Source/WebCore/bindings/scripts/IDLAttributes.txt

@@ -42 +42 @@
 CustomEnumerateProperty
 CustomGetOwnPropertySlot
+CustomGetPrototype
 CustomGetter
 CustomIndexedSetter
@@ -50 +51 @@
 CustomPutFunction
 CustomReturn
+CustomSetPrototype
 CustomSetter
 CustomToJSObject

trunk/Source/WebCore/page/DOMWindow.idl

@@ -30 +30 @@
     CustomEnumerateProperty,
     CustomGetOwnPropertySlot,
+    CustomGetPrototype,
     CustomProxyToJSObject,
     CustomPutFunction,
+    CustomSetPrototype,
     ExportMacro=WEBCORE_EXPORT,
     ImplicitThis,

trunk/Source/WebCore/page/Location.idl

@@ -31 +31 @@
     CustomDeleteProperty,
     CustomEnumerateProperty,
+    CustomGetPrototype,
     CustomNamedSetter,
+    CustomSetPrototype,
     GenerateIsReachable=ImplFrame,
     JSCustomDefineOwnProperty,