Changeset 239583 in webkit

Timestamp:

Jan 2, 2019 7:48:19 PM (5 years ago)

Author:

webkit@devinrousso.com

Message:

Web Inspector: Implement queryObjects Command Line API
​https://bugs.webkit.org/show_bug.cgi?id=176766
<rdar://problem/34890689>

Reviewed by Joseph Pecoraro.

Source/JavaScriptCore:

Introduces a new Command Line function called queryObjects that will return an array of
object that have the given constructor/prototype argument in their prototype chain.

• queryObjects(Promise) will return an array of all Promises.
• queryObjects(Foo) will return all objects created with the constructor Foo.

Currently, an error is thrown if the first argument is one of the following:

• Object
• Object.prototype
• Function
• Function.prototype
• Array
• Array.prototype
• Map
• Map.prototype
• Set
• Set.prototype
• Proxy

The reason for this is that we don't want to expose any internal/builtin objects, as some of
them are highly sensitive and undefined behaviour can occur if they are modified.

• inspector/JSInjectedScriptHost.h:
• inspector/JSInjectedScriptHost.cpp:

(Inspector::checkForbiddenPrototype): Added.
(Inspector::JSInjectedScriptHost::queryObjects): Added.
Does a GC and then iterates over all live JSCell in the heap to find these objects.

• inspector/JSInjectedScriptHostPrototype.cpp:

(Inspector::JSInjectedScriptHostPrototype::finishCreation):
(Inspector::jsInjectedScriptHostPrototypeFunctionQueryObjects): Added.

• inspector/InjectedScriptSource.js:

(queryObjects): Added.

• runtime/JSGlobalObject.h:

(JSC::JSGlobalObject::promisePrototype): Added.

Source/WebCore:

Test: inspector/console/queryObjects.html

• inspector/CommandLineAPIModuleSource.js:

(CommandLineAPI):
(CommandLineAPIImpl.prototype.queryObjects): Added.

Source/WebInspectorUI:

• UserInterface/Controllers/JavaScriptRuntimeCompletionProvider.js:

(WI.JavaScriptRuntimeCompletionProvider.completionControllerCompletionsNeeded.receivedPropertyNames):
Add queryObjects to the list of command line functions.

LayoutTests:

• inspector/console/queryObjects-expected.html: Added.
• inspector/console/queryObjects.html: Added.

• http/tests/inspector/console/cross-domain-inspected-node-access-expected.txt:

Location:

trunk

Files:

• LayoutTests/ChangeLog (modified) (1 diff)
• LayoutTests/http/tests/inspector/dom/cross-domain-inspected-node-access-expected.txt (modified) (1 diff)
• LayoutTests/inspector/console/queryObjects-expected.txt (added)
• LayoutTests/inspector/console/queryObjects.html (added)
• Source/JavaScriptCore/ChangeLog (modified) (1 diff)
• Source/JavaScriptCore/inspector/InjectedScriptSource.js (modified) (1 diff)
• Source/JavaScriptCore/inspector/JSInjectedScriptHost.cpp (modified) (5 diffs)
• Source/JavaScriptCore/inspector/JSInjectedScriptHost.h (modified) (1 diff)
• Source/JavaScriptCore/inspector/JSInjectedScriptHostPrototype.cpp (modified) (3 diffs)
• Source/JavaScriptCore/runtime/JSGlobalObject.h (modified) (1 diff)
• Source/WebCore/ChangeLog (modified) (1 diff)
• Source/WebCore/inspector/CommandLineAPIModuleSource.js (modified) (3 diffs)
• Source/WebInspectorUI/ChangeLog (modified) (1 diff)
• Source/WebInspectorUI/UserInterface/Controllers/JavaScriptRuntimeCompletionProvider.js (modified) (3 diffs)

trunk/LayoutTests/ChangeLog

@@ +1 @@
+2019-01-02  Devin Rousso  <webkit@devinrousso.com>
+
+        Web Inspector: Implement `queryObjects` Command Line API
+        https://bugs.webkit.org/show_bug.cgi?id=176766
+        <rdar://problem/34890689>
+
+        Reviewed by Joseph Pecoraro.
+
+        * inspector/console/queryObjects-expected.html: Added.
+        * inspector/console/queryObjects.html: Added.
+
+        * http/tests/inspector/console/cross-domain-inspected-node-access-expected.txt:
+
 2019-01-02  Charles Vazac  <cvazac@gmail.com>
 

trunk/LayoutTests/http/tests/inspector/dom/cross-domain-inspected-node-access-expected.txt

@@ -1 @@
-CONSOLE MESSAGE: line 42: Blocked a frame with origin "http://127.0.0.1:8000" from accessing a frame with origin "http://localhost:8000". Protocols, domains, and ports must match.
-CONSOLE MESSAGE: line 42: Blocked a frame with origin "http://localhost:8000" from accessing a frame with origin "http://127.0.0.1:8000". Protocols, domains, and ports must match.
+CONSOLE MESSAGE: line 43: Blocked a frame with origin "http://127.0.0.1:8000" from accessing a frame with origin "http://localhost:8000". Protocols, domains, and ports must match.
+CONSOLE MESSAGE: line 43: Blocked a frame with origin "http://localhost:8000" from accessing a frame with origin "http://127.0.0.1:8000". Protocols, domains, and ports must match.
 Test that code evaluated in the main frame cannot access $0 that resolves to a node in a frame from a different domain. Bug 105423.
 

trunk/Source/JavaScriptCore/ChangeLog

@@ +1 @@
+2019-01-02  Devin Rousso  <webkit@devinrousso.com>
+
+        Web Inspector: Implement `queryObjects` Command Line API
+        https://bugs.webkit.org/show_bug.cgi?id=176766
+        <rdar://problem/34890689>
+
+        Reviewed by Joseph Pecoraro.
+
+        Introduces a new Command Line function called `queryObjects` that will return an array of
+        object that have the given constructor/prototype argument in their prototype chain.
+         - `queryObjects(Promise)` will return an array of all Promises.
+         - `queryObjects(Foo)` will return all objects created with the constructor `Foo`.
+
+        Currently, an error is thrown if the first argument is one of the following:
+         - Object
+         - Object.prototype
+         - Function
+         - Function.prototype
+         - Array
+         - Array.prototype
+         - Map
+         - Map.prototype
+         - Set
+         - Set.prototype
+         - Proxy
+
+        The reason for this is that we don't want to expose any internal/builtin objects, as some of
+        them are highly sensitive and undefined behaviour can occur if they are modified.
+
+        * inspector/JSInjectedScriptHost.h:
+        * inspector/JSInjectedScriptHost.cpp:
+        (Inspector::checkForbiddenPrototype): Added.
+        (Inspector::JSInjectedScriptHost::queryObjects): Added.
+        Does a GC and then iterates over all live JSCell in the heap to find these objects.
+
+        * inspector/JSInjectedScriptHostPrototype.cpp:
+        (Inspector::JSInjectedScriptHostPrototype::finishCreation):
+        (Inspector::jsInjectedScriptHostPrototypeFunctionQueryObjects): Added.
+
+        * inspector/InjectedScriptSource.js:
+        (queryObjects): Added.
+
+        * runtime/JSGlobalObject.h:
+        (JSC::JSGlobalObject::promisePrototype): Added.
+
 2018-12-31  Keith Miller  <keith_miller@apple.com>
 

trunk/Source/JavaScriptCore/inspector/InjectedScriptSource.js

@@ -1448 +1448 @@
         return result;
     },
+
+    function queryObjects() {
+        return InjectedScriptHost.queryObjects(...arguments);
+    },
 ];
 

trunk/Source/JavaScriptCore/inspector/JSInjectedScriptHost.cpp

@@ -28 +28 @@
 
 #include "ArrayIteratorPrototype.h"
+#include "ArrayPrototype.h"
 #include "BuiltinNames.h"
 #include "Completion.h"
@@ -33 +34 @@
 #include "DirectArguments.h"
 #include "Error.h"
+#include "FunctionPrototype.h"
+#include "HeapIterationScope.h"
 #include "InjectedScriptHost.h"
 #include "IterationKind.h"
@@ -45 +48 @@
 #include "JSMap.h"
 #include "JSPromise.h"
+#include "JSPromisePrototype.h"
 #include "JSSet.h"
 #include "JSStringIterator.h"
@@ -52 +56 @@
 #include "JSWithScope.h"
 #include "MapIteratorPrototype.h"
+#include "MapPrototype.h"
+#include "MarkedSpaceInlines.h"
 #include "ObjectConstructor.h"
+#include "ObjectPrototype.h"
 #include "ProxyObject.h"
 #include "RegExpObject.h"
 #include "ScopedArguments.h"
 #include "SetIteratorPrototype.h"
+#include "SetPrototype.h"
 #include "SourceCode.h"
 #include "TypedArrayInlines.h"
@@ -622 +630 @@
 }
 
+static bool checkForbiddenPrototype(ExecState* exec, JSValue value, JSValue proto)
+{
+    if (value == proto)
+        return true;
+
+    // Check that the prototype chain of proto hasn't been modified to include value.
+    return JSObject::defaultHasInstance(exec, proto, value);
+}
+
+JSValue JSInjectedScriptHost::queryObjects(ExecState* exec)
+{
+    if (exec->argumentCount() < 1)
+        return jsUndefined();
+
+    VM& vm = exec->vm();
+    auto scope = DECLARE_THROW_SCOPE(vm);
+
+    JSValue prototypeOrConstructor = exec->uncheckedArgument(0);
+    if (!prototypeOrConstructor.isObject())
+        return throwTypeError(exec, scope, "queryObjects first argument must be an object."_s);
+
+    JSObject* object = asObject(prototypeOrConstructor);
+    if (object->inherits<ProxyObject>(vm))
+        return throwTypeError(exec, scope, "queryObjects cannot be called with a Proxy."_s);
+
+    JSValue prototype = object;
+
+    PropertySlot prototypeSlot(object, PropertySlot::InternalMethodType::VMInquiry);
+    if (object->getPropertySlot(exec, vm.propertyNames->prototype, prototypeSlot)) {
+        RETURN_IF_EXCEPTION(scope, { });
+        if (prototypeSlot.isValue()) {
+            JSValue prototypeValue = prototypeSlot.getValue(exec, vm.propertyNames->prototype);
+            if (prototypeValue.isObject()) {
+                prototype = prototypeValue;
+                object = asObject(prototype);
+            }
+        }
+    }
+
+    if (object->inherits<ProxyObject>(vm) || prototype.inherits<ProxyObject>(vm))
+        return throwTypeError(exec, scope, "queryObjects cannot be called with a Proxy."_s);
+
+    // FIXME: implement a way of distinguishing between internal and user-created objects.
+    JSGlobalObject* lexicalGlobalObject = exec->lexicalGlobalObject();
+    if (checkForbiddenPrototype(exec, object, lexicalGlobalObject->objectPrototype()))
+        return throwTypeError(exec, scope, "queryObjects cannot be called with Object."_s);
+    if (checkForbiddenPrototype(exec, object, lexicalGlobalObject->functionPrototype()))
+        return throwTypeError(exec, scope, "queryObjects cannot be called with Function."_s);
+    if (checkForbiddenPrototype(exec, object, lexicalGlobalObject->arrayPrototype()))
+        return throwTypeError(exec, scope, "queryObjects cannot be called with Array."_s);
+    if (checkForbiddenPrototype(exec, object, lexicalGlobalObject->mapPrototype()))
+        return throwTypeError(exec, scope, "queryObjects cannot be called with Map."_s);
+    if (checkForbiddenPrototype(exec, object, lexicalGlobalObject->jsSetPrototype()))
+        return throwTypeError(exec, scope, "queryObjects cannot be called with Set."_s);
+    if (checkForbiddenPrototype(exec, object, lexicalGlobalObject->promisePrototype()))
+        return throwTypeError(exec, scope, "queryObjects cannot be called with Promise."_s);
+
+    sanitizeStackForVM(&vm);
+    vm.heap.collectNow(Sync, CollectionScope::Full);
+
+    JSArray* array = constructEmptyArray(exec, nullptr);
+    RETURN_IF_EXCEPTION(scope, { });
+
+    {
+        HeapIterationScope iterationScope(vm.heap);
+        vm.heap.objectSpace().forEachLiveCell(iterationScope, [&] (HeapCell* cell, HeapCell::Kind kind) {
+            if (!isJSCellKind(kind))
+                return IterationStatus::Continue;
+
+            JSValue value(static_cast<JSCell*>(cell));
+            if (value.inherits<ProxyObject>(vm))
+                return IterationStatus::Continue;
+
+            if (JSObject::defaultHasInstance(exec, value, prototype))
+                array->putDirectIndex(exec, array->length(), value);
+
+            return IterationStatus::Continue;
+        });
+    }
+
+    return array;
+}
+
 } // namespace Inspector

trunk/Source/JavaScriptCore/inspector/JSInjectedScriptHost.h

@@ -72 +72 @@
     JSC::JSValue weakSetEntries(JSC::ExecState*);
     JSC::JSValue iteratorEntries(JSC::ExecState*);
+    JSC::JSValue queryObjects(JSC::ExecState*);
 
 protected:

trunk/Source/JavaScriptCore/inspector/JSInjectedScriptHostPrototype.cpp

@@ -50 +50 @@
 static EncodedJSValue JSC_HOST_CALL jsInjectedScriptHostPrototypeFunctionWeakSetEntries(ExecState*);
 static EncodedJSValue JSC_HOST_CALL jsInjectedScriptHostPrototypeFunctionIteratorEntries(ExecState*);
+static EncodedJSValue JSC_HOST_CALL jsInjectedScriptHostPrototypeFunctionQueryObjects(ExecState*);
 static EncodedJSValue JSC_HOST_CALL jsInjectedScriptHostPrototypeFunctionEvaluateWithScopeExtension(ExecState*);
 
@@ -73 +74 @@
     JSC_NATIVE_FUNCTION_WITHOUT_TRANSITION("weakSetEntries", jsInjectedScriptHostPrototypeFunctionWeakSetEntries, static_cast<unsigned>(PropertyAttribute::DontEnum), 1);
     JSC_NATIVE_FUNCTION_WITHOUT_TRANSITION("iteratorEntries", jsInjectedScriptHostPrototypeFunctionIteratorEntries, static_cast<unsigned>(PropertyAttribute::DontEnum), 1);
+    JSC_NATIVE_FUNCTION_WITHOUT_TRANSITION("queryObjects", jsInjectedScriptHostPrototypeFunctionQueryObjects, static_cast<unsigned>(PropertyAttribute::DontEnum), 1);
     JSC_NATIVE_FUNCTION_WITHOUT_TRANSITION("evaluateWithScopeExtension", jsInjectedScriptHostPrototypeFunctionEvaluateWithScopeExtension, static_cast<unsigned>(PropertyAttribute::DontEnum), 1);
 
@@ -195 +197 @@
 }
 
+EncodedJSValue JSC_HOST_CALL jsInjectedScriptHostPrototypeFunctionQueryObjects(ExecState* exec)
+{
+    VM& vm = exec->vm();
+    auto scope = DECLARE_THROW_SCOPE(vm);
+
+    JSValue thisValue = exec->thisValue();
+    JSInjectedScriptHost* castedThis = jsDynamicCast<JSInjectedScriptHost*>(vm, thisValue);
+    if (!castedThis)
+        return throwVMTypeError(exec, scope);
+
+    return JSValue::encode(castedThis->queryObjects(exec));
+}
+
 EncodedJSValue JSC_HOST_CALL jsInjectedScriptHostPrototypeFunctionEvaluateWithScopeExtension(ExecState* exec)
 {

trunk/Source/JavaScriptCore/runtime/JSGlobalObject.h

@@ -617 +617 @@
     // Workaround for the name conflict between JSCell::setPrototype.
     SetPrototype* jsSetPrototype() const { return m_setPrototype.get(); }
+    JSPromisePrototype* promisePrototype() const { return m_promisePrototype.get(); }
     AsyncGeneratorPrototype* asyncGeneratorPrototype() const { return m_asyncGeneratorPrototype.get(); }
     AsyncGeneratorFunctionPrototype* asyncGeneratorFunctionPrototype() const { return m_asyncGeneratorFunctionPrototype.get(); }

trunk/Source/WebCore/ChangeLog

@@ +1 @@
+2019-01-02  Devin Rousso  <webkit@devinrousso.com>
+
+        Web Inspector: Implement `queryObjects` Command Line API
+        https://bugs.webkit.org/show_bug.cgi?id=176766
+        <rdar://problem/34890689>
+
+        Reviewed by Joseph Pecoraro.
+
+        Test: inspector/console/queryObjects.html
+
+        * inspector/CommandLineAPIModuleSource.js:
+        (CommandLineAPI):
+        (CommandLineAPIImpl.prototype.queryObjects): Added.
+
 2019-01-02  Charles Vazac  <cvazac@gmail.com>
 

trunk/Source/WebCore/inspector/CommandLineAPIModuleSource.js

@@ -58 +58 @@
 
     // Command Line API methods.
-    for (let member of CommandLineAPI.members_) {
-        this[member] = bind(commandLineAPIImpl[member], commandLineAPIImpl);
-        this[member].toString = function() { return "function " + member + "() { [Command Line API] }" };
+    for (let i = 0; i < CommandLineAPI.methods.length; ++i) {
+        let method = CommandLineAPI.methods[i];
+        this[method] = bind(commandLineAPIImpl[method], commandLineAPIImpl);
+        this[method].toString = function() { return "function " + method + "() { [Command Line API] }" };
     }
 }
@@ -68 +69 @@
  * @const
  */
-CommandLineAPI.members_ = [
-    "$", "$$", "$x", "dir", "dirxml", "keys", "values", "profile", "profileEnd", "table",
-    "monitorEvents", "unmonitorEvents", "inspect", "copy", "clear", "getEventListeners"
+CommandLineAPI.methods = [
+    "$",
+    "$$",
+    "$x",
+    "clear",
+    "copy",
+    "dir",
+    "dirxml",
+    "getEventListeners",
+    "inspect",
+    "keys",
+    "monitorEvents",
+    "profile",
+    "profileEnd",
+    "queryObjects",
+    "table",
+    "unmonitorEvents",
+    "values",
 ];
 
@@ -220 +236 @@
     {
         return this._inspect(object);
+    },
+
+    queryObjects()
+    {
+        return InjectedScriptHost.queryObjects(...arguments);
     },
 

trunk/Source/WebInspectorUI/ChangeLog

@@ +1 @@
+2019-01-02  Devin Rousso  <webkit@devinrousso.com>
+
+        Web Inspector: Implement `queryObjects` Command Line API
+        https://bugs.webkit.org/show_bug.cgi?id=176766
+        <rdar://problem/34890689>
+
+        Reviewed by Joseph Pecoraro.
+
+        * UserInterface/Controllers/JavaScriptRuntimeCompletionProvider.js:
+        (WI.JavaScriptRuntimeCompletionProvider.completionControllerCompletionsNeeded.receivedPropertyNames):
+        Add `queryObjects` to the list of command line functions.
+
 2018-12-21  Devin Rousso  <drousso@apple.com>
 

trunk/Source/WebInspectorUI/UserInterface/Controllers/JavaScriptRuntimeCompletionProvider.js

@@ -219 +219 @@
 
             if (!base) {
-                var commandLineAPI = ["$", "$$", "$x", "dir", "dirxml", "keys", "values", "profile", "profileEnd", "monitorEvents", "unmonitorEvents", "inspect", "copy", "clear", "getEventListeners", "$0", "$_"];
+                let commandLineAPI = WI.JavaScriptRuntimeCompletionProvider._commandLineAPI.slice(0);
                 if (WI.debuggerManager.paused) {
                     let targetData = WI.debuggerManager.dataForTarget(WI.runtimeManager.activeExecutionContext.target);
@@ -225 +225 @@
                         commandLineAPI.push("$exception");
                 }
-                for (var i = 0; i < commandLineAPI.length; ++i)
-                    propertyNames[commandLineAPI[i]] = true;
+                for (let name of commandLineAPI)
+                    propertyNames[name] = true;
 
                 // FIXME: Due to caching, sometimes old $n values show up as completion results even though they are not available. We should clear that proactively.
@@ -302 +302 @@
     }
 };
+
+WI.JavaScriptRuntimeCompletionProvider._commandLineAPI = [
+    "$",
+    "$$",
+    "$0",
+    "$_",
+    "$x",
+    "clear",
+    "copy",
+    "dir",
+    "dirxml",
+    "getEventListeners",
+    "inspect",
+    "keys",
+    "monitorEvents",
+    "profile",
+    "profileEnd",
+    "queryObjects",
+    "table",
+    "unmonitorEvents",
+    "values",
+];