Changeset 245675 in webkit

Timestamp:

May 23, 2019 12:06:20 AM (5 years ago)

Author:

Tadeu Zagallo

Message:

createListFromArrayLike should throw if value is not an object
​https://bugs.webkit.org/show_bug.cgi?id=198138

Reviewed by Yusuke Suzuki.

JSTests:

• stress/create-list-from-array-like-not-object.js: Added.

(testValid):
(testInvalid):

• stress/proxy-get-own-property-names-should-not-clear-previous-results.js:

(opt):

• stress/proxy-proto-enumerator.js: Added.

(main):

• stress/proxy-proto-own-keys.js: Added.

(assert):
(ownKeys):

Source/JavaScriptCore:

According to the spec[1], createListFromArrayLike should throw a type error if the array-like value
passed in is not an object.
[1]: ​https://www.ecma-international.org/ecma-262/9.0/index.html#sec-createlistfromarraylike

• runtime/JSObjectInlines.h:

(JSC::createListFromArrayLike):

• runtime/ProxyObject.cpp:

(JSC::ProxyObject::performGetOwnPropertyNames):

• runtime/ReflectObject.cpp:

(JSC::reflectObjectConstruct):

Location:

trunk

Files:

• JSTests/ChangeLog (modified) (1 diff)
• JSTests/stress/create-list-from-array-like-not-object.js (added)
• JSTests/stress/proxy-get-own-property-names-should-not-clear-previous-results.js (modified) (1 diff)
• JSTests/stress/proxy-proto-enumerator.js (added)
• JSTests/stress/proxy-proto-own-keys.js (added)
• Source/JavaScriptCore/ChangeLog (modified) (1 diff)
• Source/JavaScriptCore/runtime/JSObjectInlines.h (modified) (2 diffs)
• Source/JavaScriptCore/runtime/ProxyObject.cpp (modified) (1 diff)
• Source/JavaScriptCore/runtime/ReflectObject.cpp (modified) (1 diff)

trunk/JSTests/ChangeLog

@@ +1 @@
+2019-05-23  Tadeu Zagallo  <tzagallo@apple.com>
+
+        createListFromArrayLike should throw if value is not an object
+        https://bugs.webkit.org/show_bug.cgi?id=198138
+
+        Reviewed by Yusuke Suzuki.
+
+        * stress/create-list-from-array-like-not-object.js: Added.
+        (testValid):
+        (testInvalid):
+        * stress/proxy-get-own-property-names-should-not-clear-previous-results.js:
+        (opt):
+        * stress/proxy-proto-enumerator.js: Added.
+        (main):
+        * stress/proxy-proto-own-keys.js: Added.
+        (assert):
+        (ownKeys):
+
 2019-05-22  Yusuke Suzuki  <ysuzuki@apple.com>
 

trunk/JSTests/stress/proxy-get-own-property-names-should-not-clear-previous-results.js

@@ -7 +7 @@
 function opt() {
     a.__proto__ = new Proxy(Object,{ownKeys:opt});
-    return 1;
+    return [];
 }
 for(var i=0;i<400;i=i+1) {

trunk/Source/JavaScriptCore/ChangeLog

@@ +1 @@
+2019-05-23  Tadeu Zagallo  <tzagallo@apple.com>
+
+        createListFromArrayLike should throw if value is not an object
+        https://bugs.webkit.org/show_bug.cgi?id=198138
+
+        Reviewed by Yusuke Suzuki.
+
+        According to the spec[1], createListFromArrayLike should throw a type error if the array-like value
+        passed in is not an object.
+        [1]: https://www.ecma-international.org/ecma-262/9.0/index.html#sec-createlistfromarraylike
+
+        * runtime/JSObjectInlines.h:
+        (JSC::createListFromArrayLike):
+        * runtime/ProxyObject.cpp:
+        (JSC::ProxyObject::performGetOwnPropertyNames):
+        * runtime/ReflectObject.cpp:
+        (JSC::reflectObjectConstruct):
+
 2019-05-22  Yusuke Suzuki  <ysuzuki@apple.com>
 

trunk/Source/JavaScriptCore/runtime/JSObjectInlines.h

@@ -34 +34 @@
 // Section 7.3.17 of the spec.
 template <typename AddFunction> // Add function should have a type like: (JSValue, RuntimeType) -> bool
-void createListFromArrayLike(ExecState* exec, JSValue arrayLikeValue, RuntimeTypeMask legalTypesFilter, const String& errorMessage, AddFunction addFunction)
+void createListFromArrayLike(ExecState* exec, JSValue arrayLikeValue, RuntimeTypeMask legalTypesFilter, const String& notAnObjectErroMessage, const String& illegalTypeErrorMessage, AddFunction addFunction)
 {
     VM& vm = exec->vm();
     auto scope = DECLARE_THROW_SCOPE(vm);
+
+    if (!arrayLikeValue.isObject()) {
+        throwTypeError(exec, scope, notAnObjectErroMessage);
+        return;
+    }
     
     Vector<JSValue> result;
@@ -52 +57 @@
         RuntimeType type = runtimeTypeForValue(vm, next);
         if (!(type & legalTypesFilter)) {
-            throwTypeError(exec, scope, errorMessage);
+            throwTypeError(exec, scope, illegalTypeErrorMessage);
             return;
         }

trunk/Source/JavaScriptCore/runtime/ProxyObject.cpp

@@ -975 +975 @@
 
         RuntimeTypeMask dontThrowAnExceptionTypeFilter = TypeString | TypeSymbol;
-        createListFromArrayLike(exec, arrayLikeObject, dontThrowAnExceptionTypeFilter, "Proxy handler's 'ownKeys' method must return an array-like object containing only Strings and Symbols"_s, addPropName);
+        createListFromArrayLike(exec, arrayLikeObject, dontThrowAnExceptionTypeFilter, "Proxy handler's 'ownKeys' method must return an object"_s, "Proxy handler's 'ownKeys' method must return an array-like object containing only Strings and Symbols"_s, addPropName);
         RETURN_IF_EXCEPTION(scope, void());
     }

trunk/Source/JavaScriptCore/runtime/ReflectObject.cpp

@@ -114 +114 @@
         return JSValue::encode(throwTypeError(exec, scope, "Reflect.construct requires the second argument be an object"_s));
 
-    createListFromArrayLike(exec, argumentsObject, RuntimeTypeMaskAllTypes, "This error must not be raised"_s, [&] (JSValue value, RuntimeType) -> bool {
+    createListFromArrayLike(exec, argumentsObject, RuntimeTypeMaskAllTypes, "This error must not be raised"_s, "This error must not be raised"_s, [&] (JSValue value, RuntimeType) -> bool {
         arguments.append(value);
         return false;