Changeset 30871 in webkit


Ignore:
Timestamp:
Mar 7, 2008 11:46:33 AM (16 years ago)
Author:
ggaren@apple.com
Message:

JavaScriptCore:

Reviewed by Darin Adler.


Fixed <rdar://problem/5689093> Stricter (ES4) eval semantics


The basic rule is:


  • "eval(s)" is treated as an operator that gives the ES3 eval behavior.

... but only if there is no overriding declaration of "eval" in scope.

  • All other invocations treat eval as a function that evaluates a script in the context of its "this" object.

... but if its "this" object is not the global object it was
originally associated with, eval throws an exception.


Because only expressions of the form "eval(s)" have access to local
scope, the compiler can now statically determine whether a function
needs local scope to be dynamic.

  • kjs/nodes.h: Added FunctionCallEvalNode. It works just like FuncationCallResolveNode, except it statically indicates that the node may execute eval in the ES3 way.
  • kjs/nodes.cpp:
  • kjs/nodes2string.cpp:
  • tests/mozilla/expected.html: This patch happens to fix a Mozilla JS test, but it's a bit of a pyrrhic victory. The test intends to test Mozilla's generic API for calling eval on any object, but, in reality, we only support calling eval on the global object.

LayoutTests:

Reviewed by Darin Adler.

Tests for <rdar://problem/5689093> Stricter (ES4) eval semantics


  • fast/js/eval-cross-window-expected.txt: Added.
  • fast/js/eval-cross-window.html: Added.
  • fast/js/eval-keyword-vs-function-expected.txt: Added.
  • fast/js/eval-keyword-vs-function.html: Added.
  • fast/js/eval-overriding-expected.txt: Added.
  • fast/js/eval-overriding.html: Added.


Tests to make sure not to regress security:

  • http/tests/security/resources/xss-eval2.html: Added.
  • http/tests/security/resources/xss-eval3.html: Added.
  • http/tests/security/xss-eval-expected.txt: Added.
  • http/tests/security/xss-eval.html: Added.

I removed these tests because we no longer match the behavior they
expected, and the new tests are more comprehensive:


  • fast/js/window-eval-context-expected.txt: Removed.
  • fast/js/window-eval-context.html: Removed.
  • fast/js/window-eval-tearoff-expected.txt: Removed.
  • fast/js/window-eval-tearoff.html: Removed.
Location:
trunk
Files:
10 added
4 deleted
16 edited

Legend:

Unmodified
Added
Removed
  • trunk/JavaScriptCore/ChangeLog

    r30862 r30871  
     12008-03-07  Geoffrey Garen  <ggaren@apple.com>
     2
     3        Reviewed by Darin Adler.
     4       
     5        Fixed <rdar://problem/5689093> Stricter (ES4) eval semantics
     6       
     7        The basic rule is:
     8       
     9        - "eval(s)" is treated as an operator that gives the ES3 eval behavior.
     10            ... but only if there is no overriding declaration of "eval" in scope.
     11        - All other invocations treat eval as a function that evaluates a
     12        script in the context of its "this" object.
     13            ... but if its "this" object is not the global object it was
     14            originally associated with, eval throws an exception.
     15       
     16        Because only expressions of the form "eval(s)" have access to local
     17        scope, the compiler can now statically determine whether a function
     18        needs local scope to be dynamic.
     19
     20        * kjs/nodes.h: Added FunctionCallEvalNode. It works just like
     21        FuncationCallResolveNode, except it statically indicates that the node
     22        may execute eval in the ES3 way.
     23        * kjs/nodes.cpp:
     24        * kjs/nodes2string.cpp:
     25
     26        * tests/mozilla/expected.html: This patch happens to fix a Mozilla JS
     27        test, but it's a bit of a pyrrhic victory. The test intends to test
     28        Mozilla's generic API for calling eval on any object, but, in reality,
     29        we only support calling eval on the global object.
     30
    1312008-03-06  Steve Falkenburg  <sfalken@apple.com>
    232
  • trunk/JavaScriptCore/kjs/CommonIdentifiers.h

    r30040 r30871  
    4848    macro(toPrecision) \
    4949    macro(toString) \
    50     macro(valueOf)
     50    macro(valueOf) \
     51    macro(eval)
    5152
    5253namespace KJS {
  • trunk/JavaScriptCore/kjs/ExecState.cpp

    r29810 r30871  
    8686}
    8787
    88 inline ExecState::ExecState(JSGlobalObject* globalObject, EvalNode* evalNode, ExecState* callingExec)
     88inline ExecState::ExecState(JSGlobalObject* globalObject, JSObject* thisObject, EvalNode* evalNode, ExecState* callingExec, const ScopeChain& scopeChain, JSVariableObject* variableObject)
    8989    : m_globalObject(globalObject)
    9090    , m_exception(0)
     
    9797    , m_activation(0)
    9898    , m_localStorage(callingExec->m_localStorage)
    99     , m_scopeChain(callingExec->m_scopeChain)
    100     , m_variableObject(callingExec->m_variableObject)
    101     , m_thisValue(callingExec->m_thisValue)
     99    , m_scopeChain(scopeChain)
     100    , m_variableObject(variableObject)
     101    , m_thisValue(thisObject)
    102102    , m_iterationDepth(0)
    103103    , m_switchDepth(0)
     
    184184}
    185185
    186 EvalExecState::EvalExecState(JSGlobalObject* globalObject, EvalNode* evalNode, ExecState* callingExec)
    187     : ExecState(globalObject, evalNode, callingExec)
     186EvalExecState::EvalExecState(JSGlobalObject* globalObject, JSObject* thisObj, EvalNode* evalNode, ExecState* callingExec, const ScopeChain& scopeChain, JSVariableObject* variableObject)
     187    : ExecState(globalObject, thisObj, evalNode, callingExec, scopeChain, variableObject)
    188188{
    189189    inlineActiveExecStates().append(this);
  • trunk/JavaScriptCore/kjs/ExecState.h

    r30140 r30871  
    171171        ExecState(JSGlobalObject*);
    172172        ExecState(JSGlobalObject*, JSObject* thisObject, ProgramNode*);
    173         ExecState(JSGlobalObject*, EvalNode*, ExecState* callingExecState);
    174         ExecState(JSGlobalObject*, JSObject* thisObject, FunctionBodyNode*,
    175             ExecState* callingExecState, FunctionImp*, const List& args);
     173        ExecState(JSGlobalObject*, JSObject* thisObject, EvalNode*, ExecState* callingExecState, const ScopeChain&, JSVariableObject*);
     174        ExecState(JSGlobalObject*, JSObject* thisObject, FunctionBodyNode*, ExecState* callingExecState, FunctionImp*, const List& args);
    176175        ~ExecState();
    177176
     
    220219    class EvalExecState : public ExecState {
    221220    public:
    222         EvalExecState(JSGlobalObject*, EvalNode*, ExecState* callingExecState);
     221        EvalExecState(JSGlobalObject*, JSObject* thisObj, EvalNode*, ExecState* callingExec, const ScopeChain&, JSVariableObject*);
    223222        ~EvalExecState();
    224223    };
  • trunk/JavaScriptCore/kjs/JSGlobalObject.cpp

    r30534 r30871  
    228228    d()->URIErrorConstructor = 0;
    229229
     230    d()->evalFunction = 0;
     231
    230232    ExecState* exec = &d()->globalExec;
    231233
     
    316318    // Set global functions.
    317319
    318     putDirectFunction(new PrototypeFunction(exec, d()->functionPrototype, 1, "eval", globalFuncEval), DontEnum);
     320    d()->evalFunction = new PrototypeReflexiveFunction(exec, d()->functionPrototype, 1, exec->propertyNames().eval, globalFuncEval);
     321    putDirectFunction(d()->evalFunction, DontEnum);
    319322    putDirectFunction(new PrototypeFunction(exec, d()->functionPrototype, 2, "parseInt", globalFuncParseInt), DontEnum);
    320323    putDirectFunction(new PrototypeFunction(exec, d()->functionPrototype, 1, "parseFloat", globalFuncParseFloat), DontEnum);
     
    418421    builtins._internal->URIErrorConstructor = d()->URIErrorConstructor;
    419422   
     423    builtins._internal->evalFunction = d()->evalFunction;
     424   
    420425    builtins._internal->objectPrototype = d()->objectPrototype;
    421426    builtins._internal->functionPrototype = d()->functionPrototype;
     
    455460    d()->typeErrorConstructor = builtins._internal->typeErrorConstructor;
    456461    d()->URIErrorConstructor = builtins._internal->URIErrorConstructor;
     462   
     463    d()->evalFunction = builtins._internal->evalFunction;
    457464
    458465    d()->objectPrototype = builtins._internal->objectPrototype;
     
    495502    markIfNeeded(d()->URIErrorConstructor);
    496503   
     504    markIfNeeded(d()->evalFunction);
     505   
    497506    markIfNeeded(d()->objectPrototype);
    498507    markIfNeeded(d()->functionPrototype);
  • trunk/JavaScriptCore/kjs/JSGlobalObject.h

    r30534 r30871  
    4949    class ObjectObjectImp;
    5050    class ObjectPrototype;
     51    class PrototypeReflexiveFunction;
    5152    class RangeError;
    5253    class RangeErrorPrototype;
     
    110111            NativeErrorImp* URIErrorConstructor;
    111112
     113            PrototypeReflexiveFunction* evalFunction;
     114
    112115            ObjectPrototype* objectPrototype;
    113116            FunctionPrototype* functionPrototype;
     
    125128            NativeErrorPrototype* typeErrorPrototype;
    126129            NativeErrorPrototype* URIErrorPrototype;
    127 
     130           
    128131            SymbolTable inlineSymbolTable;
    129132
     
    182185        NativeErrorImp* URIErrorConstructor() const { return d()->URIErrorConstructor; }
    183186
     187        PrototypeReflexiveFunction* evalFunction() const { return d()->evalFunction; }
     188
    184189        ObjectPrototype* objectPrototype() const { return d()->objectPrototype; }
    185190        FunctionPrototype* functionPrototype() const { return d()->functionPrototype; }
  • trunk/JavaScriptCore/kjs/SavedBuiltins.h

    r29663 r30871  
    5656    ProtectedPtr<NativeErrorImp> URIErrorConstructor;
    5757   
     58    ProtectedPtr<PrototypeReflexiveFunction> evalFunction;
     59
    5860    ProtectedPtr<ObjectPrototype> objectPrototype;
    5961    ProtectedPtr<FunctionPrototype> functionPrototype;
  • trunk/JavaScriptCore/kjs/function.cpp

    r30534 r30871  
    704704}
    705705
    706 JSValue* globalFuncEval(ExecState* exec, JSObject* thisObj, const List& args)
     706JSValue* eval(ExecState* exec, const ScopeChain& scopeChain, JSVariableObject* variableObject, JSGlobalObject* globalObject, JSObject* thisObj, const List& args)
    707707{
    708708    JSValue* x = args[0];
     
    724724    }
    725725
    726     // No program node means a syntax occurred
    727726    if (!evalNode)
    728727        return throwError(exec, SyntaxError, errMsg, errLine, sourceId, NULL);
    729728
    730     bool switchGlobal = thisObj && thisObj != exec->dynamicGlobalObject() && thisObj->isGlobalObject();
    731 
    732     // enter a new execution context
    733     exec->dynamicGlobalObject()->tearOffActivation(exec);
    734     JSGlobalObject* globalObject = switchGlobal ? static_cast<JSGlobalObject*>(thisObj) : exec->dynamicGlobalObject();
    735     EvalExecState newExec(globalObject, evalNode.get(), exec);
    736 
    737     if (switchGlobal) {
    738         newExec.pushScope(thisObj);
    739         newExec.setVariableObject(static_cast<JSGlobalObject*>(thisObj));
    740     }
     729    EvalExecState newExec(globalObject, thisObj, evalNode.get(), exec, scopeChain, variableObject);
     730
    741731    JSValue* value = evalNode->execute(&newExec);
    742     if (switchGlobal)
    743         newExec.popScope();
    744732
    745733    if (newExec.completionType() == Throw) {
     
    749737
    750738    return value ? value : jsUndefined();
     739}
     740
     741JSValue* globalFuncEval(ExecState* exec, PrototypeReflexiveFunction* function, JSObject* thisObj, const List& args)
     742{
     743    JSGlobalObject* globalObject = thisObj->isGlobalObject() ? static_cast<JSGlobalObject*>(thisObj) : 0;
     744
     745    if (!globalObject || globalObject->evalFunction() != function)
     746        return throwError(exec, EvalError, "The \"this\" value passed to eval must be the global object from which eval originated");
     747
     748    ScopeChain scopeChain(globalObject);
     749    return eval(exec, scopeChain, globalObject, globalObject, globalObject, args);
    751750}
    752751
     
    892891}
    893892
     893// ------------------------------ PrototypeReflexiveFunction -------------------------------
     894
     895PrototypeReflexiveFunction::PrototypeReflexiveFunction(ExecState* exec, FunctionPrototype* functionPrototype, int len, const Identifier& name, JSMemberFunction function)
     896    : InternalFunctionImp(functionPrototype, name)
     897    , m_function(function)
     898{
     899    ASSERT_ARG(function, function);
     900    putDirect(exec->propertyNames().length, jsNumber(len), DontDelete | ReadOnly | DontEnum);
     901}
     902
     903JSValue* PrototypeReflexiveFunction::callAsFunction(ExecState* exec, JSObject* thisObj, const List& args)
     904{
     905    return m_function(exec, this, thisObj, args);
     906}
     907
    894908} // namespace KJS
  • trunk/JavaScriptCore/kjs/function.h

    r30534 r30871  
    126126  class PrototypeFunction : public InternalFunctionImp {
    127127  public:
    128     typedef KJS::JSValue* (*JSMemberFunction)(ExecState*, JSObject*, const List&);
     128    typedef JSValue* (*JSMemberFunction)(ExecState*, JSObject* thisObj, const List&);
    129129
    130130    PrototypeFunction(ExecState*, int len, const Identifier&, JSMemberFunction);
     
    138138
    139139
     140  // Just like PrototypeFunction, but callbacks also get passed the JS function object.
     141  class PrototypeReflexiveFunction : public InternalFunctionImp {
     142  public:
     143    typedef JSValue* (*JSMemberFunction)(ExecState*, PrototypeReflexiveFunction*, JSObject* thisObj, const List&);
     144
     145    PrototypeReflexiveFunction(ExecState*, FunctionPrototype*, int len, const Identifier&, JSMemberFunction);
     146
     147    virtual JSValue* callAsFunction(ExecState* exec, JSObject* thisObj, const List&);
     148
     149  private:
     150    const JSMemberFunction m_function;
     151  };
     152
    140153    // Global Functions
    141     JSValue* globalFuncEval(ExecState*, JSObject*, const List&);
     154    JSValue* globalFuncEval(ExecState*, PrototypeReflexiveFunction*, JSObject*, const List&);
    142155    JSValue* globalFuncParseInt(ExecState*, JSObject*, const List&);
    143156    JSValue* globalFuncParseFloat(ExecState*, JSObject*, const List&);
     
    154167#endif
    155168
     169    JSValue* eval(ExecState*, const ScopeChain&, JSVariableObject*, JSGlobalObject*, JSObject* thisObj, const List& args);
     170
    156171    static const double mantissaOverflowLowerBound = 9007199254740992.0;
    157172    double parseIntOverflow(const char*, int length, int radix);
  • trunk/JavaScriptCore/kjs/grammar.y

    r30105 r30871  
    11601160    if (func->isResolveNode()) {
    11611161        ResolveNode* resolve = static_cast<ResolveNode*>(func);
    1162         return new FunctionCallResolveNode(resolve->identifier(), args);
     1162        const Identifier& identifier = resolve->identifier();
     1163        if (identifier == CommonIdentifiers::shared()->eval)
     1164            return new EvalFunctionCallNode(args);
     1165        return new FunctionCallResolveNode(identifier, args);
    11631166    }
    11641167    if (func->isBracketAccessorNode()) {
  • trunk/JavaScriptCore/kjs/nodes.cpp

    r30726 r30871  
    949949}
    950950
    951 void FunctionCallValueNode::optimizeVariableAccess(const SymbolTable&, const LocalStorage&, NodeStack& nodeStack)
    952 {
    953     nodeStack.append(m_args.get());
    954     nodeStack.append(m_expr.get());
    955 }
    956 
    957 // ECMA 11.2.3
    958 JSValue* FunctionCallValueNode::evaluate(ExecState* exec)
    959 {
    960     JSValue* v = m_expr->evaluate(exec);
    961     KJS_CHECKEXCEPTIONVALUE
    962 
    963     if (!v->isObject()) {
    964         return throwError(exec, TypeError, "Value %s (result of expression %s) is not object.", v, m_expr.get());
    965     }
    966 
    967     JSObject* func = static_cast<JSObject*>(v);
    968 
    969     if (!func->implementsCall()) {
    970         return throwError(exec, TypeError, "Object %s (result of expression %s) does not allow calls.", v, m_expr.get());
    971     }
    972 
    973     List argList;
    974     m_args->evaluateList(exec, argList);
    975     KJS_CHECKEXCEPTIONVALUE
    976 
    977     JSObject* thisObj =  exec->dynamicGlobalObject();
    978 
    979     return func->call(exec, thisObj, argList);
    980 }
    981 
    982 void FunctionCallResolveNode::optimizeVariableAccess(const SymbolTable& symbolTable, const LocalStorage&, NodeStack& nodeStack)
    983 {
    984     nodeStack.append(m_args.get());
    985 
    986     size_t index = symbolTable.get(m_ident.ustring().rep());
    987     if (index != missingSymbolMarker())
    988         new (this) LocalVarFunctionCallNode(index);
    989 }
    990 
    991 // ECMA 11.2.3
    992 JSValue* FunctionCallResolveNode::inlineEvaluate(ExecState* exec)
    993 {
    994     // Check for missed optimization opportunity.
    995     ASSERT(!canSkipLookup(exec, m_ident));
    996 
     951template <ExpressionNode::CallerType callerType>
     952inline JSValue* ExpressionNode::resolveAndCall(ExecState* exec, const Identifier& ident, ArgumentsNode* args)
     953{
    997954    const ScopeChain& chain = exec->scopeChain();
    998955    ScopeChainIterator iter = chain.begin();
     
    1006963    do {
    1007964        base = *iter;
    1008         if (base->getPropertySlot(exec, m_ident, slot)) {
    1009             JSValue* v = slot.getValue(exec, base, m_ident);
     965        if (base->getPropertySlot(exec, ident, slot)) {
     966            JSValue* v = slot.getValue(exec, base, ident);
    1010967            KJS_CHECKEXCEPTIONVALUE
    1011968
    1012969            if (!v->isObject())
    1013                 return throwError(exec, TypeError, "Value %s (result of expression %s) is not object.", v, m_ident);
     970                return throwError(exec, TypeError, "Value %s (result of expression %s) is not object.", v, ident);
    1014971
    1015972            JSObject* func = static_cast<JSObject*>(v);
    1016973
    1017974            if (!func->implementsCall())
    1018                 return throwError(exec, TypeError, "Object %s (result of expression %s) does not allow calls.", v, m_ident);
     975                return throwError(exec, TypeError, "Object %s (result of expression %s) does not allow calls.", v, ident);
    1019976
    1020977            List argList;
    1021             m_args->evaluateList(exec, argList);
     978            args->evaluateList(exec, argList);
    1022979            KJS_CHECKEXCEPTIONVALUE
    1023980
     
    1032989                thisObj = exec->dynamicGlobalObject();
    1033990
     991            if (callerType == EvalOperator) {
     992                if (base == exec->lexicalGlobalObject() && func == exec->lexicalGlobalObject()->evalFunction()) {
     993                    exec->dynamicGlobalObject()->tearOffActivation(exec);
     994                    return eval(exec, exec->scopeChain(), exec->variableObject(), exec->dynamicGlobalObject(), exec->thisValue(), argList);
     995                }
     996            }
    1034997            return func->call(exec, thisObj, argList);
    1035998        }
     
    10371000    } while (iter != end);
    10381001
    1039     return throwUndefinedVariableError(exec, m_ident);
     1002    return throwUndefinedVariableError(exec, ident);
     1003}
     1004
     1005void EvalFunctionCallNode::optimizeVariableAccess(const SymbolTable&, const LocalStorage&, NodeStack& nodeStack)
     1006{
     1007    nodeStack.append(m_args.get());
     1008}
     1009
     1010JSValue* EvalFunctionCallNode::evaluate(ExecState* exec)
     1011{
     1012    return resolveAndCall<EvalOperator>(exec, exec->propertyNames().eval, m_args.get());
     1013}
     1014
     1015void FunctionCallValueNode::optimizeVariableAccess(const SymbolTable&, const LocalStorage&, NodeStack& nodeStack)
     1016{
     1017    nodeStack.append(m_args.get());
     1018    nodeStack.append(m_expr.get());
     1019}
     1020
     1021// ECMA 11.2.3
     1022JSValue* FunctionCallValueNode::evaluate(ExecState* exec)
     1023{
     1024    JSValue* v = m_expr->evaluate(exec);
     1025    KJS_CHECKEXCEPTIONVALUE
     1026
     1027    if (!v->isObject()) {
     1028        return throwError(exec, TypeError, "Value %s (result of expression %s) is not object.", v, m_expr.get());
     1029    }
     1030
     1031    JSObject* func = static_cast<JSObject*>(v);
     1032
     1033    if (!func->implementsCall()) {
     1034        return throwError(exec, TypeError, "Object %s (result of expression %s) does not allow calls.", v, m_expr.get());
     1035    }
     1036
     1037    List argList;
     1038    m_args->evaluateList(exec, argList);
     1039    KJS_CHECKEXCEPTIONVALUE
     1040
     1041    JSObject* thisObj =  exec->dynamicGlobalObject();
     1042
     1043    return func->call(exec, thisObj, argList);
     1044}
     1045
     1046void FunctionCallResolveNode::optimizeVariableAccess(const SymbolTable& symbolTable, const LocalStorage&, NodeStack& nodeStack)
     1047{
     1048    nodeStack.append(m_args.get());
     1049
     1050    size_t index = symbolTable.get(m_ident.ustring().rep());
     1051    if (index != missingSymbolMarker())
     1052        new (this) LocalVarFunctionCallNode(index);
     1053}
     1054
     1055// ECMA 11.2.3
     1056JSValue* FunctionCallResolveNode::inlineEvaluate(ExecState* exec)
     1057{
     1058    // Check for missed optimization opportunity.
     1059    ASSERT(!canSkipLookup(exec, m_ident));
     1060
     1061    return resolveAndCall<FunctionCall>(exec, m_ident, m_args.get());
    10401062}
    10411063
  • trunk/JavaScriptCore/kjs/nodes.h

    r30109 r30871  
    4343namespace KJS {
    4444
     45    class ArgumentsNode;
    4546    class ConstDeclNode;
    4647    class FuncDeclNode;
     
    206207        // Used to optimize those nodes that do extra work when returning a result, even if the result has no semantic relevance
    207208        virtual void optimizeForUnnecessaryResult() { }
     209
     210    protected:
     211        typedef enum { EvalOperator, FunctionCall } CallerType;
     212        template <CallerType> inline JSValue* resolveAndCall(ExecState*, const Identifier&, ArgumentsNode*);
    208213    };
    209214
     
    681686    };
    682687
     688    class EvalFunctionCallNode : public ExpressionNode {
     689    public:
     690        EvalFunctionCallNode(ArgumentsNode* args) KJS_FAST_CALL
     691            : m_args(args)
     692        {
     693        }
     694
     695        virtual void optimizeVariableAccess(const SymbolTable&, const LocalStorage&, NodeStack&) KJS_FAST_CALL;
     696        virtual JSValue* evaluate(ExecState*) KJS_FAST_CALL;
     697        virtual void streamTo(SourceStream&) const KJS_FAST_CALL;
     698        virtual Precedence precedence() const { return PrecCall; }
     699
     700    private:
     701        RefPtr<ArgumentsNode> m_args;
     702    };
     703
    683704    class FunctionCallValueNode : public ExpressionNode {
    684705    public:
  • trunk/JavaScriptCore/kjs/nodes2string.cpp

    r29836 r30871  
    427427}
    428428
     429void EvalFunctionCallNode::streamTo(SourceStream& s) const
     430{
     431    s << "eval" << m_args;
     432}
     433
    429434void FunctionCallValueNode::streamTo(SourceStream& s) const
    430435{
  • trunk/JavaScriptCore/kjs/scope_chain.h

    r29425 r30871  
    6666        ~ScopeChain() { deref(); }
    6767
    68         ScopeChain(const ScopeChain &c) : _node(c._node)
    69             { if (_node) ++_node->refCount; }
     68        ScopeChain(const ScopeChain& c)
     69            : _node(c._node)
     70        {
     71            if (_node)
     72                ++_node->refCount;
     73        }
     74
     75        ScopeChain(JSObject* o)
     76            : _node(new ScopeChainNode(0, o))
     77        {
     78        }
     79
    7080        ScopeChain &operator=(const ScopeChain &);
    7181
  • trunk/JavaScriptCore/tests/mozilla/expected.html

    r29118 r30871  
    88Test List: All tests<br>
    99Skip List: (none)<br>
    10 1135 test(s) selected, 1127 test(s) completed, 52 failures reported (4.61% failed)<br>
    11 Engine command line: /Users/darin/Build/Debug/testkjs <br>
    12 OS type: Darwin Darin-Adlers-Mac-Pro.local 9.1.0 Darwin Kernel Version 9.1.0: Wed Oct 31 17:46:22 PDT 2007; root:xnu-1228.0.2~1/RELEASE_I386 i386<br>
    13 Testcase execution time: 1 minutes, 13 seconds.<br>
    14 Tests completed on Thu Jan  3 00:46:35 2008.<br><br>
     101135 test(s) selected, 1127 test(s) completed, 51 failures reported (4.52% failed)<br>
     11Engine command line: /Volumes/Big/ggaren/build/Debug/testkjs <br>
     12OS type: Darwin il0301e-dhcp191.apple.com 9.2.0 Darwin Kernel Version 9.2.0: Tue Feb  5 16:13:22 PST 2008; root:xnu-1228.3.13~1/RELEASE_I386 i386<br>
     13Testcase execution time: 1 minutes, 50 seconds.<br>
     14Tests completed on Thu Mar  6 13:53:55 2008.<br><br>
    1515[ <a href='#fail_detail'>Failure Details</a> | <a href='#retest_list'>Retest List</a> | <a href='menu.html'>Test Selection Page</a> ]<br>
    1616<hr>
     
    4444(Mon Feb 28 2000 15:59:59 GMT-0800 (PST)).toLocaleTimeString() = 3:59:59 PM PST FAILED! expected: 15:59:59<br>
    4545(Tue Feb 29 2000 00:00:00 GMT-0800 (PST)).toLocaleTimeString() = 12:00:00 AM PST FAILED! expected: 00:00:00<br>
    46 (Thu Jan 03 2008 00:46:22 GMT-0800 (PST)).toLocaleTimeString() = 12:46:22 AM PST FAILED! expected: 00:46:22<br>
    47 (Thu Jan 03 2008 08:46:22 GMT-0800 (PST)).toLocaleTimeString() = 8:46:22 AM PST FAILED! expected: 08:46:22<br>
     46(Thu Mar 06 2008 13:53:32 GMT-0800 (PST)).toLocaleTimeString() = 1:53:32 PM PST FAILED! expected: 13:53:32<br>
     47(Thu Mar 06 2008 21:53:32 GMT-0800 (PST)).toLocaleTimeString() = 9:53:32 PM PST FAILED! expected: 21:53:32<br>
    4848(Fri Dec 31 2004 16:00:00 GMT-0800 (PST)).toLocaleTimeString() = 4:00:00 PM PST FAILED! expected: 16:00:00<br>
    4949(Fri Dec 31 2004 15:59:59 GMT-0800 (PST)).toLocaleTimeString() = 3:59:59 PM PST FAILED! expected: 15:59:59<br>
     
    167167Testcase terminated with signal 0<br>
    168168Complete testcase output was:<br>
    169 [82270] ./ecma_3/Statements/regress-194364.js line 1: SyntaxError: Parse error<br>
     169[93325] ./ecma_3/Statements/regress-194364.js line 1: SyntaxError: Parse error<br>
    170170</tt><br>
    171171<a name='failure9'></a><dd><b>Testcase <a target='other_window' href='./ecma_3/Unicode/uc-001.js'>ecma_3/Unicode/uc-001.js</a> failed</b> <a href='http://bugzilla.mozilla.org/show_bug.cgi?id=23610' target='other_window'>Bug Number 23610</a><br>
     
    318318Complete testcase output was:<br>
    319319script-001 NativeScript<br>
    320 [82375] ./js1_3/Script/script-001.js line 133: ReferenceError: Can't find variable: Script<br>
     320[93430] ./js1_3/Script/script-001.js line 133: ReferenceError: Can't find variable: Script<br>
    321321</tt><br>
    322322<a name='failure27'></a><dd><b>Testcase <a target='other_window' href='./js1_3/regress/function-001-n.js'>js1_3/regress/function-001-n.js</a> failed</b> <a href='http://bugzilla.mozilla.org/show_bug.cgi?id=10278' target='other_window'>Bug Number 10278</a><br>
     
    352352Testcase terminated with signal 0<br>
    353353Complete testcase output was:<br>
    354 [82420] ./js1_5/Exceptions/errstack-001.js line 247: TypeError: Undefined value<br>
     354[93477] ./js1_5/Exceptions/errstack-001.js line 247: TypeError: Undefined value<br>
    355355</tt><br>
    356356<a name='failure32'></a><dd><b>Testcase <a target='other_window' href='./js1_5/Exceptions/regress-50447.js'>js1_5/Exceptions/regress-50447.js</a> failed</b> <a href='http://bugzilla.mozilla.org/show_bug.cgi?id=50447' target='other_window'>Bug Number 50447</a><br>
     
    361361BUGNUMBER: 50447<br>
    362362STATUS: Test (non-ECMA) Error object properties fileName, lineNumber<br>
    363 [82421] ./js1_5/Exceptions/regress-50447.js line 65: TypeError: Undefined value<br>
     363[93478] ./js1_5/Exceptions/regress-50447.js line 65: TypeError: Undefined value<br>
    364364</tt><br>
    365365<a name='failure33'></a><dd><b>Testcase <a target='other_window' href='./js1_5/GetSet/getset-001.js'>js1_5/GetSet/getset-001.js</a> failed</b> <br>
     
    386386Testcase terminated with signal 0<br>
    387387Complete testcase output was:<br>
    388 [82436] ./js1_5/Object/regress-90596-001.js line 48: TypeError: Value undefined (result of expression obj.toSource) is not object.<br>
     388[93493] ./js1_5/Object/regress-90596-001.js line 48: TypeError: Value undefined (result of expression obj.toSource) is not object.<br>
    389389</tt><br>
    390390<a name='failure37'></a><dd><b>Testcase <a target='other_window' href='./js1_5/Object/regress-90596-002.js'>js1_5/Object/regress-90596-002.js</a> failed</b> <br>
     
    393393Testcase terminated with signal 0<br>
    394394Complete testcase output was:<br>
    395 [82437] ./js1_5/Object/regress-90596-002.js line 48: ReferenceError: Can't find variable: uneval<br>
     395[93494] ./js1_5/Object/regress-90596-002.js line 48: ReferenceError: Can't find variable: uneval<br>
    396396</tt><br>
    397397<a name='failure38'></a><dd><b>Testcase <a target='other_window' href='./js1_5/Object/regress-96284-001.js'>js1_5/Object/regress-96284-001.js</a> failed</b> <br>
     
    400400Testcase terminated with signal 0<br>
    401401Complete testcase output was:<br>
    402 [82439] ./js1_5/Object/regress-96284-001.js line 49: TypeError: Value undefined (result of expression obj1.toSource) is not object.<br>
     402[93496] ./js1_5/Object/regress-96284-001.js line 49: TypeError: Value undefined (result of expression obj1.toSource) is not object.<br>
    403403</tt><br>
    404404<a name='failure39'></a><dd><b>Testcase <a target='other_window' href='./js1_5/Object/regress-96284-002.js'>js1_5/Object/regress-96284-002.js</a> failed</b> <br>
     
    407407Testcase terminated with signal 0<br>
    408408Complete testcase output was:<br>
    409 [82440] ./js1_5/Object/regress-96284-002.js line 49: ReferenceError: Can't find variable: uneval<br>
     409[93497] ./js1_5/Object/regress-96284-002.js line 49: ReferenceError: Can't find variable: uneval<br>
    410410</tt><br>
    411411<a name='failure40'></a><dd><b>Testcase <a target='other_window' href='./js1_5/Regress/regress-44009.js'>js1_5/Regress/regress-44009.js</a> failed</b> <a href='http://bugzilla.mozilla.org/show_bug.cgi?id=44009' target='other_window'>Bug Number 44009</a><br>
     
    416416BUGNUMBER: 44009<br>
    417417STATUS: Testing that we don't crash on obj.toSource()<br>
    418 [82445] ./js1_5/Regress/regress-44009.js line 60: TypeError: Value undefined (result of expression obj.toSource) is not object.<br>
    419 </tt><br>
    420 <a name='failure41'></a><dd><b>Testcase <a target='other_window' href='./js1_5/Regress/regress-68498-003.js'>js1_5/Regress/regress-68498-003.js</a> failed</b> <a href='http://bugzilla.mozilla.org/show_bug.cgi?id=68498' target='other_window'>Bug Number 68498</a><br>
     418[93502] ./js1_5/Regress/regress-44009.js line 60: TypeError: Value undefined (result of expression obj.toSource) is not object.<br>
     419</tt><br>
     420<a name='failure41'></a><dd><b>Testcase <a target='other_window' href='./js1_5/Regress/regress-103602.js'>js1_5/Regress/regress-103602.js</a> failed</b> <a href='http://bugzilla.mozilla.org/show_bug.cgi?id=103602' target='other_window'>Bug Number 103602</a><br>
    421421 [ <a href='#failure40'>Previous Failure</a> | <a href='#failure42'>Next Failure</a> | <a href='#tippy_top'>Top of Page</a> ]<br>
    422 <tt>STATUS: Testing calling obj.eval(str)<br>
    423 Failure messages were:<br>
    424 FAILED!: [reported from test()] Testing calling obj.eval(str); currently at expect[1] within test -<br>
    425 FAILED!: [reported from test()] Type mismatch, expected type number, actual type boolean<br>
    426 FAILED!: [reported from test()] Expected value '43', Actual value 'false'<br>
    427 FAILED!: [reported from test()] <br>
    428 </tt><br>
    429 <a name='failure42'></a><dd><b>Testcase <a target='other_window' href='./js1_5/Regress/regress-103602.js'>js1_5/Regress/regress-103602.js</a> failed</b> <a href='http://bugzilla.mozilla.org/show_bug.cgi?id=103602' target='other_window'>Bug Number 103602</a><br>
    430  [ <a href='#failure41'>Previous Failure</a> | <a href='#failure43'>Next Failure</a> | <a href='#tippy_top'>Top of Page</a> ]<br>
    431422<tt>STATUS: Reassignment to a const is NOT an error per ECMA<br>
    432423Failure messages were:<br>
     
    438429FAILED!: [reported from test()] <br>
    439430</tt><br>
    440 <a name='failure43'></a><dd><b>Testcase <a target='other_window' href='./js1_5/Regress/regress-104077.js'>js1_5/Regress/regress-104077.js</a> failed</b> <br>
     431<a name='failure42'></a><dd><b>Testcase <a target='other_window' href='./js1_5/Regress/regress-104077.js'>js1_5/Regress/regress-104077.js</a> failed</b> <br>
     432 [ <a href='#failure41'>Previous Failure</a> | <a href='#failure43'>Next Failure</a> | <a href='#tippy_top'>Top of Page</a> ]<br>
     433<tt>Expected exit code 0, got 3<br>
     434Testcase terminated with signal 0<br>
     435Complete testcase output was:<br>
     436Testcase produced no output!</tt><br>
     437<a name='failure43'></a><dd><b>Testcase <a target='other_window' href='./js1_5/Regress/regress-127557.js'>js1_5/Regress/regress-127557.js</a> failed</b> <br>
    441438 [ <a href='#failure42'>Previous Failure</a> | <a href='#failure44'>Next Failure</a> | <a href='#tippy_top'>Top of Page</a> ]<br>
    442439<tt>Expected exit code 0, got 3<br>
    443440Testcase terminated with signal 0<br>
    444441Complete testcase output was:<br>
    445 Testcase produced no output!</tt><br>
    446 <a name='failure44'></a><dd><b>Testcase <a target='other_window' href='./js1_5/Regress/regress-127557.js'>js1_5/Regress/regress-127557.js</a> failed</b> <br>
     442[93528] ./js1_5/Regress/regress-127557.js line 75: ReferenceError: Can't find variable: clone<br>
     443</tt><br>
     444<a name='failure44'></a><dd><b>Testcase <a target='other_window' href='./js1_5/Regress/regress-172699.js'>js1_5/Regress/regress-172699.js</a> failed</b> <br>
    447445 [ <a href='#failure43'>Previous Failure</a> | <a href='#failure45'>Next Failure</a> | <a href='#tippy_top'>Top of Page</a> ]<br>
    448446<tt>Expected exit code 0, got 3<br>
    449447Testcase terminated with signal 0<br>
    450448Complete testcase output was:<br>
    451 [82471] ./js1_5/Regress/regress-127557.js line 75: ReferenceError: Can't find variable: clone<br>
    452 </tt><br>
    453 <a name='failure45'></a><dd><b>Testcase <a target='other_window' href='./js1_5/Regress/regress-172699.js'>js1_5/Regress/regress-172699.js</a> failed</b> <br>
     449[93537] ./js1_5/Regress/regress-172699.js line 61: URIError: URI error<br>
     450</tt><br>
     451<a name='failure45'></a><dd><b>Testcase <a target='other_window' href='./js1_5/Regress/regress-179524.js'>js1_5/Regress/regress-179524.js</a> failed</b> <a href='http://bugzilla.mozilla.org/show_bug.cgi?id=179524' target='other_window'>Bug Number 179524</a><br>
    454452 [ <a href='#failure44'>Previous Failure</a> | <a href='#failure46'>Next Failure</a> | <a href='#tippy_top'>Top of Page</a> ]<br>
    455 <tt>Expected exit code 0, got 3<br>
    456 Testcase terminated with signal 0<br>
    457 Complete testcase output was:<br>
    458 [82481] ./js1_5/Regress/regress-172699.js line 61: URIError: URI error<br>
    459 </tt><br>
    460 <a name='failure46'></a><dd><b>Testcase <a target='other_window' href='./js1_5/Regress/regress-179524.js'>js1_5/Regress/regress-179524.js</a> failed</b> <a href='http://bugzilla.mozilla.org/show_bug.cgi?id=179524' target='other_window'>Bug Number 179524</a><br>
    461  [ <a href='#failure45'>Previous Failure</a> | <a href='#failure47'>Next Failure</a> | <a href='#tippy_top'>Top of Page</a> ]<br>
    462453<tt>STATUS: Don't crash on extraneous arguments to str.match(), etc.<br>
    463454Failure messages were:<br>
     
    509500FAILED!: [reported from test()] <br>
    510501</tt><br>
    511 <a name='failure47'></a><dd><b>Testcase <a target='other_window' href='./js1_5/Scope/regress-220584.js'>js1_5/Scope/regress-220584.js</a> failed</b> <br>
     502<a name='failure46'></a><dd><b>Testcase <a target='other_window' href='./js1_5/Scope/regress-220584.js'>js1_5/Scope/regress-220584.js</a> failed</b> <br>
     503 [ <a href='#failure45'>Previous Failure</a> | <a href='#failure47'>Next Failure</a> | <a href='#tippy_top'>Top of Page</a> ]<br>
     504<tt>Expected exit code 0, got 3<br>
     505Testcase terminated with signal 0<br>
     506Complete testcase output was:<br>
     507[93562] ./js1_5/Scope/regress-220584.js line 56: ReferenceError: Can't find variable: Script<br>
     508</tt><br>
     509<a name='failure47'></a><dd><b>Testcase <a target='other_window' href='./js1_5/Scope/scope-001.js'>js1_5/Scope/scope-001.js</a> failed</b> <a href='http://bugzilla.mozilla.org/show_bug.cgi?id=53268' target='other_window'>Bug Number 53268</a><br>
    512510 [ <a href='#failure46'>Previous Failure</a> | <a href='#failure48'>Next Failure</a> | <a href='#tippy_top'>Top of Page</a> ]<br>
    513 <tt>Expected exit code 0, got 3<br>
    514 Testcase terminated with signal 0<br>
    515 Complete testcase output was:<br>
    516 [82506] ./js1_5/Scope/regress-220584.js line 56: ReferenceError: Can't find variable: Script<br>
    517 </tt><br>
    518 <a name='failure48'></a><dd><b>Testcase <a target='other_window' href='./js1_5/Scope/scope-001.js'>js1_5/Scope/scope-001.js</a> failed</b> <a href='http://bugzilla.mozilla.org/show_bug.cgi?id=53268' target='other_window'>Bug Number 53268</a><br>
    519  [ <a href='#failure47'>Previous Failure</a> | <a href='#failure49'>Next Failure</a> | <a href='#tippy_top'>Top of Page</a> ]<br>
    520511<tt>STATUS: Testing scope after changing obj.__proto__<br>
    521512Failure messages were:<br>
     
    528519FAILED!: [reported from test()] <br>
    529520</tt><br>
    530 <a name='failure49'></a><dd><b>Testcase <a target='other_window' href='./js1_6/Regress/regress-301574.js'>js1_6/Regress/regress-301574.js</a> failed</b> <a href='http://bugzilla.mozilla.org/show_bug.cgi?id=301574' target='other_window'>Bug Number 301574</a><br>
    531  [ <a href='#failure48'>Previous Failure</a> | <a href='#failure50'>Next Failure</a> | <a href='#tippy_top'>Top of Page</a> ]<br>
     521<a name='failure48'></a><dd><b>Testcase <a target='other_window' href='./js1_6/Regress/regress-301574.js'>js1_6/Regress/regress-301574.js</a> failed</b> <a href='http://bugzilla.mozilla.org/show_bug.cgi?id=301574' target='other_window'>Bug Number 301574</a><br>
     522 [ <a href='#failure47'>Previous Failure</a> | <a href='#failure49'>Next Failure</a> | <a href='#tippy_top'>Top of Page</a> ]<br>
    532523<tt>STATUS: E4X should be enabled even when e4x=1 not specified<br>
    533524Failure messages were:<br>
     
    539530FAILED!: <br>
    540531</tt><br>
    541 <a name='failure50'></a><dd><b>Testcase <a target='other_window' href='./js1_6/Regress/regress-309242.js'>js1_6/Regress/regress-309242.js</a> failed</b> <br>
     532<a name='failure49'></a><dd><b>Testcase <a target='other_window' href='./js1_6/Regress/regress-309242.js'>js1_6/Regress/regress-309242.js</a> failed</b> <br>
     533 [ <a href='#failure48'>Previous Failure</a> | <a href='#failure50'>Next Failure</a> | <a href='#tippy_top'>Top of Page</a> ]<br>
     534<tt>Expected exit code 0, got 3<br>
     535Testcase terminated with signal 0<br>
     536Complete testcase output was:<br>
     537Testcase produced no output!</tt><br>
     538<a name='failure50'></a><dd><b>Testcase <a target='other_window' href='./js1_6/Regress/regress-314887.js'>js1_6/Regress/regress-314887.js</a> failed</b> <br>
    542539 [ <a href='#failure49'>Previous Failure</a> | <a href='#failure51'>Next Failure</a> | <a href='#tippy_top'>Top of Page</a> ]<br>
    543540<tt>Expected exit code 0, got 3<br>
     
    545542Complete testcase output was:<br>
    546543Testcase produced no output!</tt><br>
    547 <a name='failure51'></a><dd><b>Testcase <a target='other_window' href='./js1_6/Regress/regress-314887.js'>js1_6/Regress/regress-314887.js</a> failed</b> <br>
     544<a name='failure51'></a><dd><b>Testcase <a target='other_window' href='./js1_6/String/regress-306591.js'>js1_6/String/regress-306591.js</a> failed</b> <a href='http://bugzilla.mozilla.org/show_bug.cgi?id=306591' target='other_window'>Bug Number 306591</a><br>
    548545 [ <a href='#failure50'>Previous Failure</a> | <a href='#failure52'>Next Failure</a> | <a href='#tippy_top'>Top of Page</a> ]<br>
    549 <tt>Expected exit code 0, got 3<br>
    550 Testcase terminated with signal 0<br>
    551 Complete testcase output was:<br>
    552 Testcase produced no output!</tt><br>
    553 <a name='failure52'></a><dd><b>Testcase <a target='other_window' href='./js1_6/String/regress-306591.js'>js1_6/String/regress-306591.js</a> failed</b> <a href='http://bugzilla.mozilla.org/show_bug.cgi?id=306591' target='other_window'>Bug Number 306591</a><br>
    554  [ <a href='#failure51'>Previous Failure</a> | <a href='#failure53'>Next Failure</a> | <a href='#tippy_top'>Top of Page</a> ]<br>
    555546<tt>Expected exit code 0, got 3<br>
    556547Testcase terminated with signal 0<br>
     
    559550STATUS: String static methods<br>
    560551STATUS: See https://bugzilla.mozilla.org/show_bug.cgi?id=304828<br>
    561 [82528] ./js1_6/String/regress-306591.js line 48: TypeError: Value undefined (result of expression String.split) is not object.<br>
     552[93584] ./js1_6/String/regress-306591.js line 48: TypeError: Value undefined (result of expression String.split) is not object.<br>
    562553</tt><br>
    563554</dl>
     
    567558<a name='retest_list'></a>
    568559<h2>Retest List</h2><br>
    569 # Retest List, kjs, generated Thu Jan  3 00:46:35 2008.
     560# Retest List, kjs, generated Thu Mar  6 13:53:55 2008.
    570561# Original test base was: All tests.
    571 # 1127 of 1135 test(s) were completed, 52 failures reported.
     562# 1127 of 1135 test(s) were completed, 51 failures reported.
    572563ecma/TypeConversion/9.3.1-3.js
    573564ecma_2/Exceptions/function-001.js
     
    610601js1_5/Object/regress-96284-002.js
    611602js1_5/Regress/regress-44009.js
    612 js1_5/Regress/regress-68498-003.js
    613603js1_5/Regress/regress-103602.js
    614604js1_5/Regress/regress-104077.js
  • trunk/LayoutTests/ChangeLog

    r30869 r30871  
     12008-03-06  Geoffrey Garen  <ggaren@apple.com>
     2
     3        Reviewed by Darin Adler.
     4
     5        Tests for <rdar://problem/5689093> Stricter (ES4) eval semantics
     6       
     7        * fast/js/eval-cross-window-expected.txt: Added.
     8        * fast/js/eval-cross-window.html: Added.
     9        * fast/js/eval-keyword-vs-function-expected.txt: Added.
     10        * fast/js/eval-keyword-vs-function.html: Added.
     11        * fast/js/eval-overriding-expected.txt: Added.
     12        * fast/js/eval-overriding.html: Added.
     13       
     14        Tests to make sure not to regress security:
     15
     16        * http/tests/security/resources/xss-eval2.html: Added.
     17        * http/tests/security/resources/xss-eval3.html: Added.
     18        * http/tests/security/xss-eval-expected.txt: Added.
     19        * http/tests/security/xss-eval.html: Added.
     20
     21        I removed these tests because we no longer match the behavior they
     22        expected, and the new tests are more comprehensive:
     23       
     24        * fast/js/window-eval-context-expected.txt: Removed.
     25        * fast/js/window-eval-context.html: Removed.
     26        * fast/js/window-eval-tearoff-expected.txt: Removed.
     27        * fast/js/window-eval-tearoff.html: Removed.
     28
    1292008-03-06  Oliver Hunt  <oliver@apple.com>
    230
Note: See TracChangeset for help on using the changeset viewer.