Changeset 48331 in webkit

Timestamp:

Sep 11, 2009 9:52:39 PM (15 years ago)

Author:

oliver@apple.com

Message:

getPropertyNames caching is invalid when the prototype chain contains objects with custom getPropertyNames
​https://bugs.webkit.org/show_bug.cgi?id=29214

Reviewed by Sam Weinig.

Add a flag to TypeInfo to indicate whether a type overrides getPropertyNames.
This flag is used to make sure that caching of the property name data is safe.

Location:

trunk

Files:

• JavaScriptCore/API/JSCallbackConstructor.h (modified) (1 diff)
• JavaScriptCore/ChangeLog (modified) (1 diff)
• JavaScriptCore/debugger/DebuggerActivation.h (modified) (1 diff)
• JavaScriptCore/runtime/BooleanObject.h (modified) (1 diff)
• JavaScriptCore/runtime/DatePrototype.h (modified) (1 diff)
• JavaScriptCore/runtime/FunctionPrototype.h (modified) (1 diff)
• JavaScriptCore/runtime/JSONObject.h (modified) (1 diff)
• JavaScriptCore/runtime/JSObject.h (modified) (1 diff)
• JavaScriptCore/runtime/JSTypeInfo.h (modified) (2 diffs)
• JavaScriptCore/runtime/JSVariableObject.h (modified) (1 diff)
• JavaScriptCore/runtime/JSWrapperObject.h (modified) (1 diff)
• JavaScriptCore/runtime/MathObject.h (modified) (1 diff)
• JavaScriptCore/runtime/NumberConstructor.h (modified) (1 diff)
• JavaScriptCore/runtime/NumberObject.h (modified) (1 diff)
• JavaScriptCore/runtime/RegExpConstructor.h (modified) (1 diff)
• JavaScriptCore/runtime/RegExpObject.h (modified) (1 diff)
• JavaScriptCore/runtime/StructureChain.cpp (modified) (1 diff)
• LayoutTests/ChangeLog (modified) (1 diff)
• LayoutTests/fast/js/for-in-cached-expected.txt (modified) (1 diff)
• LayoutTests/fast/js/resources/for-in-cached.js (modified) (1 diff)

trunk/JavaScriptCore/API/JSCallbackConstructor.h

@@ -42 +42 @@
     static PassRefPtr<Structure> createStructure(JSValue proto) 
     { 
-        return Structure::create(proto, TypeInfo(ObjectType, ImplementsHasInstance | HasStandardGetOwnPropertySlot | HasDefaultMark)); 
+        return Structure::create(proto, TypeInfo(ObjectType, ImplementsHasInstance | HasStandardGetOwnPropertySlot | HasDefaultMark | HasDefaultGetPropertyNames)); 
     }
 

trunk/JavaScriptCore/ChangeLog

@@ +1 @@
+2009-09-11  Oliver Hunt  <oliver@apple.com>
+
+        Reviewed by Sam Weinig.
+
+        getPropertyNames caching is invalid when the prototype chain contains objects with custom getPropertyNames
+        https://bugs.webkit.org/show_bug.cgi?id=29214
+
+        Add a flag to TypeInfo to indicate whether a type overrides getPropertyNames.
+        This flag is used to make sure that caching of the property name data is safe.
+
+        * API/JSCallbackConstructor.h:
+        (JSC::JSCallbackConstructor::createStructure):
+        * debugger/DebuggerActivation.h:
+        (JSC::DebuggerActivation::createStructure):
+        * runtime/BooleanObject.h:
+        (JSC::BooleanObject::createStructure):
+        * runtime/DatePrototype.h:
+        (JSC::DatePrototype::createStructure):
+        * runtime/FunctionPrototype.h:
+        (JSC::FunctionPrototype::createStructure):
+        * runtime/JSONObject.h:
+        (JSC::JSONObject::createStructure):
+        * runtime/JSObject.h:
+        (JSC::JSObject::createStructure):
+        * runtime/JSTypeInfo.h:
+        (JSC::TypeInfo::hasDefaultGetPropertyNames):
+        * runtime/JSVariableObject.h:
+        (JSC::JSVariableObject::createStructure):
+        * runtime/JSWrapperObject.h:
+        (JSC::JSWrapperObject::createStructure):
+        * runtime/MathObject.h:
+        (JSC::MathObject::createStructure):
+        * runtime/NumberConstructor.h:
+        (JSC::NumberConstructor::createStructure):
+        * runtime/NumberObject.h:
+        (JSC::NumberObject::createStructure):
+        * runtime/RegExpConstructor.h:
+        (JSC::RegExpConstructor::createStructure):
+        * runtime/RegExpObject.h:
+        (JSC::RegExpObject::createStructure):
+        * runtime/StructureChain.cpp:
+        (JSC::StructureChain::isCacheable):
+
 2009-09-11  Alexey Proskuryakov  <ap@webkit.org>
 

trunk/JavaScriptCore/debugger/DebuggerActivation.h

@@ -52 +52 @@
         static PassRefPtr<Structure> createStructure(JSValue prototype) 
         {
-            return Structure::create(prototype, TypeInfo(ObjectType)); 
+            return Structure::create(prototype, TypeInfo(ObjectType, HasDefaultGetPropertyNames)); 
         }
 

trunk/JavaScriptCore/runtime/BooleanObject.h

@@ -35 +35 @@
         static PassRefPtr<Structure> createStructure(JSValue prototype)
         {
-            return Structure::create(prototype, TypeInfo(ObjectType, HasStandardGetOwnPropertySlot | HasDefaultMark));
+            return Structure::create(prototype, TypeInfo(ObjectType, HasStandardGetOwnPropertySlot | HasDefaultMark | HasDefaultGetPropertyNames));
         }
     };

trunk/JavaScriptCore/runtime/DatePrototype.h

@@ -40 +40 @@
         static PassRefPtr<Structure> createStructure(JSValue prototype)
         {
-            return Structure::create(prototype, TypeInfo(ObjectType));
+            return Structure::create(prototype, TypeInfo(ObjectType, HasDefaultGetPropertyNames));
         }
     };

trunk/JavaScriptCore/runtime/FunctionPrototype.h

@@ -35 +35 @@
         static PassRefPtr<Structure> createStructure(JSValue proto)
         {
-            return Structure::create(proto, TypeInfo(ObjectType, HasStandardGetOwnPropertySlot | HasDefaultMark));
+            return Structure::create(proto, TypeInfo(ObjectType, HasStandardGetOwnPropertySlot | HasDefaultMark | HasDefaultGetPropertyNames));
         }
 

trunk/JavaScriptCore/runtime/JSONObject.h

@@ -42 +42 @@
         static PassRefPtr<Structure> createStructure(JSValue prototype)
         {
-            return Structure::create(prototype, TypeInfo(ObjectType, HasDefaultMark));
+            return Structure::create(prototype, TypeInfo(ObjectType, HasDefaultMark | HasDefaultGetPropertyNames));
         }
 

trunk/JavaScriptCore/runtime/JSObject.h

@@ -206 +206 @@
         static PassRefPtr<Structure> createStructure(JSValue prototype)
         {
-            return Structure::create(prototype, TypeInfo(ObjectType, HasStandardGetOwnPropertySlot | HasDefaultMark));
+            return Structure::create(prototype, TypeInfo(ObjectType, HasStandardGetOwnPropertySlot | HasDefaultMark | HasDefaultGetPropertyNames));
         }
 

trunk/JavaScriptCore/runtime/JSTypeInfo.h

@@ -43 +43 @@
     static const unsigned HasStandardGetOwnPropertySlot = 1 << 5;
     static const unsigned HasDefaultMark = 1 << 6;
+    static const unsigned HasDefaultGetPropertyNames = 1 << 7;
 
     class TypeInfo {
@@ -65 +66 @@
         bool hasStandardGetOwnPropertySlot() const { return m_flags & HasStandardGetOwnPropertySlot; }
         bool hasDefaultMark() const { return m_flags & HasDefaultMark; }
+        bool hasDefaultGetPropertyNames() const { return m_flags & HasDefaultGetPropertyNames; }
         unsigned flags() const { return m_flags; }
 

trunk/JavaScriptCore/runtime/JSVariableObject.h

@@ -59 +59 @@
         Register& registerAt(int index) const { return d->registers[index]; }
 
+        static PassRefPtr<Structure> createStructure(JSValue prototype)
+        {
+            return Structure::create(prototype, TypeInfo(ObjectType, HasStandardGetOwnPropertySlot | HasDefaultMark));
+        }
+        
     protected:
         // Subclasses of JSVariableObject can subclass this struct to add data

trunk/JavaScriptCore/runtime/JSWrapperObject.h

@@ -39 +39 @@
         static PassRefPtr<Structure> createStructure(JSValue prototype) 
         { 
-            return Structure::create(prototype, TypeInfo(ObjectType, HasStandardGetOwnPropertySlot));
+            return Structure::create(prototype, TypeInfo(ObjectType, HasStandardGetOwnPropertySlot | HasDefaultGetPropertyNames));
         }
 

trunk/JavaScriptCore/runtime/MathObject.h

@@ -38 +38 @@
         static PassRefPtr<Structure> createStructure(JSValue prototype)
         {
-            return Structure::create(prototype, TypeInfo(ObjectType, HasDefaultMark));
+            return Structure::create(prototype, TypeInfo(ObjectType, HasDefaultMark | HasDefaultGetPropertyNames));
         }
     };

trunk/JavaScriptCore/runtime/NumberConstructor.h

@@ -40 +40 @@
         static PassRefPtr<Structure> createStructure(JSValue proto) 
         { 
-            return Structure::create(proto, TypeInfo(ObjectType, ImplementsHasInstance | HasDefaultMark)); 
+            return Structure::create(proto, TypeInfo(ObjectType, ImplementsHasInstance | HasDefaultMark | HasDefaultGetPropertyNames)); 
         }
 

trunk/JavaScriptCore/runtime/NumberObject.h

@@ -34 +34 @@
         static PassRefPtr<Structure> createStructure(JSValue prototype)
         {
-            return Structure::create(prototype, TypeInfo(ObjectType, HasStandardGetOwnPropertySlot));
+            return Structure::create(prototype, TypeInfo(ObjectType, HasStandardGetOwnPropertySlot | HasDefaultGetPropertyNames));
         }
 #else
         static PassRefPtr<Structure> createStructure(JSValue prototype)
         {
-            return Structure::create(prototype, TypeInfo(ObjectType, HasStandardGetOwnPropertySlot | HasDefaultMark));
+            return Structure::create(prototype, TypeInfo(ObjectType, HasStandardGetOwnPropertySlot | HasDefaultMark | HasDefaultGetPropertyNames));
         }
 #endif

trunk/JavaScriptCore/runtime/RegExpConstructor.h

@@ -37 +37 @@
         static PassRefPtr<Structure> createStructure(JSValue prototype)
         {
-            return Structure::create(prototype, TypeInfo(ObjectType, ImplementsHasInstance | HasDefaultMark));
+            return Structure::create(prototype, TypeInfo(ObjectType, ImplementsHasInstance | HasDefaultMark | HasDefaultGetPropertyNames));
         }
 

trunk/JavaScriptCore/runtime/RegExpObject.h

@@ -50 +50 @@
         static PassRefPtr<Structure> createStructure(JSValue prototype)
         {
-            return Structure::create(prototype, TypeInfo(ObjectType, HasDefaultMark));
+            return Structure::create(prototype, TypeInfo(ObjectType, HasDefaultMark | HasDefaultGetPropertyNames));
         }
 

trunk/JavaScriptCore/runtime/StructureChain.cpp

@@ -52 +52 @@
     
     while (m_vector[i]) {
-        if (m_vector[i++]->isDictionary())
+        if (m_vector[i]->isDictionary())
+            return false;
+        if (!m_vector[i++]->typeInfo().hasDefaultGetPropertyNames())
             return false;
     }

trunk/LayoutTests/ChangeLog

@@ +1 @@
+2009-09-11  Oliver Hunt  <oliver@apple.com>
+
+        Reviewed by Sam Weinig.
+
+        getPropertyNames caching is invalid when the prototype chain contains objects with custom getPropertyNames
+        https://bugs.webkit.org/show_bug.cgi?id=29214
+
+        Add test case for for-in caching.
+
+        * fast/js/for-in-cached-expected.txt:
+        * fast/js/resources/for-in-cached.js:
+        (forIn4):
+
 2009-09-10  Chris Fleizach  <cfleizach@apple.com>
 

trunk/LayoutTests/fast/js/for-in-cached-expected.txt

@@ -9 +9 @@
 PASS forIn3({ y2 : 2, __proto__: null }) is ['x', 'y2']
 PASS forIn3({ __proto__: { __proto__: { y3 : 2 } } }) is ['x', 'y3']
+PASS forIn4(objectWithArrayAsProto) is []
+PASS forIn4(objectWithArrayAsProto) is ['0']
 PASS successfullyParsed is true
 

trunk/LayoutTests/fast/js/resources/for-in-cached.js

@@ -44 +44 @@
 shouldBe("forIn3({ __proto__: { __proto__: { y3 : 2 } } })", "['x', 'y3']");
 
+function forIn4(o) {
+    var result = [];
+    for (var p in o)
+        result.push(p);
+    return result;
+}
+var objectWithArrayAsProto = {};
+objectWithArrayAsProto.__proto__ = [];
+shouldBe("forIn4(objectWithArrayAsProto)", "[]");
+objectWithArrayAsProto.__proto__[0]=1;
+shouldBe("forIn4(objectWithArrayAsProto)", "['0']");
+
 var successfullyParsed = true;