Changeset 82173 in webkit

Timestamp:

Mar 28, 2011 4:39:16 PM (13 years ago)

Author:

oliver@apple.com

Message:

2011-03-28 Oliver Hunt <​oliver@apple.com>

Reviewed by Geoffrey Garen.

instanceof Array test fails when using iframes
​https://bugs.webkit.org/show_bug.cgi?id=17250

Add test cases for correct behaviour

• fast/js/js-constructors-use-correct-global-expected.txt: Added.
• fast/js/js-constructors-use-correct-global.html: Added.
• fast/js/resources/js-constructors-use-correct-global.js: Added.

2011-03-28 Oliver Hunt <​oliver@apple.com>

Reviewed by Geoffrey Garen.

instanceof Array test fails when using iframes
​https://bugs.webkit.org/show_bug.cgi?id=17250

This is a problem with all built in constructors, the use of
lexicalGlobalObject rather than the constructors own
global object reference means that a builtin will always use
the prototype from the lexical global object rather than that
of the constructors origin.

• API/JSObjectRef.cpp: (JSObjectMakeFunction): (JSObjectMakeRegExp):
• JavaScriptCore.exp:
• runtime/ArrayConstructor.cpp: (JSC::constructArrayWithSizeQuirk):
• runtime/BooleanConstructor.cpp: (JSC::constructBoolean): (JSC::constructBooleanFromImmediateBoolean):
• runtime/BooleanConstructor.h:
• runtime/DateConstructor.cpp: (JSC::constructDate):
• runtime/DateInstance.cpp:
• runtime/DateInstance.h:
• runtime/ErrorConstructor.cpp: (JSC::constructWithErrorConstructor): (JSC::callErrorConstructor):
• runtime/FunctionConstructor.cpp: (JSC::constructWithFunctionConstructor): (JSC::callFunctionConstructor): (JSC::constructFunction):
• runtime/FunctionConstructor.h:
• runtime/JSCell.cpp: (JSC::JSCell::getOwnPropertySlot): (JSC::JSCell::put): (JSC::JSCell::deleteProperty): (JSC::JSCell::toThisObject): (JSC::JSCell::toObject):
• runtime/JSCell.h: (JSC::JSCell::JSValue::toObject):
• runtime/JSNotAnObject.cpp: (JSC::JSNotAnObject::toObject):
• runtime/JSNotAnObject.h:
• runtime/JSObject.cpp: (JSC::JSObject::toObject):
• runtime/JSObject.h:
• runtime/JSString.cpp: (JSC::StringObject::create): (JSC::JSString::toObject): (JSC::JSString::toThisObject):
• runtime/JSString.h:
• runtime/JSValue.cpp: (JSC::JSValue::toObjectSlowCase): (JSC::JSValue::toThisObjectSlowCase): (JSC::JSValue::synthesizeObject):
• runtime/JSValue.h:
• runtime/NumberConstructor.cpp: (JSC::constructWithNumberConstructor):
• runtime/NumberObject.cpp: (JSC::constructNumber):
• runtime/NumberObject.h:
• runtime/ObjectConstructor.cpp: (JSC::constructObject): (JSC::constructWithObjectConstructor): (JSC::callObjectConstructor):
• runtime/RegExpConstructor.cpp: (JSC::constructRegExp): (JSC::constructWithRegExpConstructor): (JSC::callRegExpConstructor):
• runtime/RegExpConstructor.h:
• runtime/StringConstructor.cpp: (JSC::constructWithStringConstructor):
• runtime/StringObject.h:

2011-03-25 Oliver Hunt <​oliver@apple.com>

Reviewed by Geoffrey Garen.

instanceof Array test fails when using iframes
​https://bugs.webkit.org/show_bug.cgi?id=17250

Up date for new toObject api

• UserObjectImp.cpp: (UserObjectImp::toPrimitive): (UserObjectImp::toBoolean): (UserObjectImp::toNumber): (UserObjectImp::toString):

2011-03-28 Oliver Hunt <​oliver@apple.com>

Reviewed by Geoffrey Garen.

instanceof Array test fails when using iframes
​https://bugs.webkit.org/show_bug.cgi?id=17250

Update for new function and date apis

Test: fast/js/js-constructors-use-correct-global.html

• WebCore.xcodeproj/project.pbxproj:
• bindings/js/JSDOMBinding.cpp: (WebCore::jsDateOrNull):
• bindings/js/JSLazyEventListener.cpp: (WebCore::JSLazyEventListener::initializeJSFunction):

Location:

trunk

Files:

• LayoutTests/ChangeLog (modified) (1 diff)
• LayoutTests/fast/js/js-constructors-use-correct-global-expected.txt (added)
• LayoutTests/fast/js/js-constructors-use-correct-global.html (added)
• LayoutTests/fast/js/resources/js-constructors-use-correct-global.js (added)
• Source/JavaScriptCore/API/JSObjectRef.cpp (modified) (2 diffs)
• Source/JavaScriptCore/ChangeLog (modified) (1 diff)
• Source/JavaScriptCore/JavaScriptCore.exp (modified) (5 diffs)
• Source/JavaScriptCore/JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCore.def (modified) (3 diffs)
• Source/JavaScriptCore/bytecompiler/BytecodeGenerator.cpp (modified) (1 diff)
• Source/JavaScriptCore/runtime/ArrayConstructor.cpp (modified) (2 diffs)
• Source/JavaScriptCore/runtime/BooleanConstructor.cpp (modified) (2 diffs)
• Source/JavaScriptCore/runtime/BooleanConstructor.h (modified) (1 diff)
• Source/JavaScriptCore/runtime/DateConstructor.cpp (modified) (1 diff)
• Source/JavaScriptCore/runtime/DateInstance.cpp (modified) (1 diff)
• Source/JavaScriptCore/runtime/DateInstance.h (modified) (1 diff)
• Source/JavaScriptCore/runtime/ErrorConstructor.cpp (modified) (2 diffs)
• Source/JavaScriptCore/runtime/FunctionConstructor.cpp (modified) (5 diffs)
• Source/JavaScriptCore/runtime/FunctionConstructor.h (modified) (1 diff)
• Source/JavaScriptCore/runtime/JSCell.cpp (modified) (4 diffs)
• Source/JavaScriptCore/runtime/JSCell.h (modified) (3 diffs)
• Source/JavaScriptCore/runtime/JSNotAnObject.cpp (modified) (1 diff)
• Source/JavaScriptCore/runtime/JSNotAnObject.h (modified) (1 diff)
• Source/JavaScriptCore/runtime/JSObject.cpp (modified) (1 diff)
• Source/JavaScriptCore/runtime/JSObject.h (modified) (1 diff)
• Source/JavaScriptCore/runtime/JSString.cpp (modified) (1 diff)
• Source/JavaScriptCore/runtime/JSString.h (modified) (1 diff)
• Source/JavaScriptCore/runtime/JSValue.cpp (modified) (3 diffs)
• Source/JavaScriptCore/runtime/JSValue.h (modified) (3 diffs)
• Source/JavaScriptCore/runtime/NumberConstructor.cpp (modified) (1 diff)
• Source/JavaScriptCore/runtime/NumberObject.cpp (modified) (1 diff)
• Source/JavaScriptCore/runtime/NumberObject.h (modified) (1 diff)
• Source/JavaScriptCore/runtime/ObjectConstructor.cpp (modified) (3 diffs)
• Source/JavaScriptCore/runtime/RegExpConstructor.cpp (modified) (4 diffs)
• Source/JavaScriptCore/runtime/RegExpConstructor.h (modified) (1 diff)
• Source/JavaScriptCore/runtime/StringConstructor.cpp (modified) (1 diff)
• Source/JavaScriptCore/runtime/StringObject.h (modified) (1 diff)
• Source/JavaScriptGlue/ChangeLog (modified) (1 diff)
• Source/JavaScriptGlue/UserObjectImp.cpp (modified) (4 diffs)
• Source/WebCore/ChangeLog (modified) (1 diff)
• Source/WebCore/bindings/js/JSDOMBinding.cpp (modified) (1 diff)
• Source/WebCore/bindings/js/JSLazyEventListener.cpp (modified) (1 diff)
• Source/WebCore/bridge/qt/qt_runtime.cpp (modified) (1 diff)

trunk/LayoutTests/ChangeLog

@@ +1 @@
+2011-03-28  Oliver Hunt  <oliver@apple.com>
+
+        Reviewed by Geoffrey Garen.
+
+        instanceof Array test fails when using iframes
+        https://bugs.webkit.org/show_bug.cgi?id=17250
+
+        Add test cases for correct behaviour
+
+        * fast/js/js-constructors-use-correct-global-expected.txt: Added.
+        * fast/js/js-constructors-use-correct-global.html: Added.
+        * fast/js/resources/js-constructors-use-correct-global.js: Added.
+
 2011-03-28  Vincent Scheib  <scheib@chromium.org>
 

trunk/Source/JavaScriptCore/API/JSObjectRef.cpp

@@ -125 +125 @@
     args.append(jsString(exec, body->ustring()));
 
-    JSObject* result = constructFunction(exec, args, nameID, sourceURL->ustring(), startingLineNumber);
+    JSObject* result = constructFunction(exec, exec->lexicalGlobalObject(), args, nameID, sourceURL->ustring(), startingLineNumber);
     if (exec->hadException()) {
         if (exception)
@@ -208 +208 @@
         argList.append(toJS(exec, arguments[i]));
 
-    JSObject* result = constructRegExp(exec, argList);
+    JSObject* result = constructRegExp(exec, exec->lexicalGlobalObject(),  argList);
     if (exec->hadException()) {
         if (exception)

trunk/Source/JavaScriptCore/ChangeLog

@@ +1 @@
+2011-03-28  Oliver Hunt  <oliver@apple.com>
+
+        Reviewed by Geoffrey Garen.
+
+        instanceof Array test fails when using iframes
+        https://bugs.webkit.org/show_bug.cgi?id=17250
+
+        This is a problem with all built in constructors, the use of
+        lexicalGlobalObject rather than the constructors own 
+        global object reference means that a builtin will always use
+        the prototype from the lexical global object rather than that
+        of the constructors origin.
+
+        * API/JSObjectRef.cpp:
+        (JSObjectMakeFunction):
+        (JSObjectMakeRegExp):
+        * JavaScriptCore.exp:
+        * runtime/ArrayConstructor.cpp:
+        (JSC::constructArrayWithSizeQuirk):
+        * runtime/BooleanConstructor.cpp:
+        (JSC::constructBoolean):
+        (JSC::constructBooleanFromImmediateBoolean):
+        * runtime/BooleanConstructor.h:
+        * runtime/DateConstructor.cpp:
+        (JSC::constructDate):
+        * runtime/DateInstance.cpp:
+        * runtime/DateInstance.h:
+        * runtime/ErrorConstructor.cpp:
+        (JSC::constructWithErrorConstructor):
+        (JSC::callErrorConstructor):
+        * runtime/FunctionConstructor.cpp:
+        (JSC::constructWithFunctionConstructor):
+        (JSC::callFunctionConstructor):
+        (JSC::constructFunction):
+        * runtime/FunctionConstructor.h:
+        * runtime/JSCell.cpp:
+        (JSC::JSCell::getOwnPropertySlot):
+        (JSC::JSCell::put):
+        (JSC::JSCell::deleteProperty):
+        (JSC::JSCell::toThisObject):
+        (JSC::JSCell::toObject):
+        * runtime/JSCell.h:
+        (JSC::JSCell::JSValue::toObject):
+        * runtime/JSNotAnObject.cpp:
+        (JSC::JSNotAnObject::toObject):
+        * runtime/JSNotAnObject.h:
+        * runtime/JSObject.cpp:
+        (JSC::JSObject::toObject):
+        * runtime/JSObject.h:
+        * runtime/JSString.cpp:
+        (JSC::StringObject::create):
+        (JSC::JSString::toObject):
+        (JSC::JSString::toThisObject):
+        * runtime/JSString.h:
+        * runtime/JSValue.cpp:
+        (JSC::JSValue::toObjectSlowCase):
+        (JSC::JSValue::toThisObjectSlowCase):
+        (JSC::JSValue::synthesizeObject):
+        * runtime/JSValue.h:
+        * runtime/NumberConstructor.cpp:
+        (JSC::constructWithNumberConstructor):
+        * runtime/NumberObject.cpp:
+        (JSC::constructNumber):
+        * runtime/NumberObject.h:
+        * runtime/ObjectConstructor.cpp:
+        (JSC::constructObject):
+        (JSC::constructWithObjectConstructor):
+        (JSC::callObjectConstructor):
+        * runtime/RegExpConstructor.cpp:
+        (JSC::constructRegExp):
+        (JSC::constructWithRegExpConstructor):
+        (JSC::callRegExpConstructor):
+        * runtime/RegExpConstructor.h:
+        * runtime/StringConstructor.cpp:
+        (JSC::constructWithStringConstructor):
+        * runtime/StringObject.h:
+
 2011-03-28  Geoffrey Garen  <ggaren@apple.com>
 

trunk/Source/JavaScriptCore/JavaScriptCore.exp

@@ -123 +123 @@
 __ZN3JSC12DateInstance6s_infoE
 __ZN3JSC12DateInstanceC1EPNS_9ExecStateEN3WTF17NonNullPassRefPtrINS_9StructureEEEd
-__ZN3JSC12DateInstanceC1EPNS_9ExecStateEd
 __ZN3JSC12JSGlobalData10ClientDataD2Ev
 __ZN3JSC12JSGlobalData11jsArrayVPtrE
@@ -183 +182 @@
 __ZN3JSC17BytecodeGenerator21setDumpsGeneratedCodeEb
 __ZN3JSC17PropertyNameArray3addEPN3WTF10StringImplE
-__ZN3JSC17constructFunctionEPNS_9ExecStateERKNS_7ArgListERKNS_10IdentifierERKNS_7UStringEi
+__ZN3JSC17constructFunctionEPNS_9ExecStateEPNS_14JSGlobalObjectERKNS_7ArgListERKNS_10IdentifierERKNS_7UStringEi
 __ZN3JSC17createSyntaxErrorEPNS_9ExecStateERKNS_7UStringE
 __ZN3JSC18DebuggerActivationC1ERNS_12JSGlobalDataEPNS_8JSObjectE
@@ -536 +535 @@
 __ZNK3JSC6JSCell14isGetterSetterEv
 __ZNK3JSC6JSCell8toNumberEPNS_9ExecStateE
-__ZNK3JSC6JSCell8toObjectEPNS_9ExecStateE
+__ZNK3JSC6JSCell8toObjectEPNS_9ExecStateEPNS_14JSGlobalObjectE
 __ZNK3JSC6JSCell8toStringEPNS_9ExecStateE
 __ZNK3JSC6JSCell9getStringEPNS_9ExecStateE
@@ -544 +543 @@
 __ZNK3JSC7ArgList8getSliceEiRS0_
 __ZNK3JSC7JSArray12subclassDataEv
-__ZNK3JSC7JSValue16toObjectSlowCaseEPNS_9ExecStateE
+__ZNK3JSC7JSValue16toObjectSlowCaseEPNS_9ExecStateEPNS_14JSGlobalObjectE
 __ZNK3JSC7JSValue19synthesizePrototypeEPNS_9ExecStateE
 __ZNK3JSC7JSValue20toThisObjectSlowCaseEPNS_9ExecStateE
@@ -557 +556 @@
 __ZNK3JSC8JSObject18toStrictThisObjectEPNS_9ExecStateE
 __ZNK3JSC8JSObject8toNumberEPNS_9ExecStateE
-__ZNK3JSC8JSObject8toObjectEPNS_9ExecStateE
+__ZNK3JSC8JSObject8toObjectEPNS_9ExecStateEPNS_14JSGlobalObjectE
 __ZNK3JSC8JSObject8toStringEPNS_9ExecStateE
 __ZNK3JSC8JSObject9classNameEv

trunk/Source/JavaScriptCore/JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCore.def

@@ -4 +4 @@
     ??0CString@WTF@@QAE@PBDI@Z
     ??0Collator@WTF@@QAE@PBD@Z
-    ??0DateInstance@JSC@@QAE@PAVExecState@1@N@Z
     ??0DateInstance@JSC@@QAE@PAVExecState@1@V?$NonNullPassRefPtr@VStructure@JSC@@@WTF@@N@Z
     ??0DefaultGCActivityCallback@JSC@@QAE@PAVHeap@1@@Z
@@ -95 +94 @@
     ?constructEmptyArray@JSC@@YAPAVJSArray@1@PAVExecState@1@@Z
     ?constructEmptyObject@JSC@@YAPAVJSObject@1@PAVExecState@1@@Z
-    ?constructFunction@JSC@@YAPAVJSObject@1@PAVExecState@1@ABVArgList@1@ABVIdentifier@1@ABVUString@1@H@Z
+    ?constructFunction@JSC@@YAPAVJSObject@1@PAVExecState@1@PAVJSGlobalObject@1@ABVArgList@1@ABVIdentifier@1@ABVUString@1@H@Z
     ?convertUTF16ToUTF8@Unicode@WTF@@YA?AW4ConversionResult@12@PAPB_WPB_WPAPADPAD_N@Z
     ?convertUTF8ToUTF16@Unicode@WTF@@YA?AW4ConversionResult@12@PAPBDPBDPAPA_WPA_W_N@Z
@@ -337 +336 @@
     ?toNumber@JSObject@JSC@@UBENPAVExecState@2@@Z
     ?toNumber@JSString@JSC@@EBENPAVExecState@2@@Z
-    ?toObject@JSCell@JSC@@UBEPAVJSObject@2@PAVExecState@2@@Z
-    ?toObject@JSObject@JSC@@UBEPAV12@PAVExecState@2@@Z
-    ?toObject@JSString@JSC@@EBEPAVJSObject@2@PAVExecState@2@@Z
-    ?toObjectSlowCase@JSValue@JSC@@ABEPAVJSObject@2@PAVExecState@2@@Z
+    ?toObject@JSCell@JSC@@UBEPAVJSObject@2@PAVExecState@2@PAVJSGlobalObject@2@@Z
+    ?toObject@JSObject@JSC@@UBEPAV12@PAVExecState@2@PAVJSGlobalObject@2@@Z
+    ?toObjectSlowCase@JSValue@JSC@@ABEPAVJSObject@2@PAVExecState@2@PAVJSGlobalObject@2@@Z
     ?toPrimitive@JSCell@JSC@@UBE?AVJSValue@2@PAVExecState@2@W4PreferredPrimitiveType@2@@Z
     ?toPrimitive@JSString@JSC@@EBE?AVJSValue@2@PAVExecState@2@W4PreferredPrimitiveType@2@@Z

trunk/Source/JavaScriptCore/bytecompiler/BytecodeGenerator.cpp

@@ -249 +249 @@
     for (SymbolTable::iterator it = symbolTable->begin(); it != end; ++it)
         registerFor(it->second.getIndex()).setIndex(it->second.getIndex() + m_globalVarStorageOffset);
-        
+
     BatchedTransitionOptimizer optimizer(*m_globalData, globalObject);
 

trunk/Source/JavaScriptCore/runtime/ArrayConstructor.cpp

@@ -53 +53 @@
 static inline JSObject* constructArrayWithSizeQuirk(ExecState* exec, const ArgList& args)
 {
+    JSGlobalObject* globalObject = asInternalFunction(exec->callee())->globalObject();
+
     // a single numeric argument denotes the array size (!)
     if (args.size() == 1 && args.at(0).isNumber()) {
@@ -58 +60 @@
         if (n != args.at(0).toNumber(exec))
             return throwError(exec, createRangeError(exec, "Array size is not a small enough positive integer."));
-        return new (exec) JSArray(exec->lexicalGlobalObject()->arrayStructure(), n, CreateInitialized);
+        return new (exec) JSArray(globalObject->arrayStructure(), n, CreateInitialized);
     }
 
     // otherwise the array is constructed with the arguments in it
-    return new (exec) JSArray(exec->globalData(), exec->lexicalGlobalObject()->arrayStructure(), args);
+    return new (exec) JSArray(exec->globalData(), globalObject->arrayStructure(), args);
 }
 

trunk/Source/JavaScriptCore/runtime/BooleanConstructor.cpp

@@ -41 +41 @@
 JSObject* constructBoolean(ExecState* exec, const ArgList& args)
 {
-    BooleanObject* obj = new (exec) BooleanObject(exec->globalData(), exec->lexicalGlobalObject()->booleanObjectStructure());
+    BooleanObject* obj = new (exec) BooleanObject(exec->globalData(), asInternalFunction(exec->callee())->globalObject()->booleanObjectStructure());
     obj->setInternalValue(exec->globalData(), jsBoolean(args.at(0).toBoolean(exec)));
     return obj;
@@ -70 +70 @@
 }
 
-JSObject* constructBooleanFromImmediateBoolean(ExecState* exec, JSValue immediateBooleanValue)
+JSObject* constructBooleanFromImmediateBoolean(ExecState* exec, JSGlobalObject* globalObject, JSValue immediateBooleanValue)
 {
-    BooleanObject* obj = new (exec) BooleanObject(exec->globalData(), exec->lexicalGlobalObject()->booleanObjectStructure());
+    BooleanObject* obj = new (exec) BooleanObject(exec->globalData(), globalObject->booleanObjectStructure());
     obj->setInternalValue(exec->globalData(), immediateBooleanValue);
     return obj;

trunk/Source/JavaScriptCore/runtime/BooleanConstructor.h

@@ -37 +37 @@
     };
 
-    JSObject* constructBooleanFromImmediateBoolean(ExecState*, JSValue);
+    JSObject* constructBooleanFromImmediateBoolean(ExecState*, JSGlobalObject*, JSValue);
     JSObject* constructBoolean(ExecState*, const ArgList&);
 

trunk/Source/JavaScriptCore/runtime/DateConstructor.cpp

@@ -122 +122 @@
     }
 
-    return new (exec) DateInstance(exec, value);
+    return new (exec) DateInstance(exec, asInternalFunction(exec->callee())->globalObject()->dateStructure(), value);
 }
     

trunk/Source/JavaScriptCore/runtime/DateInstance.cpp

@@ -49 +49 @@
 }
 
-DateInstance::DateInstance(ExecState* exec, double time)
-    : JSWrapperObject(exec->lexicalGlobalObject()->dateStructure())
-{
-    ASSERT(inherits(&s_info));
-    setInternalValue(exec->globalData(), jsNumber(timeClip(time)));
-}
-
 const GregorianDateTime* DateInstance::calculateGregorianDateTime(ExecState* exec) const
 {

trunk/Source/JavaScriptCore/runtime/DateInstance.h

@@ -32 +32 @@
     class DateInstance : public JSWrapperObject {
     public:
-        DateInstance(ExecState*, double);
         DateInstance(ExecState*, NonNullPassRefPtr<Structure>, double);
         explicit DateInstance(ExecState*, NonNullPassRefPtr<Structure>);

trunk/Source/JavaScriptCore/runtime/ErrorConstructor.cpp

@@ -43 +43 @@
 {
     JSValue message = exec->argumentCount() ? exec->argument(0) : jsUndefined();
-    Structure* errorStructure = exec->lexicalGlobalObject()->errorStructure();
+    Structure* errorStructure = asInternalFunction(exec->callee())->globalObject()->errorStructure();
     return JSValue::encode(ErrorInstance::create(exec, errorStructure, message));
 }
@@ -56 +56 @@
 {
     JSValue message = exec->argumentCount() ? exec->argument(0) : jsUndefined();
-    Structure* errorStructure = exec->lexicalGlobalObject()->errorStructure();
+    Structure* errorStructure = asInternalFunction(exec->callee())->globalObject()->errorStructure();
     return JSValue::encode(ErrorInstance::create(exec, errorStructure, message));
 }

trunk/Source/JavaScriptCore/runtime/FunctionConstructor.cpp

@@ -50 +50 @@
 {
     ArgList args(exec);
-    return JSValue::encode(constructFunction(exec, args));
+    return JSValue::encode(constructFunction(exec, asInternalFunction(exec->callee())->globalObject(), args));
 }
 
@@ -62 +62 @@
 {
     ArgList args(exec);
-    return JSValue::encode(constructFunction(exec, args));
+    return JSValue::encode(constructFunction(exec, asInternalFunction(exec->callee())->globalObject(), args));
 }
 
@@ -73 +73 @@
 
 // ECMA 15.3.2 The Function Constructor
-JSObject* constructFunction(ExecState* exec, const ArgList& args, const Identifier& functionName, const UString& sourceURL, int lineNumber)
+JSObject* constructFunction(ExecState* exec, JSGlobalObject* globalObject, const ArgList& args, const Identifier& functionName, const UString& sourceURL, int lineNumber)
 {
     // Functions need to have a space following the opening { due to for web compatibility
@@ -97 +97 @@
     }
 
-    JSGlobalObject* globalObject = exec->lexicalGlobalObject();
     JSGlobalData& globalData = globalObject->globalData();
     SourceCode source = makeSource(program, sourceURL, lineNumber);
@@ -112 +111 @@
 
 // ECMA 15.3.2 The Function Constructor
-JSObject* constructFunction(ExecState* exec, const ArgList& args)
+JSObject* constructFunction(ExecState* exec, JSGlobalObject* globalObject, const ArgList& args)
 {
-    return constructFunction(exec, args, Identifier(exec, "anonymous"), UString(), 1);
+    return constructFunction(exec, globalObject, args, Identifier(exec, "anonymous"), UString(), 1);
 }
 

trunk/Source/JavaScriptCore/runtime/FunctionConstructor.h

@@ -37 +37 @@
     };
 
-    JSObject* constructFunction(ExecState*, const ArgList&, const Identifier& functionName, const UString& sourceURL, int lineNumber);
-    JSObject* constructFunction(ExecState*, const ArgList&);
+    JSObject* constructFunction(ExecState*, JSGlobalObject*, const ArgList&, const Identifier& functionName, const UString& sourceURL, int lineNumber);
+    JSObject* constructFunction(ExecState*, JSGlobalObject*, const ArgList&);
 
 } // namespace JSC

trunk/Source/JavaScriptCore/runtime/JSCell.cpp

@@ -120 +120 @@
     // It should only be called by JSValue::get.
     // It calls getPropertySlot, not getOwnPropertySlot.
-    JSObject* object = toObject(exec);
+    JSObject* object = toObject(exec, exec->lexicalGlobalObject());
     slot.setBase(object);
     if (!object->getPropertySlot(exec, identifier, slot))
@@ -132 +132 @@
     // It should only be called by JSValue::get.
     // It calls getPropertySlot, not getOwnPropertySlot.
-    JSObject* object = toObject(exec);
+    JSObject* object = toObject(exec, exec->lexicalGlobalObject());
     slot.setBase(object);
     if (!object->getPropertySlot(exec, identifier, slot))
@@ -141 +141 @@
 void JSCell::put(ExecState* exec, const Identifier& identifier, JSValue value, PutPropertySlot& slot)
 {
-    toObject(exec)->put(exec, identifier, value, slot);
+    toObject(exec, exec->lexicalGlobalObject())->put(exec, identifier, value, slot);
 }
 
 void JSCell::put(ExecState* exec, unsigned identifier, JSValue value)
 {
-    toObject(exec)->put(exec, identifier, value);
+    toObject(exec, exec->lexicalGlobalObject())->put(exec, identifier, value);
 }
 
 bool JSCell::deleteProperty(ExecState* exec, const Identifier& identifier)
 {
-    return toObject(exec)->deleteProperty(exec, identifier);
+    return toObject(exec, exec->lexicalGlobalObject())->deleteProperty(exec, identifier);
 }
 
 bool JSCell::deleteProperty(ExecState* exec, unsigned identifier)
 {
-    return toObject(exec)->deleteProperty(exec, identifier);
+    return toObject(exec, exec->lexicalGlobalObject())->deleteProperty(exec, identifier);
 }
 
 JSObject* JSCell::toThisObject(ExecState* exec) const
 {
-    return toObject(exec);
+    return toObject(exec, exec->lexicalGlobalObject());
 }
 
@@ -204 +204 @@
 }
 
-JSObject* JSCell::toObject(ExecState*) const
+JSObject* JSCell::toObject(ExecState*, JSGlobalObject*) const
 {
     ASSERT_NOT_REACHED();

trunk/Source/JavaScriptCore/runtime/JSCell.h

@@ -36 +36 @@
 namespace JSC {
 
+    class JSGlobalObject;
+
 #if COMPILER(MSVC)
     // If WTF_MAKE_NONCOPYABLE is applied to JSCell we end up with a bunch of
@@ -107 +109 @@
         virtual double toNumber(ExecState*) const;
         virtual UString toString(ExecState*) const;
-        virtual JSObject* toObject(ExecState*) const;
+        virtual JSObject* toObject(ExecState*, JSGlobalObject*) const;
 
         // Garbage collection.
@@ -337 +339 @@
     inline JSObject* JSValue::toObject(ExecState* exec) const
     {
-        return isCell() ? asCell()->toObject(exec) : toObjectSlowCase(exec);
+        return isCell() ? asCell()->toObject(exec, exec->lexicalGlobalObject()) : toObjectSlowCase(exec, exec->lexicalGlobalObject());
+    }
+
+    inline JSObject* JSValue::toObject(ExecState* exec, JSGlobalObject* globalObject) const
+    {
+        return isCell() ? asCell()->toObject(exec, globalObject) : toObjectSlowCase(exec, globalObject);
     }
 

trunk/Source/JavaScriptCore/runtime/JSNotAnObject.cpp

@@ -68 +68 @@
 }
 
-JSObject* JSNotAnObject::toObject(ExecState* exec) const
+JSObject* JSNotAnObject::toObject(ExecState* exec, JSGlobalObject*) const
 {
     ASSERT_UNUSED(exec, exec->hadException());

trunk/Source/JavaScriptCore/runtime/JSNotAnObject.h

@@ -59 +59 @@
         virtual double toNumber(ExecState*) const;
         virtual UString toString(ExecState*) const;
-        virtual JSObject* toObject(ExecState*) const;
+        virtual JSObject* toObject(ExecState*, JSGlobalObject*) const;
 
         // JSObject methods

trunk/Source/JavaScriptCore/runtime/JSObject.cpp

@@ -490 +490 @@
 }
 
-JSObject* JSObject::toObject(ExecState*) const
+JSObject* JSObject::toObject(ExecState*, JSGlobalObject*) const
 {
     return const_cast<JSObject*>(this);

trunk/Source/JavaScriptCore/runtime/JSObject.h

@@ -139 +139 @@
         virtual double toNumber(ExecState*) const;
         virtual UString toString(ExecState*) const;
-        virtual JSObject* toObject(ExecState*) const;
+        virtual JSObject* toObject(ExecState*, JSGlobalObject*) const;
 
         virtual JSObject* toThisObject(ExecState*) const;

trunk/Source/JavaScriptCore/runtime/JSString.cpp

@@ -254 +254 @@
 }
 
-inline StringObject* StringObject::create(ExecState* exec, JSString* string)
-{
-    return new (exec) StringObject(exec->globalData(), exec->lexicalGlobalObject()->stringObjectStructure(), string);
-}
-
-JSObject* JSString::toObject(ExecState* exec) const
-{
-    return StringObject::create(exec, const_cast<JSString*>(this));
+inline StringObject* StringObject::create(ExecState* exec, JSGlobalObject* globalObject, JSString* string)
+{
+    return new (exec) StringObject(exec->globalData(), globalObject->stringObjectStructure(), string);
+}
+
+JSObject* JSString::toObject(ExecState* exec, JSGlobalObject* globalObject) const
+{
+    return StringObject::create(exec, globalObject, const_cast<JSString*>(this));
 }
 
 JSObject* JSString::toThisObject(ExecState* exec) const
 {
-    return StringObject::create(exec, const_cast<JSString*>(this));
+    return StringObject::create(exec, exec->lexicalGlobalObject(), const_cast<JSString*>(this));
 }
 

trunk/Source/JavaScriptCore/runtime/JSString.h

@@ -403 +403 @@
         virtual bool toBoolean(ExecState*) const;
         virtual double toNumber(ExecState*) const;
-        virtual JSObject* toObject(ExecState*) const;
+        virtual JSObject* toObject(ExecState*, JSGlobalObject*) const;
         virtual UString toString(ExecState*) const;
 

trunk/Source/JavaScriptCore/runtime/JSValue.cpp

@@ -55 +55 @@
 }
 
-JSObject* JSValue::toObjectSlowCase(ExecState* exec) const
+JSObject* JSValue::toObjectSlowCase(ExecState* exec, JSGlobalObject* globalObject) const
 {
     ASSERT(!isCell());
 
     if (isInt32() || isDouble())
-        return constructNumber(exec, asValue());
+        return constructNumber(exec, globalObject, asValue());
     if (isTrue() || isFalse())
-        return constructBooleanFromImmediateBoolean(exec, asValue());
+        return constructBooleanFromImmediateBoolean(exec, globalObject, asValue());
 
     ASSERT(isUndefinedOrNull());
@@ -74 +74 @@
 
     if (isInt32() || isDouble())
-        return constructNumber(exec, asValue());
+        return constructNumber(exec, exec->lexicalGlobalObject(), asValue());
     if (isTrue() || isFalse())
-        return constructBooleanFromImmediateBoolean(exec, asValue());
+        return constructBooleanFromImmediateBoolean(exec, exec->lexicalGlobalObject(), asValue());
     ASSERT(isUndefinedOrNull());
     return exec->globalThisValue();
@@ -85 +85 @@
     ASSERT(!isCell());
     if (isNumber())
-        return constructNumber(exec, asValue());
+        return constructNumber(exec, exec->lexicalGlobalObject(), asValue());
     if (isBoolean())
-        return constructBooleanFromImmediateBoolean(exec, asValue());
+        return constructBooleanFromImmediateBoolean(exec, exec->lexicalGlobalObject(), asValue());
 
     ASSERT(isUndefinedOrNull());

trunk/Source/JavaScriptCore/runtime/JSValue.h

@@ -38 +38 @@
     class JSCell;
     class JSGlobalData;
+    class JSGlobalObject;
     class JSImmediate;
     class JSObject;
@@ -190 +191 @@
         UString toPrimitiveString(ExecState*) const;
         JSObject* toObject(ExecState*) const;
+        JSObject* toObject(ExecState*, JSGlobalObject*) const;
 
         // Integer conversions.
@@ -245 +247 @@
 
         inline const JSValue asValue() const { return *this; }
-        JSObject* toObjectSlowCase(ExecState*) const;
+        JSObject* toObjectSlowCase(ExecState*, JSGlobalObject*) const;
         JSObject* toThisObjectSlowCase(ExecState*) const;
 

trunk/Source/JavaScriptCore/runtime/NumberConstructor.cpp

@@ -105 +105 @@
 static EncodedJSValue JSC_HOST_CALL constructWithNumberConstructor(ExecState* exec)
 {
-    NumberObject* object = new (exec) NumberObject(exec->globalData(), exec->lexicalGlobalObject()->numberObjectStructure());
+    NumberObject* object = new (exec) NumberObject(exec->globalData(), asInternalFunction(exec->callee())->globalObject()->numberObjectStructure());
     double n = exec->argumentCount() ? exec->argument(0).toNumber(exec) : 0;
     object->setInternalValue(exec->globalData(), jsNumber(n));

trunk/Source/JavaScriptCore/runtime/NumberObject.cpp

@@ -43 +43 @@
 }
 
-NumberObject* constructNumber(ExecState* exec, JSValue number)
+NumberObject* constructNumber(ExecState* exec, JSGlobalObject* globalObject, JSValue number)
 {
-    NumberObject* object = new (exec) NumberObject(exec->globalData(), exec->lexicalGlobalObject()->numberObjectStructure());
+    NumberObject* object = new (exec) NumberObject(exec->globalData(), globalObject->numberObjectStructure());
     object->setInternalValue(exec->globalData(), number);
     return object;

trunk/Source/JavaScriptCore/runtime/NumberObject.h

@@ -41 +41 @@
     };
 
-    NumberObject* constructNumber(ExecState*, JSValue);
+    NumberObject* constructNumber(ExecState*, JSGlobalObject*, JSValue);
 
 } // namespace JSC

trunk/Source/JavaScriptCore/runtime/ObjectConstructor.cpp

@@ -96 +96 @@
 
 // ECMA 15.2.2
-static ALWAYS_INLINE JSObject* constructObject(ExecState* exec, const ArgList& args)
+static ALWAYS_INLINE JSObject* constructObject(ExecState* exec, JSGlobalObject* globalObject, const ArgList& args)
 {
     JSValue arg = args.at(0);
     if (arg.isUndefinedOrNull())
-        return constructEmptyObject(exec);
-    return arg.toObject(exec);
+        return constructEmptyObject(exec, globalObject);
+    return arg.toObject(exec, globalObject);
 }
 
@@ -107 +107 @@
 {
     ArgList args(exec);
-    return JSValue::encode(constructObject(exec, args));
+    return JSValue::encode(constructObject(exec, asInternalFunction(exec->callee())->globalObject(), args));
 }
 
@@ -119 +119 @@
 {
     ArgList args(exec);
-    return JSValue::encode(constructObject(exec, args));
+    return JSValue::encode(constructObject(exec, asInternalFunction(exec->callee())->globalObject(), args));
 }
 

trunk/Source/JavaScriptCore/runtime/RegExpConstructor.cpp

@@ -294 +294 @@
 
 // ECMA 15.10.4
-JSObject* constructRegExp(ExecState* exec, const ArgList& args)
+JSObject* constructRegExp(ExecState* exec, JSGlobalObject* globalObject, const ArgList& args)
 {
     JSValue arg0 = args.at(0);
@@ -321 +321 @@
     if (!regExp->isValid())
         return throwError(exec, createSyntaxError(exec, regExp->errorMessage()));
-    return new (exec) RegExpObject(exec->lexicalGlobalObject(), exec->lexicalGlobalObject()->regExpStructure(), regExp.release());
+    return new (exec) RegExpObject(exec->lexicalGlobalObject(), globalObject->regExpStructure(), regExp.release());
 }
 
@@ -327 +327 @@
 {
     ArgList args(exec);
-    return JSValue::encode(constructRegExp(exec, args));
+    return JSValue::encode(constructRegExp(exec, asInternalFunction(exec->callee())->globalObject(), args));
 }
 
@@ -340 +340 @@
 {
     ArgList args(exec);
-    return JSValue::encode(constructRegExp(exec, args));
+    return JSValue::encode(constructRegExp(exec, asInternalFunction(exec->callee())->globalObject(), args));
 }
 

trunk/Source/JavaScriptCore/runtime/RegExpConstructor.h

@@ -97 +97 @@
     RegExpConstructor* asRegExpConstructor(JSValue);
 
-    JSObject* constructRegExp(ExecState*, const ArgList&);
+    JSObject* constructRegExp(ExecState*, JSGlobalObject*, const ArgList&);
 
     inline RegExpConstructor* asRegExpConstructor(JSValue value)

trunk/Source/JavaScriptCore/runtime/StringConstructor.cpp

@@ -68 +68 @@
 static EncodedJSValue JSC_HOST_CALL constructWithStringConstructor(ExecState* exec)
 {
+    JSGlobalObject* globalObject = asInternalFunction(exec->callee())->globalObject();
     if (!exec->argumentCount())
-        return JSValue::encode(new (exec) StringObject(exec, exec->lexicalGlobalObject()->stringObjectStructure()));
-    return JSValue::encode(new (exec) StringObject(exec, exec->lexicalGlobalObject()->stringObjectStructure(), exec->argument(0).toString(exec)));
+        return JSValue::encode(new (exec) StringObject(exec, globalObject->stringObjectStructure()));
+    return JSValue::encode(new (exec) StringObject(exec, globalObject->stringObjectStructure(), exec->argument(0).toString(exec)));
 }
 

trunk/Source/JavaScriptCore/runtime/StringObject.h

@@ -32 +32 @@
         StringObject(ExecState*, NonNullPassRefPtr<Structure>, const UString&);
 
-        static StringObject* create(ExecState*, JSString*);
+        static StringObject* create(ExecState*, JSGlobalObject*, JSString*);
 
         virtual bool getOwnPropertySlot(ExecState*, const Identifier& propertyName, PropertySlot&);

trunk/Source/JavaScriptGlue/ChangeLog

@@ +1 @@
+2011-03-25  Oliver Hunt  <oliver@apple.com>
+
+        Reviewed by Geoffrey Garen.
+
+        instanceof Array test fails when using iframes
+        https://bugs.webkit.org/show_bug.cgi?id=17250
+
+        Up date for new toObject api
+
+        * UserObjectImp.cpp:
+        (UserObjectImp::toPrimitive):
+        (UserObjectImp::toBoolean):
+        (UserObjectImp::toNumber):
+        (UserObjectImp::toString):
+
 2011-03-26  Adam Barth  <abarth@webkit.org>
 

trunk/Source/JavaScriptGlue/UserObjectImp.cpp

@@ -168 +168 @@
 {
     JSValue result = jsUndefined();
-    JSUserObject* jsObjPtr = KJSValueToJSObject(toObject(exec), exec);
+    JSUserObject* jsObjPtr = KJSValueToJSObject(toObject(exec, exec->lexicalGlobalObject()), exec);
     CFTypeRef cfValue = jsObjPtr ? jsObjPtr->CopyCFValue() : 0;
     if (cfValue) {
@@ -205 +205 @@
 {
     bool result = false;
-    JSUserObject* jsObjPtr = KJSValueToJSObject(toObject(exec), exec);
+    JSUserObject* jsObjPtr = KJSValueToJSObject(toObject(exec, exec->lexicalGlobalObject()), exec);
     CFTypeRef cfValue = jsObjPtr ? jsObjPtr->CopyCFValue() : 0;
     if (cfValue)
@@ -285 +285 @@
 {
     double result = 0;
-    JSUserObject* jsObjPtr = KJSValueToJSObject(toObject(exec), exec);
+    JSUserObject* jsObjPtr = KJSValueToJSObject(toObject(exec, exec->lexicalGlobalObject()), exec);
     CFTypeRef cfValue = jsObjPtr ? jsObjPtr->CopyCFValue() : 0;
     if (cfValue)
@@ -319 +319 @@
 {
     UString result;
-    JSUserObject* jsObjPtr = KJSValueToJSObject(toObject(exec), exec);
+    JSUserObject* jsObjPtr = KJSValueToJSObject(toObject(exec, exec->lexicalGlobalObject()), exec);
     CFTypeRef cfValue = jsObjPtr ? jsObjPtr->CopyCFValue() : 0;
     if (cfValue)

trunk/Source/WebCore/ChangeLog

@@ +1 @@
+2011-03-28  Oliver Hunt  <oliver@apple.com>
+
+        Reviewed by Geoffrey Garen.
+
+        instanceof Array test fails when using iframes
+        https://bugs.webkit.org/show_bug.cgi?id=17250
+
+        Update for new function and date apis
+
+        Test: fast/js/js-constructors-use-correct-global.html
+
+        * WebCore.xcodeproj/project.pbxproj:
+        * bindings/js/JSDOMBinding.cpp:
+        (WebCore::jsDateOrNull):
+        * bindings/js/JSLazyEventListener.cpp:
+        (WebCore::JSLazyEventListener::initializeJSFunction):
+
 2011-03-28  Beth Dakin  <bdakin@apple.com>
 

trunk/Source/WebCore/bindings/js/JSDOMBinding.cpp

@@ -484 +484 @@
     if (!isfinite(value))
         return jsNull();
-    return new (exec) DateInstance(exec, value);
+    return new (exec) DateInstance(exec, exec->lexicalGlobalObject()->dateStructure(), value);
 }
 

trunk/Source/WebCore/bindings/js/JSLazyEventListener.cpp

@@ -98 +98 @@
     args.append(jsString(exec, m_code));
 
-    JSObject* jsFunction = constructFunction(exec, args, Identifier(exec, stringToUString(m_functionName)), stringToUString(m_sourceURL), m_lineNumber); // FIXME: is globalExec ok?
+    JSObject* jsFunction = constructFunction(exec, exec->lexicalGlobalObject(), args, Identifier(exec, stringToUString(m_functionName)), stringToUString(m_sourceURL), m_lineNumber); // FIXME: is globalExec ok?
     if (exec->hadException()) {
         exec->clearException();

trunk/Source/WebCore/bridge/qt/qt_runtime.cpp

@@ -884 +884 @@
         double ms = gregorianDateTimeToMS(exec, dt, time.msec(), /*inputIsUTC*/ false);
 
-        return new (exec) DateInstance(exec, trunc(ms));
+        return new (exec) DateInstance(exec, exec->lexicalGlobalObject()->dateStructure(), trunc(ms));
     }