Skip to content
  • barraclough@apple.com's avatar
    https://bugs.webkit.org/show_bug.cgi?id=64250 · 19afeced
    barraclough@apple.com authored
    Global strict mode function leaking global object as "this".
    
    Reviewed by Oliver Hunt.
    
    Source/JavaScriptCore: 
    
    The root problem here is that we pass the wrong values into
    calls, and then try to fix them up in the callee. Correct
    behaviour per the spec is to pass in the value undefined,
    as this unless either (1) the function call is based on an
    explicit property access or (2) the base of the call comes
    directly from a 'with'.
    
    This change does away with the need for this conversion of
    objects (non strict code should only box primitives), and
    does away with all this conversion for strict functions.
    
    This patch may have web compatibility ramifications, and may
    require some advocacy.
    
    * bytecode/CodeBlock.cpp:
    (JSC::CodeBlock::dump):
        - Removed op_convert_this_strict, added op_resolve_with_this.
    * bytecode/Opcode.h:
        - Removed op_convert_this_strict, added op_resolve_with_this.
    * bytecompiler/BytecodeGenerator.cpp:
    (JSC::BytecodeGenerator::BytecodeGenerator):
    (JSC::BytecodeGenerator::emitResolveWithThis):
        - Removed op_convert_this_strict, added op_resolve_with_this.
    * bytecompiler/BytecodeGenerator.h:
        - Removed op_convert_this_strict, added op_resolve_with_this.
    * bytecompiler/NodesCodegen.cpp:
    (JSC::EvalFunctionCallNode::emitBytecode):
    (JSC::FunctionCallResolveNode::emitBytecode):
        - Removed op_convert_this_strict, added op_resolve_with_this.
    * dfg/DFGSpeculativeJIT.cpp:
    (JSC::DFG::SpeculativeJIT::compile):
        - Change NeedsThisConversion check to test for JSString's vptr
          (objects no longer need conversion).
    * interpreter/Interpreter.cpp:
    (JSC::Interpreter::resolveThisAndProperty):
        - Based on resolveBaseAndProperty, but produce correct this value.
    (JSC::Interpreter::privateExecute):
        - Removed op_convert_this_strict, added op_resolve_with_this.
    * interpreter/Interpreter.h:
    * jit/JIT.cpp:
    (JSC::JIT::privateCompileMainPass):
    (JSC::JIT::privateCompileSlowCases):
        - Removed op_convert_this_strict, added op_resolve_with_this.
    * jit/JIT.h:
    * jit/JITOpcodes.cpp:
    (JSC::JIT::emit_op_resolve_with_this):
        - Removed op_convert_this_strict, added op_resolve_with_this.
    (JSC::JIT::emit_op_convert_this):
    (JSC::JIT::emitSlow_op_convert_this):
        - Change NeedsThisConversion check to test for JSString's vptr
          (objects no longer need conversion).
    * jit/JITOpcodes32_64.cpp:
    (JSC::JIT::emit_op_resolve_with_this):
        - Removed op_convert_this_strict, added op_resolve_with_this.
    (JSC::JIT::emit_op_convert_this):
    (JSC::JIT::emitSlow_op_convert_this):
        - Change NeedsThisConversion check to test for JSString's vptr
          (objects no longer need conversion).
    * jit/JITStubs.cpp:
    (JSC::DEFINE_STUB_FUNCTION):
        - Removed op_convert_this_strict, added op_resolve_with_this.
    * jit/JITStubs.h:
        - Removed op_convert_this_strict, added op_resolve_with_this.
    * runtime/JSActivation.h:
        - removed NeedsThisConversion flag, added IsEnvironmentRecord.
    * runtime/JSStaticScopeObject.h:
        - removed NeedsThisConversion flag, added IsEnvironmentRecord.
    * runtime/JSString.h:
    (JSC::RopeBuilder::createStructure):
        - removed NeedsThisConversion.
    * runtime/JSTypeInfo.h:
    (JSC::TypeInfo::isEnvironmentRecord):
    (JSC::TypeInfo::overridesHasInstance):
        - removed NeedsThisConversion flag, added IsEnvironmentRecord.
    * runtime/JSValue.h:
        - removed NeedsThisConversion.
    * runtime/JSVariableObject.h:
        - Corrected StructureFlags inheritance.
    * runtime/StrictEvalActivation.h:
    (JSC::StrictEvalActivation::createStructure):
        - Added IsEnvironmentRecord to StructureFlags, addded createStructure.
    * runtime/Structure.h:
        - removed NeedsThisConversion.
    * tests/mozilla/ecma/String/15.5.4.6-2.js:
    (getTestCases):
        - Removed invalid test case.
    
    Source/WebCore: 
    
    * bindings/js/JSMainThreadExecState.h:
    (WebCore::JSMainThreadExecState::call):
    * bindings/scripts/CodeGeneratorJS.pm:
    (GenerateHeader):
        - Change call to pass DOM Window shell, instead of the global varaible object.
    
    Source/WebKit/mac: 
    
    * Plugins/Hosted/NetscapePluginInstanceProxy.mm:
    (WebKit::NetscapePluginInstanceProxy::invoke):
    (WebKit::NetscapePluginInstanceProxy::invokeDefault):
        - Change call to pass DOM Window shell, instead of the global varaible object.
    
    Source/WebKit2: 
    
    * WebProcess/Plugins/Netscape/NPJSObject.cpp:
    (WebKit::NPJSObject::invoke):
        - Change call to pass DOM Window shell, instead of the global varaible object.
    
    LayoutTests: 
    
    Add test case / update test results.
    
    * fast/js/call-base-resolution-expected.txt: Added.
    * fast/js/call-base-resolution.html: Added.
        - Add test for ES5 correct this value resolution in calls.
    * sputnik/Conformance/15_Native_Objects/15.5_String/15.5.4/15.5.4.10_String.prototype.match/S15.5.4.10_A1_T3-expected.txt:
    * sputnik/Conformance/15_Native_Objects/15.5_String/15.5.4/15.5.4.12_String.prototype.search/S15.5.4.12_A1_T3-expected.txt:
    * sputnik/Conformance/15_Native_Objects/15.5_String/15.5.4/15.5.4.13_String.prototype.slice/S15.5.4.13_A1_T3-expected.txt:
    * sputnik/Conformance/15_Native_Objects/15.5_String/15.5.4/15.5.4.14_String.prototype.split/S15.5.4.14_A1_T3-expected.txt:
    * sputnik/Conformance/15_Native_Objects/15.5_String/15.5.4/15.5.4.15_String.prototype.substring/S15.5.4.15_A1_T3-expected.txt:
    * sputnik/Conformance/15_Native_Objects/15.5_String/15.5.4/15.5.4.4_String.prototype.charAt/S15.5.4.4_A1_T3-expected.txt:
    * sputnik/Conformance/15_Native_Objects/15.5_String/15.5.4/15.5.4.5_String.prototype.charCodeAt/S15.5.4.5_A1_T3-expected.txt:
    * sputnik/Conformance/15_Native_Objects/15.5_String/15.5.4/15.5.4.6_String.prototype.concat/S15.5.4.6_A1_T3-expected.txt:
    * sputnik/Conformance/15_Native_Objects/15.5_String/15.5.4/15.5.4.7_String.prototype.indexOf/S15.5.4.7_A1_T3-expected.txt:
    * sputnik/Conformance/15_Native_Objects/15.5_String/15.5.4/15.5.4.8_String.prototype.lastIndexOf/S15.5.4.8_A1_T3-expected.txt:
        - Check in failing results for these tests - these tests were asserting incorrect behaviour,
          and have since been fixed in test-262, see https://bugs.ecmascript.org/show_bug.cgi?id=117
    
    
    
    git-svn-id: http://svn.webkit.org/repository/webkit/trunk@91095 268f45cc-cd09-0410-ab3c-d52691b4dbfc
    19afeced