Commit 04551430 authored by barraclough@apple.com

Source/JavaScriptCore: https://bugs.webkit.org/show_bug.cgi?id=120034

Remove custom getOwnPropertyDescriptor for global objects

Reviewed by Geoff Garen.

Fix attributes of JSC SymbolTableObject entries, ensure that cross-frame access is safe, and suppress the prototype chain walk.

* runtime/JSGlobalObject.cpp:
    - Remove custom getOwnPropertyDescriptor implementation.
* runtime/JSSymbolTableObject.h:
(JSC::symbolTableGet):
    - The symbol table does not store the DontDelete attribute; we should be adding it back in.
* runtime/PropertyDescriptor.h:
    - JSDOMWindow walks the prototype chain on own access. This is bad, but for now this is a workaround for the getOwnPropertyDescriptor case.
* runtime/PropertySlot.h:
(JSC::PropertySlot::setUndefined):
    - This is used by WebCore when blocking access to properties on cross-frame access.
      Mark blocked properties as read-only, non-configurable to prevent defineProperty.

Source/WebCore: <https://webkit.org/b/120041> Remove superfluous min calls in RenderBlock::computeOverflow

Patch by Ryosuke Niwa <rniwa@webkit.org> on 2013-08-19
Reviewed by Simon Fraser.

Merge https://chromium.googlesource.com/chromium/blink/+/29cad35d6b4642804e6b7c1a30f0b4435dd7a71d

They are contained in an "if" statement that ensures that textIndent < 0 and so the min will never be 0.

* rendering/RenderBlock.cpp:
(WebCore::RenderBlock::computeOverflow):



git-svn-id: http://svn.webkit.org/repository/webkit/trunk@154313 268f45cc-cd09-0410-ab3c-d52691b4dbfc
parent 70b7f396
2013-08-19 Gavin Barraclough <barraclough@apple.com>
https://bugs.webkit.org/show_bug.cgi?id=120034
Remove custom getOwnPropertyDescriptor for global objects
Reviewed by Geoff Garen.
Fix attributes of JSC SynbolTableObject entries, ensure that cross frame access is safe, and suppress prototype chain walk.
* runtime/JSGlobalObject.cpp:
- Remove custom getOwnPropertyDescriptor implementation.
* runtime/JSSymbolTableObject.h:
(JSC::symbolTableGet):
- The symbol table does not store the DontDelete attribute, we should be adding it back in.
* runtime/PropertyDescriptor.h:
- JSDOMWindow walks the prototype chain on own access. This is bad, but for now workaround for the getOwnPropertyDescriptor case.
* runtime/PropertySlot.h:
(JSC::PropertySlot::setUndefined):
- This is used by WebCore when blocking access to properties on cross-frame access.
Mark blocked properties as read-only, non-configurable to prevent defineProperty.
2013-08-17 Filip Pizlo <fpizlo@apple.com>
DFG should inline typedArray.byteOffset
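Review bot: the ChangeLog entry misspells the class as "SynbolTableObject" (the file listed two lines below is JSSymbolTableObject.h), "cross frame" should be "cross-frame", and "for now workaround for the getOwnPropertyDescriptor case" is a fragment; "for now this is a workaround for the getOwnPropertyDescriptor case" reads correctly.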
......
......@@ -641,13 +641,7 @@ bool JSGlobalObject::getOwnPropertySlot(JSObject* object, ExecState* exec, Prope
return symbolTableGet(thisObject, propertyName, slot);
}
bool JSGlobalObject::getOwnPropertyDescriptor(JSObject* object, ExecState* exec, PropertyName propertyName, PropertyDescriptor& descriptor)
{
JSGlobalObject* thisObject = jsCast<JSGlobalObject*>(object);
if (getStaticFunctionDescriptor<Base>(exec, ExecState::globalObjectTable(exec), thisObject, propertyName, descriptor))
return true;
return symbolTableGet(thisObject, propertyName, descriptor);
}
GET_OWN_PROPERTY_DESCRIPTOR_IMPL(JSGlobalObject)
void JSGlobalObject::clearRareData(JSCell* cell)
{
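Review bot: the removed override was the only visible caller of the PropertyDescriptor overload of symbolTableGet (`return symbolTableGet(thisObject, propertyName, descriptor);`); now that GET_OWN_PROPERTY_DESCRIPTOR_IMPL derives the descriptor from getOwnPropertySlot, check whether that overload is dead and remove it, otherwise it remains a second attribute-computing path that can drift from the slot-based one.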
......
......@@ -79,7 +79,7 @@ inline bool symbolTableGet(
return false;
SymbolTableEntry::Fast entry = iter->value;
ASSERT(!entry.isNull());
slot.setValue(object, entry.getAttributes(), object->registerAt(entry.getIndex()).get());
slot.setValue(object, entry.getAttributes() | DontDelete, object->registerAt(entry.getIndex()).get());
return true;
}
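Review bot: the `| DontDelete` in `slot.setValue(object, entry.getAttributes() | DontDelete, ...)` is correct for symbol-table-backed bindings, but nothing at the call site says why; add a one-line comment that SymbolTableEntry does not store DontDelete and every such binding is non-configurable, so a future cleanup does not drop the OR. Since the identical expression is patched in both overloads of this function, a small accessor on SymbolTableEntry that folds DontDelete in would keep the two in step.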
......@@ -111,7 +111,7 @@ inline bool symbolTableGet(
return false;
SymbolTableEntry::Fast entry = iter->value;
ASSERT(!entry.isNull());
slot.setValue(object, entry.getAttributes(), object->registerAt(entry.getIndex()).get());
slot.setValue(object, entry.getAttributes() | DontDelete, object->registerAt(entry.getIndex()).get());
slotIsWriteable = !entry.isReadOnly();
return true;
}
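Review bot: this is the second copy of the same one-token fix, and the two symbolTableGet overloads now duplicate the lookup, the `ASSERT(!entry.isNull());` and the attribute computation. Note also that `slotIsWriteable = !entry.isReadOnly();` derives writability from the entry rather than from the attributes handed to setValue; if the attribute folding is factored out, derive ReadOnly and DontDelete from the same place so the slot's attributes and slotIsWriteable cannot disagree.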
......
......@@ -91,6 +91,9 @@ bool ClassName::getOwnPropertyDescriptor(JSC::JSObject* object, JSC::ExecState*
JSC::PropertySlot slot(object); \
if (!getOwnPropertySlot(object, exec, propertyName, slot)) \
return false; \
/* Workaround, JSDOMWindow::getOwnPropertySlot searches the prototype chain. :-( */ \
if (slot.slotBase() && slot.slotBase() != object) \
return false; \
if (slot.isGetter()) \
descriptor.setAccessorDescriptor(slot.getterSetter(), slot.attributes()); \
else \
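Review bot: the new guard `if (slot.slotBase() && slot.slotBase() != object) return false;` works around a WebCore-specific problem (JSDOMWindow::getOwnPropertySlot walking the prototype chain) inside a generic JSC macro, and the ":-(" comment carries no bug reference; mark it FIXME with the tracking bug so it can be removed once JSDOMWindow stops consulting the prototype. It is also worth stating that slots with a null slotBase deliberately pass the guard: PropertySlot::setUndefined sets `m_slotBase = 0` in this same patch, so a blocked cross-frame property reaches the descriptor-building code below, which is the intended outcome but not obvious from the condition alone.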
......
......@@ -200,6 +200,7 @@ public:
void setUndefined()
{
m_data.value = JSValue::encode(jsUndefined());
m_attributes = ReadOnly | DontDelete | DontEnum;
m_slotBase = 0;
m_propertyType = TypeValue;
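Review bot: setUndefined now stamps `m_attributes = ReadOnly | DontDelete | DontEnum;` on every caller, not only the cross-frame blocking path the ChangeLog describes, and nothing in the name says the slot becomes non-writable and non-configurable. Either document that next to the assignment or give the method a name that carries the intent (a blocked-access setter), and audit the other callers of setUndefined for any that expect a plain undefined with default attributes.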
......
......@@ -51,6 +51,20 @@
tree to see if this document is being loaded as part of b/f navigation (which was
add in bug 90870).
2013-08-19 Gavin Barraclough <barraclough@apple.com>
https://bugs.webkit.org/show_bug.cgi?id=120034
Remove custom getOwnPropertyDescriptor for global objects
Reviewed by Geoff Garen.
Fix attributes of JSC SynbolTableObject entries, ensure that cross frame access is safe, and suppress prototype chain walk.
* bindings/js/JSDOMWindowCustom.cpp:
(WebCore::JSDOMWindow::getOwnPropertySlot):
- Remove custom getOwnPropertyDescriptor implementation, on cross-frame access ensure
all properties are marked as read-only, non-configurable to prevent defineProperty.
2013-08-19 Gavin Barraclough <barraclough@apple.com>
https://bugs.webkit.org/show_bug.cgi?id=119995
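Review bot: same "SynbolTableObject" misspelling as in the JavaScriptCore ChangeLog; fix both before landing. The entry lists only WebCore::JSDOMWindow::getOwnPropertySlot, while the diff deletes JSDOMWindow::getOwnPropertyDescriptor in full; ChangeLog convention is to list the removed function as well, and one sentence on the observable change (a cross-origin Object.getOwnPropertyDescriptor now returns read-only, non-configurable descriptors for blur/close/focus/postMessage instead of reporting no own property) would help anyone bisecting a regression later.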
......@@ -161,22 +161,22 @@ bool JSDOMWindow::getOwnPropertySlot(JSObject* object, ExecState* exec, Property
if (entry->attributes() & JSC::Function) {
if (entry->function() == jsDOMWindowPrototypeFunctionBlur) {
if (!allowsAccess) {
slot.setCustom(thisObject, entry->attributes(), nonCachingStaticFunctionGetter<jsDOMWindowPrototypeFunctionBlur, 0>);
slot.setCustom(thisObject, ReadOnly | DontDelete | DontEnum, nonCachingStaticFunctionGetter<jsDOMWindowPrototypeFunctionBlur, 0>);
return true;
}
} else if (entry->function() == jsDOMWindowPrototypeFunctionClose) {
if (!allowsAccess) {
slot.setCustom(thisObject, entry->attributes(), nonCachingStaticFunctionGetter<jsDOMWindowPrototypeFunctionClose, 0>);
slot.setCustom(thisObject, ReadOnly | DontDelete | DontEnum, nonCachingStaticFunctionGetter<jsDOMWindowPrototypeFunctionClose, 0>);
return true;
}
} else if (entry->function() == jsDOMWindowPrototypeFunctionFocus) {
if (!allowsAccess) {
slot.setCustom(thisObject, entry->attributes(), nonCachingStaticFunctionGetter<jsDOMWindowPrototypeFunctionFocus, 0>);
slot.setCustom(thisObject, ReadOnly | DontDelete | DontEnum, nonCachingStaticFunctionGetter<jsDOMWindowPrototypeFunctionFocus, 0>);
return true;
}
} else if (entry->function() == jsDOMWindowPrototypeFunctionPostMessage) {
if (!allowsAccess) {
slot.setCustom(thisObject, entry->attributes(), nonCachingStaticFunctionGetter<jsDOMWindowPrototypeFunctionPostMessage, 2>);
slot.setCustom(thisObject, ReadOnly | DontDelete | DontEnum, nonCachingStaticFunctionGetter<jsDOMWindowPrototypeFunctionPostMessage, 2>);
return true;
}
} else if (entry->function() == jsDOMWindowPrototypeFunctionShowModalDialog) {
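Review bot: the literal `ReadOnly | DontDelete | DontEnum` is now repeated in the blur, close, focus and postMessage branches, and the showModalDialog branch that begins at the end of the hunk is shown as unchanged; confirm whether it has the same `if (!allowsAccess)` path and, if so, give it the same attributes. A file-scope constant for the blocked-access attribute set would keep these four sites and the ternary in the line-198 hunk in step.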
......@@ -198,7 +198,7 @@ bool JSDOMWindow::getOwnPropertySlot(JSObject* object, ExecState* exec, Property
entry = JSDOMWindow::info()->propHashTable(exec)->entry(exec, propertyName);
if (entry) {
slot.setCustom(thisObject, entry->attributes(), entry->propertyGetter());
slot.setCustom(thisObject, allowsAccess ? entry->attributes() : ReadOnly | DontDelete | DontEnum, entry->propertyGetter());
return true;
}
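Review bot: `allowsAccess ? entry->attributes() : ReadOnly | DontDelete | DontEnum` parses as intended because `?:` binds more loosely than `|`, but parenthesize the false arm for readability. This also discards whatever bits entry->attributes() carries (JSC::Function included, where set) when access is denied; that looks deliberate, since a cross-origin caller should see an inert read-only value, but a comment saying so would stop the next reader from treating it as an oversight.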
......@@ -331,78 +331,7 @@ bool JSDOMWindow::getOwnPropertySlotByIndex(JSObject* object, ExecState* exec, u
return Base::getOwnPropertySlotByIndex(thisObject, exec, index, slot);
}
bool JSDOMWindow::getOwnPropertyDescriptor(JSObject* object, ExecState* exec, PropertyName propertyName, PropertyDescriptor& descriptor)
{
JSDOMWindow* thisObject = jsCast<JSDOMWindow*>(object);
// Never allow cross-domain getOwnPropertyDescriptor
if (!BindingSecurity::shouldAllowAccessToDOMWindow(exec, thisObject->impl()))
return false;
const HashEntry* entry;
// We don't want any properties other than "close" and "closed" on a closed window.
if (!thisObject->impl()->frame()) {
// The following code is safe for cross-domain and same domain use.
// It ignores any custom properties that might be set on the DOMWindow (including a custom prototype).
entry = s_info.propHashTable(exec)->entry(exec, propertyName);
if (entry && !(entry->attributes() & JSC::Function) && entry->propertyGetter() == jsDOMWindowClosed) {
descriptor.setDescriptor(jsBoolean(true), ReadOnly | DontDelete | DontEnum);
return true;
}
entry = JSDOMWindowPrototype::info()->propHashTable(exec)->entry(exec, propertyName);
if (entry && (entry->attributes() & JSC::Function) && entry->function() == jsDOMWindowPrototypeFunctionClose) {
PropertySlot slot(thisObject);
slot.setCustom(thisObject, ReadOnly | DontDelete | DontEnum, nonCachingStaticFunctionGetter<jsDOMWindowPrototypeFunctionClose, 0>);
descriptor.setDescriptor(slot.getValue(exec, propertyName), ReadOnly | DontDelete | DontEnum);
return true;
}
descriptor.setUndefined();
return true;
}
entry = JSDOMWindow::info()->propHashTable(exec)->entry(exec, propertyName);
if (entry) {
PropertySlot slot(thisObject);
slot.setCustom(thisObject, entry->attributes(), entry->propertyGetter());
descriptor.setDescriptor(slot.getValue(exec, propertyName), entry->attributes());
return true;
}
// Check for child frames by name before built-in properties to
// match Mozilla. This does not match IE, but some sites end up
// naming frames things that conflict with window properties that
// are in Moz but not IE. Since we have some of these, we have to do
// it the Moz way.
if (thisObject->impl()->frame()->tree()->scopedChild(propertyNameToAtomicString(propertyName))) {
PropertySlot slot(thisObject);
slot.setCustom(thisObject, ReadOnly | DontDelete | DontEnum, childFrameGetter);
descriptor.setDescriptor(slot.getValue(exec, propertyName), ReadOnly | DontDelete | DontEnum);
return true;
}
unsigned i = propertyName.asIndex();
if (i < thisObject->impl()->frame()->tree()->scopedChildCount()) {
ASSERT(i != PropertyName::NotAnIndex);
PropertySlot slot(thisObject);
slot.setCustomIndex(thisObject, ReadOnly | DontDelete | DontEnum, i, indexGetter);
descriptor.setDescriptor(slot.getValue(exec, propertyName), ReadOnly | DontDelete | DontEnum);
return true;
}
// Allow shortcuts like 'Image1' instead of document.images.Image1
Document* document = thisObject->impl()->frame()->document();
if (document->isHTMLDocument()) {
AtomicStringImpl* atomicPropertyName = findAtomicString(propertyName);
if (atomicPropertyName && toHTMLDocument(document)->hasWindowNamedItem(atomicPropertyName)) {
PropertySlot slot(thisObject);
slot.setCustom(thisObject, ReadOnly | DontDelete | DontEnum, namedItemGetter);
descriptor.setDescriptor(slot.getValue(exec, propertyName), ReadOnly | DontDelete | DontEnum);
return true;
}
}
return Base::getOwnPropertyDescriptor(thisObject, exec, propertyName, descriptor);
}
GET_OWN_PROPERTY_DESCRIPTOR_IMPL(JSDOMWindow)
void JSDOMWindow::put(JSCell* cell, ExecState* exec, PropertyName propertyName, JSValue value, PutPropertySlot& slot)
{
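Review bot: this deletion changes cross-origin behaviour, not only structure. The removed function returned false up front (`// Never allow cross-domain getOwnPropertyDescriptor`), so a cross-origin Object.getOwnPropertyDescriptor reported no own property at all; the macro-generated replacement goes through getOwnPropertySlot, which after this patch answers with ReadOnly | DontDelete | DontEnum slots for blur/close/focus/postMessage and for the hash-table properties. Please add a layout test asserting that a cross-origin frame observes exactly those descriptors and that defineProperty on them throws, and check that the closed-window branch (`descriptor.setUndefined();` for anything other than close and closed) is reproduced by the slot path, since that is the other case the removed code handled explicitly.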
......