[patch]
Patch for landing
bug-198138-20190523082650.patch (text/plain), 8.35 KB, created by
Tadeu Zagallo
on 2019-05-22 23:26:51 PDT
Description:
Patch for landing
Filename:
MIME Type:
Creator:
Tadeu Zagallo
Created:
2019-05-22 23:26:51 PDT
Size:
8.35 KB
patch
obsolete
>Subversion Revision: 245673
>diff --git a/Source/JavaScriptCore/ChangeLog b/Source/JavaScriptCore/ChangeLog
>index 65d78fb10d803edb7900a7252df4e15d9f344cf9..8914e78b654bc6d793496b4261738bcb4102ab51 100644
>--- a/Source/JavaScriptCore/ChangeLog
>+++ b/Source/JavaScriptCore/ChangeLog
>@@ -1,3 +1,21 @@
>+2019-05-22 Tadeu Zagallo <tzagallo@apple.com>
>+
>+ createListFromArrayLike should throw if value is not an object
>+ https://bugs.webkit.org/show_bug.cgi?id=198138
>+
>+ Reviewed by Yusuke Suzuki.
>+
>+ According to the spec[1], createListFromArrayLike should throw a type error if the array-like value
>+ passed in is not an object.
>+ [1]: https://www.ecma-international.org/ecma-262/9.0/index.html#sec-createlistfromarraylike
>+
>+ * runtime/JSObjectInlines.h:
>+ (JSC::createListFromArrayLike):
>+ * runtime/ProxyObject.cpp:
>+ (JSC::ProxyObject::performGetOwnPropertyNames):
>+ * runtime/ReflectObject.cpp:
>+ (JSC::reflectObjectConstruct):
>+
> 2019-05-22 Yusuke Suzuki <ysuzuki@apple.com>
>
> [JSC] UnlinkedMetadataTable's offset table should be small
>diff --git a/Source/JavaScriptCore/runtime/JSObjectInlines.h b/Source/JavaScriptCore/runtime/JSObjectInlines.h
>index 83dc23dc8cbb5b981e8afc9147899316b7ccc31c..08430f1b1806b50ce72499869c31caf413bec3eb 100644
>--- a/Source/JavaScriptCore/runtime/JSObjectInlines.h
>+++ b/Source/JavaScriptCore/runtime/JSObjectInlines.h
>@@ -33,10 +33,15 @@ namespace JSC {
>
> // Section 7.3.17 of the spec.
> template <typename AddFunction> // Add function should have a type like: (JSValue, RuntimeType) -> bool
>-void createListFromArrayLike(ExecState* exec, JSValue arrayLikeValue, RuntimeTypeMask legalTypesFilter, const String& errorMessage, AddFunction addFunction)
>+void createListFromArrayLike(ExecState* exec, JSValue arrayLikeValue, RuntimeTypeMask legalTypesFilter, const String& notAnObjectErroMessage, const String& illegalTypeErrorMessage, AddFunction addFunction)
> {
> VM& vm = exec->vm();
> auto scope = DECLARE_THROW_SCOPE(vm);
>+
>+ if (!arrayLikeValue.isObject()) {
>+ throwTypeError(exec, scope, notAnObjectErroMessage);
>+ return;
>+ }
>
> Vector<JSValue> result;
> JSValue lengthProperty = arrayLikeValue.get(exec, vm.propertyNames->length);
>@@ -51,7 +56,7 @@ void createListFromArrayLike(ExecState* exec, JSValue arrayLikeValue, RuntimeTyp
>
> RuntimeType type = runtimeTypeForValue(vm, next);
> if (!(type & legalTypesFilter)) {
>- throwTypeError(exec, scope, errorMessage);
>+ throwTypeError(exec, scope, illegalTypeErrorMessage);
> return;
> }
>
>diff --git a/Source/JavaScriptCore/runtime/ProxyObject.cpp b/Source/JavaScriptCore/runtime/ProxyObject.cpp
>index 7ca2921df2a8d86f94434f27bd6e8d9be4f3a3ed..a5d382ca83946359b22d8581c758e5b9cc90a35e 100644
>--- a/Source/JavaScriptCore/runtime/ProxyObject.cpp
>+++ b/Source/JavaScriptCore/runtime/ProxyObject.cpp
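Review bot: The new parameter on the signature line is misspelled `notAnObjectErroMessage`, and the misspelling is repeated in the added `throwTypeError(exec, scope, notAnObjectErroMessage);`; both should read `notAnObjectErrorMessage` so the name parallels `illegalTypeErrorMessage`, which the second hunk of this file (@@ -51,7 +56,7) introduces. Because the added guard runs before the `length` Get on the following lines, a primitive passed as the array-like is rejected before any of its properties is read, which is worth recording in the existing header comment: `// Section 7.3.17 of the spec. Step 2 rejects non-objects before any property of arrayLikeValue is read.` The body of createListFromArrayLike continues past the end of this hunk.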
>@@ -974,7 +974,7 @@ void ProxyObject::performGetOwnPropertyNames(ExecState* exec, PropertyNameArray&
> };
>
> RuntimeTypeMask dontThrowAnExceptionTypeFilter = TypeString | TypeSymbol;
>- createListFromArrayLike(exec, arrayLikeObject, dontThrowAnExceptionTypeFilter, "Proxy handler's 'ownKeys' method must return an array-like object containing only Strings and Symbols"_s, addPropName);
>+ createListFromArrayLike(exec, arrayLikeObject, dontThrowAnExceptionTypeFilter, "Proxy handler's 'ownKeys' method must return an object"_s, "Proxy handler's 'ownKeys' method must return an array-like object containing only Strings and Symbols"_s, addPropName);
> RETURN_IF_EXCEPTION(scope, void());
> }
>
>diff --git a/Source/JavaScriptCore/runtime/ReflectObject.cpp b/Source/JavaScriptCore/runtime/ReflectObject.cpp
>index 42dec273a7e977963e9afe8bdf12b3a721ec4bd6..85609b3c0fe89a64dbc38b13521a00aaf8a298f0 100644
>--- a/Source/JavaScriptCore/runtime/ReflectObject.cpp
>+++ b/Source/JavaScriptCore/runtime/ReflectObject.cpp
>@@ -113,7 +113,7 @@ EncodedJSValue JSC_HOST_CALL reflectObjectConstruct(ExecState* exec)
> if (!argumentsObject)
> return JSValue::encode(throwTypeError(exec, scope, "Reflect.construct requires the second argument be an object"_s));
>
>- createListFromArrayLike(exec, argumentsObject, RuntimeTypeMaskAllTypes, "This error must not be raised"_s, [&] (JSValue value, RuntimeType) -> bool {
>+ createListFromArrayLike(exec, argumentsObject, RuntimeTypeMaskAllTypes, "This error must not be raised"_s, "This error must not be raised"_s, [&] (JSValue value, RuntimeType) -> bool {
> arguments.append(value);
> return false;
> });
>diff --git a/JSTests/ChangeLog b/JSTests/ChangeLog
>index 68120f3fb08f9ca5ff3a69539bc570a2a1d9694e..e2a57d64495f90ed79eea9122642bdc13c206d11 100644
>--- a/JSTests/ChangeLog
>+++ b/JSTests/ChangeLog
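Review bot: The changed call in performGetOwnPropertyNames passes `arrayLikeObject`, a variable declared outside the hunk whose name implies an already-validated object, while the point of this patch is that the ownKeys trap result has not been type-checked before this call; if it is indeed the raw trap result, renaming it to `arrayLikeValue` (the callee's parameter name) would stop the name from suggesting a check that does not happen here. The new first literal, `"Proxy handler's 'ownKeys' method must return an object"_s`, is compared byte-for-byte by the added test create-list-from-array-like-not-object.js, so a comment on the call such as `// Message text is asserted by JSTests/stress/create-list-from-array-like-not-object.js.` would keep the two from drifting apart. The enclosing function starts before this hunk.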
>@@ -1,3 +1,21 @@
>+2019-05-22 Tadeu Zagallo <tzagallo@apple.com>
>+
>+ createListFromArrayLike should throw if value is not an object
>+ https://bugs.webkit.org/show_bug.cgi?id=198138
>+
>+ Reviewed by Yusuke Suzuki.
>+
>+ * stress/create-list-from-array-like-not-object.js: Added.
>+ (testValid):
>+ (testInvalid):
>+ * stress/proxy-get-own-property-names-should-not-clear-previous-results.js:
>+ (opt):
>+ * stress/proxy-proto-enumerator.js: Added.
>+ (main):
>+ * stress/proxy-proto-own-keys.js: Added.
>+ (assert):
>+ (ownKeys):
>+
> 2019-05-22 Yusuke Suzuki <ysuzuki@apple.com>
>
> [JSC] ArrayAllocationProfile should not access to butterfly in concurrent compiler
>diff --git a/JSTests/stress/create-list-from-array-like-not-object.js b/JSTests/stress/create-list-from-array-like-not-object.js
>new file mode 100644
>index 0000000000000000000000000000000000000000..144096aa015404d52182c7b27bd19ef2f702605b
>--- /dev/null
>+++ b/JSTests/stress/create-list-from-array-like-not-object.js
>@@ -0,0 +1,25 @@
>+function testValid(value) {
>+ const foo = {x: 0};
>+ foo.__proto__ = new Proxy({}, { ownKeys() { return value; } });
>+ for (const x in foo) { }
>+}
>+
>+testValid({});
>+testValid([]);
>+testValid(["x", Symbol("y")]);
>+testValid({ length: 1, 0: 'x' });
>+
>+function testInvalid(value) {
>+ try {
>+ testValid(value);
>+ throw new Error('should have thrown');
>+ } catch (err) {
>+ if (err.message !== "Proxy handler's 'ownKeys' method must return an object")
>+ throw new Error("Expected createListFromArrayLike error");
>+ }
>+}
>+
>+testInvalid(true);
>+testInvalid(false);
>+testInvalid(null);
>+testInvalid(0);
>diff --git a/JSTests/stress/proxy-get-own-property-names-should-not-clear-previous-results.js b/JSTests/stress/proxy-get-own-property-names-should-not-clear-previous-results.js
>index 6de8ada5d1725a456eabc44d7011587b30558be0..652da8589e0d041adcd87e7dca2c4f4ca0e09f3c 100644
>--- a/JSTests/stress/proxy-get-own-property-names-should-not-clear-previous-results.js
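Review bot: In create-list-from-array-like-not-object.js, testInvalid checks only `err.message`, so any error type carrying that text would satisfy it; the condition should be `if (!(err instanceof TypeError) || err.message !== "Proxy handler's 'ownKeys' method must return an object")` to pin the TypeError the spec and the JSObjectInlines.h change require. The sentinel `throw new Error('should have thrown')` sits inside the `try`, so a silently accepted value is reported as "Expected createListFromArrayLike error" instead of as its own failure; moving the sentinel after the try/catch, guarded by a flag set in the catch, keeps the two failure modes distinct. The invalid inputs cover booleans, null and 0 but not the primitives whose `length` Get would have succeeded under the old code path: `testInvalid("xy"); testInvalid(undefined); testInvalid(Symbol("z"));` would add the string case in particular.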
>+++ b/JSTests/stress/proxy-get-own-property-names-should-not-clear-previous-results.js
>@@ -6,7 +6,7 @@ function shouldBe(actual, expected) {
> a = {defineProperties:Object};
> function opt() {
> a.__proto__ = new Proxy(Object,{ownKeys:opt});
>- return 1;
>+ return [];
> }
> for(var i=0;i<400;i=i+1) {
> var prop = null;
>diff --git a/JSTests/stress/proxy-proto-enumerator.js b/JSTests/stress/proxy-proto-enumerator.js
>new file mode 100644
>index 0000000000000000000000000000000000000000..d26aad0fb656c03a10d36596c87fdcb59e1f2d07
>--- /dev/null
>+++ b/JSTests/stress/proxy-proto-enumerator.js
>@@ -0,0 +1,10 @@
>+//@ requireOptions("--forceEagerCompilation=true", "--useConcurrentJIT=false")
>+
>+function main() {
>+ const foo = {x: 0};
>+ foo.__proto__ = new Proxy({}, { ownKeys() { return []; } });
>+ for (const x in foo) { }
>+}
>+
>+for (let i = 0; i < 0x1000; i++)
>+ main();
>diff --git a/JSTests/stress/proxy-proto-own-keys.js b/JSTests/stress/proxy-proto-own-keys.js
>new file mode 100644
>index 0000000000000000000000000000000000000000..5ac59fdfd904fa941235852b9fc932419f29de27
>--- /dev/null
>+++ b/JSTests/stress/proxy-proto-own-keys.js
>@@ -0,0 +1,15 @@
>+function assert(condition, message) {
>+ if (!condition)
>+ throw new Error(message);
>+}
>+
>+const foo = {x: 0};
>+foo.__proto__ = new Proxy({y: 1}, { ownKeys() { return ['y']; } });
>+const keys = [];
>+for (const x in foo) {
>+ keys.push(x);
>+}
>+
>+assert(keys.length == 2, "Should have 2 keys");
>+assert(keys.includes("x"), "Should have key `x`");
>+assert(keys.includes("y"), "Should have key `y`");
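Review bot: `assert(keys.length == 2, "Should have 2 keys")` in proxy-proto-own-keys.js uses loose equality where the other new test in this patch, create-list-from-array-like-not-object.js, compares strictly with `!==`; `assert(keys.length === 2, "Should have 2 keys");` is the consistent form. The three asserts also accept any ordering of the enumerated keys, so if the own key is expected before the proxied prototype key, `assert(keys.join() === "x,y", "Should enumerate x then y");` would pin that as well; if order is intentionally unconstrained, a one-line comment saying so would save the next reader the question.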