[webkit-changes] [WebKit/WebKit] 7c373e: [JSC] TaintedByWithScopeLexicallyScopedFeature sho...

Commit Queue noreply at github.com
Thu Aug 1 19:11:24 PDT 2024


  Branch: refs/heads/main
  Home:   https://github.com/WebKit/WebKit
  Commit: 7c373ebb73d1ccca2d774533ea04d536d1594967
      https://github.com/WebKit/WebKit/commit/7c373ebb73d1ccca2d774533ea04d536d1594967
  Author: Alexey Shvayka <ashvayka at apple.com>
  Date:   2024-08-01 (Thu, 01 Aug 2024)

  Changed paths:
    M Source/JavaScriptCore/bytecode/UnlinkedFunctionExecutable.cpp
    M Source/JavaScriptCore/bytecode/UnlinkedFunctionExecutable.h
    M Source/JavaScriptCore/runtime/FunctionConstructor.cpp
    M Source/JavaScriptCore/runtime/FunctionConstructor.h
    M Source/JavaScriptCore/runtime/FunctionExecutable.cpp
    M Source/JavaScriptCore/runtime/FunctionExecutable.h
    M Source/WebCore/bindings/js/JSLazyEventListener.cpp
    M Source/WebCore/bindings/js/JSNodeCustom.cpp
    M Source/WebCore/bindings/scripts/CodeGeneratorJS.pm
    M Source/WebCore/bindings/scripts/IDLAttributes.json
    M Source/WebCore/dom/Node.idl
    M Source/WebCore/html/HTMLElement.idl

  Log Message:
  -----------
  [JSC] TaintedByWithScopeLexicallyScopedFeature should account for HTMLElement's event handler attributes
https://bugs.webkit.org/show_bug.cgi?id=277516
<rdar://problem/133018372>

Reviewed by Yijia Huang and Yusuke Suzuki.

Per spec [1], an attribute event handler on an HTMLElement is compiled to a function with a few
object environment records in its scope chain: the document, the form owner (if present), and the element.

This change makes constructFunctionSkippingEvalEnabledCheck() accept LexicallyScopeFeatures as an
argument so we could reliably determine during bytecode generation if an op_get_from_scope can possibly
hit a JSWithScope, which is necessary for the upcoming ToThis revamp (webkit.org/b/225397).

Since we need to know if there will be a JSWithScope before parsing, this patch removes the dummy
JSNode::pushEventHandlerScope() and the now single-use [CustomPushEventHandlerScope] IDL extended attribute
in favor of a type check.

No new tests, no behavior change.

[1]: https://html.spec.whatwg.org/multipage/webappapis.html#getting-the-current-value-of-the-event-handler (step 9)

* Source/JavaScriptCore/bytecode/UnlinkedFunctionExecutable.cpp:
(JSC::UnlinkedFunctionExecutable::fromGlobalCode):
* Source/JavaScriptCore/bytecode/UnlinkedFunctionExecutable.h:
* Source/JavaScriptCore/runtime/FunctionConstructor.cpp:
(JSC::constructFunction):
(JSC::constructFunctionSkippingEvalEnabledCheck):
* Source/JavaScriptCore/runtime/FunctionConstructor.h:
* Source/JavaScriptCore/runtime/FunctionExecutable.cpp:
(JSC::FunctionExecutable::fromGlobalCode):
* Source/JavaScriptCore/runtime/FunctionExecutable.h:
* Source/WebCore/bindings/js/JSLazyEventListener.cpp:
(WebCore::JSLazyEventListener::initializeJSFunction const):
* Source/WebCore/bindings/js/JSNodeCustom.cpp:
(WebCore::JSNode::pushEventHandlerScope const): Deleted.
* Source/WebCore/bindings/scripts/CodeGeneratorJS.pm:
(GenerateHeader):
* Source/WebCore/bindings/scripts/IDLAttributes.json:
* Source/WebCore/dom/Node.idl:
* Source/WebCore/html/HTMLElement.idl:

Canonical link: https://commits.webkit.org/281740@main
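The scope chain the commit message describes (global, then document, then form owner, then element) is why bare identifiers inside an inline handler such as onclick="..." resolve against element, form and document properties before anything else, and why the engine must know up front that such a function can hit a with-scope. The following is an added example, not WebKit code: it models that chain with sloppy-mode `with` blocks over constructed stand-in objects (documentLike, formLike, elementLike and compileInlineHandler are all assumptions made for the demonstration).

```javascript
// Added example (not from the WebKit commit): simulate the object environment
// records the HTML spec puts around an event handler content attribute.
// Resolution order, innermost first: element -> form owner -> document -> global.

// Constructed stand-ins for the DOM objects an inline handler can see.
const documentLike = { title: "Document title", cookie: "constructed=1" };
const formLike = { action: "/submit", title: "Form title" };
const elementLike = { id: "btn", title: "Element title", value: "clicked" };

// Compile a handler body the way the spec's scope chain implies. Browsers build
// this from object environment records (JSWithScope in JSC); here plain `with`
// blocks stand in. new Function bodies are sloppy-mode, so `with` is allowed.
function compileInlineHandler(body, doc, frm, el) {
  const src = frm
    ? `with (doc) { with (frm) { with (el) { return function onEvent(event) { ${body} }; } } }`
    : `with (doc) { with (el) { return function onEvent(event) { ${body} }; } }`;
  return new Function("doc", "frm", "el", src)(doc, frm, el);
}

// Bare `title` resolves on the element, not the document: this is why a handler
// written as onclick="alert(title)" reports the element's own title attribute.
function resolveTitle() {
  return compileInlineHandler("return title;", documentLike, formLike, elementLike)();
}

// `action` is absent on the element, so lookup falls through to the form owner.
function resolveAction() {
  return compileInlineHandler("return action;", documentLike, formLike, elementLike)();
}

// `cookie` exists only on the document, the outermost of the three records.
function resolveCookie() {
  return compileInlineHandler("return cookie;", documentLike, formLike, elementLike)();
}

// Without a form owner, an identifier only the form provided is unresolved:
// the lookup reaches the global scope and throws a ReferenceError.
function resolveActionWithoutForm() {
  try {
    return compileInlineHandler("return action;", documentLike, null, elementLike)();
  } catch (e) {
    return e instanceof ReferenceError ? "ReferenceError" : "other";
  }
}
```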
