<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.1//EN"
"http://www.w3.org/TR/xhtml11/DTD/xhtml11.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head><meta http-equiv="content-type" content="text/html; charset=utf-8" />
<title>[184640] trunk</title>
</head>
<body>
<style type="text/css"><!--
#msg dl.meta { border: 1px #006 solid; background: #369; padding: 6px; color: #fff; }
#msg dl.meta dt { float: left; width: 6em; font-weight: bold; }
#msg dt:after { content:':';}
#msg dl, #msg dt, #msg ul, #msg li, #header, #footer, #logmsg { font-family: verdana,arial,helvetica,sans-serif; font-size: 10pt; }
#msg dl a { font-weight: bold}
#msg dl a:link { color:#fc3; }
#msg dl a:active { color:#ff0; }
#msg dl a:visited { color:#cc6; }
h3 { font-family: verdana,arial,helvetica,sans-serif; font-size: 10pt; font-weight: bold; }
#msg pre { overflow: auto; background: #ffc; border: 1px #fa0 solid; padding: 6px; }
#logmsg { background: #ffc; border: 1px #fa0 solid; padding: 1em 1em 0 1em; }
#logmsg p, #logmsg pre, #logmsg blockquote { margin: 0 0 1em 0; }
#logmsg p, #logmsg li, #logmsg dt, #logmsg dd { line-height: 14pt; }
#logmsg h1, #logmsg h2, #logmsg h3, #logmsg h4, #logmsg h5, #logmsg h6 { margin: .5em 0; }
#logmsg h1:first-child, #logmsg h2:first-child, #logmsg h3:first-child, #logmsg h4:first-child, #logmsg h5:first-child, #logmsg h6:first-child { margin-top: 0; }
#logmsg ul, #logmsg ol { padding: 0; list-style-position: inside; margin: 0 0 0 1em; }
#logmsg ul { text-indent: -1em; padding-left: 1em; }#logmsg ol { text-indent: -1.5em; padding-left: 1.5em; }
#logmsg > ul, #logmsg > ol { margin: 0 0 1em 0; }
#logmsg pre { background: #eee; padding: 1em; }
#logmsg blockquote { border: 1px solid #fa0; border-left-width: 10px; padding: 1em 1em 0 1em; background: white;}
#logmsg dl { margin: 0; }
#logmsg dt { font-weight: bold; }
#logmsg dd { margin: 0; padding: 0 0 0.5em 0; }
#logmsg dd:before { content:'\00bb';}
#logmsg table { border-spacing: 0px; border-collapse: collapse; border-top: 4px solid #fa0; border-bottom: 1px solid #fa0; background: #fff; }
#logmsg table th { text-align: left; font-weight: normal; padding: 0.2em 0.5em; border-top: 1px dotted #fa0; }
#logmsg table td { text-align: right; border-top: 1px dotted #fa0; padding: 0.2em 0.5em; }
#logmsg table thead th { text-align: center; border-bottom: 1px solid #fa0; }
#logmsg table th.Corner { text-align: left; }
#logmsg hr { border: none 0; border-top: 2px dashed #fa0; height: 1px; }
#header, #footer { color: #fff; background: #636; border: 1px #300 solid; padding: 6px; }
#patch { width: 100%; }
#patch h4 {font-family: verdana,arial,helvetica,sans-serif;font-size:10pt;padding:8px;background:#369;color:#fff;margin:0;}
#patch .propset h4, #patch .binary h4 {margin:0;}
#patch pre {padding:0;line-height:1.2em;margin:0;}
#patch .diff {width:100%;background:#eee;padding: 0 0 10px 0;overflow:auto;}
#patch .propset .diff, #patch .binary .diff {padding:10px 0;}
#patch span {display:block;padding:0 10px;}
#patch .modfile, #patch .addfile, #patch .delfile, #patch .propset, #patch .binary, #patch .copfile {border:1px solid #ccc;margin:10px 0;}
#patch ins {background:#dfd;text-decoration:none;display:block;padding:0 10px;}
#patch del {background:#fdd;text-decoration:none;display:block;padding:0 10px;}
#patch .lines, .info {color:#888;background:#fff;}
--></style>
<div id="msg">
<dl class="meta">
<dt>Revision</dt> <dd><a href="http://trac.webkit.org/projects/webkit/changeset/184640">184640</a></dd>
<dt>Author</dt> <dd>commit-queue@webkit.org</dd>
<dt>Date</dt> <dd>2015-05-20 09:54:09 -0700 (Wed, 20 May 2015)</dd>
</dl>
<h3>Log Message</h3>
<pre>ES6: Should not allow duplicate basic __proto__ properties in Object Literals
https://bugs.webkit.org/show_bug.cgi?id=145138
Patch by Joseph Pecoraro <pecoraro@apple.com> on 2015-05-20
Reviewed by Darin Adler.
Source/JavaScriptCore:
Implement ES6 Annex B.3.1, which disallows duplicate basic __proto__
properties in object literals. This doesn't affect computed properties,
shorthand properties, or getters/setters all of which avoid setting
the actual prototype of the object anyway.
* interpreter/Interpreter.cpp:
(JSC::eval):
Remove out of date comment. Duplicate property names are allowed
now in ES6, they were not in ES5 strict mode.
* parser/ASTBuilder.h:
(JSC::ASTBuilder::getName):
(JSC::ASTBuilder::getType):
* parser/SyntaxChecker.h:
(JSC::SyntaxChecker::getName):
Add back getName to get the property name depending on the tree builder.
Also tighten up the parameter types.
* runtime/LiteralParser.cpp:
(JSC::LiteralParser<CharType>::parse):
In quick JSON literal parsing for eval, we actually need to evaluate
the __proto__ property assignment, instead of just building up a list
of direct properties. Only do this when not doing a strict JSON parse.
* parser/Nodes.h:
Add "Shorthand" to the list of PropertyNode types to allow it to
be distinguished without relying on other information.
* parser/Parser.h:
* parser/Parser.cpp:
(JSC::Parser<LexerType>::parseProperty):
Add the Shorthand type when parsing a shorthand property.
(JSC::Parser<LexerType>::shouldCheckPropertyForUnderscoreProtoDuplicate):
(JSC::Parser<LexerType>::parseObjectLiteral):
(JSC::Parser<LexerType>::parseStrictObjectLiteral):
Check for duplicate __proto__ properties, and throw a SyntaxError
if that was the case.
LayoutTests:
* js/dom/JSON-parse-expected.txt:
* js/resources/JSON-parse.js:
Update expected results for JSON parsing using eval() versus JSON.parse.
In eval, an object literal with a "__proto__" property modifies the prototype.
In JSON.parse, all properties are direct/own properties, no matter their name,
so "__proto__" does not get special treatment.
* js/eval-json-proto-expected.txt: Added.
* js/eval-json-proto.html: Added.
* js/script-tests/eval-json-proto.js: Added.
Direct test for LiteralParser behavior, in both eval and JSON.parse.
* js/object-literal-duplicate-properties-expected.txt:
* js/script-tests/object-literal-duplicate-properties.js:
(runProtoTestShouldThrow):
(runProtoTestShouldNotThrow):
Test for all cases of acceptable and unacceptable __proto__ duplicate
properties in literals.</pre>
<h3>Modified Paths</h3>
<ul>
<li><a href="#trunkLayoutTestsChangeLog">trunk/LayoutTests/ChangeLog</a></li>
<li><a href="#trunkLayoutTestsjsdomJSONparseexpectedtxt">trunk/LayoutTests/js/dom/JSON-parse-expected.txt</a></li>
<li><a href="#trunkLayoutTestsjsobjectliteralduplicatepropertiesexpectedtxt">trunk/LayoutTests/js/object-literal-duplicate-properties-expected.txt</a></li>
<li><a href="#trunkLayoutTestsjsresourcesJSONparsejs">trunk/LayoutTests/js/resources/JSON-parse.js</a></li>
<li><a href="#trunkLayoutTestsjsscripttestsobjectliteralduplicatepropertiesjs">trunk/LayoutTests/js/script-tests/object-literal-duplicate-properties.js</a></li>
<li><a href="#trunkSourceJavaScriptCoreChangeLog">trunk/Source/JavaScriptCore/ChangeLog</a></li>
<li><a href="#trunkSourceJavaScriptCoreinterpreterInterpretercpp">trunk/Source/JavaScriptCore/interpreter/Interpreter.cpp</a></li>
<li><a href="#trunkSourceJavaScriptCoreparserASTBuilderh">trunk/Source/JavaScriptCore/parser/ASTBuilder.h</a></li>
<li><a href="#trunkSourceJavaScriptCoreparserNodesh">trunk/Source/JavaScriptCore/parser/Nodes.h</a></li>
<li><a href="#trunkSourceJavaScriptCoreparserParsercpp">trunk/Source/JavaScriptCore/parser/Parser.cpp</a></li>
<li><a href="#trunkSourceJavaScriptCoreparserParserh">trunk/Source/JavaScriptCore/parser/Parser.h</a></li>
<li><a href="#trunkSourceJavaScriptCoreparserSyntaxCheckerh">trunk/Source/JavaScriptCore/parser/SyntaxChecker.h</a></li>
<li><a href="#trunkSourceJavaScriptCoreruntimeLiteralParsercpp">trunk/Source/JavaScriptCore/runtime/LiteralParser.cpp</a></li>
</ul>
<h3>Added Paths</h3>
<ul>
<li><a href="#trunkLayoutTestsjsevaljsonprotoexpectedtxt">trunk/LayoutTests/js/eval-json-proto-expected.txt</a></li>
<li><a href="#trunkLayoutTestsjsevaljsonprotohtml">trunk/LayoutTests/js/eval-json-proto.html</a></li>
<li><a href="#trunkLayoutTestsjsscripttestsevaljsonprotojs">trunk/LayoutTests/js/script-tests/eval-json-proto.js</a></li>
</ul>
</div>
<div id="patch">
<h3>Diff</h3>
<a id="trunkLayoutTestsChangeLog"></a>
<div class="modfile"><h4>Modified: trunk/LayoutTests/ChangeLog (184639 => 184640)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/LayoutTests/ChangeLog 2015-05-20 16:18:03 UTC (rev 184639)
+++ trunk/LayoutTests/ChangeLog 2015-05-20 16:54:09 UTC (rev 184640)
</span><span class="lines">@@ -1,5 +1,31 @@
</span><span class="cx"> 2015-05-20 Joseph Pecoraro <pecoraro@apple.com>
</span><span class="cx">
</span><ins>+ ES6: Should not allow duplicate basic __proto__ properties in Object Literals
+ https://bugs.webkit.org/show_bug.cgi?id=145138
+
+ Reviewed by Darin Adler.
+
+ * js/dom/JSON-parse-expected.txt:
+ * js/resources/JSON-parse.js:
+ Update expected results for JSON parsing using eval() versus JSON.parse.
+ In eval, an object literal with a "__proto__" property modifies the prototype.
+ In JSON.parse, all properties are direct/own properties, no matter their name,
+ so "__proto__" does not get special treatment.
+
+ * js/eval-json-proto-expected.txt: Added.
+ * js/eval-json-proto.html: Added.
+ * js/script-tests/eval-json-proto.js: Added.
+ Direct test for LiteralParser behavior, in both eval and JSON.parse.
+
+ * js/object-literal-duplicate-properties-expected.txt:
+ * js/script-tests/object-literal-duplicate-properties.js:
+ (runProtoTestShouldThrow):
+ (runProtoTestShouldNotThrow):
+ Test for all cases of acceptable and unacceptable __proto__ duplicate
+ properties in literals.
+
+2015-05-20 Joseph Pecoraro <pecoraro@apple.com>
+
</ins><span class="cx"> Web Inspector: Slightly better node previews in arrays
</span><span class="cx"> https://bugs.webkit.org/show_bug.cgi?id=145188
</span><span class="cx">
</span></span></pre></div>
<a id="trunkLayoutTestsjsdomJSONparseexpectedtxt"></a>
<div class="modfile"><h4>Modified: trunk/LayoutTests/js/dom/JSON-parse-expected.txt (184639 => 184640)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/LayoutTests/js/dom/JSON-parse-expected.txt 2015-05-20 16:18:03 UTC (rev 184639)
+++ trunk/LayoutTests/js/dom/JSON-parse-expected.txt 2015-05-20 16:54:09 UTC (rev 184640)
</span><span class="lines">@@ -69,7 +69,10 @@
</span><span class="cx"> function (jsonObject){
</span><span class="cx"> return jsonObject.parse('{"__proto__":5}');
</span><span class="cx"> }
</span><del>-PASS JSON.stringify(tests[i](nativeJSON)) is JSON.stringify(tests[i](JSON))
</del><ins>+json2.js uses eval and will differ when parsing JSON with __proto__.
+PASS JSON.stringify(tests[i](nativeJSON)) is not JSON.stringify(tests[i](JSON))
+PASS JSON.stringify(tests[i](nativeJSON)) is tests[i].jsonParseExpected
+PASS JSON.stringify(tests[i](JSON)) is tests[i].evalExpected
</ins><span class="cx"> function (jsonObject){
</span><span class="cx"> return jsonObject.parse('{"a":5,}');
</span><span class="cx"> }
</span><span class="lines">@@ -443,7 +446,10 @@
</span><span class="cx"> function (jsonObject){
</span><span class="cx"> return jsonObject.parse('{"__proto__":{"a":5}}', log);
</span><span class="cx"> }
</span><del>-PASS JSON.stringify(tests[i](nativeJSON)) is JSON.stringify(tests[i](JSON))
</del><ins>+json2.js uses eval and will differ when parsing JSON with __proto__.
+PASS JSON.stringify(tests[i](nativeJSON)) is not JSON.stringify(tests[i](JSON))
+PASS JSON.stringify(tests[i](nativeJSON)) is tests[i].jsonParseExpected
+PASS JSON.stringify(tests[i](JSON)) is tests[i].evalExpected
</ins><span class="cx"> function (jsonObject){
</span><span class="cx"> logOrderString = "";
</span><span class="cx"> return jsonObject.parse("true", logOrder);
</span></span></pre></div>
<a id="trunkLayoutTestsjsevaljsonprotoexpectedtxt"></a>
<div class="addfile"><h4>Added: trunk/LayoutTests/js/eval-json-proto-expected.txt (0 => 184640)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/LayoutTests/js/eval-json-proto-expected.txt (rev 0)
+++ trunk/LayoutTests/js/eval-json-proto-expected.txt 2015-05-20 16:54:09 UTC (rev 184640)
</span><span class="lines">@@ -0,0 +1,12 @@
</span><ins>+This test case checks different JSON literal constructions and ensures they handle __proto__ as expected.
+
+On success, you will see a series of "PASS" messages, followed by "TEST COMPLETE".
+
+
+PASS ({__proto__:[]}) instanceof Array is true
+PASS evalResult instanceof Array is true
+PASS jsonParseResult instanceof Array is false
+PASS successfullyParsed is true
+
+TEST COMPLETE
+
</ins></span></pre></div>
<a id="trunkLayoutTestsjsevaljsonprotohtml"></a>
<div class="addfile"><h4>Added: trunk/LayoutTests/js/eval-json-proto.html (0 => 184640)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/LayoutTests/js/eval-json-proto.html (rev 0)
+++ trunk/LayoutTests/js/eval-json-proto.html 2015-05-20 16:54:09 UTC (rev 184640)
</span><span class="lines">@@ -0,0 +1,10 @@
</span><ins>+<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML//EN">
+<html>
+<head>
+<script src="../resources/js-test-pre.js"></script>
+</head>
+<body>
+<script src="script-tests/eval-json-proto.js"></script>
+<script src="../resources/js-test-post.js"></script>
+</body>
+</html>
</ins></span></pre></div>
<a id="trunkLayoutTestsjsobjectliteralduplicatepropertiesexpectedtxt"></a>
<div class="modfile"><h4>Modified: trunk/LayoutTests/js/object-literal-duplicate-properties-expected.txt (184639 => 184640)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/LayoutTests/js/object-literal-duplicate-properties-expected.txt 2015-05-20 16:18:03 UTC (rev 184639)
+++ trunk/LayoutTests/js/object-literal-duplicate-properties-expected.txt 2015-05-20 16:54:09 UTC (rev 184640)
</span><span class="lines">@@ -205,6 +205,38 @@
</span><span class="cx"> PASS o = {get foo(){return 2}, get foo(){return 2}, ['foo']:3, foo:1}; descriptionString(o, 'foo'); is 'value:1 keys:1 [ECW][Extensible]'
</span><span class="cx"> PASS 'use strict';o = {get foo(){return 2}, get foo(){return 2}, ['foo']:3, foo:1}; descriptionString(o, 'foo'); is 'value:1 keys:1 [ECW][Extensible]'
</span><span class="cx"> PASS (function(){o = {get foo(){return 2}, get foo(){return 2}, ['foo']:3, foo:1}; descriptionString(o, 'foo');})() did not throw exception.
</span><ins>+
+Duplicate simple __proto__ attributes are not allowed
+PASS o = {__proto__:null} did not throw exception.
+PASS 'use strict';o = {__proto__:null} did not throw exception.
+PASS (function(){o = {__proto__:null}})() did not throw exception.
+PASS ({__proto__:null, ['__proto__']:{}}) did not throw exception.
+PASS 'use strict';({__proto__:null, ['__proto__']:{}}) did not throw exception.
+PASS (function(){({__proto__:null, ['__proto__']:{}})})() did not throw exception.
+PASS o = {__proto__:null, ['__proto__']:{}} did not throw exception.
+PASS 'use strict';o = {__proto__:null, ['__proto__']:{}} did not throw exception.
+PASS (function(){o = {__proto__:null, ['__proto__']:{}}})() did not throw exception.
+PASS o = {__proto__:null, get __proto__(){}} did not throw exception.
+PASS 'use strict';o = {__proto__:null, get __proto__(){}} did not throw exception.
+PASS (function(){o = {__proto__:null, get __proto__(){}}})() did not throw exception.
+PASS var __proto__ = null; o = {__proto__:null, __proto__} did not throw exception.
+PASS 'use strict';var __proto__ = null; o = {__proto__:null, __proto__} did not throw exception.
+PASS (function(){var __proto__ = null; o = {__proto__:null, __proto__}})() did not throw exception.
+PASS ({__proto__:[], __proto__:{}}) threw exception SyntaxError: Attempted to redefine __proto__ property..
+PASS 'use strict';({__proto__:[], __proto__:{}}) threw exception SyntaxError: Attempted to redefine __proto__ property..
+PASS (function(){({__proto__:[], __proto__:{}})})() threw exception SyntaxError: Attempted to redefine __proto__ property..
+PASS o = {__proto__:null, '__proto__':{}} threw exception SyntaxError: Attempted to redefine __proto__ property..
+PASS 'use strict';o = {__proto__:null, '__proto__':{}} threw exception SyntaxError: Attempted to redefine __proto__ property..
+PASS (function(){o = {__proto__:null, '__proto__':{}}})() threw exception SyntaxError: Attempted to redefine __proto__ property..
+PASS o = {__proto__:[], __proto__:{}} threw exception SyntaxError: Attempted to redefine __proto__ property..
+PASS 'use strict';o = {__proto__:[], __proto__:{}} threw exception SyntaxError: Attempted to redefine __proto__ property..
+PASS (function(){o = {__proto__:[], __proto__:{}}})() threw exception SyntaxError: Attempted to redefine __proto__ property..
+PASS o = {'__proto__':{}, '__proto__':{}} threw exception SyntaxError: Attempted to redefine __proto__ property..
+PASS 'use strict';o = {'__proto__':{}, '__proto__':{}} threw exception SyntaxError: Attempted to redefine __proto__ property..
+PASS (function(){o = {'__proto__':{}, '__proto__':{}}})() threw exception SyntaxError: Attempted to redefine __proto__ property..
+PASS o = {a:1, __proto__:{}, b:2, ['c']:3, __proto__:{}, d:3} threw exception SyntaxError: Attempted to redefine __proto__ property..
+PASS 'use strict';o = {a:1, __proto__:{}, b:2, ['c']:3, __proto__:{}, d:3} threw exception SyntaxError: Attempted to redefine __proto__ property..
+PASS (function(){o = {a:1, __proto__:{}, b:2, ['c']:3, __proto__:{}, d:3}})() threw exception SyntaxError: Attempted to redefine __proto__ property..
</ins><span class="cx"> PASS successfullyParsed is true
</span><span class="cx">
</span><span class="cx"> TEST COMPLETE
</span></span></pre></div>
<a id="trunkLayoutTestsjsresourcesJSONparsejs"></a>
<div class="modfile"><h4>Modified: trunk/LayoutTests/js/resources/JSON-parse.js (184639 => 184640)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/LayoutTests/js/resources/JSON-parse.js 2015-05-20 16:18:03 UTC (rev 184639)
+++ trunk/LayoutTests/js/resources/JSON-parse.js 2015-05-20 16:54:09 UTC (rev 184640)
</span><span class="lines">@@ -67,6 +67,8 @@
</span><span class="cx"> result.push(function(jsonObject){
</span><span class="cx"> return jsonObject.parse('{"__proto__":5}');
</span><span class="cx"> });
</span><ins>+ result[result.length - 1].jsonParseExpected = '{"__proto__":5}';
+ result[result.length - 1].evalExpected = '{}';
</ins><span class="cx"> result.push(function(jsonObject){
</span><span class="cx"> return jsonObject.parse('{"a":5,}');
</span><span class="cx"> });
</span><span class="lines">@@ -403,6 +405,8 @@
</span><span class="cx"> result.push(function(jsonObject){
</span><span class="cx"> return jsonObject.parse('{"__proto__":{"a":5}}', log);
</span><span class="cx"> });
</span><ins>+ result[result.length - 1].jsonParseExpected = '{"":{"__proto__":{"keyType":"string"}},"keyType":"string"}';
+ result[result.length - 1].evalExpected = '{"":{},"keyType":"string"}';
</ins><span class="cx"> var logOrderString;
</span><span class="cx"> function logOrder(key, value) {
</span><span class="cx"> logOrderString += key +":"+JSON.stringify(value);
</span><span class="lines">@@ -567,7 +571,12 @@
</span><span class="cx"> try { shouldBe('JSON.stringify(tests[i](nativeJSON))', "tests[i].expected") } catch(e) { debug("threw - " + e)}
</span><span class="cx"> else if (tests[i].unstringifiedExpected)
</span><span class="cx"> try { shouldBe('tests[i](nativeJSON)', "tests[i].unstringifiedExpected") } catch(e) { debug("threw - " + e)}
</span><del>- else
</del><ins>+ else if (tests[i].evalExpected) {
+ debug("json2.js uses eval and will differ when parsing JSON with __proto__.");
+ try { shouldNotBe('JSON.stringify(tests[i](nativeJSON))', 'JSON.stringify(tests[i](JSON))') } catch(e) { debug("threw - " + e) };
+ try { shouldBe('JSON.stringify(tests[i](nativeJSON))', 'tests[i].jsonParseExpected') } catch(e) { debug("threw - " + e) };
+ try { shouldBe('JSON.stringify(tests[i](JSON))', 'tests[i].evalExpected') } catch(e) { debug("threw - " + e) };
+ } else
</ins><span class="cx"> try { shouldBe('JSON.stringify(tests[i](nativeJSON))', 'JSON.stringify(tests[i](JSON))') } catch(e) { debug("threw - " + e) };
</span><span class="cx"> }catch(e){
</span><span class="cx"> debug(e);
</span></span></pre></div>
<a id="trunkLayoutTestsjsscripttestsevaljsonprotojs"></a>
<div class="addfile"><h4>Added: trunk/LayoutTests/js/script-tests/eval-json-proto.js (0 => 184640)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/LayoutTests/js/script-tests/eval-json-proto.js (rev 0)
+++ trunk/LayoutTests/js/script-tests/eval-json-proto.js 2015-05-20 16:54:09 UTC (rev 184640)
</span><span class="lines">@@ -0,0 +1,9 @@
</span><ins>+description("This test case checks different JSON literal constructions and ensures they handle __proto__ as expected.");
+
+shouldBeTrue("({__proto__:[]}) instanceof Array");
+
+evalResult = eval("({__proto__:[]})");
+shouldBeTrue("evalResult instanceof Array");
+
+jsonParseResult = JSON.parse('{"__proto__":[]}');
+shouldBeFalse("jsonParseResult instanceof Array");
</ins></span></pre></div>
<a id="trunkLayoutTestsjsscripttestsobjectliteralduplicatepropertiesjs"></a>
<div class="modfile"><h4>Modified: trunk/LayoutTests/js/script-tests/object-literal-duplicate-properties.js (184639 => 184640)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/LayoutTests/js/script-tests/object-literal-duplicate-properties.js 2015-05-20 16:18:03 UTC (rev 184639)
+++ trunk/LayoutTests/js/script-tests/object-literal-duplicate-properties.js 2015-05-20 16:54:09 UTC (rev 184640)
</span><span class="lines">@@ -182,3 +182,27 @@
</span><span class="cx"> runTest("o = {set foo(x){}, ['foo']:3, set foo(x){}, foo:1}", "'value:1 keys:1 [ECW][Extensible]'");
</span><span class="cx"> runTest("o = {set foo(x){}, foo:1, get foo(){return 2}, ['foo']:3}", "'value:3 keys:1 [ECW][Extensible]'");
</span><span class="cx"> runTest("o = {get foo(){return 2}, get foo(){return 2}, ['foo']:3, foo:1}", "'value:1 keys:1 [ECW][Extensible]'");
</span><ins>+
+// __proto__ duplicates are not allowed.
+function runProtoTestShouldThrow(test) {
+ shouldThrow(test);
+ shouldThrow("'use strict';" + test);
+ shouldThrow("(function(){" + test + "})()");
+}
+function runProtoTestShouldNotThrow(test) {
+ shouldNotThrow(test);
+ shouldNotThrow("'use strict';" + test);
+ shouldNotThrow("(function(){" + test + "})()");
+}
+
+debug(""); debug("Duplicate simple __proto__ attributes are not allowed");
+runProtoTestShouldNotThrow("o = {__proto__:null}");
+runProtoTestShouldNotThrow("({__proto__:null, ['__proto__']:{}})");
+runProtoTestShouldNotThrow("o = {__proto__:null, ['__proto__']:{}}");
+runProtoTestShouldNotThrow("o = {__proto__:null, get __proto__(){}}");
+runProtoTestShouldNotThrow("var __proto__ = null; o = {__proto__:null, __proto__}");
+runProtoTestShouldThrow("({__proto__:[], __proto__:{}})");
+runProtoTestShouldThrow("o = {__proto__:null, '__proto__':{}}");
+runProtoTestShouldThrow("o = {__proto__:[], __proto__:{}}");
+runProtoTestShouldThrow("o = {'__proto__':{}, '__proto__':{}}");
+runProtoTestShouldThrow("o = {a:1, __proto__:{}, b:2, ['c']:3, __proto__:{}, d:3}");
</ins></span></pre></div>
<a id="trunkSourceJavaScriptCoreChangeLog"></a>
<div class="modfile"><h4>Modified: trunk/Source/JavaScriptCore/ChangeLog (184639 => 184640)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/JavaScriptCore/ChangeLog 2015-05-20 16:18:03 UTC (rev 184639)
+++ trunk/Source/JavaScriptCore/ChangeLog 2015-05-20 16:54:09 UTC (rev 184640)
</span><span class="lines">@@ -1,3 +1,49 @@
</span><ins>+2015-05-20 Joseph Pecoraro <pecoraro@apple.com>
+
+ ES6: Should not allow duplicate basic __proto__ properties in Object Literals
+ https://bugs.webkit.org/show_bug.cgi?id=145138
+
+ Reviewed by Darin Adler.
+
+ Implement ES6 Annex B.3.1, which disallows duplicate basic __proto__
+ properties in object literals. This doesn't affect computed properties,
+ shorthand properties, or getters/setters all of which avoid setting
+ the actual prototype of the object anyway.
+
+ * interpreter/Interpreter.cpp:
+ (JSC::eval):
+ Remove out of date comment. Duplicate property names are allowed
+ now in ES6, they were not in ES5 strict mode.
+
+ * parser/ASTBuilder.h:
+ (JSC::ASTBuilder::getName):
+ (JSC::ASTBuilder::getType):
+ * parser/SyntaxChecker.h:
+ (JSC::SyntaxChecker::getName):
+ Add back getName to get the property name depending on the tree builder.
+ Also tighten up the parameter types.
+
+ * runtime/LiteralParser.cpp:
+ (JSC::LiteralParser<CharType>::parse):
+ In quick JSON literal parsing for eval, we actually need to evaluate
+ the __proto__ property assignment, instead of just building up a list
+ of direct properties. Only do this when not doing a strict JSON parse.
+
+ * parser/Nodes.h:
+ Add "Shorthand" to the list of PropertyNode types to allow it to
+ be distinguished without relying on other information.
+
+ * parser/Parser.h:
+ * parser/Parser.cpp:
+ (JSC::Parser<LexerType>::parseProperty):
+ Add the Shorthand type when parsing a shorthand property.
+
+ (JSC::Parser<LexerType>::shouldCheckPropertyForUnderscoreProtoDuplicate):
+ (JSC::Parser<LexerType>::parseObjectLiteral):
+ (JSC::Parser<LexerType>::parseStrictObjectLiteral):
+ Check for duplicate __proto__ properties, and throw a SyntaxError
+ if that was the case.
+
</ins><span class="cx"> 2015-05-20 Csaba Osztrogonác <ossy@webkit.org>
</span><span class="cx">
</span><span class="cx"> [JSC] Add missing copyrights and licenses for some scripts
</span></span></pre></div>
<a id="trunkSourceJavaScriptCoreinterpreterInterpretercpp"></a>
<div class="modfile"><h4>Modified: trunk/Source/JavaScriptCore/interpreter/Interpreter.cpp (184639 => 184640)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/JavaScriptCore/interpreter/Interpreter.cpp 2015-05-20 16:18:03 UTC (rev 184639)
+++ trunk/Source/JavaScriptCore/interpreter/Interpreter.cpp 2015-05-20 16:54:09 UTC (rev 184640)
</span><span class="lines">@@ -151,8 +151,6 @@
</span><span class="cx">
</span><span class="cx"> if (!eval) {
</span><span class="cx"> if (!callerCodeBlock->isStrictMode()) {
</span><del>- // FIXME: We can use the preparser in strict mode, we just need additional logic
- // to prevent duplicates.
</del><span class="cx"> if (programSource.is8Bit()) {
</span><span class="cx"> LiteralParser<LChar> preparser(callFrame, programSource.characters8(), programSource.length(), NonStrictJSON);
</span><span class="cx"> if (JSValue parsedObject = preparser.tryLiteralParse())
</span></span></pre></div>
<a id="trunkSourceJavaScriptCoreparserASTBuilderh"></a>
<div class="modfile"><h4>Modified: trunk/Source/JavaScriptCore/parser/ASTBuilder.h (184639 => 184640)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/JavaScriptCore/parser/ASTBuilder.h 2015-05-20 16:18:03 UTC (rev 184639)
+++ trunk/Source/JavaScriptCore/parser/ASTBuilder.h 2015-05-20 16:54:09 UTC (rev 184640)
</span><span class="lines">@@ -719,9 +719,10 @@
</span><span class="cx"> assignmentStackDepth--;
</span><span class="cx"> return result;
</span><span class="cx"> }
</span><del>-
- PropertyNode::Type getType(Property property) const { return property->type(); }
</del><span class="cx">
</span><ins>+ const Identifier* getName(const Property& property) const { return property->name(); }
+ PropertyNode::Type getType(const Property& property) const { return property->type(); }
+
</ins><span class="cx"> bool isResolve(ExpressionNode* expr) const { return expr->isResolveNode(); }
</span><span class="cx">
</span><span class="cx"> ExpressionNode* createDeconstructingAssignment(const JSTokenLocation& location, PassRefPtr<DeconstructionPatternNode> pattern, ExpressionNode* initializer)
</span></span></pre></div>
<a id="trunkSourceJavaScriptCoreparserNodesh"></a>
<div class="modfile"><h4>Modified: trunk/Source/JavaScriptCore/parser/Nodes.h (184639 => 184640)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/JavaScriptCore/parser/Nodes.h 2015-05-20 16:18:03 UTC (rev 184639)
+++ trunk/Source/JavaScriptCore/parser/Nodes.h 2015-05-20 16:54:09 UTC (rev 184640)
</span><span class="lines">@@ -580,7 +580,7 @@
</span><span class="cx">
</span><span class="cx"> class PropertyNode : public ParserArenaFreeable {
</span><span class="cx"> public:
</span><del>- enum Type { Constant = 1, Getter = 2, Setter = 4, Computed = 8 };
</del><ins>+ enum Type { Constant = 1, Getter = 2, Setter = 4, Computed = 8, Shorthand = 16 };
</ins><span class="cx"> enum PutType { Unknown, KnownDirect };
</span><span class="cx">
</span><span class="cx"> PropertyNode(const Identifier&, ExpressionNode*, Type, PutType, SuperBinding);
</span><span class="lines">@@ -598,7 +598,7 @@
</span><span class="cx"> const Identifier* m_name;
</span><span class="cx"> ExpressionNode* m_expression;
</span><span class="cx"> ExpressionNode* m_assign;
</span><del>- unsigned m_type : 4;
</del><ins>+ unsigned m_type : 5;
</ins><span class="cx"> unsigned m_needsSuperBinding : 1;
</span><span class="cx"> unsigned m_putType : 1;
</span><span class="cx"> };
</span></span></pre></div>
<a id="trunkSourceJavaScriptCoreparserParsercpp"></a>
<div class="modfile"><h4>Modified: trunk/Source/JavaScriptCore/parser/Parser.cpp (184639 => 184640)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/JavaScriptCore/parser/Parser.cpp 2015-05-20 16:18:03 UTC (rev 184639)
+++ trunk/Source/JavaScriptCore/parser/Parser.cpp 2015-05-20 16:54:09 UTC (rev 184640)
</span><span class="lines">@@ -2035,7 +2035,7 @@
</span><span class="cx"> JSTokenLocation location(tokenLocation());
</span><span class="cx"> currentScope()->useVariable(ident, m_vm->propertyNames->eval == *ident);
</span><span class="cx"> TreeExpression node = context.createResolve(location, ident, start);
</span><del>- return context.createProperty(ident, node, PropertyNode::Constant, PropertyNode::KnownDirect, complete);
</del><ins>+ return context.createProperty(ident, node, static_cast<PropertyNode::Type>(PropertyNode::Constant | PropertyNode::Shorthand), PropertyNode::KnownDirect, complete);
</ins><span class="cx"> }
</span><span class="cx">
</span><span class="cx"> PropertyNode::Type type;
</span><span class="lines">@@ -2135,14 +2135,27 @@
</span><span class="cx"> }
</span><span class="cx">
</span><span class="cx"> template <typename LexerType>
</span><ins>+template <class TreeBuilder> bool Parser<LexerType>::shouldCheckPropertyForUnderscoreProtoDuplicate(TreeBuilder& context, const TreeProperty& property)
+{
+ if (m_syntaxAlreadyValidated)
+ return false;
+
+ if (!context.getName(property))
+ return false;
+
+ // A Constant property that is not a Computed or Shorthand Constant property.
+ return context.getType(property) == PropertyNode::Constant;
+}
+
+template <typename LexerType>
</ins><span class="cx"> template <class TreeBuilder> TreeExpression Parser<LexerType>::parseObjectLiteral(TreeBuilder& context)
</span><span class="cx"> {
</span><span class="cx"> auto savePoint = createSavePoint();
</span><span class="cx"> consumeOrFailWithFlags(OPENBRACE, TreeBuilder::DontBuildStrings, "Expected opening '{' at the start of an object literal");
</span><del>- JSTokenLocation location(tokenLocation());
</del><span class="cx">
</span><span class="cx"> int oldNonLHSCount = m_nonLHSCount;
</span><del>-
</del><ins>+
+ JSTokenLocation location(tokenLocation());
</ins><span class="cx"> if (match(CLOSEBRACE)) {
</span><span class="cx"> next();
</span><span class="cx"> return context.createObjectLiteral(location);
</span><span class="lines">@@ -2150,10 +2163,16 @@
</span><span class="cx">
</span><span class="cx"> TreeProperty property = parseProperty(context, false);
</span><span class="cx"> failIfFalse(property, "Cannot parse object literal property");
</span><ins>+
</ins><span class="cx"> if (!m_syntaxAlreadyValidated && context.getType(property) & (PropertyNode::Getter | PropertyNode::Setter)) {
</span><span class="cx"> restoreSavePoint(savePoint);
</span><span class="cx"> return parseStrictObjectLiteral(context);
</span><span class="cx"> }
</span><ins>+
+ bool seenUnderscoreProto = false;
+ if (shouldCheckPropertyForUnderscoreProtoDuplicate(context, property))
+ seenUnderscoreProto = *context.getName(property) == m_vm->propertyNames->underscoreProto;
+
</ins><span class="cx"> TreePropertyList propertyList = context.createPropertyList(location, property);
</span><span class="cx"> TreePropertyList tail = propertyList;
</span><span class="cx"> while (match(COMMA)) {
</span><span class="lines">@@ -2167,6 +2186,12 @@
</span><span class="cx"> restoreSavePoint(savePoint);
</span><span class="cx"> return parseStrictObjectLiteral(context);
</span><span class="cx"> }
</span><ins>+ if (shouldCheckPropertyForUnderscoreProtoDuplicate(context, property)) {
+ if (*context.getName(property) == m_vm->propertyNames->underscoreProto) {
+ semanticFailIfTrue(seenUnderscoreProto, "Attempted to redefine __proto__ property");
+ seenUnderscoreProto = true;
+ }
+ }
</ins><span class="cx"> tail = context.createPropertyList(propertyLocation, property, tail);
</span><span class="cx"> }
</span><span class="cx">
</span><span class="lines">@@ -2193,7 +2218,11 @@
</span><span class="cx">
</span><span class="cx"> TreeProperty property = parseProperty(context, true);
</span><span class="cx"> failIfFalse(property, "Cannot parse object literal property");
</span><del>-
</del><ins>+
+ bool seenUnderscoreProto = false;
+ if (shouldCheckPropertyForUnderscoreProtoDuplicate(context, property))
+ seenUnderscoreProto = *context.getName(property) == m_vm->propertyNames->underscoreProto;
+
</ins><span class="cx"> TreePropertyList propertyList = context.createPropertyList(location, property);
</span><span class="cx"> TreePropertyList tail = propertyList;
</span><span class="cx"> while (match(COMMA)) {
</span><span class="lines">@@ -2203,6 +2232,12 @@
</span><span class="cx"> JSTokenLocation propertyLocation(tokenLocation());
</span><span class="cx"> property = parseProperty(context, true);
</span><span class="cx"> failIfFalse(property, "Cannot parse object literal property");
</span><ins>+ if (shouldCheckPropertyForUnderscoreProtoDuplicate(context, property)) {
+ if (*context.getName(property) == m_vm->propertyNames->underscoreProto) {
+ semanticFailIfTrue(seenUnderscoreProto, "Attempted to redefine __proto__ property");
+ seenUnderscoreProto = true;
+ }
+ }
</ins><span class="cx"> tail = context.createPropertyList(propertyLocation, property, tail);
</span><span class="cx"> }
</span><span class="cx">
</span></span></pre></div>
<a id="trunkSourceJavaScriptCoreparserParserh"></a>
<div class="modfile"><h4>Modified: trunk/Source/JavaScriptCore/parser/Parser.h (184639 => 184640)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/JavaScriptCore/parser/Parser.h 2015-05-20 16:18:03 UTC (rev 184639)
+++ trunk/Source/JavaScriptCore/parser/Parser.h 2015-05-20 16:54:09 UTC (rev 184640)
</span><span class="lines">@@ -784,6 +784,8 @@
</span><span class="cx"> template <class TreeBuilder> NEVER_INLINE typename TreeBuilder::TemplateLiteral parseTemplateLiteral(TreeBuilder&, typename LexerType::RawStringsBuildMode);
</span><span class="cx"> #endif
</span><span class="cx">
</span><ins>+ template <class TreeBuilder> ALWAYS_INLINE bool shouldCheckPropertyForUnderscoreProtoDuplicate(TreeBuilder&, const TreeProperty&);
+
</ins><span class="cx"> ALWAYS_INLINE int isBinaryOperator(JSTokenType);
</span><span class="cx"> bool allowAutomaticSemicolon();
</span><span class="cx">
</span></span></pre></div>
<a id="trunkSourceJavaScriptCoreparserSyntaxCheckerh"></a>
<div class="modfile"><h4>Modified: trunk/Source/JavaScriptCore/parser/SyntaxChecker.h (184639 => 184640)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/JavaScriptCore/parser/SyntaxChecker.h 2015-05-20 16:18:03 UTC (rev 184639)
+++ trunk/Source/JavaScriptCore/parser/SyntaxChecker.h 2015-05-20 16:54:09 UTC (rev 184640)
</span><span class="lines">@@ -293,6 +293,7 @@
</span><span class="cx">
</span><span class="cx"> void assignmentStackAppend(int, int, int, int, int, Operator) { }
</span><span class="cx"> int createAssignment(const JSTokenLocation&, int, int, int, int, int) { RELEASE_ASSERT_NOT_REACHED(); return AssignmentExpr; }
</span><ins>+ const Identifier* getName(const Property& property) const { return property.name; }
</ins><span class="cx"> PropertyNode::Type getType(const Property& property) const { return property.type; }
</span><span class="cx"> bool isResolve(ExpressionType expr) const { return expr == ResolveExpr || expr == ResolveEvalExpr; }
</span><span class="cx"> ExpressionType createDeconstructingAssignment(const JSTokenLocation&, int, ExpressionType)
</span></span></pre></div>
<a id="trunkSourceJavaScriptCoreruntimeLiteralParsercpp"></a>
<div class="modfile"><h4>Modified: trunk/Source/JavaScriptCore/runtime/LiteralParser.cpp (184639 => 184640)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/JavaScriptCore/runtime/LiteralParser.cpp 2015-05-20 16:18:03 UTC (rev 184639)
+++ trunk/Source/JavaScriptCore/runtime/LiteralParser.cpp 2015-05-20 16:54:09 UTC (rev 184640)
</span><span class="lines">@@ -548,6 +548,7 @@
</span><span class="cx"> JSValue lastValue;
</span><span class="cx"> Vector<ParserState, 16, UnsafeVectorOverflow> stateStack;
</span><span class="cx"> Vector<Identifier, 16, UnsafeVectorOverflow> identifierStack;
</span><ins>+ HashSet<JSObject*> visitedUnderscoreProto;
</ins><span class="cx"> while (1) {
</span><span class="cx"> switch(state) {
</span><span class="cx"> startParseArray:
</span><span class="lines">@@ -649,10 +650,20 @@
</span><span class="cx"> {
</span><span class="cx"> JSObject* object = asObject(objectStack.last());
</span><span class="cx"> PropertyName ident = identifierStack.last();
</span><del>- if (Optional<uint32_t> index = parseIndex(ident))
- object->putDirectIndex(m_exec, index.value(), lastValue);
- else
- object->putDirect(m_exec->vm(), ident, lastValue);
</del><ins>+ if (m_mode != StrictJSON && ident == m_exec->vm().propertyNames->underscoreProto) {
+ if (!visitedUnderscoreProto.add(object).isNewEntry) {
+ m_parseErrorMessage = ASCIILiteral("Attempted to redefine __proto__ property");
+ return JSValue();
+ }
+ CodeBlock* codeBlock = m_exec->codeBlock();
+ PutPropertySlot slot(object, codeBlock ? codeBlock->isStrictMode() : false);
+ objectStack.last().put(m_exec, ident, lastValue, slot);
+ } else {
+ if (Optional<uint32_t> index = parseIndex(ident))
+ object->putDirectIndex(m_exec, index.value(), lastValue);
+ else
+ object->putDirect(m_exec->vm(), ident, lastValue);
+ }
</ins><span class="cx"> identifierStack.removeLast();
</span><span class="cx"> if (m_lexer.currentToken().type == TokComma)
</span><span class="cx"> goto doParseObjectStartExpression;
</span></span></pre>
</div>
</div>
</body>
</html>