<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.1//EN"
"http://www.w3.org/TR/xhtml11/DTD/xhtml11.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head><meta http-equiv="content-type" content="text/html; charset=utf-8" />
<title>[197576] trunk</title>
</head>
<body>
<style type="text/css"><!--
#msg dl.meta { border: 1px #006 solid; background: #369; padding: 6px; color: #fff; }
#msg dl.meta dt { float: left; width: 6em; font-weight: bold; }
#msg dt:after { content:':';}
#msg dl, #msg dt, #msg ul, #msg li, #header, #footer, #logmsg { font-family: verdana,arial,helvetica,sans-serif; font-size: 10pt; }
#msg dl a { font-weight: bold}
#msg dl a:link { color:#fc3; }
#msg dl a:active { color:#ff0; }
#msg dl a:visited { color:#cc6; }
h3 { font-family: verdana,arial,helvetica,sans-serif; font-size: 10pt; font-weight: bold; }
#msg pre { overflow: auto; background: #ffc; border: 1px #fa0 solid; padding: 6px; }
#logmsg { background: #ffc; border: 1px #fa0 solid; padding: 1em 1em 0 1em; }
#logmsg p, #logmsg pre, #logmsg blockquote { margin: 0 0 1em 0; }
#logmsg p, #logmsg li, #logmsg dt, #logmsg dd { line-height: 14pt; }
#logmsg h1, #logmsg h2, #logmsg h3, #logmsg h4, #logmsg h5, #logmsg h6 { margin: .5em 0; }
#logmsg h1:first-child, #logmsg h2:first-child, #logmsg h3:first-child, #logmsg h4:first-child, #logmsg h5:first-child, #logmsg h6:first-child { margin-top: 0; }
#logmsg ul, #logmsg ol { padding: 0; list-style-position: inside; margin: 0 0 0 1em; }
#logmsg ul { text-indent: -1em; padding-left: 1em; }#logmsg ol { text-indent: -1.5em; padding-left: 1.5em; }
#logmsg > ul, #logmsg > ol { margin: 0 0 1em 0; }
#logmsg pre { background: #eee; padding: 1em; }
#logmsg blockquote { border: 1px solid #fa0; border-left-width: 10px; padding: 1em 1em 0 1em; background: white;}
#logmsg dl { margin: 0; }
#logmsg dt { font-weight: bold; }
#logmsg dd { margin: 0; padding: 0 0 0.5em 0; }
#logmsg dd:before { content:'\00bb';}
#logmsg table { border-spacing: 0px; border-collapse: collapse; border-top: 4px solid #fa0; border-bottom: 1px solid #fa0; background: #fff; }
#logmsg table th { text-align: left; font-weight: normal; padding: 0.2em 0.5em; border-top: 1px dotted #fa0; }
#logmsg table td { text-align: right; border-top: 1px dotted #fa0; padding: 0.2em 0.5em; }
#logmsg table thead th { text-align: center; border-bottom: 1px solid #fa0; }
#logmsg table th.Corner { text-align: left; }
#logmsg hr { border: none 0; border-top: 2px dashed #fa0; height: 1px; }
#header, #footer { color: #fff; background: #636; border: 1px #300 solid; padding: 6px; }
#patch { width: 100%; }
#patch h4 {font-family: verdana,arial,helvetica,sans-serif;font-size:10pt;padding:8px;background:#369;color:#fff;margin:0;}
#patch .propset h4, #patch .binary h4 {margin:0;}
#patch pre {padding:0;line-height:1.2em;margin:0;}
#patch .diff {width:100%;background:#eee;padding: 0 0 10px 0;overflow:auto;}
#patch .propset .diff, #patch .binary .diff {padding:10px 0;}
#patch span {display:block;padding:0 10px;}
#patch .modfile, #patch .addfile, #patch .delfile, #patch .propset, #patch .binary, #patch .copfile {border:1px solid #ccc;margin:10px 0;}
#patch ins {background:#dfd;text-decoration:none;display:block;padding:0 10px;}
#patch del {background:#fdd;text-decoration:none;display:block;padding:0 10px;}
#patch .lines, .info {color:#888;background:#fff;}
--></style>
<div id="msg">
<dl class="meta">
<dt>Revision</dt> <dd><a href="http://trac.webkit.org/projects/webkit/changeset/197576">197576</a></dd>
<dt>Author</dt> <dd>cdumez@apple.com</dd>
<dt>Date</dt> <dd>2016-03-04 11:30:36 -0800 (Fri, 04 Mar 2016)</dd>
</dl>
<h3>Log Message</h3>
<pre>Location.reload should not be writable
https://bugs.webkit.org/show_bug.cgi?id=154989
Reviewed by Gavin Barraclough.
Source/JavaScriptCore:
After <a href="http://trac.webkit.org/projects/webkit/changeset/196770">r196770</a>, operations marked as [Unforgeable] in the IDL (such as
Location.reload) are correctly reported as not writable by
Object.getOwnPropertyDescriptor(). Trying to set such property in JS
is correctly ignored (or throws in strict mode) if the object has
previously been reified. However, due to a bug in putEntry(), it was
still possible to override the property if the object was not reified
yet. This patch fixes the issue by checking in putEntry() that entries
that are functions are not ReadOnly before calling putDirect().
* runtime/Lookup.h:
(JSC::putEntry):
LayoutTests:
Add a layout test to verify that operations marked as [Unforgeable] in
IDL are indeed not writable.
* fast/html/unforgeable-operations-readonly-expected.txt: Added.
* fast/html/unforgeable-operations-readonly.html: Added.</pre>
<h3>Modified Paths</h3>
<ul>
<li><a href="#trunkLayoutTestsChangeLog">trunk/LayoutTests/ChangeLog</a></li>
<li><a href="#trunkSourceJavaScriptCoreChangeLog">trunk/Source/JavaScriptCore/ChangeLog</a></li>
<li><a href="#trunkSourceJavaScriptCoreruntimeLookuph">trunk/Source/JavaScriptCore/runtime/Lookup.h</a></li>
</ul>
<h3>Added Paths</h3>
<ul>
<li><a href="#trunkLayoutTestsfasthtmlunforgeableoperationsreadonlyexpectedtxt">trunk/LayoutTests/fast/html/unforgeable-operations-readonly-expected.txt</a></li>
<li><a href="#trunkLayoutTestsfasthtmlunforgeableoperationsreadonlyhtml">trunk/LayoutTests/fast/html/unforgeable-operations-readonly.html</a></li>
</ul>
</div>
<div id="patch">
<h3>Diff</h3>
<a id="trunkLayoutTestsChangeLog"></a>
<div class="modfile"><h4>Modified: trunk/LayoutTests/ChangeLog (197575 => 197576)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/LayoutTests/ChangeLog 2016-03-04 19:26:23 UTC (rev 197575)
+++ trunk/LayoutTests/ChangeLog 2016-03-04 19:30:36 UTC (rev 197576)
</span><span class="lines">@@ -1,3 +1,16 @@
</span><ins>+2016-03-04 Chris Dumez <cdumez@apple.com>
+
+ Location.reload should not be writable
+ https://bugs.webkit.org/show_bug.cgi?id=154989
+
+ Reviewed by Gavin Barraclough.
+
+ Add a layout test to verify that operations marked as [Unforgeable] in
+ IDL are indeed not writable.
+
+ * fast/html/unforgeable-operations-readonly-expected.txt: Added.
+ * fast/html/unforgeable-operations-readonly.html: Added.
+
</ins><span class="cx"> 2016-03-04 Ryan Haddad <ryanhaddad@apple.com>
</span><span class="cx">
</span><span class="cx"> Rebaseline inspector/model/remote-object.html for mac after r197539
</span></span></pre></div>
<a id="trunkLayoutTestsfasthtmlunforgeableoperationsreadonlyexpectedtxt"></a>
<div class="addfile"><h4>Added: trunk/LayoutTests/fast/html/unforgeable-operations-readonly-expected.txt (0 => 197576)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/LayoutTests/fast/html/unforgeable-operations-readonly-expected.txt (rev 0)
+++ trunk/LayoutTests/fast/html/unforgeable-operations-readonly-expected.txt 2016-03-04 19:30:36 UTC (rev 197576)
</span><span class="lines">@@ -0,0 +1,55 @@
</span><ins>+Tests that operations marked as [Unforgeable] are indeed readonly.
+
+On success, you will see a series of "PASS" messages, followed by "TEST COMPLETE".
+
+
+* Location (non refied)
+
+- Location.reload
+PASS Object.getOwnPropertyDescriptor(testObject, testPropertyName).writable is false
+PASS testObject[testPropertyName] = false did not throw exception.
+PASS testObject[testPropertyName] is not false
+PASS 'use strict'; testObject[testPropertyName] = 3 threw exception TypeError: Attempted to assign to readonly property..
+PASS testObject[testPropertyName] is not 3
+
+- Location.assign
+PASS Object.getOwnPropertyDescriptor(testObject, testPropertyName).writable is false
+PASS testObject[testPropertyName] = false did not throw exception.
+PASS testObject[testPropertyName] is not false
+PASS 'use strict'; testObject[testPropertyName] = 3 threw exception TypeError: Attempted to assign to readonly property..
+PASS testObject[testPropertyName] is not 3
+
+- Location.replace
+PASS Object.getOwnPropertyDescriptor(testObject, testPropertyName).writable is false
+PASS testObject[testPropertyName] = false did not throw exception.
+PASS testObject[testPropertyName] is not false
+PASS 'use strict'; testObject[testPropertyName] = 3 threw exception TypeError: Attempted to assign to readonly property..
+PASS testObject[testPropertyName] is not 3
+
+* Location (reified)
+
+- Location.reload
+PASS Object.getOwnPropertyDescriptor(testObject, testPropertyName).writable is false
+PASS testObject[testPropertyName] = false did not throw exception.
+PASS testObject[testPropertyName] is not false
+PASS 'use strict'; testObject[testPropertyName] = 3 threw exception TypeError: Attempted to assign to readonly property..
+PASS testObject[testPropertyName] is not 3
+
+- Location.assign
+PASS Object.getOwnPropertyDescriptor(testObject, testPropertyName).writable is false
+PASS testObject[testPropertyName] = false did not throw exception.
+PASS testObject[testPropertyName] is not false
+PASS 'use strict'; testObject[testPropertyName] = 3 threw exception TypeError: Attempted to assign to readonly property..
+PASS testObject[testPropertyName] is not 3
+
+- Location.replace
+PASS Object.getOwnPropertyDescriptor(testObject, testPropertyName).writable is false
+PASS testObject[testPropertyName] = false did not throw exception.
+PASS testObject[testPropertyName] is not false
+PASS 'use strict'; testObject[testPropertyName] = 3 threw exception TypeError: Attempted to assign to readonly property..
+PASS testObject[testPropertyName] is not 3
+
+PASS successfullyParsed is true
+
+TEST COMPLETE
+
</ins></span></pre></div>
<a id="trunkLayoutTestsfasthtmlunforgeableoperationsreadonlyhtml"></a>
<div class="addfile"><h4>Added: trunk/LayoutTests/fast/html/unforgeable-operations-readonly.html (0 => 197576)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/LayoutTests/fast/html/unforgeable-operations-readonly.html (rev 0)
+++ trunk/LayoutTests/fast/html/unforgeable-operations-readonly.html 2016-03-04 19:30:36 UTC (rev 197576)
</span><span class="lines">@@ -0,0 +1,43 @@
</span><ins>+<!DOCTYPE html>
+<script src="../../resources/js-test-pre.js"></script>
+<script>
+description("Tests that operations marked as [Unforgeable] are indeed readonly.");
+
+function className(object) {
+ return Object.prototype.toString.call(object).match(/^\[object\s(.*)\]$/)[1];
+}
+
+function checkReadOnly(object, propertyName)
+{
+ testObject = object;
+ testPropertyName = propertyName;
+
+ debug("");
+ debug("- " + className(object) + "." + propertyName);
+ shouldBeFalse("Object.getOwnPropertyDescriptor(testObject, testPropertyName).writable");
+ // Non strict mode.
+ shouldNotThrow("testObject[testPropertyName] = false");
+ shouldNotBe("testObject[testPropertyName]", "false");
+ // Strict mode.
+ shouldThrow("'use strict'; testObject[testPropertyName] = 3", "'TypeError: Attempted to assign to readonly property.'");
+ shouldNotBe("testObject[testPropertyName]", "3");
+}
+
+debug("* Location (non refied)");
+checkReadOnly(location, "reload");
+checkReadOnly(location, "assign");
+checkReadOnly(location, "replace");
+
+debug("");
+debug("* Location (reified)");
+// Reify location.
+location.newProperty = true;
+delete location.newProperty;
+// Test again.
+checkReadOnly(location, "reload");
+checkReadOnly(location, "assign");
+checkReadOnly(location, "replace");
+
+debug("");
+</script>
+<script src="../../resources/js-test-post.js"></script>
</ins></span></pre></div>
<a id="trunkSourceJavaScriptCoreChangeLog"></a>
<div class="modfile"><h4>Modified: trunk/Source/JavaScriptCore/ChangeLog (197575 => 197576)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/JavaScriptCore/ChangeLog 2016-03-04 19:26:23 UTC (rev 197575)
+++ trunk/Source/JavaScriptCore/ChangeLog 2016-03-04 19:30:36 UTC (rev 197576)
</span><span class="lines">@@ -1,3 +1,22 @@
</span><ins>+2016-03-04 Chris Dumez <cdumez@apple.com>
+
+ Location.reload should not be writable
+ https://bugs.webkit.org/show_bug.cgi?id=154989
+
+ Reviewed by Gavin Barraclough.
+
+ After r196770, operations marked as [Unforgeable] in the IDL (such as
+ Location.reload) are correctly reported as not writable by
+ Object.getOwnPropertyDescriptor(). Trying to set such property in JS
+ is correctly ignored (or throws in strict mode) if the object has
+ previously been reified. However, due to a bug in putEntry(), it was
+ still possible to override the property if the object was not reified
+ yet. This patch fixes the issue by checking in putEntry() that entries
+ that are functions are not ReadOnly before calling putDirect().
+
+ * runtime/Lookup.h:
+ (JSC::putEntry):
+
</ins><span class="cx"> 2016-03-04 Skachkov Oleksandr <gskachkov@gmail.com>
</span><span class="cx">
</span><span class="cx"> [ES6] Arrow function syntax. Lexical bind "super" inside of the arrow function in generator.
</span></span></pre></div>
<a id="trunkSourceJavaScriptCoreruntimeLookuph"></a>
<div class="modfile"><h4>Modified: trunk/Source/JavaScriptCore/runtime/Lookup.h (197575 => 197576)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/JavaScriptCore/runtime/Lookup.h 2016-03-04 19:26:23 UTC (rev 197575)
+++ trunk/Source/JavaScriptCore/runtime/Lookup.h 2016-03-04 19:30:36 UTC (rev 197576)
</span><span class="lines">@@ -286,10 +286,13 @@
</span><span class="cx"> // 'slot.thisValue()' is the object the put was originally performed on (in the case of a proxy, the proxy itself).
</span><span class="cx"> inline void putEntry(ExecState* exec, const HashTableValue* entry, JSObject* base, JSObject* thisValue, PropertyName propertyName, JSValue value, PutPropertySlot& slot)
</span><span class="cx"> {
</span><del>- // If this is a function put it as an override property.
</del><span class="cx"> if (entry->attributes() & BuiltinOrFunction) {
</span><del>- if (JSObject* thisObject = jsDynamicCast<JSObject*>(thisValue))
- thisObject->putDirect(exec->vm(), propertyName, value);
</del><ins>+ if (!(entry->attributes() & ReadOnly)) {
+ // If this is a function put it as an override property.
+ if (JSObject* thisObject = jsDynamicCast<JSObject*>(thisValue))
+ thisObject->putDirect(exec->vm(), propertyName, value);
+ } else if (slot.isStrictMode())
+ throwTypeError(exec, StrictModeReadonlyPropertyWriteError);
</ins><span class="cx"> } else if (entry->attributes() & Accessor) {
</span><span class="cx"> if (slot.isStrictMode())
</span><span class="cx"> throwTypeError(exec, StrictModeReadonlyPropertyWriteError);
</span></span></pre>
</div>
</div>
</body>
</html>