[webkit-changes] [295714] trunk/Source/JavaScriptCore/dfg
Title: [295714] trunk/Source/_javascript_Core/dfg Revision 295714 Author shvaikal...@gmail.com Date 2022-06-21 19:38:43 -0700 (Tue, 21 Jun 2022) Log Message [JSC] Use m_structureCacheClearedWatchpoint in more DFG nodes https://bugs.webkit.org/show_bug.cgi?id=241575 Reviewed by Yusuke Suzuki. Not sure if this is observable, but it's worth to align with ObjectCreate for consistency. * Source/_javascript_Core/dfg/DFGAbstractInterpreterInlines.h: (JSC::DFG::AbstractInterpreter::executeEffects): * Source/_javascript_Core/dfg/DFGByteCodeParser.cpp: (JSC::DFG::ByteCodeParser::parseBlock): (JSC::DFG::ByteCodeParser::handleCreateInternalFieldObject): * Source/_javascript_Core/dfg/DFGConstantFoldingPhase.cpp: (JSC::DFG::ConstantFoldingPhase::foldConstants): Canonical link: https://commits.webkit.org/251719@main Modified Paths trunk/Source/_javascript_Core/dfg/DFGAbstractInterpreterInlines.h trunk/Source/_javascript_Core/dfg/DFGByteCodeParser.cpp trunk/Source/_javascript_Core/dfg/DFGConstantFoldingPhase.cpp Diff Modified: trunk/Source/_javascript_Core/dfg/DFGAbstractInterpreterInlines.h (295713 => 295714) --- trunk/Source/_javascript_Core/dfg/DFGAbstractInterpreterInlines.h 2022-06-22 02:14:04 UTC (rev 295713) +++ trunk/Source/_javascript_Core/dfg/DFGAbstractInterpreterInlines.h 2022-06-22 02:38:43 UTC (rev 295714) @@ -3017,7 +3017,8 @@ if (JSValue base = forNode(node->child1()).m_value) { if (auto* function = jsDynamicCast(base)) { if (FunctionRareData* rareData = function->rareData()) { -if (rareData->allocationProfileWatchpointSet().isStillValid()) { +JSGlobalObject* globalObject = m_graph.globalObjectFor(node->origin.semantic); +if (rareData->allocationProfileWatchpointSet().isStillValid() && m_graph.isWatchingStructureCacheClearedWatchpoint(globalObject)) { if (Structure* structure = rareData->objectAllocationStructure()) { m_graph.freeze(rareData); m_graph.watchpoints().addLazily(rareData->allocationProfileWatchpointSet()); 
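Review bot: In the first DFGAbstractInterpreterInlines.h hunk the new guard watches the structure-cache-cleared watchpoint of `m_graph.globalObjectFor(node->origin.semantic)`, while the structure it protects comes from `function->rareData()`, and `function` is a constant that is not obviously in the same realm as the code origin. If the allocation structure is held by the callee realm's structure cache (not visible here, so this needs confirming), clearing that cache would not invalidate the compiled code and it could keep allocating with a stale structure. The same guard is added in the two later hunks of this file and in both DFGByteCodeParser.cpp hunks, so the answer applies to all five sites. A comment at the first site such as `// Also require the structure cache of this realm to stay uncleared, as ObjectCreate does.` would record the intent, given that the log message says no observable test case is known.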
@@ -3046,7 +3047,7 @@ } if (auto* function = jsDynamicCast(base)) { if (FunctionRareData* rareData = function->rareData()) { -if (rareData->allocationProfileWatchpointSet().isStillValid()) { +if (rareData->allocationProfileWatchpointSet().isStillValid() && m_graph.isWatchingStructureCacheClearedWatchpoint(globalObject)) { Structure* structure = rareData->internalFunctionAllocationStructure(); if (structure && structure->classInfoForCells() == (node->isInternalPromise() ? JSInternalPromise::info() : JSPromise::info()) @@ -3074,7 +3075,7 @@ if (JSValue base = forNode(node->child1()).m_value) { if (auto* function = jsDynamicCast(base)) { if (FunctionRareData* rareData = function->rareData()) { -if (rareData->allocationProfileWatchpointSet().isStillValid()) { +if (rareData->allocationProfileWatchpointSet().isStillValid() && m_graph.isWatchingStructureCacheClearedWatchpoint(globalObject)) { Structure* structure = rareData->internalFunctionAllocationStructure(); if (structure && structure->classInfoForCells() == classInfo Modified: trunk/Source/_javascript_Core/dfg/DFGByteCodeParser.cpp (295713 => 295714) --- trunk/Source/_javascript_Core/dfg/DFGByteCodeParser.cpp 2022-06-22 02:14:04 UTC (rev 295713) +++ trunk/Source/_javascript_Core/dfg/DFGByteCodeParser.cpp 2022-06-22 02:38:43 UTC (rev 295714) @@ -5556,7 +5556,8 @@ bool alreadyEmitted = false; if (function) { if (FunctionRareData* rareData = function->rareData()) { -if (rareData->allocationProfileWatchpointSet().isStillValid()) { +JSGlobalObject* globalObject = m_graph.globalObjectFor(currentNodeOrigin().semantic); +if (rareData->allocationProfileWatchpointSet().isStillValid() && m_graph.isWatchingStructureCacheClearedWatchpoint(globalObject)) { Structure* structure = rareData->objectAllocationStructure(); JSObject* prototype = rareData->objectAllocationPrototype(); if (structure 
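Review bot: The pair `rareData->allocationProfileWatchpointSet().isStillValid() && m_graph.isWatchingStructureCacheClearedWatchpoint(globalObject)` is now written out by hand at every site this commit touches, and in the second and third DFGAbstractInterpreterInlines.h hunks `globalObject` is declared outside the hunk. A small helper on the graph, for example a proposed `canUseAllocationProfile(rareData, globalObject)`, would keep the two checks together so that a future node cannot add one without the other. The enclosing case bodies start and end outside these hunks.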
@@ -5637,7 +5638,7 @@ if (function) { if (FunctionRareData* rareData = function->rareData()) { -if (rareData->allocationProfileWatchpointSet().isStillValid()) { +if (rareData->allocationProfileWatchpointSet().isStillValid() && m_graph.isWatchingStructureCacheClearedWatchpoint(globalObject)) { Structure* structure = rareData->interna
[webkit-changes] [295704] trunk/Source
Title: [295704] trunk/Source Revision 295704 Author shvaikal...@gmail.com Date 2022-06-21 17:15:30 -0700 (Tue, 21 Jun 2022) Log Message constructJSHTMLElement() should protect `document` and `elementInterface` https://bugs.webkit.org/show_bug.cgi?id=241827 Reviewed by Mark Lam. * Source/WebCore/bindings/js/JSHTMLElementCustom.cpp: (WebCore::constructJSHTMLElement): * Source/WebKit/WebProcess/WebPage/WebPage.cpp: (WebKit::WebPage::runModal): Canonical link: https://commits.webkit.org/251709@main Modified Paths trunk/Source/WebCore/bindings/js/JSHTMLElementCustom.cpp trunk/Source/WebKit/WebProcess/WebPage/WebPage.cpp Diff Modified: trunk/Source/WebCore/bindings/js/JSHTMLElementCustom.cpp (295703 => 295704) --- trunk/Source/WebCore/bindings/js/JSHTMLElementCustom.cpp 2022-06-21 23:57:05 UTC (rev 295703) +++ trunk/Source/WebCore/bindings/js/JSHTMLElementCustom.cpp 2022-06-22 00:15:30 UTC (rev 295704) @@ -78,6 +78,9 @@ return throwVMTypeError(lexicalGlobalObject, scope, "new.target does not define a custom element"_s); if (!elementInterface->isUpgradingElement()) { +Ref protectedDocument(document); +Ref protectedElementInterface(*elementInterface); + Structure* baseStructure = getDOMStructure(vm, *newTargetGlobalObject); auto* newElementStructure = InternalFunction::createSubclassStructure(lexicalGlobalObject, newTarget, baseStructure); RETURN_IF_EXCEPTION(scope, { }); Modified: trunk/Source/WebKit/WebProcess/WebPage/WebPage.cpp (295703 => 295704) --- trunk/Source/WebKit/WebProcess/WebPage/WebPage.cpp 2022-06-21 23:57:05 UTC (rev 295703) +++ trunk/Source/WebKit/WebProcess/WebPage/WebPage.cpp 2022-06-22 00:15:30 UTC (rev 295704) @@ -5861,7 +5861,6 @@ Ref protector(*this); #endif RunLoop::run(); -ASSERT(!m_isRunningModal); } bool WebPage::canHandleRequest(const WebCore::ResourceRequest& request) ___ webkit-changes mailing list webkit-changes@lists.webkit.org https://lists.webkit.org/mailman/listinfo/webkit-changes
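Review bot: The two protectors in JSHTMLElementCustom.cpp are declared inside the `if (!elementInterface->isUpgradingElement())` branch, so `document` and `elementInterface` are only kept alive on the non-upgrading path. The upgrading path lies outside this hunk; if it also reaches script before its last use of `elementInterface`, it would need the same protection. Nothing at the declarations says what they guard against, so a why-comment such as `// createSubclassStructure() can reach script, which may drop the last reference to these.` would help the next reader (presumably that is the hazard, since the call is followed by `RETURN_IF_EXCEPTION`). No regression test appears under Modified Paths for this lifetime fix.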
[webkit-changes] [295659] trunk/Source/JavaScriptCore/runtime/JSFunction.cpp
Title: [295659] trunk/Source/_javascript_Core/runtime/JSFunction.cpp Revision 295659 Author shvaikal...@gmail.com Date 2022-06-18 03:00:32 -0700 (Sat, 18 Jun 2022) Log Message REGRESSION (251613@main): Missing exception check in JSFunction::put() https://bugs.webkit.org/show_bug.cgi?id=241727 Unreviewed follow-up fix. Adds exception check after reifyLazyPropertyIfNeeded() since it may throw. * Source/_javascript_Core/runtime/JSFunction.cpp: (JSC::JSFunction::put): Canonical link: https://commits.webkit.org/251664@main Modified Paths trunk/Source/_javascript_Core/runtime/JSFunction.cpp Diff Modified: trunk/Source/_javascript_Core/runtime/JSFunction.cpp (295658 => 295659) --- trunk/Source/_javascript_Core/runtime/JSFunction.cpp 2022-06-18 06:46:29 UTC (rev 295658) +++ trunk/Source/_javascript_Core/runtime/JSFunction.cpp 2022-06-18 10:00:32 UTC (rev 295659) @@ -397,6 +397,7 @@ } PropertyStatus propertyType = thisObject->reifyLazyPropertyIfNeeded(vm, globalObject, propertyName); +RETURN_IF_EXCEPTION(scope, false); if (isLazy(propertyType)) slot.disableCaching(); RELEASE_AND_RETURN(scope, Base::put(thisObject, globalObject, propertyName, value, slot)); ___ webkit-changes mailing list webkit-changes@lists.webkit.org https://lists.webkit.org/mailman/listinfo/webkit-changes
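Review bot: The added `RETURN_IF_EXCEPTION(scope, false);` covers only this one call to `reifyLazyPropertyIfNeeded()` in `JSFunction::put()`; any other caller that carries on after the call without checking the scope would have the same gap, and those callers are not visible in this hunk. A one-line comment on the call, `// reifyLazyPropertyIfNeeded() may throw.`, would keep the check from being removed as redundant later. The commit is an unreviewed follow-up and lists no test, so if the throwing case can be reached from script a stress test for it would be worth adding.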
[webkit-changes] [295610] trunk/Source/JavaScriptCore/bytecode/PropertyCondition.cpp
Title: [295610] trunk/Source/_javascript_Core/bytecode/PropertyCondition.cpp Revision 295610 Author shvaikal...@gmail.com Date 2022-06-16 13:37:38 -0700 (Thu, 16 Jun 2022) Log Message AbsenceOfSetEffect property condition should mind put() overrides https://bugs.webkit.org/show_bug.cgi?id=241574 Reviewed by Yusuke Suzuki. Since JSArray's "length" and RegExpObject's "lastIndex" may be reconfigured as non-writable, we need to handle them separately in AbsenceOfSetEffect property condition to ensure that compiler takes a slow path in that case, following the spec and throwing an exception in strict mode [1]. I'm not sure how to make a test case capturing this though. [1]: https://tc39.es/ecma262/#sec-ordinarysetwithowndescriptor (step 2.a) * Source/_javascript_Core/bytecode/PropertyCondition.cpp: (JSC::nonStructurePropertyMayBecomeReadOnlyWithoutTransition): (JSC::PropertyCondition::isStillValidAssumingImpurePropertyWatchpoint const): Canonical link: https://commits.webkit.org/251615@main Modified Paths trunk/Source/_javascript_Core/bytecode/PropertyCondition.cpp Diff Modified: trunk/Source/_javascript_Core/bytecode/PropertyCondition.cpp (295609 => 295610) --- trunk/Source/_javascript_Core/bytecode/PropertyCondition.cpp 2022-06-16 20:33:04 UTC (rev 295609) +++ trunk/Source/_javascript_Core/bytecode/PropertyCondition.cpp 2022-06-16 20:37:38 UTC (rev 295610) @@ -69,6 +69,21 @@ dumpInContext(out, nullptr); } +ALWAYS_INLINE static bool nonStructurePropertyMayBecomeReadOnlyWithoutTransition(Structure* structure, UniquedStringImpl* uid) +{ +switch (structure->typeInfo().type()) { +case ArrayType: +case DerivedArrayType: +return uid == structure->vm().propertyNames->length.impl(); + +case RegExpObjectType: +return uid == structure->vm().propertyNames->lastIndex.impl(); + +default: +return false; +} +} + bool PropertyCondition::isStillValidAssumingImpurePropertyWatchpoint( Concurrency concurrency, Structure* structure, JSObject* base) const { 
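Review bot: `nonStructurePropertyMayBecomeReadOnlyWithoutTransition()` hard-codes two cases (`length` for `ArrayType` and `DerivedArrayType`, `lastIndex` for `RegExpObjectType`) and carries no comment saying why they are special. A later type whose `put()` override can treat a property as read-only without a structure transition would silently fall into `default: return false` and keep the fast path. A header comment along the lines of `// Properties whose writability is not reflected in the Structure; keep in sync with put() overrides.` would make that maintenance duty explicit. The log message says no test captures the behaviour, so the `return false` added in the second hunk is unexercised as well.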
@@ -173,6 +188,10 @@ } return false; } +} else if (nonStructurePropertyMayBecomeReadOnlyWithoutTransition(structure, uid())) { +if (PropertyConditionInternal::verbose) +dataLog("Invalid because its put() override may treat ", uid(), " property as read-only.\n"); +return false; } if (structure->hasPolyProto()) { ___ webkit-changes mailing list webkit-changes@lists.webkit.org https://lists.webkit.org/mailman/listinfo/webkit-changes
[webkit-changes] [295608] trunk
Title: [295608] trunk Revision 295608 Author shvaikal...@gmail.com Date 2022-06-16 13:11:51 -0700 (Thu, 16 Jun 2022) Log Message CommonSlowPaths::putDirectWithReify() is incorrect for DontDelete properties https://bugs.webkit.org/show_bug.cgi?id=241651 Reviewed by Saam Barati. Provided the base object has no read-only / accessor / custom properties, putDirectWithReify() is incorrect for an object with a non-configurable property, whether it's on the structure or a non-reified static one. In that case, putDirectWithReify() ignores the existing non-configurable / non-reified descriptor and produces an incorrect property descriptor instead of throwing TypeError. One way it's observed in the wild is via an instance field [1]. The issue was due to an incorrect ReadOnly-focused check for the putDirect() fast path, which would be correct for [[Set]] but not for [[DefineOwnProperty]]. Apart from introducing a tighter fast path check, this change extracts JSFunction::mayHaveNonReifiedPrototype() helper, cleaning up JSFunction's overrides, and removes now unused PutModeDefineOwnPropertyIgnoringExtensibility, which apart from ignoring extensibility, also ignored read-only / accessor / custom properties, which felt a bit counter-intuitive. This change carefully preserves the fast path introduced in webkit.org/b/232479. 
[1]: https://tc39.es/ecma262/#sec-definefield * Source/_javascript_Core/runtime/CommonSlowPaths.h: (JSC::CommonSlowPaths::originalStructureBeforePut): (JSC::CommonSlowPaths::canPutDirectFast): (JSC::CommonSlowPaths::putDirectWithReify): (JSC::CommonSlowPaths::putDirectAccessorWithReify): * Source/_javascript_Core/runtime/JSFunction.cpp: (JSC::JSFunction::getOwnPropertySlot): (JSC::JSFunction::put): (JSC::JSFunction::deleteProperty): (JSC::JSFunction::defineOwnProperty): (JSC::JSFunction::reifyLazyPropertyIfNeeded): (JSC::JSFunction::reifyLazyPrototypeIfNeeded): * Source/_javascript_Core/runtime/JSFunction.h: * Source/_javascript_Core/runtime/JSFunctionInlines.h: (JSC::JSFunction::mayHaveNonReifiedPrototype): * Source/_javascript_Core/runtime/JSObject.cpp: (JSC::JSObject::putDirectCustomAccessor): (JSC::JSObject::putDirectNonIndexAccessor): * Source/_javascript_Core/runtime/JSObject.h: (JSC::JSObject::putDirect): (JSC::JSObject::putDirectRespectingExtensibility): Deleted. * Source/_javascript_Core/runtime/JSObjectInlines.h: (JSC::JSObject::putDirectInternal): * Source/_javascript_Core/tools/JSDollarVM.cpp: (JSC::JSC_DEFINE_HOST_FUNCTION): (JSC::JSDollarVM::finishCreation): Canonical link: https://commits.webkit.org/251613@main Modified Paths trunk/Source/_javascript_Core/runtime/CommonSlowPaths.h trunk/Source/_javascript_Core/runtime/JSFunction.cpp trunk/Source/_javascript_Core/runtime/JSFunction.h trunk/Source/_javascript_Core/runtime/JSFunctionInlines.h trunk/Source/_javascript_Core/runtime/JSObject.cpp trunk/Source/_javascript_Core/runtime/JSObject.h trunk/Source/_javascript_Core/runtime/JSObjectInlines.h trunk/Source/_javascript_Core/tools/JSDollarVM.cpp Added Paths trunk/JSTests/stress/putDirectWithReify-JSFinalObject.js Diff Added: trunk/JSTests/stress/putDirectWithReify-JSFinalObject.js (0 => 295608) --- trunk/JSTests/stress/putDirectWithReify-JSFinalObject.js (rev 0) +++ trunk/JSTests/stress/putDirectWithReify-JSFinalObject.js 2022-06-16 20:11:51 UTC (rev 
295608) @@ -0,0 +1,107 @@ +"use strict"; + +const runs = 1e5; + +function shouldBe(actual, expected) { +if (actual !== expected) +throw new Error(`Bad value: ${actual}!`); +} + +function shouldThrow(func, errorMessage) { +var errorThrown = false; +try { +func(); +} catch (error) { +errorThrown = true; +if (String(error) !== errorMessage) +throw new Error(`Bad error: ${error}!`); +} +if (!errorThrown) +throw new Error(`Didn't throw!`); +} + +(function testFinalObject() { +class TestFinalObjectDontDeleteBase { +constructor() { +Object.defineProperty(this, "foo", { value: 1, writable: true, enumerable: true, configurable: false }); +} +} + +class TestFinalObjectDontDelete extends TestFinalObjectDontDeleteBase { +foo = 1; +} + +for (var i = 0; i < runs; i++) { +shouldThrow(() => { new TestFinalObjectDontDelete(); }, "TypeError: Attempting to change configurable attribute of unconfigurable property."); +} + +/// + +class TestFinalObjectReadOnlyBase { +constructor() { +Object.defineProperty(this, "foo", { value: 1, writable: false, enumerable: false, configurable: true }); +} +} + +class TestFinalObjectReadOnly extends TestFinalObjectReadOnlyBase { +foo = 42; +} + +for (var i = 0; i < runs; i++) { +var object = new TestFinalObjectReadOnly(); +shouldBe(object.foo, 42); + +var fooDesc = Object.getOwnPropertyDescriptor(object, "foo"); +shouldBe(fooDesc.value, 42); +shouldBe(foo
[webkit-changes] [295602] trunk
Title: [295602] trunk Revision 295602 Author shvaikal...@gmail.com Date 2022-06-16 11:49:52 -0700 (Thu, 16 Jun 2022) Log Message [WebIDL] maplike<> and setlike<> declarations should be resilient to tampered prototypes https://bugs.webkit.org/show_bug.cgi?id=241617 Reviewed by Yusuke Suzuki. With this change, maplike<> and setlike<> declarations work as expected if methods of Map.prototype / Set.prototype are removed, as they are supposed to per spec [1][2]. Usage of backing Map / Set is an implementation detail of WebKit bindings and should not be observable. The fix mirrors all Map / Set prototype methods and "size" getter by private names, which are inaccessible to userland code, ensuring that public JSFunction* instances are reused to avoid memory bloat. Also, this change: * saves creating 4 extra JSFunction* instances during init of Map / Set prototypes; * speeds up call forwarding by retrieving methods from prototypes with getDirect(); * aligns property order with the spec, even though there is no requirement. [1] https://webidl.spec.whatwg.org/#es-maplike [2] https://webidl.spec.whatwg.org/#es-setlike * LayoutTests/imported/w3c/web-platform-tests/css/css-highlight-api/Highlight-setlike-tampered-Set-prototype-expected.txt: Added. * LayoutTests/imported/w3c/web-platform-tests/css/css-highlight-api/Highlight-setlike-tampered-Set-prototype.html: Added. * LayoutTests/imported/w3c/web-platform-tests/css/css-highlight-api/HighlightRegistry-maplike-tampered-Map-prototype-expected.txt: Added. * LayoutTests/imported/w3c/web-platform-tests/css/css-highlight-api/HighlightRegistry-maplike-tampered-Map-prototype.html: Added. 
* Source/_javascript_Core/DerivedSources-output.xcfilelist: * Source/_javascript_Core/DerivedSources.make: * Source/_javascript_Core/_javascript_Core.xcodeproj/project.pbxproj: * Source/_javascript_Core/builtins/BuiltinNames.h: * Source/_javascript_Core/runtime/MapPrototype.cpp: (JSC::MapPrototype::finishCreation): * Source/_javascript_Core/runtime/SetPrototype.cpp: (JSC::SetPrototype::finishCreation): * Source/WebCore/bindings/js/JSDOMBindingInternals.js: (forEachWrapper): * Source/WebCore/bindings/js/JSDOMMapLike.cpp: (WebCore::getBackingMap): (WebCore::clearBackingMap): (WebCore::setToBackingMap): (WebCore::forwardFunctionCallToBackingMap): * Source/WebCore/bindings/js/JSDOMMapLike.h: (WebCore::forwardSizeToMapLike): (WebCore::forwardEntriesToMapLike): (WebCore::forwardKeysToMapLike): (WebCore::forwardValuesToMapLike): (WebCore::forwardClearToMapLike): (WebCore::forwardGetToMapLike): (WebCore::forwardHasToMapLike): (WebCore::forwardSetToMapLike): (WebCore::forwardDeleteToMapLike): * Source/WebCore/bindings/js/JSDOMSetLike.cpp: (WebCore::getBackingSet): (WebCore::clearBackingSet): (WebCore::addToBackingSet): (WebCore::forwardFunctionCallToBackingSet): * Source/WebCore/bindings/js/JSDOMSetLike.h: (WebCore::forwardSizeToSetLike): (WebCore::forwardEntriesToSetLike): (WebCore::forwardKeysToSetLike): (WebCore::forwardValuesToSetLike): (WebCore::forwardClearToSetLike): (WebCore::forwardHasToSetLike): (WebCore::forwardAddToSetLike): (WebCore::forwardDeleteToSetLike): * Source/WebCore/bindings/js/WebCoreBuiltinNames.h: Canonical link: https://commits.webkit.org/251607@main Modified Paths trunk/Source/_javascript_Core/DerivedSources-output.xcfilelist trunk/Source/_javascript_Core/DerivedSources.make trunk/Source/_javascript_Core/_javascript_Core.xcodeproj/project.pbxproj trunk/Source/_javascript_Core/builtins/BuiltinNames.h trunk/Source/_javascript_Core/runtime/MapPrototype.cpp trunk/Source/_javascript_Core/runtime/SetPrototype.cpp 
trunk/Source/WebCore/bindings/js/JSDOMBindingInternals.js trunk/Source/WebCore/bindings/js/JSDOMMapLike.cpp trunk/Source/WebCore/bindings/js/JSDOMMapLike.h trunk/Source/WebCore/bindings/js/JSDOMSetLike.cpp trunk/Source/WebCore/bindings/js/JSDOMSetLike.h trunk/Source/WebCore/bindings/js/WebCoreBuiltinNames.h Added Paths trunk/LayoutTests/imported/w3c/web-platform-tests/css/css-highlight-api/ trunk/LayoutTests/imported/w3c/web-platform-tests/css/css-highlight-api/Highlight-setlike-tampered-Set-prototype-expected.txt trunk/LayoutTests/imported/w3c/web-platform-tests/css/css-highlight-api/Highlight-setlike-tampered-Set-prototype.html trunk/LayoutTests/imported/w3c/web-platform-tests/css/css-highlight-api/HighlightRegistry-maplike-tampered-Map-prototype-expected.txt trunk/LayoutTests/imported/w3c/web-platform-tests/css/css-highlight-api/HighlightRegistry-maplike-tampered-Map-prototype.html Diff Added: trunk/LayoutTests/imported/w3c/web-platform-tests/css/css-highlight-api/Highlight-setlike-tampered-Set-prototype-expected.txt (0 => 295602) --- trunk/LayoutTests/imported/w3c/web-platform-tests/css/css-highlight-api/Highlight-setlike-tampered-Set-prototype-expected.txt (rev 0) +++ trunk/LayoutTests/imported/w3c/web-platform-tests/css/css-highlight-api/Highlight-setlike-tampered-Set-prototype-expected.txt 2022-06-16 18:49:5
[webkit-changes] [294811] trunk/Source/JavaScriptCore/API/tests/testapi.cpp
Title: [294811] trunk/Source/_javascript_Core/API/tests/testapi.cpp Revision 294811 Author shvaikal...@gmail.com Date 2022-05-25 11:13:09 -0700 (Wed, 25 May 2022) Log Message [JSC] TestAPI::promiseUnhandledRejection() predominantly fails on MacOS 12.3 in --debug https://bugs.webkit.org/show_bug.cgi?id=240243 Reviewed by Mark Lam. The failures are caused by an unhandled rejection, that was originated in TestAPI::promiseDrainDoesNotEatExceptions() and ended up in the callback of TestAPI::promiseUnhandledRejection(), with an unexpected promise and reason. That is, the callback of TestAPI::promiseUnhandledRejection() is called twice, with only the first invocation being successful. The failures weren't observed before MacOS 12.3 because TestAPI::promiseDrainDoesNotEatExceptions() is a DYLD_MACOSX_VERSION-conditional test. To fix the tests, this change ensures that TestAPI::promiseUnhandledRejection() performs assertions only on the first run, aligning it with TestAPI::promiseUnhandledRejectionFromUnhandledRejectionCallback(). * Source/_javascript_Core/API/tests/testapi.cpp: (TestAPI::promiseUnhandledRejection): Canonical link: https://commits.webkit.org/250965@main Modified Paths trunk/Source/_javascript_Core/API/tests/testapi.cpp Diff Modified: trunk/Source/_javascript_Core/API/tests/testapi.cpp (294810 => 294811) --- trunk/Source/_javascript_Core/API/tests/testapi.cpp 2022-05-25 18:11:10 UTC (rev 294810) +++ trunk/Source/_javascript_Core/API/tests/testapi.cpp 2022-05-25 18:13:09 UTC (rev 294811) 
@@ -555,6 +555,8 @@ static TestAPI* tester = this; static bool callbackCalled = false; auto callback = [](JSContextRef ctx, JSObjectRef, JSObjectRef, size_t argumentCount, const JSValueRef arguments[], JSValueRef*) -> JSValueRef { +if (callbackCalled) +return JSValueMakeUndefined(ctx); tester->check(argumentCount && JSValueIsStrictEqual(ctx, arguments[0], promise), "callback should receive rejected promise as first argument"); tester->check(argumentCount > 1 && JSValueIsStrictEqual(ctx, arguments[1], reason), "callback should receive rejection reason as second argument"); tester->check(argumentCount == 2, "callback should not receive a third argument"); ___ webkit-changes mailing list webkit-changes@lists.webkit.org https://lists.webkit.org/mailman/listinfo/webkit-changes
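Review bot: The new `if (callbackCalled) return JSValueMakeUndefined(ctx);` turns every invocation after the first into a silent no-op, so the stray rejection described in the log message (arriving from `promiseDrainDoesNotEatExceptions()`) is tolerated rather than reported. A comment on the guard, e.g. `// Later invocations may come from rejections left over by other tests; only the first one is checked.`, would make clear that ignoring them is deliberate. The statement that sets `callbackCalled` lies outside the hunk, so the guard only works if that happens before any second invocation.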
[webkit-changes] [292886] trunk/Source/JavaScriptCore
Title: [292886] trunk/Source/_javascript_Core Revision 292886 Author shvaikal...@gmail.com Date 2022-04-14 13:19:14 -0700 (Thu, 14 Apr 2022) Log Message InternalFunction::createSubclassStructure() should use base object's global object https://bugs.webkit.org/show_bug.cgi?id=239346 Unreviewed, account for offline feedback by Yusuke Suzuki. * runtime/InternalFunction.cpp: (JSC::InternalFunction::createSubclassStructure): Modified Paths trunk/Source/_javascript_Core/ChangeLog trunk/Source/_javascript_Core/runtime/InternalFunction.cpp Diff Modified: trunk/Source/_javascript_Core/ChangeLog (292885 => 292886) --- trunk/Source/_javascript_Core/ChangeLog 2022-04-14 19:52:17 UTC (rev 292885) +++ trunk/Source/_javascript_Core/ChangeLog 2022-04-14 20:19:14 UTC (rev 292886) @@ -3,6 +3,16 @@ InternalFunction::createSubclassStructure() should use base object's global object https://bugs.webkit.org/show_bug.cgi?id=239346 +Unreviewed, account for offline feedback by Yusuke Suzuki. + +* runtime/InternalFunction.cpp: +(JSC::InternalFunction::createSubclassStructure): + +2022-04-14 Alexey Shvayka + +InternalFunction::createSubclassStructure() should use base object's global object +https://bugs.webkit.org/show_bug.cgi?id=239346 + Reviewed by Darin Adler. Chrome and Firefox don't agree on interoperable behavior in case of cross-realm Modified: trunk/Source/_javascript_Core/runtime/InternalFunction.cpp (292885 => 292886) --- trunk/Source/_javascript_Core/runtime/InternalFunction.cpp 2022-04-14 19:52:17 UTC (rev 292885) +++ trunk/Source/_javascript_Core/runtime/InternalFunction.cpp 2022-04-14 20:19:14 UTC (rev 292886) 
@@ -161,7 +161,7 @@ if (JSObject* prototype = jsDynamicCast(vm, prototypeValue)) { // This only happens if someone Reflect.constructs our builtin constructor with another builtin constructor as the new.target. // Thus, we don't care about the cost of looking up the structure from our hash table every time. -return baseGlobalObject->structureCache().emptyStructureForPrototypeFromBaseStructure(globalObject, prototype, baseClass); +return baseGlobalObject->structureCache().emptyStructureForPrototypeFromBaseStructure(baseGlobalObject, prototype, baseClass); } } ___ webkit-changes mailing list webkit-changes@lists.webkit.org https://lists.webkit.org/mailman/listinfo/webkit-changes
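Review bot: This one-argument change appears to sit in the branch taken when `newTarget` is not a `JSFunction` (the context comment mentions `Reflect.construct` with another builtin constructor as `new.target`), and the commit lists no test change, so nothing visible here exercises that branch across realms. Before the change the cache of `baseGlobalObject` was asked for a structure belonging to `globalObject`; a case with a builtin constructor from another realm as `newTarget` in the realm stress test would pin the corrected behaviour. The enclosing function starts and ends outside the hunk.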
[webkit-changes] [292883] trunk
Title: [292883] trunk Revision 292883 Author shvaikal...@gmail.com Date 2022-04-14 12:30:30 -0700 (Thu, 14 Apr 2022) Log Message InternalFunction::createSubclassStructure() should use base object's global object https://bugs.webkit.org/show_bug.cgi?id=239346 Reviewed by Darin Adler. JSTests: * stress/internal-function-subclass-structure-realm.js: Source/_javascript_Core: Chrome and Firefox don't agree on interoperable behavior in case of cross-realm NewTarget's "prototype", so this patch aligns WebKit with Chrome to fix a web-compat issue. * runtime/InternalFunction.cpp: (JSC::InternalFunction::createSubclassStructure): Modified Paths trunk/JSTests/ChangeLog trunk/JSTests/stress/internal-function-subclass-structure-realm.js trunk/Source/_javascript_Core/ChangeLog trunk/Source/_javascript_Core/runtime/InternalFunction.cpp Diff Modified: trunk/JSTests/ChangeLog (292882 => 292883) --- trunk/JSTests/ChangeLog 2022-04-14 19:13:11 UTC (rev 292882) +++ trunk/JSTests/ChangeLog 2022-04-14 19:30:30 UTC (rev 292883) @@ -1,3 +1,12 @@ +2022-04-14 Alexey Shvayka + +InternalFunction::createSubclassStructure() should use base object's global object +https://bugs.webkit.org/show_bug.cgi?id=239346 + +Reviewed by Darin Adler. + +* stress/internal-function-subclass-structure-realm.js: + 2022-04-12 Aditi Singh Implement Change Array by copy proposal Modified: trunk/JSTests/stress/internal-function-subclass-structure-realm.js (292882 => 292883) --- trunk/JSTests/stress/internal-function-subclass-structure-realm.js 2022-04-14 19:13:11 UTC (rev 292882) +++ trunk/JSTests/stress/internal-function-subclass-structure-realm.js 2022-04-14 19:30:30 UTC (rev 292883) 
@@ -9,11 +9,10 @@ for (const newTarget of [ r2[key].bind(), new r2.Function, -new r2.Proxy(new r2.Function, {}), ]) { Object.defineProperty(newTarget, "prototype", { value: new r3.Object }); const instance = Reflect.construct(r1[key], [], newTarget); -if ($vm.globalObjectForObject(instance) !== r3) +if ($vm.globalObjectForObject(instance) !== r2) throw new Error(`Structure of ${key} instance has incorrect global object!`); } } Modified: trunk/Source/_javascript_Core/ChangeLog (292882 => 292883) --- trunk/Source/_javascript_Core/ChangeLog 2022-04-14 19:13:11 UTC (rev 292882) +++ trunk/Source/_javascript_Core/ChangeLog 2022-04-14 19:30:30 UTC (rev 292883) @@ -1,3 +1,16 @@ +2022-04-14 Alexey Shvayka + +InternalFunction::createSubclassStructure() should use base object's global object +https://bugs.webkit.org/show_bug.cgi?id=239346 + +Reviewed by Darin Adler. + +Chrome and Firefox don't agree on interoperable behavior in case of cross-realm +NewTarget's "prototype", so this patch aligns WebKit with Chrome to fix a web-compat issue. + +* runtime/InternalFunction.cpp: +(JSC::InternalFunction::createSubclassStructure): + 2022-04-14 Chris Dumez Drop inefficient String::append() overloads Modified: trunk/Source/_javascript_Core/runtime/InternalFunction.cpp (292882 => 292883) --- trunk/Source/_javascript_Core/runtime/InternalFunction.cpp 2022-04-14 19:13:11 UTC (rev 292882) +++ trunk/Source/_javascript_Core/runtime/InternalFunction.cpp 2022-04-14 19:30:30 UTC (rev 292883) @@ -137,6 +137,7 @@ { VM& vm = globalObject->vm(); auto scope = DECLARE_THROW_SCOPE(vm); +JSGlobalObject* baseGlobalObject = baseClass->globalObject(); ASSERT(baseClass->hasMonoProto()); 
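Review bot: The hunk in internal-function-subclass-structure-realm.js drops the `new r2.Proxy(new r2.Function, {})` entry from the `newTarget` list while also changing the expected realm from `r3` to `r2`, and neither ChangeLog entry says why the proxy case was removed. If a proxy `newTarget` currently yields a realm other than `r2`, keeping it with its own expectation would be clearer than losing the coverage. The loop's opening lines are outside the hunk.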
@@ -146,7 +147,7 @@ if (LIKELY(targetFunction)) { FunctionRareData* rareData = targetFunction->ensureRareData(vm); Structure* structure = rareData->internalFunctionAllocationStructure(); -if (LIKELY(structure && structure->classInfo() == baseClass->classInfo() && structure->globalObject() == baseClass->globalObject())) +if (LIKELY(structure && structure->classInfo() == baseClass->classInfo() && structure->globalObject() == baseGlobalObject)) return structure; // Note, Reflect.construct might cause the profile to churn but we don't care. @@ -153,7 +154,7 @@ JSValue prototypeValue = targetFunction->get(globalObject, vm.propertyNames->prototype); RETURN_IF_EXCEPTION(scope, nullptr); if (JSObject* prototype = jsDynamicCast(vm, prototypeValue)) -return rareData->createInternalFunctionAllocationStructureFromBase(vm, prototype->globalObject(vm), prototype, baseClass); +return rareData->createInternalFunctionAllocationStructureFromBase(vm, baseGlobalObject, prototype, baseClass); } else { JSValue prototypeValue = newTarget->get(globalObject, vm.propertyNames->prototype); RETURN_IF_EXCEPTION(scope, nullptr); @@ -160,8 +161,7 @@ if (JSObject*
[webkit-changes] [292481] trunk/JSTests
Title: [292481] trunk/JSTests Revision 292481 Author shvaikal...@gmail.com Date 2022-04-06 11:21:47 -0700 (Wed, 06 Apr 2022) Log Message ICU was recently updated to use type="long" format if there is {month: "long"} https://bugs.webkit.org/show_bug.cgi?id=238852 Reviewed by Saam Barati. Since this update [1] is not yet released, we can't set expectations based on major / minor ICU version, this patch loosens the tests to accept either of the format types. [1]: https://github.com/unicode-org/icu/commit/23081486ffec0973b01e66e2cbad93a1a7dec267 * stress/date-toLocaleString.js: * stress/intl-datetimeformat.js: Modified Paths trunk/JSTests/ChangeLog trunk/JSTests/stress/date-toLocaleString.js trunk/JSTests/stress/intl-datetimeformat.js Diff Modified: trunk/JSTests/ChangeLog (292480 => 292481) --- trunk/JSTests/ChangeLog 2022-04-06 18:20:48 UTC (rev 292480) +++ trunk/JSTests/ChangeLog 2022-04-06 18:21:47 UTC (rev 292481) @@ -1,3 +1,19 @@ +2022-04-06 Alexey Shvayka + +ICU was recently updated to use type="long" format if there is {month: "long"} +https://bugs.webkit.org/show_bug.cgi?id=238852 + + +Reviewed by Saam Barati. + +Since this update [1] is not yet released, we can't set expectations based on major / minor +ICU version, this patch loosens the tests to accept either of the format types. + +[1]: https://github.com/unicode-org/icu/commit/23081486ffec0973b01e66e2cbad93a1a7dec267 + +* stress/date-toLocaleString.js: +* stress/intl-datetimeformat.js: + 2022-04-01 Angelos Oikonomopoulos Skip flaky test on mips Modified: trunk/JSTests/stress/date-toLocaleString.js (292480 => 292481) --- trunk/JSTests/stress/date-toLocaleString.js 2022-04-06 18:20:48 UTC (rev 292480) +++ trunk/JSTests/stress/date-toLocaleString.js 2022-04-06 18:21:47 UTC (rev 292481) 
@@ -137,4 +137,8 @@ // If time formats specifed, just use them. shouldBe(new Date(0).toLocaleTimeString('en', { timeZone: 'UTC', hour: 'numeric', minute: '2-digit' }), '12:00 AM'); // Adds hms if no time formats specified. -shouldBe(new Date(0).toLocaleTimeString('en', { timeZone: 'UTC', year: 'numeric', month: 'long' }), 'January 1970, 12:00:00 AM'); +// See https://bugs.webkit.org/show_bug.cgi?id=238852 +const monthLongTimeString = new Date(0).toLocaleTimeString('en', { timeZone: 'UTC', year: 'numeric', month: 'long' }); +if (monthLongTimeString !== 'January 1970, 12:00:00 AM' && +monthLongTimeString !== 'January 1970 at 12:00:00 AM') +throw new Error(`Unexpected time string for {month: 'long'}: ${monthLongTimeString}`); Modified: trunk/JSTests/stress/intl-datetimeformat.js (292480 => 292481) --- trunk/JSTests/stress/intl-datetimeformat.js 2022-04-06 18:20:48 UTC (rev 292480) +++ trunk/JSTests/stress/intl-datetimeformat.js 2022-04-06 18:21:47 UTC (rev 292481) @@ -636,7 +636,7 @@ } // Exceed the 32 character default buffer size -shouldBe( +const actualMonthLongParts = JSON.stringify( Intl.DateTimeFormat('en-US', { hour: 'numeric', minute: 'numeric', second: 'numeric', @@ -643,7 +643,9 @@ year: 'numeric', month: 'long', day: 'numeric', weekday: 'long', timeZoneName: 'long', era: 'long', timeZone: 'America/Los_Angeles' }).formatToParts(0) -), +); + +const getExpectedMonthLongParts = separator => ( JSON.stringify([ { type: 'weekday', value: 'Wednesday' }, { type: 'literal', value: ', ' }, @@ -654,7 +656,7 @@ { type: 'year', value: '1969' }, { type: 'literal', value: ' ' }, { type: 'era', value: 'Anno Domini' }, -{ type: 'literal', value: ', ' }, +{ type: 'literal', value: separator }, { type: 'hour', value: '4' }, { type: 'literal', value: ':' }, { type: 'minute', value: '00' }, 
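Review bot: The date-toLocaleString.js hunk replaces a `shouldBe` call with a hand-written two-way comparison and its own `throw`, and the intl-datetimeformat.js hunks build the same either/or check from `getExpectedMonthLongParts(', ')` and `getExpectedMonthLongParts(' at ')`. A small helper in each file, for example a proposed `shouldBeOneOf(actual, expectedList)`, would keep the failure message in the same shape as `shouldBe` and leave one place to tighten once the ICU change has shipped. The final comparison for intl-datetimeformat.js is in the following hunk.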
@@ -667,6 +669,10 @@ ]) ); +// See https://bugs.webkit.org/show_bug.cgi?id=238852 +if (actualMonthLongParts !== getExpectedMonthLongParts(', ') && actualMonthLongParts !== getExpectedMonthLongParts(' at ')) +throw new Error(`Unexpected format parts for {month: 'long'}: ${actualMonthLongParts}`); + // Tests for relativeYear and yearName const parts = JSON.stringify([ { type: 'relatedYear', value: '1969' }, ___ webkit-changes mailing list webkit-changes@lists.webkit.org https://lists.webkit.org/mailman/listinfo/webkit-changes
[webkit-changes] [289892] trunk
Title: [289892] trunk Revision 289892 Author shvaikal...@gmail.com Date 2022-02-16 08:58:48 -0800 (Wed, 16 Feb 2022) Log Message REGRESSION(r287293): EventListener::wasCreatedFromMarkup() is incorrect after replaceJSFunctionForAttributeListener() https://bugs.webkit.org/show_bug.cgi?id=236618 Reviewed by Chris Dumez. Source/WebCore: After r287293, if an inline event handler was replaced with a JSFunction, its execution was still disallowed by the CSP policy. This change fixes detection of inline event handlers (ones that were created from markup) by introducing JSEventListener::m_wasCreatedFromMarkup and unsetting it during replacement of an attribute event listener. Since no virtual calls are added to the hot path, the Speedometer2/Inferno-TodoMVC performance gain is kept. Also, a virtual call is removed from JSEventListener::handleEvent(), which is nice. `sizeof(JSEventListener)` is unchanged. Test: http/tests/security/contentSecurityPolicy/inline-event-handler-allowed-after-being-replaced.html * bindings/js/JSErrorHandler.cpp: (WebCore::JSErrorHandler::JSErrorHandler): * bindings/js/JSEventListener.cpp: (WebCore::JSEventListener::JSEventListener): (WebCore::JSEventListener::create): (WebCore::JSEventListener::replaceJSFunctionForAttributeListener): * bindings/js/JSEventListener.h: (WebCore::JSEventListener::wasCreatedFromMarkup const): (WebCore::JSEventListener::wasCreatedFromMarkup): * bindings/js/JSLazyEventListener.cpp: (WebCore::JSLazyEventListener::JSLazyEventListener): * bindings/js/JSLazyEventListener.h: * dom/EventListener.h: (WebCore::EventListener::wasCreatedFromMarkup const): Deleted. 
* dom/EventListenerMap.cpp: (WebCore::removeFirstListenerCreatedFromMarkup): (WebCore::copyListenersNotCreatedFromMarkupToTarget): * dom/EventTarget.cpp: (WebCore::EventTarget::addEventListener): * svg/SVGElement.cpp: (WebCore::SVGElement::removeEventListener): LayoutTests: * http/tests/security/contentSecurityPolicy/inline-event-handler-allowed-after-being-replaced-expected.txt: Added. * http/tests/security/contentSecurityPolicy/inline-event-handler-allowed-after-being-replaced.html: Added. Modified Paths trunk/LayoutTests/ChangeLog trunk/Source/WebCore/ChangeLog trunk/Source/WebCore/bindings/js/JSErrorHandler.cpp trunk/Source/WebCore/bindings/js/JSEventListener.cpp trunk/Source/WebCore/bindings/js/JSEventListener.h trunk/Source/WebCore/bindings/js/JSLazyEventListener.cpp trunk/Source/WebCore/bindings/js/JSLazyEventListener.h trunk/Source/WebCore/dom/EventListener.h trunk/Source/WebCore/dom/EventListenerMap.cpp trunk/Source/WebCore/dom/EventTarget.cpp trunk/Source/WebCore/svg/SVGElement.cpp Added Paths trunk/LayoutTests/http/tests/security/contentSecurityPolicy/inline-event-handler-allowed-after-being-replaced-expected.txt trunk/LayoutTests/http/tests/security/contentSecurityPolicy/inline-event-handler-allowed-after-being-replaced.html Diff Modified: trunk/LayoutTests/ChangeLog (289891 => 289892) --- trunk/LayoutTests/ChangeLog 2022-02-16 16:54:55 UTC (rev 289891) +++ trunk/LayoutTests/ChangeLog 2022-02-16 16:58:48 UTC (rev 289892) 
@@ -1,3 +1,14 @@ +2022-02-16 Alexey Shvayka + +REGRESSION(r287293): EventListener::wasCreatedFromMarkup() is incorrect after replaceJSFunctionForAttributeListener() +https://bugs.webkit.org/show_bug.cgi?id=236618 + + +Reviewed by Chris Dumez. + +* http/tests/security/contentSecurityPolicy/inline-event-handler-allowed-after-being-replaced-expected.txt: Added. +* http/tests/security/contentSecurityPolicy/inline-event-handler-allowed-after-being-replaced.html: Added. + 2022-02-16 Ali Juma Floating point exception in RenderListBox::numVisibleItems Added: trunk/LayoutTests/http/tests/security/contentSecurityPolicy/inline-event-handler-allowed-after-being-replaced-expected.txt (0 => 289892) --- trunk/LayoutTests/http/tests/security/contentSecurityPolicy/inline-event-handler-allowed-after-being-replaced-expected.txt (rev 0) +++ trunk/LayoutTests/http/tests/security/contentSecurityPolicy/inline-event-handler-allowed-after-being-replaced-expected.txt 2022-02-16 16:58:48 UTC (rev 289892) @@ -0,0 +1,3 @@ +CONSOLE MESSAGE: Refused to execute a script for an inline event handler because 'unsafe-inline' appears in neither the script-src directive nor the default-src directive of the Content Security Policy. +CONSOLE MESSAGE: PASS: clicked is 1 +This test checks that if an inline handler was replaced with a JSFunction, CSP doesn't prevent it from being invoked. It passes if there is one SecurityError and 'PASS' message, with no 'FAIL' logs appearing. Added: trunk/LayoutTests/http/tests/security/contentSecurityPolicy/inline-event-handler-allowed-after-being-replaced.html (0 => 289892) --- trunk/LayoutTests/http/tests/security/contentSecurityPolicy/inline-event-handler-allowed-after-being-replaced.html (rev 0) +++ trunk/LayoutTests/http/tests/security/
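Review bot: The description line in the new inline-event-handler-allowed-after-being-replaced-expected.txt says the test passes with "one SecurityError", but the only refusal recorded above it is a CSP console message ("Refused to execute a script for an inline event handler…"), not a SecurityError exception. That text presumably comes from the test's .html, whose hunk is cut off after this one, so I would reword it there to `It passes if there is one CSP refusal console message and one 'PASS' message, with no 'FAIL' logs appearing.` and regenerate the baseline. The baseline shows the markup handler being refused and the replacement function running. It does not show whether setting the content attribute again after the replacement is refused again, which is the direction where a stale cleared flag would weaken the policy, so that case deserves an assertion if the test does not already have one.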
[webkit-changes] [289164] trunk
Title: [289164] trunk Revision 289164 Author shvaikal...@gmail.com Date 2022-02-05 16:14:49 -0800 (Sat, 05 Feb 2022) Log Message Attempting to [[Set]] JSArray's read-only "length" should throw even with current [[Value]] https://bugs.webkit.org/show_bug.cgi?id=221177 Reviewed by Saam Barati. JSTests: * stress/array-prototype-methods-set-length.js: Added. Source/_javascript_Core: As per OrdinarySet algorithm [1]. To achieve that, while ensuring no error is thrown if read-only "length" isn't actually changed via [[DefineOwnProperty]] [2], this patch moves `newLength == oldLength` check to JSArray::defineOwnProperty(). That is guaranteed to be correct because: a) it's the only caller of setLengthWithArrayStorage() that performs [[DefineOwnProperty]], while others implement [[Set]]; b) there can't possibly be array indices that JSArray::defineOwnProperty() has to remove, and even the spec has a shortcut here [3]. All code paths in pop() / shift() / push() / unshift() are covered by the newly added test, as well as JSArray's [[DefineOwnProperty]], while slice() / splice() / etc were vetted to [[Set]] "length" according to the spec. Aligns JSC with SpiderMonkey and partly with V8, which is correct for Object.freeze() but not for `Object.defineProperty(array, "length", { writable: false })`. 
[1]: https://tc39.es/ecma262/#sec-ordinarysetwithowndescriptor (step 2.a) [2]: https://tc39.es/ecma262/#sec-validateandapplypropertydescriptor (step 5 and 7) [3]: https://tc39.es/ecma262/#sec-arraysetlength (step 11) * runtime/JSArray.cpp: (JSC::JSArray::defineOwnProperty): (JSC::JSArray::setLengthWithArrayStorage): Modified Paths trunk/JSTests/ChangeLog trunk/Source/_javascript_Core/ChangeLog trunk/Source/_javascript_Core/runtime/JSArray.cpp Added Paths trunk/JSTests/stress/array-prototype-methods-set-length.js Diff Modified: trunk/JSTests/ChangeLog (289163 => 289164) --- trunk/JSTests/ChangeLog 2022-02-05 23:42:27 UTC (rev 289163) +++ trunk/JSTests/ChangeLog 2022-02-06 00:14:49 UTC (rev 289164) @@ -1,3 +1,12 @@ +2022-02-05 Alexey Shvayka + +Attempting to [[Set]] JSArray's read-only "length" should throw even with current [[Value]] +https://bugs.webkit.org/show_bug.cgi?id=221177 + +Reviewed by Saam Barati. + +* stress/array-prototype-methods-set-length.js: Added. + 2022-02-04 Yusuke Suzuki WeakRef deref can return null instead of undefined Added: trunk/JSTests/stress/array-prototype-methods-set-length.js (0 => 289164) --- trunk/JSTests/stress/array-prototype-methods-set-length.js (rev 0) +++ trunk/JSTests/stress/array-prototype-methods-set-length.js 2022-02-06 00:14:49 UTC (rev 289164) 
@@ -0,0 +1,144 @@ +function shouldBe(actual, expected) { +if (actual !== expected) +throw new Error(`Bad value: ${actual}!\ncreateTestObject:\n${createTestObject}\nmakeLengthReadOnly: ${makeLengthReadOnly}`); +}; + +function shouldThrow(func, reExpectedError) { +let errorThrown = false; +try { +func(); +} catch (error) { +errorThrown = true; +if (!reExpectedError.test(error.toString())) +throw new Error(`Bad error: ${error}!\ncreateTestObject:\n${createTestObject}\nmakeLengthReadOnly: ${makeLengthReadOnly}`); +} +if (!errorThrown) +throw new Error(`Didn't throw!\ncreateTestObject: ${createTestObject}\nmakeLengthReadOnly: ${makeLengthReadOnly}`); +}; + +var createTestObject; +const createTestObjectFunctions = [ +len => new Array(len), +len => new Proxy(new Array(len), {}), +len => { const obj = Object.create(Array.prototype); obj.length = len; return obj; }, +]; + +var makeLengthReadOnly; +const makeLengthReadOnlyFunctions = [ +arr => { Object.freeze(arr); }, +arr => { Object.defineProperty(arr, "length", { writable: false }); }, +]; + +var testObject; +const expectedTypeError = /^TypeError:.+/; + +for (createTestObject of createTestObjectFunctions) { +for (makeLengthReadOnly of makeLengthReadOnlyFunctions) { + +testObject = createTestObject(0); +makeLengthReadOnly(testObject); +shouldThrow(() => { "use strict"; testObject.length = 0; }, expectedTypeError); +shouldBe(testObject.length, 0); + +testObject = createTestObject(0); +makeLengthReadOnly(testObject); +shouldThrow(() => { testObject.pop(); }, expectedTypeError); +shouldBe(testObject.length, 0); + +testObject = createTestObject(1); +testObject[0] = 1; +makeLengthReadOnly(testObject); +shouldThrow(() => { testObject.pop(); }, expectedTypeError); +shouldBe(testObject.length, 1); + +testObject = createTestObject(0); +makeLengthReadOnly(testObject); +shouldThrow(() => { testObject.push(); }, expectedTypeError); +shouldBe(testObject.length, 0); + +testObject = createTestObject(0); +makeLengthReadOnly(testObject); 
+shouldThrow(() => { testObject.push(1); }, expectedTypeError); +shouldBe(testObject.leng
[webkit-changes] [288763] trunk
Title: [288763] trunk Revision 288763 Author shvaikal...@gmail.com Date 2022-01-28 16:05:54 -0800 (Fri, 28 Jan 2022) Log Message Remove showModalDialog-specific logic from JSDOMWindow::getOwnPropertySlot() https://bugs.webkit.org/show_bug.cgi?id=234282 Reviewed by Yusuke Suzuki. Source/WebCore: This change removes showModalDialog-specific logic from JSDOMWindow::getOwnPropertySlot() in favor of a setter-less CustomValue property on `window`, which returns a function only if modals are allowed, and can be overridden by userland code. Since we need to support setCanRunModal(true) being called after DOMWindow is initialized, [EnabledByQuirk] and friends could not be used. However, once the function was exposed, there is no point in hiding it, so the CustomValue getter replaces itself with a regular data property to preserve the function's identity (covered by fast/dom/wrapper-identity.html). The patch makes JSDOMWindow's getOwnPropertySlot() consistent with its getOwnPropertyNames() regarding the presence of "showModalDialog" property, and fixes JSDOMWindow::getOwnPropertySlot() being ignored by LLInt when accessing "showModalDialog" from scope, which resulted in exposing the function even if modals were disallowed. Test: fast/dom/Window/forbid-showModalDialog.html * bindings/js/JSDOMWindowBase.cpp: (WebCore::JSDOMWindowBase::finishCreation): * bindings/js/JSDOMWindowCustom.cpp: (WebCore::JSDOMWindow::getOwnPropertySlot): (WebCore::JSC_DEFINE_CUSTOM_GETTER): (WebCore::JSC_DEFINE_HOST_FUNCTION): (WebCore::JSDOMWindow::showModalDialog): Deleted. 
* bindings/js/JSDOMWindowCustom.h: * page/DOMWindow.idl: LayoutTests: * fast/dom/Window/forbid-showModalDialog-expected.txt: * fast/dom/Window/forbid-showModalDialog.html: Modified Paths trunk/LayoutTests/ChangeLog trunk/LayoutTests/fast/dom/Window/forbid-showModalDialog-expected.txt trunk/LayoutTests/fast/dom/Window/forbid-showModalDialog.html trunk/Source/WebCore/ChangeLog trunk/Source/WebCore/bindings/js/JSDOMWindowBase.cpp trunk/Source/WebCore/bindings/js/JSDOMWindowCustom.cpp trunk/Source/WebCore/bindings/js/JSDOMWindowCustom.h trunk/Source/WebCore/page/DOMWindow.idl Diff Modified: trunk/LayoutTests/ChangeLog (288762 => 288763) --- trunk/LayoutTests/ChangeLog 2022-01-28 23:12:40 UTC (rev 288762) +++ trunk/LayoutTests/ChangeLog 2022-01-29 00:05:54 UTC (rev 288763) @@ -1,3 +1,13 @@ +2022-01-28 Alexey Shvayka + +Remove showModalDialog-specific logic from JSDOMWindow::getOwnPropertySlot() +https://bugs.webkit.org/show_bug.cgi?id=234282 + +Reviewed by Yusuke Suzuki. + +* fast/dom/Window/forbid-showModalDialog-expected.txt: +* fast/dom/Window/forbid-showModalDialog.html: + 2022-01-28 Jon Lee Add copy-to-clipboard button for fuzzy matching meta tag Modified: trunk/LayoutTests/fast/dom/Window/forbid-showModalDialog-expected.txt (288762 => 288763) --- trunk/LayoutTests/fast/dom/Window/forbid-showModalDialog-expected.txt 2022-01-28 23:12:40 UTC (rev 288762) +++ trunk/LayoutTests/fast/dom/Window/forbid-showModalDialog-expected.txt 2022-01-29 00:05:54 UTC (rev 288763) 
@@ -6,11 +6,12 @@ Make sure window.showModalDialog is undefined when modal dialogs are not allowed. internals.setCanShowModalDialogOverride(false) PASS window.showModalDialog is undefined -PASS window.hasOwnProperty('showModalDialog') is false +PASS window.hasOwnProperty('showModalDialog') is true +PASS Object.getOwnPropertyNames(window).includes('showModalDialog') is true Tests having a named property with name 'showModalDialog'. document.body.append(testFrame) -PASS window.showModalDialog is testFrame.contentWindow +PASS window.showModalDialog is undefined testFrame.remove() PASS window.showModalDialog is undefined @@ -19,6 +20,7 @@ PASS window.showModalDialog is not undefined PASS window.hasOwnProperty('showModalDialog') is true PASS window.showModalDialog is an instance of Function +PASS window.showModalDialog.name is 'showModalDialog' Make sure window.showModalDialog can be shadowed. window.showModalDialog = 1 Modified: trunk/LayoutTests/fast/dom/Window/forbid-showModalDialog.html (288762 => 288763) --- trunk/LayoutTests/fast/dom/Window/forbid-showModalDialog.html 2022-01-28 23:12:40 UTC (rev 288762) +++ trunk/LayoutTests/fast/dom/Window/forbid-showModalDialog.html 2022-01-29 00:05:54 UTC (rev 288763) @@ -8,8 +8,11 @@ debug("Make sure window.showModalDialog is undefined when modal dialogs are not allowed."); evalAndLog("internals.setCanShowModalDialogOverride(false)"); shouldBe("window.showModalDialog", "undefined"); -shouldBeFalse("window.hasOwnProperty('showModalDialog')"); +shouldBeTrue("window.hasOwnProperty('showModalDialog')"); +shouldBeTrue("Object.getOwnPropertyNames(window).includes('showModalDialog')"); +if (showModalDialog !== undefined) +testFailed("showModalDialog !== undefined"); debug(""); debug("Tests having a named property with name 'showModalDialog'."); @@ -16,7 +19,7 @@ va
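Review bot: The bare `showModalDialog` check added after the `getOwnPropertyNames` assertion in forbid-showModalDialog.html prints nothing on success, so the -expected.txt hunk above has no line proving it ran. It is also the only added line that exercises the scope lookup which, per the log message, used to expose the function with modals disallowed. I would add `else testPassed("showModalDialog is undefined");` so that a dropped or skipped check shows up as a baseline diff. The lookup also runs only once, so it presumably covers just the lowest execution tier; a short loop around it would reach the others if that matters here. The enclosing script continues outside this hunk, and the hunk that follows is cut off.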
[webkit-changes] [288640] trunk
Title: [288640] trunk Revision 288640 Author shvaikal...@gmail.com Date 2022-01-26 12:10:15 -0800 (Wed, 26 Jan 2022) Log Message globalThis.queueMicrotask() should report thrown exceptions https://bugs.webkit.org/show_bug.cgi?id=235614 Reviewed by Geoff Garen. LayoutTests/imported/w3c: Rebaseline WPT tests that are now passing. * web-platform-tests/html/webappapis/microtask-queuing/queue-microtask-exceptions.any-expected.txt: * web-platform-tests/html/webappapis/microtask-queuing/queue-microtask-exceptions.any.serviceworker-expected.txt: * web-platform-tests/html/webappapis/microtask-queuing/queue-microtask-exceptions.any.worker-expected.txt: Source/_javascript_Core: 1. Move JSGlobalObject::hasDebugger() to the header to facilitate inlining as it's used in rather hot Microtask execution code. 2. Export a few Debugger methods for JSDOMMicrotask::run(). 3. Remove the now-unused createJSMicrotask() overload. * debugger/Debugger.h: * runtime/JSGlobalObject.cpp: (JSC::JSGlobalObject::hasDebugger const): Deleted. * runtime/JSGlobalObject.h: (JSC::JSGlobalObject::hasDebugger const): * runtime/JSMicrotask.cpp: * runtime/JSMicrotask.h: Source/WebCore: This patch introduces WebCore::JSDOMMicrotask so the queueMicrotask() could report a thrown exception as per spec [1] and to avoid invocation of a userland function from detached , which aligns WebKit with Blink and Gecko. Both of these changes align the callback of queueMicrotask() with generated callback functions / interfaces (see bug 232387) that are implemented via JSCallbackData. [1] https://html.spec.whatwg.org/multipage/timers-and-user-prompts.html#microtask-queuing:report-the-exception Tests: imported/w3c/web-platform-tests/html/webappapis/microtask-queuing/queue-microtask-exceptions.any.js fast/dom/callback-function-detached-frame-queue-microtask.html * Headers.cmake: * Sources.txt: * WebCore.xcodeproj/project.pbxproj: * bindings/js/JSDOMMicrotask.cpp: Added. 
(WebCore::createJSDOMMicrotask): (WebCore::JSDOMMicrotask::run): * bindings/js/JSDOMMicrotask.h: Added. * bindings/js/JSDOMWindowCustom.cpp: (WebCore::JSDOMWindow::queueMicrotask): * bindings/js/JSWorkerGlobalScopeCustom.cpp: (WebCore::JSWorkerGlobalScope::queueMicrotask): * dom/EventLoop.h: LayoutTests: * TestExpectations: Unskip 3 WPT tests that are now passing. * fast/dom/callback-function-detached-frame-queue-microtask-expected.txt: Added. * fast/dom/callback-function-detached-frame-queue-microtask.html: Added. * fast/dom/resources/callback-function-detached-frame-queue-microtask-iframe.html: Added. * inspector/debugger/break-on-uncaught-exception-expected.txt: * platform/mac-wk1/TestExpectations: Skip Service Worker test. Modified Paths trunk/LayoutTests/ChangeLog trunk/LayoutTests/TestExpectations trunk/LayoutTests/imported/w3c/ChangeLog trunk/LayoutTests/imported/w3c/web-platform-tests/html/webappapis/microtask-queuing/queue-microtask-exceptions.any-expected.txt trunk/LayoutTests/imported/w3c/web-platform-tests/html/webappapis/microtask-queuing/queue-microtask-exceptions.any.serviceworker-expected.txt trunk/LayoutTests/imported/w3c/web-platform-tests/html/webappapis/microtask-queuing/queue-microtask-exceptions.any.worker-expected.txt trunk/LayoutTests/inspector/debugger/break-on-uncaught-exception-expected.txt trunk/LayoutTests/platform/mac-wk1/TestExpectations trunk/Source/_javascript_Core/ChangeLog trunk/Source/_javascript_Core/debugger/Debugger.h trunk/Source/_javascript_Core/runtime/JSGlobalObject.cpp trunk/Source/_javascript_Core/runtime/JSGlobalObject.h trunk/Source/_javascript_Core/runtime/JSMicrotask.cpp trunk/Source/_javascript_Core/runtime/JSMicrotask.h trunk/Source/WebCore/ChangeLog trunk/Source/WebCore/Headers.cmake trunk/Source/WebCore/Sources.txt trunk/Source/WebCore/WebCore.xcodeproj/project.pbxproj trunk/Source/WebCore/bindings/js/JSDOMWindowCustom.cpp trunk/Source/WebCore/bindings/js/JSWorkerGlobalScopeCustom.cpp 
trunk/Source/WebCore/dom/EventLoop.h Added Paths trunk/LayoutTests/fast/dom/callback-function-detached-frame-queue-microtask-expected.txt trunk/LayoutTests/fast/dom/callback-function-detached-frame-queue-microtask.html trunk/LayoutTests/fast/dom/resources/callback-function-detached-frame-queue-microtask-iframe.html trunk/Source/WebCore/bindings/js/JSDOMMicrotask.cpp trunk/Source/WebCore/bindings/js/JSDOMMicrotask.h Diff Modified: trunk/LayoutTests/ChangeLog (288639 => 288640) --- trunk/LayoutTests/ChangeLog 2022-01-26 20:06:29 UTC (rev 288639) +++ trunk/LayoutTests/ChangeLog 2022-01-26 20:10:15 UTC (rev 288640) @@ -1,3 +1,17 @@ +2022-01-26 Alexey Shvayka + +globalThis.queueMicrotask() should report thrown exceptions +https://bugs.webkit.org/show_bug.cgi?id=235614 + +Reviewed by Geoff Garen. + +* TestExpectations: Unskip 3 WPT tests that are now passing. +* fast/dom/callback-function-detached-frame-queue-microtask-expected.txt: Added. +* fast/dom/callback-function-detached-frame
[webkit-changes] [288589] trunk
Title: [288589] trunk Revision 288589 Author shvaikal...@gmail.com Date 2022-01-25 16:31:38 -0800 (Tue, 25 Jan 2022) Log Message XPath::Step::nodesInAxis(): add null checks after Attr::ownerElement() calls https://bugs.webkit.org/show_bug.cgi?id=235500 Reviewed by Darin Adler. LayoutTests/imported/w3c: Import WPT tests from https://github.com/web-platform-tests/wpt/pull/32544. * web-platform-tests/domxpath/xpath-evaluate-crash-expected.txt: Added. * web-platform-tests/domxpath/xpath-evaluate-crash.html: Added. Source/WebCore: This patch adds null checks for results of Attr::ownerElement() to avoid crashes when evaluating XPath expressions with an orphaned Attr as the context node. Inspired by the recent Blink fix [1], yet this change covers all null pointer dereferencing sites, as proven by the updated test. [1] https://bugs.chromium.org/p/chromium/issues/detail?id=1236967 Test: imported/w3c/web-platform-tests/domxpath/xpath-evaluate-crash.html * xml/XPathStep.cpp: (WebCore::XPath::Step::nodesInAxis const): Modified Paths trunk/LayoutTests/imported/w3c/ChangeLog trunk/Source/WebCore/ChangeLog trunk/Source/WebCore/xml/XPathStep.cpp Added Paths trunk/LayoutTests/imported/w3c/web-platform-tests/domxpath/xpath-evaluate-crash-expected.txt trunk/LayoutTests/imported/w3c/web-platform-tests/domxpath/xpath-evaluate-crash.html Diff Modified: trunk/LayoutTests/imported/w3c/ChangeLog (288588 => 288589) --- trunk/LayoutTests/imported/w3c/ChangeLog 2022-01-26 00:14:48 UTC (rev 288588) +++ trunk/LayoutTests/imported/w3c/ChangeLog 2022-01-26 00:31:38 UTC (rev 288589) 
@@ -1,3 +1,15 @@ +2022-01-25 Alexey Shvayka + +XPath::Step::nodesInAxis(): add null checks after Attr::ownerElement() calls +https://bugs.webkit.org/show_bug.cgi?id=235500 + +Reviewed by Darin Adler. + +Import WPT tests from https://github.com/web-platform-tests/wpt/pull/32544. + +* web-platform-tests/domxpath/xpath-evaluate-crash-expected.txt: Added. +* web-platform-tests/domxpath/xpath-evaluate-crash.html: Added. + 2022-01-25 Antti Koivisto [CSS Container Queries] Parsing support for container shorthand property Added: trunk/LayoutTests/imported/w3c/web-platform-tests/domxpath/xpath-evaluate-crash-expected.txt (0 => 288589) --- trunk/LayoutTests/imported/w3c/web-platform-tests/domxpath/xpath-evaluate-crash-expected.txt (rev 0) +++ trunk/LayoutTests/imported/w3c/web-platform-tests/domxpath/xpath-evaluate-crash-expected.txt 2022-01-26 00:31:38 UTC (rev 288589) @@ -0,0 +1,3 @@ + +PASS Evaluating XPath expressions with orhpaned Attr as context node doesn't crash + Added: trunk/LayoutTests/imported/w3c/web-platform-tests/domxpath/xpath-evaluate-crash.html (0 => 288589) --- trunk/LayoutTests/imported/w3c/web-platform-tests/domxpath/xpath-evaluate-crash.html (rev 0) +++ trunk/LayoutTests/imported/w3c/web-platform-tests/domxpath/xpath-evaluate-crash.html 2022-01-26 00:31:38 UTC (rev 288589) @@ -0,0 +1,23 @@ + + +Evaluating XPath expressions with orhpaned Attr as context node doesn't crash + + +test(() => { +for (const _expression_ of [ +"..", +"parent", +"ancestor::*", +"ancestor-or-self::*", +"following::*", +"preceding::*", +]) { +const orphanedAttr = document.createAttribute("foo"); +new XPathEvaluator().evaluate(_expression_, orphanedAttr, null, 2); +} +}); + Modified: trunk/Source/WebCore/ChangeLog (288588 => 288589) --- trunk/Source/WebCore/ChangeLog 2022-01-26 00:14:48 UTC (rev 288588) +++ trunk/Source/WebCore/ChangeLog 2022-01-26 00:31:38 UTC (rev 288589) 
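Review bot: In xpath-evaluate-crash.html the `"parent"` entry is a name test on the child axis (`child::parent`), so with an Attr context node it most likely never reaches the parent-axis code that `".."` already covers; `"parent::*"` looks like what was intended. The result type is passed as a bare `2`, where `XPathResult.STRING_TYPE` says the same thing readably. The test title misspells "orphaned" as "orhpaned", and the typo is carried into the -expected.txt baseline. Because the file is imported from WPT, these changes would go upstream first and be re-imported. `_expression_` looks like a mail-archive substitution rather than the committed identifier.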
@@ -1,3 +1,23 @@ +2022-01-25 Alexey Shvayka + +XPath::Step::nodesInAxis(): add null checks after Attr::ownerElement() calls +https://bugs.webkit.org/show_bug.cgi?id=235500 + +Reviewed by Darin Adler. + +This patch adds null checks for results of Attr::ownerElement() to avoid crashes +when evaluating XPath expressions with an orphaned Attr as the context node. + +Inspired by the recent Blink fix [1], yet this change covers all null pointer +dereferencing sites, as proven by the updated test. + +[1] https://bugs.chromium.org/p/chromium/issues/detail?id=1236967 + +Test: imported/w3c/web-platform-tests/domxpath/xpath-evaluate-crash.html + +* xml/XPathStep.cpp: +(WebCore::XPath::Step::nodesInAxis const): + 2022-01-25 Simon Fraser Fix some spelling errors in Color functions Modified: trunk/Source/WebCore/xml/XPathStep.cpp (288588 => 288589) --- trunk/Source/WebCore/xml/XPathStep.cpp 2022-01-26 00:14:48 UTC (rev 288588) +++ trunk/Source/WebCore/xml/XPathStep.cpp 2022-01-26 00:31:38 UTC (rev 288589) @@ -258,7 +258,7 @@ case ParentAxis: if (context.isAttributeNode()) { Element* node = static_cast(context).ownerElement(); -if (nodeMatches(*node, ParentAxis, m_nodeTest)) +
[webkit-changes] [288584] trunk/Source/WebCore
Title: [288584] trunk/Source/WebCore Revision 288584 Author shvaikal...@gmail.com Date 2022-01-25 14:09:07 -0800 (Tue, 25 Jan 2022) Log Message Remove unused Document::ListenerType enumerators https://bugs.webkit.org/show_bug.cgi?id=235049 Reviewed by Sam Weinig. Except for RESIZE_LISTENER, which just seems to be left behind, legacyType() of EventTarget.cpp handles all other event types, deleted in this patch, according to the spec [1]. [1] https://dom.spec.whatwg.org/#concept-event-listener-invoke (step 9) No new tests, no behavior change. * dom/Document.cpp: (WebCore::Document::addListenerTypeIfNeeded): * dom/Document.h: Modified Paths trunk/Source/WebCore/ChangeLog trunk/Source/WebCore/dom/Document.cpp trunk/Source/WebCore/dom/Document.h Diff Modified: trunk/Source/WebCore/ChangeLog (288583 => 288584) --- trunk/Source/WebCore/ChangeLog 2022-01-25 21:55:44 UTC (rev 288583) +++ trunk/Source/WebCore/ChangeLog 2022-01-25 22:09:07 UTC (rev 288584) @@ -1,3 +1,21 @@ +2022-01-25 Alexey Shvayka + +Remove unused Document::ListenerType enumerators +https://bugs.webkit.org/show_bug.cgi?id=235049 + +Reviewed by Sam Weinig. + +Except for RESIZE_LISTENER, which just seems to be left behind, legacyType() of EventTarget.cpp +handles all other event types, deleted in this patch, according to the spec [1]. + +[1] https://dom.spec.whatwg.org/#concept-event-listener-invoke (step 9) + +No new tests, no behavior change. + +* dom/Document.cpp: +(WebCore::Document::addListenerTypeIfNeeded): +* dom/Document.h: + 2022-01-25 Antti Koivisto [CSS Container Queries] Parsing support for container shorthand property Modified: trunk/Source/WebCore/dom/Document.cpp (288583 => 288584) --- trunk/Source/WebCore/dom/Document.cpp 2022-01-25 21:55:44 UTC (rev 288583) +++ trunk/Source/WebCore/dom/Document.cpp 2022-01-25 22:09:07 UTC (rev 288584) 
@@ -5220,14 +5220,6 @@ addListenerType(DOMCHARACTERDATAMODIFIED_LISTENER); else if (eventType == eventNames().overflowchangedEvent) addListenerType(OVERFLOWCHANGED_LISTENER); -else if (eventType == eventNames().webkitAnimationStartEvent || eventType == eventNames().animationstartEvent) -addListenerType(ANIMATIONSTART_LISTENER); -else if (eventType == eventNames().webkitAnimationEndEvent || eventType == eventNames().animationendEvent) -addListenerType(ANIMATIONEND_LISTENER); -else if (eventType == eventNames().webkitAnimationIterationEvent || eventType == eventNames().animationiterationEvent) -addListenerType(ANIMATIONITERATION_LISTENER); -else if (eventType == eventNames().webkitTransitionEndEvent || eventType == eventNames().transitionendEvent) -addListenerType(TRANSITIONEND_LISTENER); else if (eventType == eventNames().beforeloadEvent) addListenerType(BEFORELOAD_LISTENER); else if (eventType == eventNames().scrollEvent) @@ -5240,8 +5232,6 @@ addListenerType(FORCEDOWN_LISTENER); else if (eventType == eventNames().webkitmouseforceupEvent) addListenerType(FORCEUP_LISTENER); -else if (eventType == eventNames().resizeEvent) -addListenerType(RESIZE_LISTENER); else if (eventType == eventNames().focusinEvent) addListenerType(FOCUSIN_LISTENER); else if (eventType == eventNames().focusoutEvent) Modified: trunk/Source/WebCore/dom/Document.h (288583 => 288584) --- trunk/Source/WebCore/dom/Document.h 2022-01-25 21:55:44 UTC (rev 288583) +++ trunk/Source/WebCore/dom/Document.h 2022-01-25 22:09:07 UTC (rev 288584) @@ -889,6 +889,7 @@ // keep track of what types of event listeners are registered, so we don't // dispatch events unnecessarily +// FIXME: Consider using OptionSet. enum ListenerType { DOMSUBTREEMODIFIED_LISTENER = 1, DOMNODEINSERTED_LISTENER = 1 << 1, 
@@ -897,19 +898,15 @@ DOMNODEINSERTEDINTODOCUMENT_LISTENER = 1 << 4, DOMCHARACTERDATAMODIFIED_LISTENER= 1 << 5, OVERFLOWCHANGED_LISTENER = 1 << 6, -ANIMATIONEND_LISTENER= 1 << 7, -ANIMATIONSTART_LISTENER = 1 << 8, -ANIMATIONITERATION_LISTENER = 1 << 9, -TRANSITIONEND_LISTENER = 1 << 10, -BEFORELOAD_LISTENER = 1 << 11, -SCROLL_LISTENER = 1 << 12, -FORCEWILLBEGIN_LISTENER = 1 << 13, -FORCECHANGED_LISTENER= 1 << 14, -FORCEDOWN_LISTENER = 1 << 15, -FORCEUP_LISTENER = 1 << 16, -RESIZE_LISTENER = 1 << 17, -FOCUSIN_LISTENER = 1 << 18, -FOCUSOUT_LISTENER= 1 << 19, +TRANSITIONEND_LISTENER = 1 << 7, +BEFORELOAD_LISTENER = 1 << 8, +
[webkit-changes] [287095] trunk/Source/WebCore
Title: [287095] trunk/Source/WebCore Revision 287095 Author shvaikal...@gmail.com Date 2021-12-15 12:14:08 -0800 (Wed, 15 Dec 2021) Log Message [WebIDL] Remove the now-unused [DocumentEventHandler] extended attribute https://bugs.webkit.org/show_bug.cgi?id=234047 Reviewed by Darin Adler. [DocumentEventHandler] was originally introduced just to accommodate onselectionchange IDL attribute, which became unnecessary as of r287089. Also, HTML spec has no concept of reflecting event handlers to Document, only to Window [1]. [1] https://html.spec.whatwg.org/multipage/webappapis.html#window-reflecting-body-element-event-handler-set No new tests, no behavior change. * bindings/js/JSEventListener.cpp: (WebCore::documentEventHandlerAttribute): Deleted. (WebCore::setDocumentEventHandlerAttribute): Deleted. * bindings/js/JSEventListener.h: * bindings/scripts/CodeGeneratorJS.pm: (GenerateAttributeGetterBodyDefinition): (GenerateAttributeSetterBodyDefinition): * bindings/scripts/IDLAttributes.json: Modified Paths trunk/Source/WebCore/ChangeLog trunk/Source/WebCore/bindings/js/JSEventListener.cpp trunk/Source/WebCore/bindings/js/JSEventListener.h trunk/Source/WebCore/bindings/scripts/CodeGeneratorJS.pm trunk/Source/WebCore/bindings/scripts/IDLAttributes.json Diff Modified: trunk/Source/WebCore/ChangeLog (287094 => 287095) --- trunk/Source/WebCore/ChangeLog 2021-12-15 20:09:13 UTC (rev 287094) +++ trunk/Source/WebCore/ChangeLog 2021-12-15 20:14:08 UTC (rev 287095) 
@@ -1,3 +1,27 @@ +2021-12-15 Alexey Shvayka + +[WebIDL] Remove the now-unused [DocumentEventHandler] extended attribute +https://bugs.webkit.org/show_bug.cgi?id=234047 + +Reviewed by Darin Adler. + +[DocumentEventHandler] was originally introduced just to accommodate onselectionchange +IDL attribute, which became unnecessary as of r287089. Also, HTML spec has no concept +of reflecting event handlers to Document, only to Window [1]. + +[1] https://html.spec.whatwg.org/multipage/webappapis.html#window-reflecting-body-element-event-handler-set + +No new tests, no behavior change. + +* bindings/js/JSEventListener.cpp: +(WebCore::documentEventHandlerAttribute): Deleted. +(WebCore::setDocumentEventHandlerAttribute): Deleted. +* bindings/js/JSEventListener.h: +* bindings/scripts/CodeGeneratorJS.pm: +(GenerateAttributeGetterBodyDefinition): +(GenerateAttributeSetterBodyDefinition): +* bindings/scripts/IDLAttributes.json: + 2021-12-15 Jer Noble [Mac] Adopt -[NSScreen safeAreaInsets] Modified: trunk/Source/WebCore/bindings/js/JSEventListener.cpp (287094 => 287095) --- trunk/Source/WebCore/bindings/js/JSEventListener.cpp 2021-12-15 20:09:13 UTC (rev 287094) +++ trunk/Source/WebCore/bindings/js/JSEventListener.cpp 2021-12-15 20:14:08 UTC (rev 287095) 
@@ -316,29 +316,4 @@ setEventHandlerAttribute(lexicalGlobalObject, wrapper, window, eventType, value); } -JSC::JSValue documentEventHandlerAttribute(HTMLElement& element, const AtomString& eventType, DOMWrapperWorld& isolatedWorld) -{ -auto& document = element.document(); -return eventHandlerAttribute(document.attributeEventListener(eventType, isolatedWorld), document); -} - -void setDocumentEventHandlerAttribute(JSC::JSGlobalObject& lexicalGlobalObject, JSC::JSObject& wrapper, HTMLElement& element, const AtomString& eventType, JSC::JSValue value) -{ -ASSERT(wrapper.globalObject()); -auto& document = element.document(); -auto* documentWrapper = JSC::jsCast(toJS(&lexicalGlobalObject, JSC::jsCast(wrapper.globalObject()), document)); -ASSERT(documentWrapper); -document.setAttributeEventListener(eventType, createEventListenerForEventHandlerAttribute(lexicalGlobalObject, value, *documentWrapper), currentWorld(lexicalGlobalObject)); -} - -JSC::JSValue documentEventHandlerAttribute(Document& document, const AtomString& eventType, DOMWrapperWorld& isolatedWorld) -{ -return eventHandlerAttribute(document, eventType, isolatedWorld); -} - -void setDocumentEventHandlerAttribute(JSC::JSGlobalObject& lexicalGlobalObject, JSC::JSObject& wrapper, Document& document, const AtomString& eventType, JSC::JSValue value) -{ -setEventHandlerAttribute(lexicalGlobalObject, wrapper, document, eventType, value); -} - } // namespace WebCore Modified: trunk/Source/WebCore/bindings/js/JSEventListener.h (287094 => 287095) --- trunk/Source/WebCore/bindings/js/JSEventListener.h 2021-12-15 20:09:13 UTC (rev 287094) +++ trunk/Source/WebCore/bindings/js/JSEventListener.h 2021-12-15 20:14:08 UTC (rev 287095) 
@@ -92,12 +92,6 @@ JSC::JSValue windowEventHandlerAttribute(DOMWindow&, const AtomString& eventType, DOMWrapperWorld&); void setWindowEventHandlerAttribute(JSC::JSGlobalObject&, JSC::JSObject&, DOMWindow&, const AtomString& eventType, JSC::JSValue); -// Like the functions above, but for attributes that forward event handlers to the document r
[webkit-changes] [287089] trunk
Title: [287089] trunk Revision 287089 Author shvaikal...@gmail.com Date 2021-12-15 11:37:58 -0800 (Wed, 15 Dec 2021) Log Message [WebIDL] onselectionchange IDL attribute should not Document-reflect event listeners https://bugs.webkit.org/show_bug.cgi?id=234349 Reviewed by Darin Adler. Source/WebCore: onselectionchange IDL attribute should not forward event listeners from <body> to Document because: a) the attribute is being standardized as a global event handler [1]; b) "selectionchange" event should be emitted on Document only for selection changes of ranges [2], while it should bubble to <body> only when selection changes occur in <input> / <textarea> elements; c) HTML spec has no concept of reflecting event handlers to Document, only to Window [3]. While this patch aligns WebKit with Blink and Gecko, event listener forwarding is preserved for "onselectionchange" content attribute in order to ensure web-compatibility in the following case: * a userland listener that relies on `document.activeElement` to handle selection changes, including ones that occur in <input> / <textarea> elements. This is caught by the fast/events/selectionchange-user-initiated.html test as well. 
[1] https://w3c.github.io/selection-api/#extensions-to-globaleventhandlers-interface [2] https://w3c.github.io/selection-api/#selectionchange-event [3] https://html.spec.whatwg.org/multipage/webappapis.html#window-reflecting-body-element-event-handler-set Test: fast/dom/event-handler-attributes.html * html/HTMLBodyElement.cpp: (WebCore::HTMLBodyElement::parseAttribute): * html/HTMLBodyElement.idl: LayoutTests: * fast/dom/event-handler-attributes-expected.txt: * fast/dom/event-handler-attributes.html: Modified Paths trunk/LayoutTests/ChangeLog trunk/LayoutTests/fast/dom/event-handler-attributes-expected.txt trunk/LayoutTests/fast/dom/event-handler-attributes.html trunk/Source/WebCore/ChangeLog trunk/Source/WebCore/html/HTMLBodyElement.cpp trunk/Source/WebCore/html/HTMLBodyElement.idl Diff Modified: trunk/LayoutTests/ChangeLog (287088 => 287089) --- trunk/LayoutTests/ChangeLog 2021-12-15 18:55:46 UTC (rev 287088) +++ trunk/LayoutTests/ChangeLog 2021-12-15 19:37:58 UTC (rev 287089) @@ -1,3 +1,13 @@ +2021-12-15 Alexey Shvayka + +[WebIDL] onselectionchange IDL attribute should not Document-reflect event listeners +https://bugs.webkit.org/show_bug.cgi?id=234349 + +Reviewed by Darin Adler. + +* fast/dom/event-handler-attributes-expected.txt: +* fast/dom/event-handler-attributes.html: + 2021-12-15 Yoshiaki Jitsukawa JPEG XL decoder should support understand color profiles Modified: trunk/LayoutTests/fast/dom/event-handler-attributes-expected.txt (287088 => 287089) --- trunk/LayoutTests/fast/dom/event-handler-attributes-expected.txt 2021-12-15 18:55:46 UTC (rev 287088) +++ trunk/LayoutTests/fast/dom/event-handler-attributes-expected.txt 2021-12-15 19:37:58 UTC (rev 287089) 
@@ -581,10 +581,6 @@
 PASS testElementAttribute(bodyElement, "storage") is "window"
 PASS testElementAttribute(bodyElement, "unload") is "window"
-Event names we expect to be forwarded from element to document)
-
-PASS testElementAttribute(bodyElement, "selectionchange") is "document"
-
 Non-forwarded event names on element
 PASS testElementAttribute(bodyElement, "abort") is "target"
@@ -641,6 +637,7 @@
 PASS testElementAttribute(bodyElement, "seeked") is "target"
 PASS testElementAttribute(bodyElement, "seeking") is "target"
 PASS testElementAttribute(bodyElement, "select") is "target"
+FAIL testElementAttribute(bodyElement, "selectionchange") should be target. Was script: target; content: document.
 PASS testElementAttribute(bodyElement, "selectstart") is "target"
 PASS testElementAttribute(bodyElement, "stalled") is "target"
 PASS testElementAttribute(bodyElement, "submit") is "target"
@@ -680,10 +677,6 @@
 PASS testElementAttribute(framesetElement, "storage") is "window"
 PASS testElementAttribute(framesetElement, "unload") is "window"
-Event names we expect to be forwarded from element to document)
-
-FAIL testElementAttribute(framesetElement, "selectionchange") should be document. Was target.
-
 Non-forwarded event names on element
 PASS testElementAttribute(framesetElement, "abort") is "target"
@@ -740,6 +733,7 @@
 PASS testElementAttribute(framesetElement, "seeked") is "target"
 PASS testElementAttribute(framesetElement, "seeking") is "target"
 PASS testElementAttribute(framesetElement, "select") is "target"
+PASS testElementAttribute(framesetElement, "selectionchange") is "target"
 PASS testElementAttribute(framesetElement, "selectstart") is "target"
 PASS testElementAttribute(framesetElement, "stalled") is "target"
 PASS testElementAttribute(framesetElement, "submit") is "target"
@@ -942,6 +936,10 @@ PASS testElementAttribute(nonHTMLElement, "webkittransitionend") is "none" PASS testElementAttribute(nonHTMLElement, "wheel") is "none" +onselectionchange IDL attribute doesn't forward event listen
[webkit-changes] [286898] trunk
Title: [286898] trunk Revision 286898 Author shvaikal...@gmail.com Date 2021-12-10 19:02:38 -0800 (Fri, 10 Dec 2021) Log Message Setting "onselectionchange" content attribute should add an event listener https://bugs.webkit.org/show_bug.cgi?id=234167 Reviewed by Darin Adler. LayoutTests/imported/w3c: Import WPT tests from https://github.com/web-platform-tests/wpt/pull/32013. * web-platform-tests/selection/textcontrols: Added. * web-platform-tests/selection/textcontrols/onselectionchange-content-attribute-expected.txt: Added. * web-platform-tests/selection/textcontrols/onselectionchange-content-attribute.html: Added. Source/WebCore: This patch implements full support for "onselectionchange" content attribute, enabling it to add an event listener on any element, which fixes regression introduced in r268745 and aligns "onselectionchange" with "onselectstart". Aligns WebKit with Gecko and the spec [1]. [1] https://w3c.github.io/selection-api/#extensions-to-globaleventhandlers-interface Tests: fast/dom/event-handler-attributes.html imported/w3c/web-platform-tests/selection/textcontrols/onselectionchange-content-attribute.html * html/HTMLElement.cpp: (WebCore::HTMLElement::createEventHandlerNameMap): LayoutTests: * fast/dom/event-handler-attributes-expected.txt: Modified Paths trunk/LayoutTests/ChangeLog trunk/LayoutTests/fast/dom/event-handler-attributes-expected.txt trunk/LayoutTests/imported/w3c/ChangeLog trunk/Source/WebCore/ChangeLog trunk/Source/WebCore/html/HTMLElement.cpp Added Paths trunk/LayoutTests/imported/w3c/web-platform-tests/selection/textcontrols/ trunk/LayoutTests/imported/w3c/web-platform-tests/selection/textcontrols/onselectionchange-content-attribute-expected.txt trunk/LayoutTests/imported/w3c/web-platform-tests/selection/textcontrols/onselectionchange-content-attribute.html Diff Modified: trunk/LayoutTests/ChangeLog (286897 => 286898) --- trunk/LayoutTests/ChangeLog 2021-12-11 02:45:31 UTC (rev 286897) +++ trunk/LayoutTests/ChangeLog 2021-12-11 
03:02:38 UTC (rev 286898) @@ -1,3 +1,12 @@ +2021-12-10 Alexey Shvayka + +Setting "onselectionchange" content attribute should add an event listener +https://bugs.webkit.org/show_bug.cgi?id=234167 + +Reviewed by Darin Adler. + +* fast/dom/event-handler-attributes-expected.txt: + 2021-12-10 Joonghun Park Don't do simplification for percentage comparison resolution against negative reference values. Modified: trunk/LayoutTests/fast/dom/event-handler-attributes-expected.txt (286897 => 286898) --- trunk/LayoutTests/fast/dom/event-handler-attributes-expected.txt 2021-12-11 02:45:31 UTC (rev 286897) +++ trunk/LayoutTests/fast/dom/event-handler-attributes-expected.txt 2021-12-11 03:02:38 UTC (rev 286898) @@ -252,7 +252,7 @@ PASS testElementAttribute(element, "seeked") is "target" PASS testElementAttribute(element, "seeking") is "target" PASS testElementAttribute(element, "select") is "target" -FAIL testElementAttribute(element, "selectionchange") should be target. Was script: target; content: none. +PASS testElementAttribute(element, "selectionchange") is "target" PASS testElementAttribute(element, "selectstart") is "target" PASS testElementAttribute(element, "stalled") is "target" PASS testElementAttribute(element, "submit") is "target" @@ -345,7 +345,7 @@ PASS testElementAttribute(inputElement, "seeked") is "target" PASS testElementAttribute(inputElement, "seeking") is "target" PASS testElementAttribute(inputElement, "select") is "target" -FAIL testElementAttribute(inputElement, "selectionchange") should be target. Was script: target; content: none. +PASS testElementAttribute(inputElement, "selectionchange") is "target" PASS testElementAttribute(inputElement, "selectstart") is "target" PASS testElementAttribute(inputElement, "stalled") is "target" PASS testElementAttribute(inputElement, "submit") is "target" 
@@ -438,7 +438,7 @@ PASS testElementAttribute(audioElement, "seeked") is "target" PASS testElementAttribute(audioElement, "seeking") is "target" PASS testElementAttribute(audioElement, "select") is "target" -FAIL testElementAttribute(audioElement, "selectionchange") should be target. Was script: target; content: none. +PASS testElementAttribute(audioElement, "selectionchange") is "target" PASS testElementAttribute(audioElement, "selectstart") is "target" PASS testElementAttribute(audioElement, "stalled") is "target" PASS testElementAttribute(audioElement, "submit") is "target" @@ -531,7 +531,7 @@ PASS testElementAttribute(videoElement, "seeked") is "target" PASS testElementAttribute(videoElement, "seeking") is "target" PASS testElementAttribute(videoElement, "select") is "target" -FAIL testElementAttribute(videoElement, "selectionchange") should be target. Was script: target; content: none. +PASS testElementAttribute(videoElement, "selectionchange") is "target" PASS testElementAttribute(videoElement, "selectstart") is "target" PASS testEl
[webkit-changes] [286873] trunk
Title: [286873] trunk Revision 286873 Author shvaikal...@gmail.com Date 2021-12-10 13:28:43 -0800 (Fri, 10 Dec 2021) Log Message Extend the scope where the Window's current event is set https://bugs.webkit.org/show_bug.cgi?id=233833 Reviewed by Ryosuke Niwa. LayoutTests/imported/w3c: Import WPT tests from https://github.com/web-platform-tests/wpt/pull/31894. * web-platform-tests/dom/events/event-global-is-still-set-when-coercing-beforeunload-result-expected.txt: Added. * web-platform-tests/dom/events/event-global-is-still-set-when-coercing-beforeunload-result.html: Added. * web-platform-tests/dom/events/event-global-set-before-handleEvent-lookup.any-expected.txt: Added. * web-platform-tests/dom/events/event-global-set-before-handleEvent-lookup.any.html: Added. * web-platform-tests/dom/events/event-global-set-before-handleEvent-lookup.any.js: Added. * web-platform-tests/dom/events/resources/event-global-is-still-set-when-coercing-beforeunload-result-frame.html: Added. Source/WebCore: Inner invoke algorithm [1] sets window.event from step 8.2 until step 12 (inclusive). That includes calling a callback interface [2], which performs "handleEvent" lookup (step 10.1) and coerces return value of "beforeunload" handler (step 14). Before this patch, window.event was not set during these user-observable operations. Now WebKit is aligned with Blink and Gecko. JSErrorHandler is correct: although reportException() may call userland "error" handler, it will have window.event on its own. [1] https://dom.spec.whatwg.org/#concept-event-listener-inner-invoke [2] https://webidl.spec.whatwg.org/#call-a-user-objects-operation Tests: imported/w3c/web-platform-tests/dom/events/event-global-is-still-set-when-coercing-beforeunload-result.html imported/w3c/web-platform-tests/dom/events/event-global-set-before-handleEvent-lookup.any.html * bindings/js/JSEventListener.cpp: (WebCore::JSEventListener::handleEvent): ScopeExit is used since the method has so many exit points. 
Modified Paths trunk/LayoutTests/imported/w3c/ChangeLog trunk/Source/WebCore/ChangeLog trunk/Source/WebCore/bindings/js/JSEventListener.cpp Added Paths trunk/LayoutTests/imported/w3c/web-platform-tests/dom/events/event-global-is-still-set-when-coercing-beforeunload-result-expected.txt trunk/LayoutTests/imported/w3c/web-platform-tests/dom/events/event-global-is-still-set-when-coercing-beforeunload-result.html trunk/LayoutTests/imported/w3c/web-platform-tests/dom/events/event-global-set-before-handleEvent-lookup.any-expected.txt trunk/LayoutTests/imported/w3c/web-platform-tests/dom/events/event-global-set-before-handleEvent-lookup.any.html trunk/LayoutTests/imported/w3c/web-platform-tests/dom/events/event-global-set-before-handleEvent-lookup.any.js trunk/LayoutTests/imported/w3c/web-platform-tests/dom/events/resources/event-global-is-still-set-when-coercing-beforeunload-result-frame.html Diff Modified: trunk/LayoutTests/imported/w3c/ChangeLog (286872 => 286873) --- trunk/LayoutTests/imported/w3c/ChangeLog 2021-12-10 21:25:01 UTC (rev 286872) +++ trunk/LayoutTests/imported/w3c/ChangeLog 2021-12-10 21:28:43 UTC (rev 286873) 
@@ -1,5 +1,21 @@ 2021-12-10 Alexey Shvayka +Extend the scope where the Window's current event is set +https://bugs.webkit.org/show_bug.cgi?id=233833 + +Reviewed by Ryosuke Niwa. + +Import WPT tests from https://github.com/web-platform-tests/wpt/pull/31894. + +* web-platform-tests/dom/events/event-global-is-still-set-when-coercing-beforeunload-result-expected.txt: Added. +* web-platform-tests/dom/events/event-global-is-still-set-when-coercing-beforeunload-result.html: Added. +* web-platform-tests/dom/events/event-global-set-before-handleEvent-lookup.any-expected.txt: Added. +* web-platform-tests/dom/events/event-global-set-before-handleEvent-lookup.any.html: Added. +* web-platform-tests/dom/events/event-global-set-before-handleEvent-lookup.any.js: Added. +* web-platform-tests/dom/events/resources/event-global-is-still-set-when-coercing-beforeunload-result-frame.html: Added. + +2021-12-10 Alexey Shvayka + JSErrorHandler should not set window.event if invocation target is in shadow tree https://bugs.webkit.org/show_bug.cgi?id=233834 Added: trunk/LayoutTests/imported/w3c/web-platform-tests/dom/events/event-global-is-still-set-when-coercing-beforeunload-result-expected.txt (0 => 286873) --- trunk/LayoutTests/imported/w3c/web-platform-tests/dom/events/event-global-is-still-set-when-coercing-beforeunload-result-expected.txt (rev 0) +++ trunk/LayoutTests/imported/w3c/web-platform-tests/dom/events/event-global-is-still-set-when-coercing-beforeunload-result-expected.txt 2021-12-10 21:28:43 UTC (rev 286873) @@ -0,0 +1,4 @@ + + +PASS window.event is still set when 'beforeunload' result is coerced to string + Added: trunk/LayoutTests/imported/w3c/web-platform-tests/dom/events/event-global-
[webkit-changes] [286871] trunk
Title: [286871] trunk Revision 286871 Author shvaikal...@gmail.com Date 2021-12-10 13:24:43 -0800 (Fri, 10 Dec 2021) Log Message JSErrorHandler should not set window.event if invocation target is in shadow tree https://bugs.webkit.org/show_bug.cgi?id=233834 Reviewed by Ryosuke Niwa. LayoutTests/imported/w3c: Update the test per https://github.com/web-platform-tests/wpt/pull/31893 as well as its expectations. * web-platform-tests/dom/events/event-global-expected.txt: * web-platform-tests/dom/events/event-global.html: Source/WebCore: This patch brings r233489 for JSErrorHandler (window.onerror handler for ErrorEvent), implementing the spec [1] and aligning WebKit with Blink and Gecko. [1] https://dom.spec.whatwg.org/#ref-for-window-current-event%E2%91%A1 Test: imported/w3c/web-platform-tests/dom/events/event-global.html * bindings/js/JSErrorHandler.cpp: (WebCore::JSErrorHandler::handleEvent): Modified Paths trunk/LayoutTests/imported/w3c/ChangeLog trunk/LayoutTests/imported/w3c/web-platform-tests/dom/events/event-global-expected.txt trunk/LayoutTests/imported/w3c/web-platform-tests/dom/events/event-global.html trunk/Source/WebCore/ChangeLog trunk/Source/WebCore/bindings/js/JSErrorHandler.cpp Diff Modified: trunk/LayoutTests/imported/w3c/ChangeLog (286870 => 286871) --- trunk/LayoutTests/imported/w3c/ChangeLog 2021-12-10 21:15:46 UTC (rev 286870) +++ trunk/LayoutTests/imported/w3c/ChangeLog 2021-12-10 21:24:43 UTC (rev 286871) 
@@ -1,3 +1,15 @@ +2021-12-10 Alexey Shvayka + +JSErrorHandler should not set window.event if invocation target is in shadow tree +https://bugs.webkit.org/show_bug.cgi?id=233834 + +Reviewed by Ryosuke Niwa. + +Update the test per https://github.com/web-platform-tests/wpt/pull/31893 as well as its expectations. + +* web-platform-tests/dom/events/event-global-expected.txt: +* web-platform-tests/dom/events/event-global.html: + 2021-12-10 Patrick Griffis CSP: Implement protections against nonce-hijacking Modified: trunk/LayoutTests/imported/w3c/web-platform-tests/dom/events/event-global-expected.txt (286870 => 286871) --- trunk/LayoutTests/imported/w3c/web-platform-tests/dom/events/event-global-expected.txt 2021-12-10 21:15:46 UTC (rev 286870) +++ trunk/LayoutTests/imported/w3c/web-platform-tests/dom/events/event-global-expected.txt 2021-12-10 21:24:43 UTC (rev 286871) @@ -3,6 +3,7 @@ PASS window.event is only defined during dispatch PASS window.event is undefined if the target is in a shadow tree (event dispatched outside shadow tree) PASS window.event is undefined if the target is in a shadow tree (event dispatched inside shadow tree) +PASS window.event is undefined inside window.onerror if the target is in a shadow tree (ErrorEvent dispatched inside shadow tree) PASS window.event is set to the current event during dispatch PASS window.event is set to the current event, which is the event passed to dispatch Modified: trunk/LayoutTests/imported/w3c/web-platform-tests/dom/events/event-global.html (286870 => 286871) --- trunk/LayoutTests/imported/w3c/web-platform-tests/dom/events/event-global.html 2021-12-10 21:15:46 UTC (rev 286870) +++ trunk/LayoutTests/imported/w3c/web-platform-tests/dom/events/event-global.html 2021-12-10 21:24:43 UTC (rev 286871) @@ -5,6 +5,8 @@
[webkit-changes] [284761] trunk
Title: [284761] trunk Revision 284761 Author shvaikal...@gmail.com Date 2021-10-24 10:37:41 -0700 (Sun, 24 Oct 2021) Log Message Assertions in IDBTransaction::request*() methods fail on cross-realm methods https://bugs.webkit.org/show_bug.cgi?id=230128 Reviewed by Sihui Liu. LayoutTests/imported/w3c: * web-platform-tests/IndexedDB/idbindex-cross-realm-methods-expected.txt: Added. * web-platform-tests/IndexedDB/idbindex-cross-realm-methods.html: Added. * web-platform-tests/IndexedDB/idbobjectstore-cross-realm-methods-expected.txt: Added. * web-platform-tests/IndexedDB/idbobjectstore-cross-realm-methods.html: Added. Source/WebCore: Except when used with constructors, [CallWith=GlobalObject] WebIDL attribute passes _current_ global object [1], one that the function was created in. A method from another realm has different ScriptExecutionContext than the IDBTransaction, and it's fine: function's global object is used only for IDBKey parsing and structure cloning as per spec [2]. This patch removes incorrect assertions, fixing IDBObjectStore / IDBIndex cross-realm methods not to crash --debug build, and removes now unused JSGlobalObject parameters. 
[1] https://html.spec.whatwg.org/multipage/webappapis.html#concept-current-everything [2] https://www.w3.org/TR/IndexedDB/#ref-for-retrieve-a-value-from-an-object-store Tests: imported/w3c/web-platform-tests/IndexedDB/idbindex-cross-realm-methods.html imported/w3c/web-platform-tests/IndexedDB/idbobjectstore-cross-realm-methods.html * Modules/indexeddb/IDBCursor.cpp: (WebCore::IDBCursor::deleteFunction): * Modules/indexeddb/IDBCursor.h: * Modules/indexeddb/IDBCursor.idl: * Modules/indexeddb/IDBIndex.cpp: (WebCore::IDBIndex::doOpenCursor): (WebCore::IDBIndex::openCursor): (WebCore::IDBIndex::doOpenKeyCursor): (WebCore::IDBIndex::openKeyCursor): (WebCore::IDBIndex::count): (WebCore::IDBIndex::doCount): (WebCore::IDBIndex::get): (WebCore::IDBIndex::doGet): (WebCore::IDBIndex::getKey): (WebCore::IDBIndex::doGetKey): (WebCore::IDBIndex::doGetAll): (WebCore::IDBIndex::getAll): (WebCore::IDBIndex::doGetAllKeys): (WebCore::IDBIndex::getAllKeys): * Modules/indexeddb/IDBIndex.h: * Modules/indexeddb/IDBIndex.idl: * Modules/indexeddb/IDBObjectStore.cpp: (WebCore::IDBObjectStore::doOpenCursor): (WebCore::IDBObjectStore::openCursor): (WebCore::IDBObjectStore::doOpenKeyCursor): (WebCore::IDBObjectStore::openKeyCursor): (WebCore::IDBObjectStore::get): (WebCore::IDBObjectStore::getKey): (WebCore::IDBObjectStore::putOrAdd): Use IDBObjectStore's context instead of _current_ global object for private browsing check as per recommendation for spec authors [1]. This doesn't seem to be observable. 
(WebCore::IDBObjectStore::deleteFunction): (WebCore::IDBObjectStore::doDelete): (WebCore::IDBObjectStore::clear): (WebCore::IDBObjectStore::createIndex): (WebCore::IDBObjectStore::count): (WebCore::IDBObjectStore::doCount): (WebCore::IDBObjectStore::doGetAll): (WebCore::IDBObjectStore::getAll): (WebCore::IDBObjectStore::doGetAllKeys): (WebCore::IDBObjectStore::getAllKeys): * Modules/indexeddb/IDBObjectStore.h: * Modules/indexeddb/IDBObjectStore.idl: * Modules/indexeddb/IDBTransaction.cpp: (WebCore::IDBTransaction::requestOpenCursor): (WebCore::IDBTransaction::doRequestOpenCursor): (WebCore::IDBTransaction::requestGetAllObjectStoreRecords): (WebCore::IDBTransaction::requestGetAllIndexRecords): (WebCore::IDBTransaction::requestGetRecord): (WebCore::IDBTransaction::requestGetValue): (WebCore::IDBTransaction::requestGetKey): (WebCore::IDBTransaction::requestIndexRecord): (WebCore::IDBTransaction::requestCount): (WebCore::IDBTransaction::requestDeleteRecord): (WebCore::IDBTransaction::requestClearObjectStore): (WebCore::IDBTransaction::requestPutOrAdd): * Modules/indexeddb/IDBTransaction.h: * inspector/agents/InspectorIndexedDBAgent.cpp: Modified Paths trunk/LayoutTests/imported/w3c/ChangeLog trunk/Source/WebCore/ChangeLog trunk/Source/WebCore/Modules/indexeddb/IDBCursor.cpp trunk/Source/WebCore/Modules/indexeddb/IDBCursor.h trunk/Source/WebCore/Modules/indexeddb/IDBCursor.idl trunk/Source/WebCore/Modules/indexeddb/IDBIndex.cpp trunk/Source/WebCore/Modules/indexeddb/IDBIndex.h trunk/Source/WebCore/Modules/indexeddb/IDBIndex.idl trunk/Source/WebCore/Modules/indexeddb/IDBObjectStore.cpp trunk/Source/WebCore/Modules/indexeddb/IDBObjectStore.h trunk/Source/WebCore/Modules/indexeddb/IDBObjectStore.idl trunk/Source/WebCore/Modules/indexeddb/IDBTransaction.cpp trunk/Source/WebCore/Modules/indexeddb/IDBTransaction.h trunk/Source/WebCore/inspector/agents/InspectorIndexedDBAgent.cpp Added Paths 
trunk/LayoutTests/imported/w3c/web-platform-tests/IndexedDB/idbindex-cross-realm-methods-expected.txt trunk/LayoutTests/imported/w3c/web-platform-tests/IndexedDB/idbindex-cross-realm-methods.html trunk/LayoutTests/imported/w3c/web-platform-tests/IndexedDB/idbobjectstore-cross-realm-methods-expected.txt trunk/LayoutTests/imported/w3c/web-platform-tests/IndexedDB/idbobjectstore-cross-realm-me
[webkit-changes] [284758] trunk
Title: [284758] trunk Revision 284758 Author shvaikal...@gmail.com Date 2021-10-24 09:01:14 -0700 (Sun, 24 Oct 2021) Log Message document.open() and friends use incorrect document as a source for reseted document's URL https://bugs.webkit.org/show_bug.cgi?id=230131 Reviewed by Chris Dumez. LayoutTests/imported/w3c: * web-platform-tests/html/webappapis/dynamic-markup-insertion/opening-the-input-stream/origin-check-in-document-open-same-origin-domain.sub-expected.txt: * web-platform-tests/html/webappapis/dynamic-markup-insertion/opening-the-input-stream/resources/url-entry-document-incumbent-frame.html: Added. * web-platform-tests/html/webappapis/dynamic-markup-insertion/opening-the-input-stream/url-entry-document-sync-call.window-expected.txt: Added. * web-platform-tests/html/webappapis/dynamic-markup-insertion/opening-the-input-stream/url-entry-document-sync-call.window.html: Added. * web-platform-tests/html/webappapis/dynamic-markup-insertion/opening-the-input-stream/url-entry-document-sync-call.window.js: Added. Source/WebCore: With this patch, Document's open() / write() / writeln() methods receive entry global object's document [1] as an argument, which is used to perform same-origin security check and to set the URL of reseted document from. Aligns WebKit with Blink and Gecko. Instead of maintaining consistency with FirstWindow, EntryDocument is named to match the spec and because it's not always the "first" (topmost) document, but rather a document of closest or inline event handler. ResponsibleDocument is removed because it's now unused and, in terms of implementation, a poor man's IncumbentWindow. Also, the spec describes different concept by that name [2]. 
[1] https://html.spec.whatwg.org/multipage/dynamic-markup-insertion.html#opening-the-input-stream:entry-global-object [2] https://html.spec.whatwg.org/multipage/webappapis.html#responsible-document Tests: http/tests/security/aboutBlank/security-context-grandchildren-lexical.html http/tests/security/aboutBlank/security-context-grandchildren-write-lexical.html http/tests/security/aboutBlank/security-context-grandchildren-writeln-lexical.html imported/w3c/web-platform-tests/html/webappapis/dynamic-markup-insertion/opening-the-input-stream/url-entry-document-sync-call.window.html * bindings/js/JSDOMWindowBase.cpp: (WebCore::responsibleDocument): Deleted. * bindings/js/JSDOMWindowBase.h: * bindings/scripts/CodeGeneratorJS.pm: (GenerateCallWith): * bindings/scripts/IDLAttributes.json: * dom/Document+HTML.idl: * dom/Document.cpp: (WebCore::Document::open): (WebCore::Document::write): (WebCore::Document::writeln): * dom/Document.h: LayoutTests: * http/tests/security/aboutBlank/security-context-grandchildren-lexical.html: * http/tests/security/aboutBlank/security-context-grandchildren-write-lexical.html: * http/tests/security/aboutBlank/security-context-grandchildren-writeln-lexical.html: Tweak javascript: URLs to evaluate as `undefined` so the tests could be run in Firefox. * http/tests/security/aboutBlank/security-context-grandchildren-lexical-expected.txt: * http/tests/security/aboutBlank/security-context-grandchildren-write-lexical-expected.txt: * http/tests/security/aboutBlank/security-context-grandchildren-writeln-lexical-expected.txt: Align expectations with Blink and Gecko. * http/tests/security/resources/parent-document-open.html: Added. * http/tests/security/xss-DENIED-xsl-document-securityOrigin.xml: The test relied on behavior that wasn't spec-compliant, causing timeouts once document.open() is fixed. This patch preserves the test semantics of calling document.open() with iframe's global object. Similar Blink bug: crbug.com/579493. Modified Paths
- trunk/LayoutTests/ChangeLog
- trunk/LayoutTests/http/tests/security/aboutBlank/security-context-grandchildren-lexical-expected.txt
- trunk/LayoutTests/http/tests/security/aboutBlank/security-context-grandchildren-lexical.html
- trunk/LayoutTests/http/tests/security/aboutBlank/security-context-grandchildren-write-lexical-expected.txt
- trunk/LayoutTests/http/tests/security/aboutBlank/security-context-grandchildren-write-lexical.html
- trunk/LayoutTests/http/tests/security/aboutBlank/security-context-grandchildren-writeln-lexical-expected.txt
[webkit-changes] [284756] trunk
Title: [284756] trunk Revision 284756 Author shvaikal...@gmail.com Date 2021-10-24 08:18:35 -0700 (Sun, 24 Oct 2021) Log Message Add my GitHub username to contributors.json and update credentials Unreviewed. * metadata/contributors.json: Modified Paths trunk/ChangeLog trunk/metadata/contributors.json Diff Modified: trunk/ChangeLog (284755 => 284756) --- trunk/ChangeLog 2021-10-24 14:50:04 UTC (rev 284755) +++ trunk/ChangeLog 2021-10-24 15:18:35 UTC (rev 284756) @@ -1,3 +1,11 @@ +2021-10-24 Alexey Shvayka + +Add my GitHub username to contributors.json and update credentials + +Unreviewed. + +* metadata/contributors.json: + 2021-10-22 Guillaume Emont Add Guillaume Emont's github username to contributors.json Modified: trunk/metadata/contributors.json (284755 => 284756) --- trunk/metadata/contributors.json 2021-10-24 14:50:04 UTC (rev 284755) +++ trunk/metadata/contributors.json 2021-10-24 15:18:35 UTC (rev 284756) @@ -412,11 +412,14 @@ }, { "emails" : [ + "ashva...@apple.com", "shvaikal...@gmail.com" ], "expertise" : "_javascript_/ECMAScript, _javascript_ DOM Bindings", + "github" : "shvaikalesh", "name" : "Alexey Shvayka", "nicks" : [ + "ashvayka", "shvaikalesh" ], "status" : "reviewer" ___ webkit-changes mailing list webkit-changes@lists.webkit.org https://lists.webkit.org/mailman/listinfo/webkit-changes
[webkit-changes] [284241] trunk
Title: [284241] trunk Revision 284241 Author shvaikal...@gmail.com Date 2021-10-15 03:24:43 -0700 (Fri, 15 Oct 2021) Log Message [WebIDL] JSDOMBuiltinConstructor instances should support subclassing https://bugs.webkit.org/show_bug.cgi?id=231689 Reviewed by Youenn Fablet. LayoutTests/imported/w3c: * web-platform-tests/streams/queuing-strategies.any-expected.txt: * web-platform-tests/streams/queuing-strategies.any.worker-expected.txt: * web-platform-tests/streams/readable-streams/general.any-expected.txt: * web-platform-tests/streams/readable-streams/general.any.worker-expected.txt: * web-platform-tests/streams/transform-streams/general.any-expected.txt: * web-platform-tests/streams/transform-streams/general.any.worker-expected.txt: Source/WebCore: This patch: 1. Removes JSDOMObjectInspector and related conditional createJSObject() / callConstructor() overloads: they aren't necessary because code generator guarantees that built-in constructors are called only on JSDOMObjectInspector::isBuiltin objects. 2. Implements proper subclassing [1] for built-in constructors, ensuring exception checking and rare cases are kept off the fast path. For simplicity and consistency with JSC built-ins and setSubclassStructureIfNeeded(), getFunctionRealm() is called before "prototype" lookup, which is non-observable. 3. Further improves constructor's fast path by replacing slowish argument-copying callFunctionWithCurrentArguments() with ArgList(CallFrame*) constructor. 
[1] https://webidl.spec.whatwg.org/#internally-create-a-new-object-implementing-the-interface (step 3) Tests: imported/w3c/web-platform-tests/streams/queuing-strategies.any.js imported/w3c/web-platform-tests/streams/readable-streams/general.any.js imported/w3c/web-platform-tests/streams/transform-streams/general.any.js * bindings/js/JSDOMBuiltinConstructor.h: (WebCore::JSDOMBuiltinConstructor::getDOMStructureForJSObject): (WebCore::JSDOMBuiltinConstructor::construct): (WebCore::JSDOMBuiltinConstructor::callConstructor): Deleted. (WebCore::createJSObject): Deleted. * bindings/js/JSDOMBuiltinConstructorBase.cpp: (WebCore::JSDOMBuiltinConstructorBase::callFunctionWithCurrentArguments): Deleted. * bindings/js/JSDOMBuiltinConstructorBase.h: * bindings/js/JSDOMWrapper.h: * bindings/scripts/CodeGeneratorJS.pm: (AddJSBuiltinIncludesIfNeeded): Removes [JSBuiltin] check because it's superseded by HasJSBuiltinConstructor helper. * bindings/scripts/IDLAttributes.json: Removes unused [JSBuiltinConstructor] extended attribute: [JSBuiltin] on constructor() or interface should be used instead. 
Modified Paths trunk/LayoutTests/imported/w3c/ChangeLog trunk/LayoutTests/imported/w3c/web-platform-tests/streams/queuing-strategies.any-expected.txt trunk/LayoutTests/imported/w3c/web-platform-tests/streams/queuing-strategies.any.worker-expected.txt trunk/LayoutTests/imported/w3c/web-platform-tests/streams/readable-streams/general.any-expected.txt trunk/LayoutTests/imported/w3c/web-platform-tests/streams/readable-streams/general.any.worker-expected.txt trunk/LayoutTests/imported/w3c/web-platform-tests/streams/transform-streams/general.any-expected.txt trunk/LayoutTests/imported/w3c/web-platform-tests/streams/transform-streams/general.any.worker-expected.txt trunk/Source/WebCore/ChangeLog trunk/Source/WebCore/bindings/js/JSDOMBuiltinConstructor.h trunk/Source/WebCore/bindings/js/JSDOMBuiltinConstructorBase.cpp trunk/Source/WebCore/bindings/js/JSDOMBuiltinConstructorBase.h trunk/Source/WebCore/bindings/js/JSDOMWrapper.h trunk/Source/WebCore/bindings/scripts/CodeGeneratorJS.pm trunk/Source/WebCore/bindings/scripts/IDLAttributes.json Diff Modified: trunk/LayoutTests/imported/w3c/ChangeLog (284240 => 284241) --- trunk/LayoutTests/imported/w3c/ChangeLog 2021-10-15 09:26:08 UTC (rev 284240) +++ trunk/LayoutTests/imported/w3c/ChangeLog 2021-10-15 10:24:43 UTC (rev 284241) 
@@ -1,3 +1,17 @@
+2021-10-15 Alexey Shvayka
+
+[WebIDL] JSDOMBuiltinConstructor instances should support subclassing
+https://bugs.webkit.org/show_bug.cgi?id=231689
+
+Reviewed by Youenn Fablet.
+
+* web-platform-tests/streams/queuing-strategies.any-expected.txt:
+* web-platform-tests/streams/queuing-strategies.any.worker-expected.txt:
+* web-platform-tests/streams/readable-streams/general.any-expected.txt:
+* web-platform-tests/streams/readable-streams/general.any.worker-expected.txt:
+* web-platform-tests/streams/transform-streams/general.any-expected.txt:
+* web-platform-tests/streams/transform-streams/general.any.worker-expected.txt:
+
 2021-10-14 Antti Koivisto
 
 [CSS Cascade Layers] Layer should have higher priority than its descendant layers
Modified: trunk/LayoutTests/imported/w3c/web-platform-tests/streams/queuing-strategies.any-expected.txt (284240 => 284241)
--- trunk/LayoutTests/imported/w3c/web-platform-tests/streams/queuing-strategies.any-expected.txt 2021-10-15 0
[webkit-changes] [284173] trunk
Title: [284173] trunk Revision 284173 Author shvaikal...@gmail.com Date 2021-10-14 10:49:57 -0700 (Thu, 14 Oct 2021) Log Message AudioContext::getOutputTimestamp() uses incorrect global object as a high-res timestamp origin https://bugs.webkit.org/show_bug.cgi?id=230138 Reviewed by Chris Dumez. LayoutTests/imported/w3c: * web-platform-tests/webaudio/the-audio-api/the-audiocontext-interface/audiocontext-getoutputtimestamp-cross-realm-expected.txt: Added. * web-platform-tests/webaudio/the-audio-api/the-audiocontext-interface/audiocontext-getoutputtimestamp-cross-realm.html: Added. Source/WebCore: Although the spec [1] does not explicitly mention which global object to use, there is a recommendation for web spec authors to use _relevant_ [2], unlike ECMA standards. This patch fixes getOutputTimestamp() to use AudioContext's global object to compute `performanceTime`. Aligns WebKit with Blink and Gecko in case of cross-realm method call. [1] https://webaudio.github.io/web-audio-api/#dom-audiocontext-getoutputtimestamp [2] https://html.spec.whatwg.org/multipage/webappapis.html#concept-current-everything Test: imported/w3c/web-platform-tests/webaudio/the-audio-api/the-audiocontext-interface/audiocontext-getoutputtimestamp-cross-realm.html * Modules/webaudio/AudioContext.cpp: (WebCore::AudioContext::getOutputTimestamp): * Modules/webaudio/AudioContext.h: * Modules/webaudio/AudioContext.idl: Modified Paths trunk/LayoutTests/imported/w3c/ChangeLog trunk/Source/WebCore/ChangeLog trunk/Source/WebCore/Modules/webaudio/AudioContext.cpp trunk/Source/WebCore/Modules/webaudio/AudioContext.h trunk/Source/WebCore/Modules/webaudio/AudioContext.idl Added Paths trunk/LayoutTests/imported/w3c/web-platform-tests/webaudio/the-audio-api/the-audiocontext-interface/audiocontext-getoutputtimestamp-cross-realm-expected.txt trunk/LayoutTests/imported/w3c/web-platform-tests/webaudio/the-audio-api/the-audiocontext-interface/audiocontext-getoutputtimestamp-cross-realm.html Diff Modified: 
trunk/LayoutTests/imported/w3c/ChangeLog (284172 => 284173)
--- trunk/LayoutTests/imported/w3c/ChangeLog 2021-10-14 17:32:02 UTC (rev 284172)
+++ trunk/LayoutTests/imported/w3c/ChangeLog 2021-10-14 17:49:57 UTC (rev 284173)
@@ -1,3 +1,13 @@
+2021-10-14 Alexey Shvayka
+
+AudioContext::getOutputTimestamp() uses incorrect global object as a high-res timestamp origin
+https://bugs.webkit.org/show_bug.cgi?id=230138
+
+Reviewed by Chris Dumez.
+
+* web-platform-tests/webaudio/the-audio-api/the-audiocontext-interface/audiocontext-getoutputtimestamp-cross-realm-expected.txt: Added.
+* web-platform-tests/webaudio/the-audio-api/the-audiocontext-interface/audiocontext-getoutputtimestamp-cross-realm.html: Added.
+
 2021-10-14 Tim Nguyen
 
 Import new focus-related WPT
Added: trunk/LayoutTests/imported/w3c/web-platform-tests/webaudio/the-audio-api/the-audiocontext-interface/audiocontext-getoutputtimestamp-cross-realm-expected.txt (0 => 284173)
--- trunk/LayoutTests/imported/w3c/web-platform-tests/webaudio/the-audio-api/the-audiocontext-interface/audiocontext-getoutputtimestamp-cross-realm-expected.txt (rev 0)
+++ trunk/LayoutTests/imported/w3c/web-platform-tests/webaudio/the-audio-api/the-audiocontext-interface/audiocontext-getoutputtimestamp-cross-realm-expected.txt 2021-10-14 17:49:57 UTC (rev 284173)
@@ -0,0 +1,11 @@
+
+
+PASS # AUDIT TASK RUNNER STARTED.
+PASS Executing "getoutputtimestamp-cross-realm"
+PASS Audit report
+PASS > [getoutputtimestamp-cross-realm]
+PASS mainContext's performanceTime is greater than iframeContext's performanceTime.
+PASS mainContext's performanceTime (via iframeContext's method) is mainContext's performanceTime within an error of 0.01.
+PASS < [getoutputtimestamp-cross-realm] All assertions passed. (total 2 assertions)
+PASS # AUDIT TASK RUNNER FINISHED: 1 tasks ran successfully.
+
Added: trunk/LayoutTests/imported/w3c/web-platform-tests/webaudio/the-audio-api/the-audiocontext-interface/audiocontext-getoutputtimestamp-cross-realm.html (0 => 284173)
--- trunk/LayoutTests/imported/w3c/web-platform-tests/webaudio/the-audio-api/the-audiocontext-interface/audiocontext-getoutputtimestamp-cross-realm.html (rev 0)
+++ trunk/LayoutTests/imported/w3c/web-platform-tests/webaudio/the-audio-api/the-audiocontext-interface/audiocontext-getoutputtimestamp-cross-realm.html 2021-10-14 17:49:57 UTC (rev 284173)
@@ -0,0 +1,32 @@
+
+
+
+
+ Testing AudioContext.getOutputTimestamp() method (cross-realm)
+
+
+
+