Modified: trunk/LayoutTests/ChangeLog (174995 => 174996)
--- trunk/LayoutTests/ChangeLog 2014-10-21 19:53:35 UTC (rev 174995)
+++ trunk/LayoutTests/ChangeLog 2014-10-21 20:03:28 UTC (rev 174996)
@@ -1,3 +1,33 @@
+2014-10-21 Michael Saboff <msab...@apple.com>
+
+ Change native call frames to use the scope from their Callee instead of their caller's scope
+ https://bugs.webkit.org/show_bug.cgi?id=137907
+
+ Updated tests to reflect that the results of changing where a native call frame
+ and therefore the lexicalGlobalObject came from. Verified that these tests changes
+ are consistent with the HTML standard. These changes are also closer to the behavior
+ of other browsers.
+
+ Reviewed by Mark Lam.
+
+ * fast/frames/sandboxed-iframe-navigation-parent-expected.txt:
+ * fast/frames/sandboxed-iframe-navigation-parent.html:
+ Changed the test and results to show that a sandboxed iframe can navigate its
+ ancesters when it is sandbox with both "allow-scripts" and "allow-same-origin".
+
+ * http/tests/security/calling-versus-current.html:
+ Updated the test to really have a different domain. We do a simple string comparison
+ to check for that we are part of the same domain. The test expected that 0.0.1 was
+ from the same domain as 127.0.0.1. Changed the test to try 0.0.2 and expect a
+ security exception.
+
+ * http/tests/security/frameNavigation/context-for-location-assign-expected.txt:
+ Updated test results.
+
+ * traversal/node-iterator-prototype-expected.txt:
+ * traversal/node-iterator-prototype.html:
+ Fixed as a result of this change.
+
2014-10-21 Joanmarie Diggs <jdi...@igalia.com>
AX: [ATK] CSS-generated text content not exposed to assistive technologies
Modified: trunk/LayoutTests/fast/frames/sandboxed-iframe-navigation-parent-expected.txt (174995 => 174996)
--- trunk/LayoutTests/fast/frames/sandboxed-iframe-navigation-parent-expected.txt 2014-10-21 19:53:35 UTC (rev 174995)
+++ trunk/LayoutTests/fast/frames/sandboxed-iframe-navigation-parent-expected.txt 2014-10-21 20:03:28 UTC (rev 174996)
@@ -1,9 +1,5 @@
-CONSOLE MESSAGE: Unsafe _javascript_ attempt to initiate navigation for frame with URL 'sandboxed-iframe-navigation-source.html'. The frame attempting navigation is sandboxed, and is therefore disallowed from navigating its ancestors.
+This test verifies that a sandboxed IFrame with the keywords allow-scripts and allow-same-origin is allowed to navigate an ancestor in the frame tree by assigning the location attribute.
-This test verifies that a sandboxed IFrame cannot navigate an ancestor in the frame tree by assigning the location attribute.
-
-This is done by loading ten non-sandboxed IFrames, and a single sandboxed one. Expect ten frames to be navigated, but the sandboxed one to not be one of them.
-
This test will print "PASS" on success.
Modified: trunk/LayoutTests/fast/frames/sandboxed-iframe-navigation-parent.html (174995 => 174996)
--- trunk/LayoutTests/fast/frames/sandboxed-iframe-navigation-parent.html 2014-10-21 19:53:35 UTC (rev 174995)
+++ trunk/LayoutTests/fast/frames/sandboxed-iframe-navigation-parent.html 2014-10-21 20:03:28 UTC (rev 174996)
@@ -13,9 +13,9 @@
{
var testStatus = document.getElementById('testStatus');
- if (self.navigated.location.href.indexOf('parent.html') == -1)
- testStatus.innerHTML = 'FAIL: disallowed frame navigated';
- else if (navigatedFrames == 10)
+ if (self.navigated.location.href.indexOf('parent.html') != -1)
+ testStatus.innerHTML = 'FAIL: sandboxed frame couldn\'t navigate';
+ else if (navigatedFrames == 11)
testStatus.innerHTML = 'PASS';
else
testStatus.innerHTML = 'FAIL: frames not navigated properly';
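Review bot: The new `FAIL: sandboxed frame couldn't navigate` branch in checkResults looks unreachable from the counter path: per the second hunk checkResults only runs once navigatedFrames reaches 11, and a sandboxed frame that is blocked from navigating is exactly the frame that never bumps the counter, so a regression would surface as a harness timeout rather than as that message. Unless checkResults is also scheduled from a timer outside these hunks, consider arming one (`setTimeout(checkResults, TIMEOUT_MS_PLACEHOLDER)` after the frames are created) so the diagnostic is actually printed. The threshold 11 is now duplicated in both hunks; hoisting it to `var expectedNavigations = 11;` and comparing against that in both places keeps the two checks from drifting apart. The enclosing function's signature lies outside this hunk.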
@@ -28,7 +28,7 @@
{
++navigatedFrames;
- if (navigatedFrames == 10)
+ if (navigatedFrames == 11)
checkResults();
}
@@ -37,13 +37,10 @@
<body>
- <p>This test verifies that a sandboxed IFrame cannot navigate an ancestor
+ <p>This test verifies that a sandboxed IFrame with the keywords
+ allow-scripts and allow-same-origin is allowed to navigate an ancestor
in the frame tree by assigning the location attribute.</p>
- <p>This is done by loading ten non-sandboxed IFrames, and a single
- sandboxed one. Expect ten frames to be navigated, but the sandboxed
- one to <b>not</b> be one of them.</p>
-
<p>This test will print "PASS" on success.</p>
<iframe src=""
Modified: trunk/LayoutTests/http/tests/security/calling-versus-current.html (174995 => 174996)
--- trunk/LayoutTests/http/tests/security/calling-versus-current.html 2014-10-21 19:53:35 UTC (rev 174995)
+++ trunk/LayoutTests/http/tests/security/calling-versus-current.html 2014-10-21 20:03:28 UTC (rev 174996)
@@ -6,8 +6,15 @@
window._onload_ = function() {
window.f = frames[0].atob;
- document.domain = "0.0.1";
- if (btoa(window.f("PASS")) == "PASS")
- document.getElementById("console").innerHTML = "PASS"
+ try {
+ document.domain = "0.0.2";
+ } catch (e) {
+ if ("message" in e || (e.message.search("SecurityError:") != -1)) {
+ document.getElementById("console").innerHTML = "PASS"
+ return
+ }
+ }
+ if (btoa(window.f("TEST")) == "TEST")
+ document.getElementById("console").innerHTML = "FAIL"
}
</script>
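Review bot: The catch condition `if ("message" in e || (e.message.search("SecurityError:") != -1))` is wrong in both directions: with `||`, any exception that carries a `message` property is reported as PASS without the SecurityError check ever running, and an exception without `message` makes the right operand throw a TypeError out of the catch. The ChangeLog says the test should expect a security exception, so test the error type directly, `if (e.name == "SecurityError") {`, or at minimum make it `"message" in e && ...`. Separately, when the `document.domain = "0.0.2"` assignment succeeds, or the caught exception is not the expected one, control falls through to the btoa check, which writes nothing when its comparison is false, so the test can end with neither PASS nor FAIL in the console; writing `document.getElementById("console").innerHTML = "FAIL: document.domain did not throw"` on the success path keeps that failure visible. The statements added here also drop their semicolons (`return`, the innerHTML assignments), unlike the surrounding code.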
Modified: trunk/LayoutTests/http/tests/security/frameNavigation/context-for-location-assign-expected.txt (174995 => 174996)
--- trunk/LayoutTests/http/tests/security/frameNavigation/context-for-location-assign-expected.txt 2014-10-21 19:53:35 UTC (rev 174995)
+++ trunk/LayoutTests/http/tests/security/frameNavigation/context-for-location-assign-expected.txt 2014-10-21 20:03:28 UTC (rev 174996)
@@ -1,2 +1,2 @@
-document.referrer = http://127.0.0.1:8000/security/frameNavigation/context-for-location-assign.html
+document.referrer =
Modified: trunk/LayoutTests/traversal/node-iterator-prototype-expected.txt (174995 => 174996)
--- trunk/LayoutTests/traversal/node-iterator-prototype-expected.txt 2014-10-21 19:53:35 UTC (rev 174995)
+++ trunk/LayoutTests/traversal/node-iterator-prototype-expected.txt 2014-10-21 20:03:28 UTC (rev 174996)
@@ -1,11 +1,9 @@
This test checks whether DOM wrappers created by NodeIterator have their prototypes attached to the correct objects. These nodes are from the child frame, so that's where their prototypes should be attached.
-Unfortunately, our implementation is buggy and we get wrappers from the parent frame here. This test documents the bug so we'll know when we fix it.
-
test: child PASS
-A: parent FAIL
-B: parent FAIL
-C: parent FAIL
-D: parent FAIL
-D: parent FAIL
+A: child PASS
+B: child PASS
+C: child PASS
+D: child PASS
+D: child PASS
Modified: trunk/LayoutTests/traversal/node-iterator-prototype.html (174995 => 174996)
--- trunk/LayoutTests/traversal/node-iterator-prototype.html 2014-10-21 19:53:35 UTC (rev 174995)
+++ trunk/LayoutTests/traversal/node-iterator-prototype.html 2014-10-21 20:03:28 UTC (rev 174996)
@@ -4,9 +4,6 @@
prototypes attached to the correct objects. These nodes are from the child
frame, so that's where their prototypes should be attached.</p>
-<p>Unfortunately, our implementation is buggy and we get wrappers from the
-parent frame here. This test documents the bug so we'll know when we fix
-it.</p>
<div id="console"></div>
<script>
if (window.testRunner)
Modified: trunk/Source/_javascript_Core/ChangeLog (174995 => 174996)
--- trunk/Source/_javascript_Core/ChangeLog 2014-10-21 19:53:35 UTC (rev 174995)
+++ trunk/Source/_javascript_Core/ChangeLog 2014-10-21 20:03:28 UTC (rev 174996)
@@ -1,3 +1,18 @@
+2014-10-21 Michael Saboff <msab...@apple.com>
+
+ Change native call frames to use the scope from their Callee instead of their caller's scope
+ https://bugs.webkit.org/show_bug.cgi?id=137907
+
+ Reviewed by Mark Lam.
+
+ Changed setting of scope for native CallFrames to use the scope associated with the
+ Callee instead of the caller's scope.
+
+ * jit/ThunkGenerators.cpp:
+ (JSC::nativeForGenerator):
+ * llint/LowLevelInterpreter32_64.asm:
+ * llint/LowLevelInterpreter64.asm:
+
2014-10-21 Tibor Meszaros <tmeszaros.u-sze...@partner.samsung.com>
Add missing ENABLE(FTL_NATIVE_CALL_INLINING) guard to BundlePath.cpp after r174940
Modified: trunk/Source/_javascript_Core/jit/ThunkGenerators.cpp (174995 => 174996)
--- trunk/Source/_javascript_Core/jit/ThunkGenerators.cpp 2014-10-21 19:53:35 UTC (rev 174995)
+++ trunk/Source/_javascript_Core/jit/ThunkGenerators.cpp 2014-10-21 20:03:28 UTC (rev 174996)
@@ -276,10 +276,10 @@
jit.storePtr(JSInterfaceJIT::callFrameRegister, &vm->topCallFrame);
#if CPU(X86)
- // Load caller frame's scope chain into this callframe so that whatever we call can
+ // Load callee's scope chain into this callframe so that whatever we call can
// get to its global data.
- jit.emitGetCallerFrameFromCallFrameHeaderPtr(JSInterfaceJIT::regT0);
- jit.emitGetFromCallFrameHeaderPtr(JSStack::ScopeChain, JSInterfaceJIT::regT1, JSInterfaceJIT::regT0);
+ jit.emitGetFromCallFrameHeaderPtr(JSStack::Callee, JSInterfaceJIT::regT1);
+ jit.loadPtr(JSInterfaceJIT::Address(JSInterfaceJIT::regT1, JSCallee::offsetOfScopeChain()), JSInterfaceJIT::regT1);
jit.emitPutCellToCallFrameHeader(JSInterfaceJIT::regT1, JSStack::ScopeChain);
// Calling convention: f(ecx, edx, ...);
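Review bot: The rewritten comment, `// Load callee's scope chain into this callframe so that whatever we call can get to its global data.`, understates what this slot now decides: according to the ChangeLog the native frame's ScopeChain is where its lexicalGlobalObject comes from, and the layout tests updated in this commit (sandboxed-iframe navigation, document.domain) observe that choice. Suggest extending the comment in each branch with something like `// This scope also determines the native frame's lexicalGlobalObject, which same-origin and sandbox checks key off, so it must be the callee's scope rather than the caller's.` so the security-relevant invariant is stated where the code could regress it. The same three-line sequence (load Callee into regT1, load its scope chain, store it to ScopeChain) is now identical in this hunk and in the x86_64, ARM64 and ARM/SH4/MIPS hunks and uses only regT1, whereas the old per-architecture scratch registers were the reason for the duplication; it looks hoistable above the `#if CPU(...)` chain, provided regT1 is not live at that point on any target. nativeForGenerator begins and ends outside this hunk.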
@@ -296,10 +296,10 @@
jit.addPtr(JSInterfaceJIT::TrustedImm32(8), JSInterfaceJIT::stackPointerRegister);
#elif CPU(X86_64)
- // Load caller frame's scope chain into this callframe so that whatever we call can
+ // Load callee's scope chain into this callframe so that whatever we call can
// get to its global data.
- jit.emitGetCallerFrameFromCallFrameHeaderPtr(JSInterfaceJIT::regT0);
- jit.emitGetFromCallFrameHeaderPtr(JSStack::ScopeChain, JSInterfaceJIT::regT1, JSInterfaceJIT::regT0);
+ jit.emitGetFromCallFrameHeaderPtr(JSStack::Callee, JSInterfaceJIT::regT1);
+ jit.loadPtr(JSInterfaceJIT::Address(JSInterfaceJIT::regT1, JSCallee::offsetOfScopeChain()), JSInterfaceJIT::regT1);
jit.emitPutCellToCallFrameHeader(JSInterfaceJIT::regT1, JSStack::ScopeChain);
#if !OS(WINDOWS)
// Calling convention: f(edi, esi, edx, ecx, ...);
@@ -333,10 +333,10 @@
COMPILE_ASSERT(ARM64Registers::x1 != JSInterfaceJIT::regT3, T3_not_trampled_by_arg_1);
COMPILE_ASSERT(ARM64Registers::x2 != JSInterfaceJIT::regT3, T3_not_trampled_by_arg_2);
- // Load caller frame's scope chain into this callframe so that whatever we call can
+ // Load callee's scope chain into this callframe so that whatever we call can
// get to its global data.
- jit.emitGetCallerFrameFromCallFrameHeaderPtr(ARM64Registers::x3);
- jit.emitGetFromCallFrameHeaderPtr(JSStack::ScopeChain, JSInterfaceJIT::regT1, ARM64Registers::x3);
+ jit.emitGetFromCallFrameHeaderPtr(JSStack::Callee, JSInterfaceJIT::regT1);
+ jit.loadPtr(JSInterfaceJIT::Address(JSInterfaceJIT::regT1, JSCallee::offsetOfScopeChain()), JSInterfaceJIT::regT1);
jit.emitPutCellToCallFrameHeader(JSInterfaceJIT::regT1, JSStack::ScopeChain);
// Host function signature: f(ExecState*);
@@ -346,9 +346,10 @@
jit.loadPtr(JSInterfaceJIT::Address(ARM64Registers::x1, JSFunction::offsetOfExecutable()), ARM64Registers::x2);
jit.call(JSInterfaceJIT::Address(ARM64Registers::x2, executableOffsetToFunction));
#elif CPU(ARM) || CPU(SH4) || CPU(MIPS)
- // Load caller frame's scope chain into this callframe so that whatever we call can get to its global data.
- jit.emitGetCallerFrameFromCallFrameHeaderPtr(JSInterfaceJIT::regT2);
- jit.emitGetFromCallFrameHeaderPtr(JSStack::ScopeChain, JSInterfaceJIT::regT1, JSInterfaceJIT::regT2);
+ // Load callee's scope chain into this callframe so that whatever we call can
+ // get to its global data.
+ jit.emitGetFromCallFrameHeaderPtr(JSStack::Callee, JSInterfaceJIT::regT1);
+ jit.loadPtr(JSInterfaceJIT::Address(JSInterfaceJIT::regT1, JSCallee::offsetOfScopeChain()), JSInterfaceJIT::regT1);
jit.emitPutCellToCallFrameHeader(JSInterfaceJIT::regT1, JSStack::ScopeChain);
#if CPU(MIPS)
Modified: trunk/Source/_javascript_Core/llint/LowLevelInterpreter32_64.asm (174995 => 174996)
--- trunk/Source/_javascript_Core/llint/LowLevelInterpreter32_64.asm 2014-10-21 19:53:35 UTC (rev 174995)
+++ trunk/Source/_javascript_Core/llint/LowLevelInterpreter32_64.asm 2014-10-21 20:03:28 UTC (rev 174996)
@@ -2084,11 +2084,11 @@
functionPrologue()
storep 0, CodeBlock[cfr]
- loadp CallerFrame[cfr], t0
- loadi ScopeChain + PayloadOffset[t0], t1
+ loadi Callee + PayloadOffset[cfr], t1
+ loadi JSCallee::m_scope[t1], t0
storei CellTag, ScopeChain + TagOffset[cfr]
- storei t1, ScopeChain + PayloadOffset[cfr]
- loadi Callee + PayloadOffset[t0], t1
+ storei t0, ScopeChain + PayloadOffset[cfr]
+ // Callee is still in t1 for code below
if X86 or X86_WIN
subp 8, sp # align stack pointer
andp MarkedBlockMask, t1
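Review bot: The new comment `// Callee is still in t1 for code below` states a register-liveness contract but not who depends on it; the consumer is the `andp MarkedBlockMask, t1` VM lookup two lines down, and the intervening `subp 8, sp` must stay register-neutral for it to hold. Naming the consumer makes the invariant harder to break silently, e.g. `# Callee stays in t1: the MarkedBlockMask/VM lookup below reads it`. The neighbouring comment in this hunk uses the `#` form (`subp 8, sp # align stack pointer`); if offlineasm accepts both, as the build suggests, keeping one style in the macro is preferable. The enclosing macro starts and ends outside the hunk.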
Modified: trunk/Source/_javascript_Core/llint/LowLevelInterpreter64.asm (174995 => 174996)
--- trunk/Source/_javascript_Core/llint/LowLevelInterpreter64.asm 2014-10-21 19:53:35 UTC (rev 174995)
+++ trunk/Source/_javascript_Core/llint/LowLevelInterpreter64.asm 2014-10-21 20:03:28 UTC (rev 174996)
@@ -1918,11 +1918,11 @@
const temp = t0
end
loadp Callee[cfr], t0
- andp MarkedBlockMask, t0
- loadp MarkedBlock::m_weakSet + WeakSet::m_vm[t0], t0
- storep cfr, VM::topCallFrame[t0]
- loadp CallerFrame[cfr], t0
- loadq ScopeChain[t0], t1
+ andp MarkedBlockMask, t0, t1
+ loadp MarkedBlock::m_weakSet + WeakSet::m_vm[t1], t1
+ storep cfr, VM::topCallFrame[t1]
+ // Callee still in t0
+ loadp JSCallee::m_scope[t0], t1
storeq t1, ScopeChain[cfr]
move cfr, arg1
loadp Callee[cfr], arg2
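Review bot: The comment `// Callee still in t0` and the following `loadp JSCallee::m_scope[t0], t1` rely on t0 holding the callee, yet the context line `loadp Callee[cfr], arg2` immediately afterwards reloads the same value from the frame instead of using the live register. If `move cfr, arg1` does not alias or clobber t0 (the arg1/arg2 constants are defined above the hunk, so I cannot confirm this here), `move t0, arg2` would express exactly the liveness the comment promises and drop a redundant load. The ARM64/C_LOOP hunk introduces the same `// Callee still in t0` comment and, as far as the hunk shows, the same pattern may apply there. The enclosing macro starts and ends outside this hunk.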
@@ -1940,11 +1940,11 @@
loadp MarkedBlock::m_weakSet + WeakSet::m_vm[t3], t3
elsif ARM64 or C_LOOP
loadp Callee[cfr], t0
- andp MarkedBlockMask, t0
- loadp MarkedBlock::m_weakSet + WeakSet::m_vm[t0], t0
- storep cfr, VM::topCallFrame[t0]
- loadp CallerFrame[cfr], t2
- loadp ScopeChain[t2], t1
+ andp MarkedBlockMask, t0, t1
+ loadp MarkedBlock::m_weakSet + WeakSet::m_vm[t1], t1
+ storep cfr, VM::topCallFrame[t1]
+ // Callee still in t0
+ loadp JSCallee::m_scope[t0], t1
storep t1, ScopeChain[cfr]
preserveReturnAddressAfterCall(t3)
storep t3, ReturnPC[cfr]