Modified: trunk/LayoutTests/ChangeLog (198775 => 198776)
--- trunk/LayoutTests/ChangeLog 2016-03-29 07:27:16 UTC (rev 198775)
+++ trunk/LayoutTests/ChangeLog 2016-03-29 08:14:39 UTC (rev 198776)
@@ -1,3 +1,15 @@
+2016-03-29 Joseph Pecoraro <pecor...@apple.com>
+
+ Audit WebCore builtins for user overridable code
+ https://bugs.webkit.org/show_bug.cgi?id=155923
+
+ Reviewed by Youenn Fablet.
+
+ * fetch/builtin-overrides-expected.txt: Added.
+ * fetch/builtin-overrides.html: Added.
+ * streams/builtin-overrides-expected.txt: Added.
+ * streams/builtin-overrides.html: Added.
+
2016-03-28 Zalan Bujtas <za...@apple.com>
Pixel turds when bordered div is resized on SMF forum software.
Added: trunk/LayoutTests/fetch/builtin-overrides-expected.txt (0 => 198776)
--- trunk/LayoutTests/fetch/builtin-overrides-expected.txt (rev 0)
+++ trunk/LayoutTests/fetch/builtin-overrides-expected.txt 2016-03-29 08:14:39 UTC (rev 198776)
@@ -0,0 +1,9 @@
+This test should run without throwing an exception.
+
+On success, you will see a series of "PASS" messages, followed by "TEST COMPLETE".
+
+
+PASS successfullyParsed is true
+
+TEST COMPLETE
+
Added: trunk/LayoutTests/fetch/builtin-overrides.html (0 => 198776)
--- trunk/LayoutTests/fetch/builtin-overrides.html (rev 0)
+++ trunk/LayoutTests/fetch/builtin-overrides.html 2016-03-29 08:14:39 UTC (rev 198776)
@@ -0,0 +1,18 @@
+<!DOCTYPE HTML>
+<html>
+<head>
+<script src=""
+</head>
+<body>
+<script>
+description("This test should run without throwing an exception.");
+
+Array.prototype.forEach = function() {
+ throw "User overriden";
+};
+
+new Headers({a:1});
+</script>
+<script src=""
+</body>
+</html>
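Review bot: The test only asserts that `new Headers({a:1})` does not throw, so it would also pass if the overridden `forEach` caused initialization to silently skip the entries; asserting the result, e.g. `shouldBe('new Headers({a:1}).get("a")', '"1"')` if the included harness provides it, would pin the behavior the fix is meant to preserve. The same applies to streams/builtin-overrides.html, which could check `new CountQueuingStrategy({highWaterMark: 3}).highWaterMark` after the `Object.defineProperty` override. The override throws a bare string and misspells the word (`throw "User overriden"`); `throw new Error("User overridden")` would give a stack trace if the test ever regresses. The `<script src="">` includes appear to have lost their paths in this rendering, so which harness is loaded cannot be confirmed from the page.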
Added: trunk/LayoutTests/streams/builtin-overrides-expected.txt (0 => 198776)
--- trunk/LayoutTests/streams/builtin-overrides-expected.txt (rev 0)
+++ trunk/LayoutTests/streams/builtin-overrides-expected.txt 2016-03-29 08:14:39 UTC (rev 198776)
@@ -0,0 +1,9 @@
+This test should run without throwing an exception.
+
+On success, you will see a series of "PASS" messages, followed by "TEST COMPLETE".
+
+
+PASS successfullyParsed is true
+
+TEST COMPLETE
+
Added: trunk/LayoutTests/streams/builtin-overrides.html (0 => 198776)
--- trunk/LayoutTests/streams/builtin-overrides.html (rev 0)
+++ trunk/LayoutTests/streams/builtin-overrides.html 2016-03-29 08:14:39 UTC (rev 198776)
@@ -0,0 +1,19 @@
+<!DOCTYPE HTML>
+<html>
+<head>
+<script src=""
+</head>
+<body>
+<script>
+description("This test should run without throwing an exception.");
+
+Object.defineProperty = function() {
+ throw "User overriden";
+};
+
+new ByteLengthQueuingStrategy({});
+new CountQueuingStrategy({});
+</script>
+<script src=""
+</body>
+</html>
Modified: trunk/Source/_javascript_Core/ChangeLog (198775 => 198776)
--- trunk/Source/_javascript_Core/ChangeLog 2016-03-29 07:27:16 UTC (rev 198775)
+++ trunk/Source/_javascript_Core/ChangeLog 2016-03-29 08:14:39 UTC (rev 198776)
@@ -1,3 +1,15 @@
+2016-03-29 Joseph Pecoraro <pecor...@apple.com>
+
+ Audit WebCore builtins for user overridable code
+ https://bugs.webkit.org/show_bug.cgi?id=155923
+
+ Reviewed by Youenn Fablet.
+
+ * runtime/CommonIdentifiers.h:
+ * runtime/ObjectConstructor.cpp:
+ (JSC::ObjectConstructor::finishCreation):
+ Expose @Object.@defineProperty to built-ins.
+
2016-03-28 Benjamin Poulain <bpoul...@apple.com>
[JSC] ArithSub should not propagate "UsesAsOther"
Modified: trunk/Source/_javascript_Core/runtime/CommonIdentifiers.h (198775 => 198776)
--- trunk/Source/_javascript_Core/runtime/CommonIdentifiers.h 2016-03-29 07:27:16 UTC (rev 198775)
+++ trunk/Source/_javascript_Core/runtime/CommonIdentifiers.h 2016-03-29 08:14:39 UTC (rev 198776)
@@ -318,6 +318,7 @@
macro(isFinite) \
macro(isNaN) \
macro(create) \
+ macro(defineProperty) \
macro(getPrototypeOf) \
macro(getOwnPropertyDescriptor) \
macro(getOwnPropertyNames) \
Modified: trunk/Source/_javascript_Core/runtime/ObjectConstructor.cpp (198775 => 198776)
--- trunk/Source/_javascript_Core/runtime/ObjectConstructor.cpp 2016-03-29 07:27:16 UTC (rev 198775)
+++ trunk/Source/_javascript_Core/runtime/ObjectConstructor.cpp 2016-03-29 08:14:39 UTC (rev 198776)
@@ -100,6 +100,7 @@
putDirectWithoutTransition(vm, vm.propertyNames->length, jsNumber(1), ReadOnly | DontEnum | DontDelete);
JSC_NATIVE_FUNCTION_WITHOUT_TRANSITION(vm.propertyNames->createPrivateName, objectConstructorCreate, DontEnum, 2);
+ JSC_NATIVE_FUNCTION_WITHOUT_TRANSITION(vm.propertyNames->definePropertyPrivateName, objectConstructorDefineProperty, DontEnum, 3);
JSC_NATIVE_FUNCTION_WITHOUT_TRANSITION(vm.propertyNames->getPrototypeOfPrivateName, objectConstructorGetPrototypeOf, DontEnum, 1);
JSC_NATIVE_FUNCTION_WITHOUT_TRANSITION(vm.propertyNames->getOwnPropertyNamesPrivateName, objectConstructorGetOwnPropertyNames, DontEnum, 1);
}
Modified: trunk/Source/WebCore/ChangeLog (198775 => 198776)
--- trunk/Source/WebCore/ChangeLog 2016-03-29 07:27:16 UTC (rev 198775)
+++ trunk/Source/WebCore/ChangeLog 2016-03-29 08:14:39 UTC (rev 198776)
@@ -1,3 +1,31 @@
+2016-03-29 Joseph Pecoraro <pecor...@apple.com>
+
+ Audit WebCore builtins for user overridable code
+ https://bugs.webkit.org/show_bug.cgi?id=155923
+
+ Reviewed by Youenn Fablet.
+
+ Tests: fetch/builtin-overrides.html
+ streams/builtin-overrides.html
+
+ * Modules/fetch/FetchHeaders.js:
+ (initializeFetchHeaders):
+ Avoid using an Array.prototype.forEach that could be overriden.
+
+ * Modules/streams/ByteLengthQueuingStrategy.js:
+ (initializeByteLengthQueuingStrategy):
+ * Modules/streams/CountQueuingStrategy.js:
+ (initializeCountQueuingStrategy):
+ Use the private Object.defineProperty not one that could be overriden.
+
+ * Modules/streams/ReadableStreamInternals.js:
+ (finishClosingReadableStream):
+ Fix style.
+
+ * Modules/streams/WritableStream.js:
+ (write):
+ Fix error message to use the correct function name.
+
2016-03-28 Zalan Bujtas <za...@apple.com>
Pixel turds when bordered div is resized on SMF forum software.
Modified: trunk/Source/WebCore/Modules/fetch/FetchHeaders.js (198775 => 198776)
--- trunk/Source/WebCore/Modules/fetch/FetchHeaders.js 2016-03-29 07:27:16 UTC (rev 198775)
+++ trunk/Source/WebCore/Modules/fetch/FetchHeaders.js 2016-03-29 08:14:39 UTC (rev 198776)
@@ -51,9 +51,11 @@
return this;
}
- @Object.@getOwnPropertyNames(headersInit).forEach((name) => {
+ let propertyNames = @Object.@getOwnPropertyNames(headersInit);
+ for (let i = 0; i < propertyNames.length; ++i) {
+ let name = propertyNames[i];
this.@appendFromJS(name, headersInit[name]);
- });
+ }
return this;
}
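Review bot: The reason the `forEach` call became an index loop is not visible in the code, so a later cleanup could easily reintroduce the overridable call; a comment above `let propertyNames`, such as `// Index loop on purpose: Array.prototype.forEach is reachable from user script and may be overridden.`, would protect the fix. `propertyNames` is never reassigned, so `const propertyNames = @Object.@getOwnPropertyNames(headersInit);` matches how the stream builtins in this change declare similar locals. Note that `@getOwnPropertyNames` also returns non-enumerable own keys, which the loop appends like any other; whether that is intended is not decided by this change and is worth confirming against the Headers init conversion. The enclosing function begins before this hunk.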
Modified: trunk/Source/WebCore/Modules/streams/ByteLengthQueuingStrategy.js (198775 => 198776)
--- trunk/Source/WebCore/Modules/streams/ByteLengthQueuingStrategy.js 2016-03-29 07:27:16 UTC (rev 198775)
+++ trunk/Source/WebCore/Modules/streams/ByteLengthQueuingStrategy.js 2016-03-29 08:14:39 UTC (rev 198776)
@@ -37,7 +37,7 @@
{
"use strict";
- @Object.defineProperty(this, "highWaterMark", {
+ @Object.@defineProperty(this, "highWaterMark", {
value: parameters.highWaterMark,
configurable: true,
enumerable: true,
Modified: trunk/Source/WebCore/Modules/streams/CountQueuingStrategy.js (198775 => 198776)
--- trunk/Source/WebCore/Modules/streams/CountQueuingStrategy.js 2016-03-29 07:27:16 UTC (rev 198775)
+++ trunk/Source/WebCore/Modules/streams/CountQueuingStrategy.js 2016-03-29 08:14:39 UTC (rev 198776)
@@ -36,7 +36,7 @@
{
"use strict";
- @Object.defineProperty(this, "highWaterMark", {
+ @Object.@defineProperty(this, "highWaterMark", {
value: parameters.highWaterMark,
configurable: true,
enumerable: true,
Modified: trunk/Source/WebCore/Modules/streams/ReadableStreamInternals.js (198775 => 198776)
--- trunk/Source/WebCore/Modules/streams/ReadableStreamInternals.js 2016-03-29 07:27:16 UTC (rev 198775)
+++ trunk/Source/WebCore/Modules/streams/ReadableStreamInternals.js 2016-03-29 08:14:39 UTC (rev 198776)
@@ -279,7 +279,7 @@
{
"use strict";
- @assert(stream.@state === @streamReadable);
+ @assert(stream.@state === @streamReadable);
stream.@state = @streamClosed;
const reader = stream.@reader;
if (!reader)
Modified: trunk/Source/WebCore/Modules/streams/WritableStream.js (198775 => 198776)
--- trunk/Source/WebCore/Modules/streams/WritableStream.js 2016-03-29 07:27:16 UTC (rev 198775)
+++ trunk/Source/WebCore/Modules/streams/WritableStream.js 2016-03-29 08:14:39 UTC (rev 198776)
@@ -111,7 +111,7 @@
"use strict";
if (!@isWritableStream(this))
- return @Promise.@reject(new @TypeError("The WritableStream.close method can only be used on instances of WritableStream"));
+ return @Promise.@reject(new @TypeError("The WritableStream.write method can only be used on instances of WritableStream"));
if (this.@state === @streamClosed || this.@state === @streamClosing)
return @Promise.@reject(new @TypeError("Cannot write on a WritableString that is closed or closing"));
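Review bot: The rejection on the line after the changed one still says "WritableString" rather than "WritableStream" (`Cannot write on a WritableString that is closed or closing`); since this change is correcting the error text in `write`, fixing that typo in the same place would keep the messages consistent. The enclosing `write` function starts before this hunk.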