Commit 275a27d6 authored by erik.corry@gmail.com's avatar erik.corry@gmail.com

Fix Chromium bug 1717 by emulating JSCs somewhat strange hidden

prototypes on some built in types.
Review URL: http://codereview.chromium.org/109004

git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@1882 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
parent 1a5c6cfa
......@@ -1005,7 +1005,6 @@ function UpdateFunctionLengths(lengths) {
// -------------------------------------------------------------------
function SetupArray() {
// Setup non-enumerable constructor property on the Array.prototype
// object.
......@@ -1013,7 +1012,7 @@ function SetupArray() {
// Setup non-enumerable functions of the Array.prototype object and
// set their names.
InstallFunctions($Array.prototype, DONT_ENUM, $Array(
InstallFunctionsOnHiddenPrototype($Array.prototype, DONT_ENUM, $Array(
"toString", ArrayToString,
"toLocaleString", ArrayToLocaleString,
"join", ArrayJoin,
......@@ -1034,8 +1033,7 @@ function SetupArray() {
"indexOf", ArrayIndexOf,
"lastIndexOf", ArrayLastIndexOf,
"reduce", ArrayReduce,
"reduceRight", ArrayReduceRight
));
"reduceRight", ArrayReduceRight));
// Manipulate the length of some of the functions to meet
// expectations set by ECMA-262 or Mozilla.
......
......@@ -1481,11 +1481,15 @@ void Genesis::BuildSpecialFunctionTable() {
Handle<JSFunction> function =
Handle<JSFunction>(
JSFunction::cast(global->GetProperty(Heap::Array_symbol())));
Handle<JSObject> prototype =
Handle<JSObject> hidden_prototype =
Handle<JSObject>(JSObject::cast(function->prototype()));
AddSpecialFunction(prototype, "pop",
ASSERT(hidden_prototype->map()->is_hidden_prototype());
// Remember to skip the hidden prototype:
Handle<JSObject> real_prototype =
Handle<JSObject>(JSObject::cast(hidden_prototype->GetPrototype()));
AddSpecialFunction(real_prototype, "pop",
Handle<Code>(Builtins::builtin(Builtins::ArrayPop)));
AddSpecialFunction(prototype, "push",
AddSpecialFunction(real_prototype, "push",
Handle<Code>(Builtins::builtin(Builtins::ArrayPush)));
}
......
......@@ -1019,7 +1019,7 @@ function SetupDate() {
// Setup non-enumerable functions of the Date prototype object and
// set their names.
InstallFunctions($Date.prototype, DONT_ENUM, $Array(
InstallFunctionsOnHiddenPrototype($Date.prototype, DONT_ENUM, $Array(
"toString", DateToString,
"toDateString", DateToDateString,
"toTimeString", DateToTimeString,
......
......@@ -164,7 +164,7 @@ function SetupMath() {
// Setup non-enumerable functions of the Math object and
// set their names.
InstallFunctions($Math, DONT_ENUM, $Array(
InstallFunctionsOnHiddenPrototype($Math, DONT_ENUM, $Array(
"random", MathRandom,
"abs", MathAbs,
"acos", MathAcos,
......
......@@ -474,6 +474,42 @@ static Object* Runtime_IsInPrototypeChain(Arguments args) {
}
// Inserts an object as the hidden prototype of another object.
static Object* Runtime_SetHiddenPrototype(Arguments args) {
NoHandleAllocation ha;
ASSERT(args.length() == 2);
CONVERT_CHECKED(JSObject, jsobject, args[0]);
CONVERT_CHECKED(JSObject, proto, args[1]);
// Sanity checks. The old prototype (that we are replacing) could
// theoretically be null, but if it is not null then check that we
// didn't already install a hidden prototype here.
RUNTIME_ASSERT(!jsobject->GetPrototype()->IsHeapObject() ||
!HeapObject::cast(jsobject->GetPrototype())->map()->is_hidden_prototype());
RUNTIME_ASSERT(!proto->map()->is_hidden_prototype());
// Allocate up front before we start altering state in case we get a GC.
Object* map_or_failure = proto->map()->CopyDropTransitions();
if (map_or_failure->IsFailure()) return map_or_failure;
Map* new_proto_map = Map::cast(map_or_failure);
map_or_failure = jsobject->map()->CopyDropTransitions();
if (map_or_failure->IsFailure()) return map_or_failure;
Map* new_map = Map::cast(map_or_failure);
// Set proto's prototype to be the old prototype of the object.
new_proto_map->set_prototype(jsobject->GetPrototype());
proto->set_map(new_proto_map);
new_proto_map->set_is_hidden_prototype();
// Set the object's prototype to proto.
new_map->set_prototype(proto);
jsobject->set_map(new_map);
return Heap::undefined_value();
}
static Object* Runtime_IsConstructCall(Arguments args) {
NoHandleAllocation ha;
ASSERT(args.length() == 0);
......@@ -2796,20 +2832,24 @@ static Object* Runtime_DeleteProperty(Arguments args) {
}
static Object* Runtime_HasLocalProperty(Arguments args) {
NoHandleAllocation ha;
ASSERT(args.length() == 2);
CONVERT_CHECKED(String, key, args[1]);
static Object* HasLocalPropertyImplementation(Object* obj, String* key) {
// Only JS objects can have properties.
if (args[0]->IsJSObject()) {
JSObject* object = JSObject::cast(args[0]);
if (obj->IsJSObject()) {
JSObject* object = JSObject::cast(obj);
if (object->HasLocalProperty(key)) return Heap::true_value();
} else if (args[0]->IsString()) {
// Handle hidden prototypes. If there's a hidden prototype above this thing
// then we have to check it for properties, because they are supposed to
// look like they are on this object.
Object* proto = object->GetPrototype();
if (proto->IsJSObject() &&
JSObject::cast(proto)->map()->is_hidden_prototype()) {
return HasLocalPropertyImplementation(object->GetPrototype(), key);
}
} else if (obj->IsString()) {
// Well, there is one exception: Handle [] on strings.
uint32_t index;
if (key->AsArrayIndex(&index)) {
String* string = String::cast(args[0]);
String* string = String::cast(obj);
if (index < static_cast<uint32_t>(string->length()))
return Heap::true_value();
}
......@@ -2818,6 +2858,15 @@ static Object* Runtime_HasLocalProperty(Arguments args) {
}
static Object* Runtime_HasLocalProperty(Arguments args) {
NoHandleAllocation ha;
ASSERT(args.length() == 2);
CONVERT_CHECKED(String, key, args[1]);
return HasLocalPropertyImplementation(args[0], key);
}
static Object* Runtime_HasProperty(Arguments args) {
NoHandleAllocation na;
ASSERT(args.length() == 2);
......
......@@ -53,6 +53,7 @@ namespace v8 { namespace internal {
F(ToSlowProperties, 1) \
\
F(IsInPrototypeChain, 2) \
F(SetHiddenPrototype, 2) \
\
F(IsConstructCall, 0) \
\
......
......@@ -831,7 +831,7 @@ function SetupString() {
// Setup the non-enumerable functions on the String prototype object.
InstallFunctions($String.prototype, DONT_ENUM, $Array(
InstallFunctionsOnHiddenPrototype($String.prototype, DONT_ENUM, $Array(
"valueOf", StringValueOf,
"toString", StringToString,
"charAt", StringCharAt,
......
// Copyright 2009 the V8 project authors. All rights reserved.
// Redistribution and use in source and binary forms, with or without
// modification, are permitted provided that the following conditions are
// met:
//
// * Redistributions of source code must retain the above copyright
// notice, this list of conditions and the following disclaimer.
// * Redistributions in binary form must reproduce the above
// copyright notice, this list of conditions and the following
// disclaimer in the documentation and/or other materials provided
// with the distribution.
// * Neither the name of Google Inc. nor the names of its
// contributors may be used to endorse or promote products derived
// from this software without specific prior written permission.
//
// THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
// "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
// LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR
// A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT
// OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
// SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT
// LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
// DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
// THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
// (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
// OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
// Test that we match JSC in making some functions undeletable.
// See http://code.google.com/p/chromium/issues/detail?id=1717
// The functions on these prototypes are not just undeletable. It is
// possible to override them with new definitions, then get the old
// version back by deleting the new definition.
var array;
array = [
"toString", "toLocaleString", "join", "pop", "push", "concat", "reverse",
"shift", "unshift", "slice", "splice", "sort", "filter", "forEach", "some",
"every", "map", "indexOf", "lastIndexOf", "reduce", "reduceRight"];
CheckJSCSemantics(Array.prototype, array, "Array prototype");
array = [
"toString", "toDateString", "toTimeString", "toLocaleString",
"toLocaleDateString", "toLocaleTimeString", "valueOf", "getTime",
"getFullYear", "getUTCFullYear", "getMonth", "getUTCMonth", "getDate",
"getUTCDate", "getDay", "getUTCDay", "getHours", "getUTCHours", "getMinutes",
"getUTCMinutes", "getSeconds", "getUTCSeconds", "getMilliseconds",
"getUTCMilliseconds", "getTimezoneOffset", "setTime", "setMilliseconds",
"setUTCMilliseconds", "setSeconds", "setUTCSeconds", "setMinutes",
"setUTCMinutes", "setHours", "setUTCHours", "setDate", "setUTCDate",
"setMonth", "setUTCMonth", "setFullYear", "setUTCFullYear", "toGMTString",
"toUTCString", "getYear", "setYear", "toISOString", "toJSON"];
CheckJSCSemantics(Date.prototype, array, "Date prototype");
array = [
"random", "abs", "acos", "asin", "atan", "ceil", "cos", "exp", "floor", "log",
"round", "sin", "sqrt", "tan", "atan2", "pow", "max", "min"];
CheckJSCSemantics(Math, array, "Math1");
CheckEcmaSemantics(Date, ["UTC", "parse", "now"], "Date");
array = [
"E", "LN10", "LN2", "LOG2E", "LOG10E", "PI", "SQRT1_2", "SQRT2"];
CheckDontDelete(Math, array, "Math2");
array = [
"escape", "unescape", "decodeURI", "decodeURIComponent", "encodeURI",
"encodeURIComponent", "isNaN", "isFinite", "parseInt", "parseFloat", "eval",
"execScript"];
CheckEcmaSemantics(this, array, "Global");
CheckReadOnlyAttr(this, "Infinity");
array = ["exec", "test", "toString", "compile"];
CheckEcmaSemantics(RegExp.prototype, array, "RegExp prototype");
array = [
"toString", "toLocaleString", "valueOf", "hasOwnProperty",
"isPrototypeOf", "propertyIsEnumerable", "__defineGetter__",
"__lookupGetter__", "__defineSetter__", "__lookupSetter__"];
CheckEcmaSemantics(Object.prototype, array, "Object prototype");
array = [
"toString", "valueOf", "toJSON"];
CheckEcmaSemantics(Boolean.prototype, array, "Boolean prototype");
array = [
"toString", "toLocaleString", "valueOf", "toFixed", "toExponential",
"toPrecision", "toJSON"];
CheckEcmaSemantics(Number.prototype, array, "Number prototype");
CheckEcmaSemantics(Function.prototype, ["toString"], "Function prototype");
CheckEcmaSemantics(Date.prototype, ["constructor"], "Date prototype constructor");
array = [
"charAt", "charCodeAt", "concat", "indexOf",
"lastIndexOf", "localeCompare", "match", "replace", "search", "slice",
"split", "substring", "substr", "toLowerCase", "toLocaleLowerCase",
"toUpperCase", "toLocaleUpperCase", "link", "anchor", "fontcolor", "fontsize",
"big", "blink", "bold", "fixed", "italics", "small", "strike", "sub", "sup",
"toJSON", "toString", "valueOf"];
CheckJSCSemantics(String.prototype, array, "String prototype");
CheckEcmaSemantics(String, ["fromCharCode"], "String");
function CheckEcmaSemantics(type, props, name) {
print(name);
for (var i = 0; i < props.length; i++) {
CheckDeletable(type, props[i]);
}
}
function CheckJSCSemantics(type, props, name) {
print(name);
for (var i = 0; i < props.length; i++) {
CheckNotDeletable(type, props[i]);
}
}
function CheckDontDelete(type, props, name) {
print(name);
for (var i = 0; i < props.length; i++) {
CheckDontDeleteAttr(type, props[i]);
}
}
function CheckDeletable(type, prop) {
var old = type[prop];
var hasOwnProperty = Object.prototype.hasOwnProperty;
if (!type[prop]) return;
assertTrue(type.hasOwnProperty(prop), "inherited: " + prop);
var deleted = delete type[prop];
assertTrue(deleted, "delete operator returned false: " + prop);
assertFalse(hasOwnProperty.call(type, prop), "still there after delete: " + prop);
type[prop] = "foo";
assertEquals("foo", type[prop], "not overwritable: " + prop);
type[prop] = old;
}
function CheckNotDeletable(type, prop) {
var old = type[prop];
if (!type[prop]) return;
assertTrue(type.hasOwnProperty(prop), "inherited: " + prop);
var deleted = delete type[prop];
assertTrue(deleted, "delete operator returned false: " + prop);
assertTrue(type.hasOwnProperty(prop), "not there after delete: " + prop);
type[prop] = "foo";
assertEquals("foo", type[prop], "not overwritable: " + prop);
deleted = delete type[prop];
assertTrue(deleted, "delete operator returned false 2nd time: " + prop);
assertEquals(old.toString(), type[prop].toString(), "delete didn't restore the old value: " + prop);
}
function CheckDontDeleteAttr(type, prop) {
var old = type[prop];
if (!type[prop]) return;
assertTrue(type.hasOwnProperty(prop), "inherited: " + prop);
var deleted = delete type[prop];
assertFalse(deleted, "delete operator returned true: " + prop);
assertTrue(type.hasOwnProperty(prop), "not there after delete: " + prop);
type[prop] = "foo";
assertFalse("foo" == type[prop], "overwritable: " + prop);
}
function CheckReadOnlyAttr(type, prop) {
var old = type[prop];
if (!type[prop]) return;
assertTrue(type.hasOwnProperty(prop), "inherited: " + prop);
var deleted = delete type[prop];
assertFalse(deleted, "delete operator returned true: " + prop);
assertTrue(type.hasOwnProperty(prop), "not there after delete: " + prop);
type[prop] = "foo";
assertEquals("foo", type[prop], "overwritable: " + prop);
}
print("OK");
Markdown is supported
0% or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment