Commit f4f06c50 authored by cbruni's avatar cbruni Committed by Commit bot

[keys] Trigger [[getOwnPropertyDescriptor]] trap on proxies for Object.keys

This CL fixes a long-standing bug with Object.keys where the enumerability
check was omitted if the [ownKeys] trap is not present. The only distinction the
KeyAccumulator needs is whether it collects keys for for-in (is_for_in_) or not.
ForInFilter performs a separate step to filter out non-enumerable keys later-on
while in all the other use-cases we have to filter keys.

BUG=v8:1543, v8:5250

Review-Url: https://codereview.chromium.org/2176113009
Cr-Commit-Position: refs/heads/master@{#38199}
parent 5d49286c
......@@ -35,10 +35,9 @@ static bool ContainsOnlyValidKeys(Handle<FixedArray> array) {
// static
MaybeHandle<FixedArray> KeyAccumulator::GetKeys(
Handle<JSReceiver> object, KeyCollectionMode mode, PropertyFilter filter,
GetKeysConversion keys_conversion, bool filter_proxy_keys, bool is_for_in) {
GetKeysConversion keys_conversion, bool is_for_in) {
Isolate* isolate = object->GetIsolate();
FastKeyAccumulator accumulator(isolate, object, mode, filter);
accumulator.set_filter_proxy_keys(filter_proxy_keys);
accumulator.set_is_for_in(is_for_in);
return accumulator.GetKeys(keys_conversion);
}
......@@ -135,16 +134,16 @@ MaybeHandle<FixedArray> FilterProxyKeys(KeyAccumulator* accumulator,
// Returns "nothing" in case of exception, "true" on success.
Maybe<bool> KeyAccumulator::AddKeysFromJSProxy(Handle<JSProxy> proxy,
Handle<FixedArray> keys) {
if (filter_proxy_keys_) {
DCHECK(!is_for_in_);
// Postpone the enumerable check for for-in to the ForInFilter step.
if (!is_for_in_) {
ASSIGN_RETURN_ON_EXCEPTION_VALUE(
isolate_, keys, FilterProxyKeys(this, proxy, keys, filter_),
Nothing<bool>());
}
if (mode_ == KeyCollectionMode::kOwnOnly && !is_for_in_) {
// If we collect only the keys from a JSProxy do not sort or deduplicate it.
keys_ = keys;
return Just(true);
if (mode_ == KeyCollectionMode::kOwnOnly) {
// If we collect only the keys from a JSProxy do not sort or deduplicate.
keys_ = keys;
return Just(true);
}
}
AddKeys(keys, is_for_in_ ? CONVERT_TO_ARRAY_INDEX : DO_NOT_CONVERT);
return Just(true);
......@@ -444,7 +443,6 @@ MaybeHandle<FixedArray> FastKeyAccumulator::GetKeysFast(
MaybeHandle<FixedArray> FastKeyAccumulator::GetKeysSlow(
GetKeysConversion keys_conversion) {
KeyAccumulator accumulator(isolate_, mode_, filter_);
accumulator.set_filter_proxy_keys(filter_proxy_keys_);
accumulator.set_is_for_in(is_for_in_);
accumulator.set_last_non_empty_prototype(last_non_empty_prototype_);
......@@ -860,13 +858,9 @@ Maybe<bool> KeyAccumulator::CollectOwnJSProxyTargetKeys(
ASSIGN_RETURN_ON_EXCEPTION_VALUE(
isolate_, keys,
KeyAccumulator::GetKeys(target, KeyCollectionMode::kOwnOnly, filter_,
GetKeysConversion::kConvertToString,
filter_proxy_keys_, is_for_in_),
GetKeysConversion::kConvertToString, is_for_in_),
Nothing<bool>());
bool prev_filter_proxy_keys_ = filter_proxy_keys_;
filter_proxy_keys_ = false;
Maybe<bool> result = AddKeysFromJSProxy(proxy, keys);
filter_proxy_keys_ = prev_filter_proxy_keys_;
return result;
}
......
......@@ -39,7 +39,7 @@ class KeyAccumulator final BASE_EMBEDDED {
static MaybeHandle<FixedArray> GetKeys(
Handle<JSReceiver> object, KeyCollectionMode mode, PropertyFilter filter,
GetKeysConversion keys_conversion = GetKeysConversion::kKeepNumbers,
bool filter_proxy_keys = true, bool is_for_in = false);
bool is_for_in = false);
Handle<FixedArray> GetKeys(
GetKeysConversion convert = GetKeysConversion::kKeepNumbers);
......@@ -69,7 +69,6 @@ class KeyAccumulator final BASE_EMBEDDED {
// The collection mode defines whether we collect the keys from the prototype
// chain or only look at the receiver.
KeyCollectionMode mode() { return mode_; }
void set_filter_proxy_keys(bool filter) { filter_proxy_keys_ = filter; }
// In case of for-in loops we have to treat JSProxy keys differently and
// deduplicate them. Additionally we convert JSProxy keys back to array
// indices.
......@@ -108,7 +107,6 @@ class KeyAccumulator final BASE_EMBEDDED {
Handle<ObjectHashSet> shadowing_keys_;
KeyCollectionMode mode_;
PropertyFilter filter_;
bool filter_proxy_keys_ = true;
bool is_for_in_ = false;
bool skip_indices_ = false;
// For all the keys on the first receiver adding a shadowing key we can skip
......@@ -132,7 +130,6 @@ class FastKeyAccumulator {
bool is_receiver_simple_enum() { return is_receiver_simple_enum_; }
bool has_empty_prototype() { return has_empty_prototype_; }
void set_filter_proxy_keys(bool filter) { filter_proxy_keys_ = filter; }
void set_is_for_in(bool value) { is_for_in_ = value; }
MaybeHandle<FixedArray> GetKeys(
......@@ -148,7 +145,6 @@ class FastKeyAccumulator {
Handle<JSReceiver> last_non_empty_prototype_;
KeyCollectionMode mode_;
PropertyFilter filter_;
bool filter_proxy_keys_ = true;
bool is_for_in_ = false;
bool is_receiver_simple_enum_ = false;
bool has_empty_prototype_ = false;
......
......@@ -26,7 +26,6 @@ MaybeHandle<HeapObject> Enumerate(Handle<JSReceiver> receiver) {
FastKeyAccumulator accumulator(isolate, receiver,
KeyCollectionMode::kIncludePrototypes,
ENUMERABLE_STRINGS);
accumulator.set_filter_proxy_keys(false);
accumulator.set_is_for_in(true);
// Test if we have an enum cache for {receiver}.
if (!accumulator.is_receiver_simple_enum()) {
......
......@@ -2,45 +2,50 @@
// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.
var target = {
target: 1
};
target.__proto__ = {
target_proto: 2
};
(function testObjectKeys() {
var target = {
target: 1
};
target.__proto__ = {
target_proto: 2
};
var handler = {
ownKeys: function(target) {
return ["foo", "bar", Symbol("baz"), "non-enum", "not-found"];
},
getOwnPropertyDescriptor: function(target, name) {
if (name == "non-enum") return {configurable: true};
if (name == "not-found") return undefined;
return {enumerable: true, configurable: true};
var handler = {
ownKeys: function(target) {
return ["foo", "bar", Symbol("baz"), "non-enum", "not-found"];
},
getOwnPropertyDescriptor: function(target, name) {
if (name == "non-enum") return {configurable: true};
if (name == "not-found") return undefined;
return {enumerable: true, configurable: true};
}
}
}
var proxy = new Proxy(target, handler);
var proxy = new Proxy(target, handler);
// Object.keys() ignores symbols and non-enumerable keys.
assertEquals(["foo", "bar"], Object.keys(proxy));
// Object.keys() ignores symbols and non-enumerable keys.
assertEquals(["foo", "bar"], Object.keys(proxy));
// Edge case: no properties left after filtering.
handler.getOwnPropertyDescriptor = undefined;
assertEquals([], Object.keys(proxy));
// Edge case: no properties left after filtering.
handler.getOwnPropertyDescriptor = undefined;
assertEquals([], Object.keys(proxy));
// Throwing shouldn't crash.
handler.getOwnPropertyDescriptor = function() { throw new Number(1); };
assertThrows("Object.keys(proxy)", Number);
// Throwing shouldn't crash.
handler.getOwnPropertyDescriptor = function() { throw new Number(1); };
assertThrows(() => Object.keys(proxy), Number);
// Fall through to target if there is no trap.
handler.ownKeys = undefined;
assertEquals(["target"], Object.keys(proxy));
assertEquals(["target"], Object.keys(target));
// Fall through to getOwnPropertyDescriptor if there is no trap.
handler.ownKeys = undefined;
assertThrows(() => Object.keys(proxy), Number);
var proxy2 = new Proxy(proxy, {});
assertEquals(["target"], Object.keys(proxy2));
// Fall through to target if there is no trap.
handler.getOwnPropertyDescriptor = undefined;
assertEquals(["target"], Object.keys(proxy));
assertEquals(["target"], Object.keys(target));
var proxy2 = new Proxy(proxy, {});
assertEquals(["target"], Object.keys(proxy2));
})();
(function testForSymbols() {
var symbol = Symbol();
......
Markdown is supported
0% or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment