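--- a/JSTests/ChangeLog
+++ b/JSTests/ChangeLog
@@ -1,3 +1,12 @@
+2019-04-09  Robin Morisset  <rmorisset@apple.com>
+
+        All prototypes should call didBecomePrototype()
+        https://bugs.webkit.org/show_bug.cgi?id=196315
+
+        Reviewed by Saam Barati.
+
+        * stress/function-prototype-indexed-accessor.js: Added.
+
 2019-04-09  Saam barati  <sbarati@apple.com>
 
         Clean up Int52 code and some bugs in it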
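--- a/JSTests/stress/function-prototype-indexed-accessor.js
+++ b/JSTests/stress/function-prototype-indexed-accessor.js
@@ -0,0 +1,3 @@
+Function[0] = 0;
+Object.defineProperty(Function.__proto__, '42', { set: ()=>{} });
+Function[1000] = 0;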
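Review bot: The new test never checks that the accessor it installs is honored, so in a release build it passes whenever nothing crashes, and only the debug ASSERT this patch adds in Structure.h can catch a regression. Making the setter record that it ran and then storing through the index it guards turns the file into a functional check that fails on its own in any build; the existing stores stay as they are.
```javascript
let hit = false;
Function[0] = 0;
Object.defineProperty(Function.__proto__, '42', { set: () => { hit = true; } });
Function[42] = 0;
if (!hit)
    throw new Error("indexed setter on Function.prototype was not invoked");
Function[1000] = 0;
```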
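--- a/Source/JavaScriptCore/ChangeLog
+++ b/Source/JavaScriptCore/ChangeLog
@@ -1,3 +1,80 @@
+2019-04-09  Robin Morisset  <rmorisset@apple.com>
+
+        All prototypes should call didBecomePrototype()
+        https://bugs.webkit.org/show_bug.cgi?id=196315
+
+        Reviewed by Saam Barati.
+
+        Otherwise we won't remember to run haveABadTime() when someone adds to them an indexed accessor.
+
+        I added a check used in both Structure::finishCreation() and Structure::changePrototypeTransition to make sure we don't
+        create structures with invalid prototypes.
+        It found a lot of objects that are used as prototypes in JSGlobalObject and yet were missing didBecomePrototype() in their finishCreation().
+        Somewhat surprisingly, some of them have names like FunctionConstructor and not only FooPrototype.
+
+        * runtime/BigIntPrototype.cpp:
+        (JSC::BigIntPrototype::finishCreation):
+        * runtime/BooleanPrototype.cpp:
+        (JSC::BooleanPrototype::finishCreation):
+        * runtime/DatePrototype.cpp:
+        (JSC::DatePrototype::finishCreation):
+        * runtime/ErrorConstructor.cpp:
+        (JSC::ErrorConstructor::finishCreation):
+        * runtime/ErrorPrototype.cpp:
+        (JSC::ErrorPrototype::finishCreation):
+        * runtime/FunctionConstructor.cpp:
+        (JSC::FunctionConstructor::finishCreation):
+        * runtime/FunctionPrototype.cpp:
+        (JSC::FunctionPrototype::finishCreation):
+        * runtime/IntlCollatorPrototype.cpp:
+        (JSC::IntlCollatorPrototype::finishCreation):
+        * runtime/IntlDateTimeFormatPrototype.cpp:
+        (JSC::IntlDateTimeFormatPrototype::finishCreation):
+        * runtime/IntlNumberFormatPrototype.cpp:
+        (JSC::IntlNumberFormatPrototype::finishCreation):
+        * runtime/IntlPluralRulesPrototype.cpp:
+        (JSC::IntlPluralRulesPrototype::finishCreation):
+        * runtime/JSArrayBufferPrototype.cpp:
+        (JSC::JSArrayBufferPrototype::finishCreation):
+        * runtime/JSDataViewPrototype.cpp:
+        (JSC::JSDataViewPrototype::finishCreation):
+        * runtime/JSGenericTypedArrayViewPrototypeInlines.h:
+        (JSC::JSGenericTypedArrayViewPrototype<ViewClass>::finishCreation):
+        * runtime/JSPromisePrototype.cpp:
+        (JSC::JSPromisePrototype::finishCreation):
+        * runtime/JSTypedArrayViewConstructor.cpp:
+        (JSC::JSTypedArrayViewConstructor::finishCreation):
+        * runtime/JSTypedArrayViewPrototype.cpp:
+        (JSC::JSTypedArrayViewPrototype::finishCreation):
+        * runtime/NumberPrototype.cpp:
+        (JSC::NumberPrototype::finishCreation):
+        * runtime/RegExpPrototype.cpp:
+        (JSC::RegExpPrototype::finishCreation):
+        * runtime/StringPrototype.cpp:
+        (JSC::StringPrototype::finishCreation):
+        * runtime/Structure.cpp:
+        (JSC::Structure::isValidPrototype):
+        (JSC::Structure::changePrototypeTransition):
+        * runtime/Structure.h:
+        * runtime/SymbolPrototype.cpp:
+        (JSC::SymbolPrototype::finishCreation):
+        * wasm/js/WebAssemblyCompileErrorPrototype.cpp:
+        (JSC::WebAssemblyCompileErrorPrototype::finishCreation):
+        * wasm/js/WebAssemblyInstancePrototype.cpp:
+        (JSC::WebAssemblyInstancePrototype::finishCreation):
+        * wasm/js/WebAssemblyLinkErrorPrototype.cpp:
+        (JSC::WebAssemblyLinkErrorPrototype::finishCreation):
+        * wasm/js/WebAssemblyMemoryPrototype.cpp:
+        (JSC::WebAssemblyMemoryPrototype::finishCreation):
+        * wasm/js/WebAssemblyModulePrototype.cpp:
+        (JSC::WebAssemblyModulePrototype::finishCreation):
+        * wasm/js/WebAssemblyPrototype.cpp:
+        (JSC::WebAssemblyPrototype::finishCreation):
+        * wasm/js/WebAssemblyRuntimeErrorPrototype.cpp:
+        (JSC::WebAssemblyRuntimeErrorPrototype::finishCreation):
+        * wasm/js/WebAssemblyTablePrototype.cpp:
+        (JSC::WebAssemblyTablePrototype::finishCreation):
+
 2019-04-09  Don Olmstead  <don.olmstead@sony.com>
 
         [CMake] Apple builds should use ICU_INCLUDE_DIRS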
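--- a/Source/JavaScriptCore/runtime/BigIntPrototype.cpp
+++ b/Source/JavaScriptCore/runtime/BigIntPrototype.cpp
@@ -72,6 +72,7 @@ void BigIntPrototype::finishCreation(VM& vm, JSGlobalObject*)
     Base::finishCreation(vm);
     ASSERT(inherits(vm, info()));
     putDirectWithoutTransition(vm, vm.propertyNames->toStringTagSymbol, jsString(&vm, "BigInt"), PropertyAttribute::DontEnum | PropertyAttribute::ReadOnly);
+    didBecomePrototype();
 }
 
 // ------------------------------ Functions ---------------------------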
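--- a/Source/JavaScriptCore/runtime/BooleanPrototype.cpp
+++ b/Source/JavaScriptCore/runtime/BooleanPrototype.cpp
@@ -59,6 +59,7 @@ void BooleanPrototype::finishCreation(VM& vm, JSGlobalObject*)
 {
     Base::finishCreation(vm);
     setInternalValue(vm, jsBoolean(false));
+    didBecomePrototype();
 
     ASSERT(inherits(vm, info()));
 }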
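Review bot: Style: here `didBecomePrototype();` is inserted before the blank line and the `ASSERT(inherits(vm, info()));`, whereas the other finishCreation bodies in this patch that carry the same assert (BigIntPrototype.cpp, NumberPrototype.cpp, WebAssemblyMemoryPrototype.cpp) make the call the last statement before the closing brace. Moving it after the ASSERT keeps the pattern uniform and easy to audit with a grep for the call as the final line of every prototype's finishCreation.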
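--- a/Source/JavaScriptCore/runtime/DatePrototype.cpp
+++ b/Source/JavaScriptCore/runtime/DatePrototype.cpp
@@ -515,6 +515,7 @@ void DatePrototype::finishCreation(VM& vm, JSGlobalObject* globalObject)
 
     JSFunction* toPrimitiveFunction = JSFunction::create(vm, globalObject, 1, "[Symbol.toPrimitive]"_s, dateProtoFuncToPrimitiveSymbol, NoIntrinsic);
     putDirectWithoutTransition(vm, vm.propertyNames->toPrimitiveSymbol, toPrimitiveFunction, PropertyAttribute::DontEnum | PropertyAttribute::ReadOnly);
+    didBecomePrototype();
 
     // The constructor will be added later, after DateConstructor has been built.
 }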
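--- a/Source/JavaScriptCore/runtime/ErrorConstructor.cpp
+++ b/Source/JavaScriptCore/runtime/ErrorConstructor.cpp
@@ -48,6 +48,7 @@ void ErrorConstructor::finishCreation(VM& vm, ErrorPrototype* errorPrototype)
     putDirectWithoutTransition(vm, vm.propertyNames->prototype, errorPrototype, PropertyAttribute::DontEnum | PropertyAttribute::DontDelete | PropertyAttribute::ReadOnly);
     putDirectWithoutTransition(vm, vm.propertyNames->length, jsNumber(1), PropertyAttribute::DontEnum | PropertyAttribute::ReadOnly);
     putDirectWithoutTransition(vm, vm.propertyNames->stackTraceLimit, jsNumber(globalObject(vm)->stackTraceLimit().valueOr(Options::defaultErrorStackTraceLimit())), static_cast<unsigned>(PropertyAttribute::None));
+    didBecomePrototype();
 }
 
 // ECMA 15.9.3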
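Review bot: Calling `didBecomePrototype()` on a constructor reads as a mistake to anyone who has not read the ChangeLog, and the hunk gives no hint why it is here; presumably ErrorConstructor serves as the [[Prototype]] of other constructors set up in JSGlobalObject, but that is not visible in this file. A one-line why-comment on the added line would prevent a future cleanup from removing it: `// ErrorConstructor is itself used as a prototype (see JSGlobalObject), so it must be flagged like any other prototype object.` The same applies to the additions in FunctionConstructor.cpp and JSTypedArrayViewConstructor.cpp in this patch.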
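--- a/Source/JavaScriptCore/runtime/ErrorPrototype.cpp
+++ b/Source/JavaScriptCore/runtime/ErrorPrototype.cpp
@@ -66,6 +66,7 @@ void ErrorPrototype::finishCreation(VM& vm, const String& name)
     ASSERT(inherits(vm, info()));
     putDirectWithoutTransition(vm, vm.propertyNames->name, jsString(&vm, name), static_cast<unsigned>(PropertyAttribute::DontEnum));
     putDirectWithoutTransition(vm, vm.propertyNames->message, jsEmptyString(&vm), static_cast<unsigned>(PropertyAttribute::DontEnum));
+    didBecomePrototype();
 }
 
 // ------------------------------ Functions ---------------------------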
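--- a/Source/JavaScriptCore/runtime/FunctionConstructor.cpp
+++ b/Source/JavaScriptCore/runtime/FunctionConstructor.cpp
@@ -61,6 +61,7 @@
     Base::finishCreation(vm, vm.propertyNames->Function.string(), NameVisibility::Visible, NameAdditionMode::WithoutStructureTransition);
     putDirectWithoutTransition(vm, vm.propertyNames->prototype, functionPrototype, PropertyAttribute::DontEnum | PropertyAttribute::DontDelete | PropertyAttribute::ReadOnly);
     putDirectWithoutTransition(vm, vm.propertyNames->length, jsNumber(1), PropertyAttribute::ReadOnly | PropertyAttribute::DontEnum);
+    didBecomePrototype();
 }
 
 // ECMA 15.3.2 The Function Constructor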
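--- a/Source/JavaScriptCore/runtime/FunctionPrototype.cpp
+++ b/Source/JavaScriptCore/runtime/FunctionPrototype.cpp
@@ -54,6 +54,7 @@ void FunctionPrototype::finishCreation(VM& vm, const String& name)
 {
     Base::finishCreation(vm, name, NameVisibility::Visible, NameAdditionMode::WithoutStructureTransition);
     putDirectWithoutTransition(vm, vm.propertyNames->length, jsNumber(0), PropertyAttribute::DontDelete | PropertyAttribute::ReadOnly | PropertyAttribute::DontEnum);
+    didBecomePrototype();
 }
 
 void FunctionPrototype::addFunctionProperties(VM& vm, JSGlobalObject* globalObject, JSFunction** callFunction, JSFunction** applyFunction, JSFunction** hasInstanceSymbolFunction)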
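--- a/Source/JavaScriptCore/runtime/IntlCollatorPrototype.cpp
+++ b/Source/JavaScriptCore/runtime/IntlCollatorPrototype.cpp
@@ -76,6 +76,7 @@ void IntlCollatorPrototype::finishCreation(VM& vm)
     Base::finishCreation(vm);
 
     putDirectWithoutTransition(vm, vm.propertyNames->toStringTagSymbol, jsString(&vm, "Object"), PropertyAttribute::DontEnum | PropertyAttribute::ReadOnly);
+    didBecomePrototype();
 }
 
 static EncodedJSValue JSC_HOST_CALL IntlCollatorFuncCompare(ExecState* state)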
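--- a/Source/JavaScriptCore/runtime/IntlDateTimeFormatPrototype.cpp
+++ b/Source/JavaScriptCore/runtime/IntlDateTimeFormatPrototype.cpp
@@ -90,6 +90,7 @@
 #endif
 
     putDirectWithoutTransition(vm, vm.propertyNames->toStringTagSymbol, jsString(&vm, "Object"), PropertyAttribute::DontEnum | PropertyAttribute::ReadOnly);
+    didBecomePrototype();
 }
 
 static EncodedJSValue JSC_HOST_CALL IntlDateTimeFormatFuncFormatDateTime(ExecState* state)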
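--- a/Source/JavaScriptCore/runtime/IntlNumberFormatPrototype.cpp
+++ b/Source/JavaScriptCore/runtime/IntlNumberFormatPrototype.cpp
@@ -88,6 +88,7 @@
 #endif
 
     putDirectWithoutTransition(vm, vm.propertyNames->toStringTagSymbol, jsString(&vm, "Object"), PropertyAttribute::DontEnum | PropertyAttribute::ReadOnly);
+    didBecomePrototype();
 }
 
 static EncodedJSValue JSC_HOST_CALL IntlNumberFormatFuncFormatNumber(ExecState* state)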
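--- a/Source/JavaScriptCore/runtime/IntlPluralRulesPrototype.cpp
+++ b/Source/JavaScriptCore/runtime/IntlPluralRulesPrototype.cpp
@@ -75,6 +75,7 @@ void IntlPluralRulesPrototype::finishCreation(VM& vm, Structure*)
     Base::finishCreation(vm);
 
     putDirectWithoutTransition(vm, vm.propertyNames->toStringTagSymbol, jsString(&vm, "Object"), PropertyAttribute::DontEnum | PropertyAttribute::ReadOnly);
+    didBecomePrototype();
 }
 
 EncodedJSValue JSC_HOST_CALL IntlPluralRulesPrototypeFuncSelect(ExecState* state)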
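--- a/Source/JavaScriptCore/runtime/JSArrayBufferPrototype.cpp
+++ b/Source/JavaScriptCore/runtime/JSArrayBufferPrototype.cpp
@@ -121,6 +121,7 @@
         JSC_NATIVE_GETTER_WITHOUT_TRANSITION(vm.propertyNames->byteLength, arrayBufferProtoGetterFuncByteLength, PropertyAttribute::DontEnum | PropertyAttribute::ReadOnly);
     else
         JSC_NATIVE_GETTER_WITHOUT_TRANSITION(vm.propertyNames->byteLength, sharedArrayBufferProtoGetterFuncByteLength, PropertyAttribute::DontEnum | PropertyAttribute::ReadOnly);
+    didBecomePrototype();
 }
 
 JSArrayBufferPrototype* JSArrayBufferPrototype::create(VM& vm, JSGlobalObject* globalObject, Structure* structure, ArrayBufferSharingMode sharingMode)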
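--- a/Source/JavaScriptCore/runtime/JSDataViewPrototype.cpp
+++ b/Source/JavaScriptCore/runtime/JSDataViewPrototype.cpp
@@ -110,6 +110,7 @@ void JSDataViewPrototype::finishCreation(JSC::VM& vm)
 {
     Base::finishCreation(vm);
     putDirectWithoutTransition(vm, vm.propertyNames->toStringTagSymbol, jsString(&vm, "DataView"), PropertyAttribute::DontEnum | PropertyAttribute::ReadOnly);
+    didBecomePrototype();
 }
 
 Structure* JSDataViewPrototype::createStructure(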
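--- a/Source/JavaScriptCore/runtime/JSGenericTypedArrayViewPrototypeInlines.h
+++ b/Source/JavaScriptCore/runtime/JSGenericTypedArrayViewPrototypeInlines.h
@@ -45,6 +45,7 @@ void JSGenericTypedArrayViewPrototype<ViewClass>::finishCreation(
 
     putDirect(vm, vm.propertyNames->BYTES_PER_ELEMENT, jsNumber(ViewClass::elementSize), PropertyAttribute::DontEnum | PropertyAttribute::ReadOnly | PropertyAttribute::DontDelete);
 
+    didBecomePrototype();
 }
 
 template<typename ViewClass>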
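--- a/Source/JavaScriptCore/runtime/JSPromisePrototype.cpp
+++ b/Source/JavaScriptCore/runtime/JSPromisePrototype.cpp
@@ -77,6 +77,7 @@ void JSPromisePrototype::finishCreation(VM& vm, Structure*)
 {
     Base::finishCreation(vm);
     putDirectWithoutTransition(vm, vm.propertyNames->toStringTagSymbol, jsString(&vm, "Promise"), PropertyAttribute::DontEnum | PropertyAttribute::ReadOnly);
+    didBecomePrototype();
 }
 
 void JSPromisePrototype::addOwnInternalSlots(VM& vm, JSGlobalObject* globalObject)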
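--- a/Source/JavaScriptCore/runtime/JSTypedArrayViewConstructor.cpp
+++ b/Source/JavaScriptCore/runtime/JSTypedArrayViewConstructor.cpp
@@ -55,6 +55,8 @@
 
     JSC_BUILTIN_FUNCTION_WITHOUT_TRANSITION(vm.propertyNames->of, typedArrayConstructorOfCodeGenerator, static_cast<unsigned>(PropertyAttribute::DontEnum));
     JSC_BUILTIN_FUNCTION_WITHOUT_TRANSITION(vm.propertyNames->from, typedArrayConstructorFromCodeGenerator, static_cast<unsigned>(PropertyAttribute::DontEnum));
+
+    didBecomePrototype();
 }
 
 Structure* JSTypedArrayViewConstructor::createStructure(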
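--- a/Source/JavaScriptCore/runtime/JSTypedArrayViewPrototype.cpp
+++ b/Source/JavaScriptCore/runtime/JSTypedArrayViewPrototype.cpp
@@ -334,6 +334,7 @@
     putDirectWithoutTransition(vm, vm.propertyNames->builtinNames().valuesPublicName(), valuesFunction, static_cast<unsigned>(PropertyAttribute::DontEnum));
     putDirectWithoutTransition(vm, vm.propertyNames->iteratorSymbol, valuesFunction, static_cast<unsigned>(PropertyAttribute::DontEnum));
 
+    didBecomePrototype();
 }
 
 JSTypedArrayViewPrototype* JSTypedArrayViewPrototype::create(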
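--- a/Source/JavaScriptCore/runtime/NumberPrototype.cpp
+++ b/Source/JavaScriptCore/runtime/NumberPrototype.cpp
@@ -82,6 +82,7 @@ void NumberPrototype::finishCreation(VM& vm, JSGlobalObject* globalObject)
 
     JSC_NATIVE_INTRINSIC_FUNCTION_WITHOUT_TRANSITION(vm.propertyNames->toString, numberProtoFuncToString, static_cast<unsigned>(PropertyAttribute::DontEnum), 1, NumberPrototypeToStringIntrinsic);
     ASSERT(inherits(vm, info()));
+    didBecomePrototype();
 }
 
 // ------------------------------ Functions ---------------------------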
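--- a/Source/JavaScriptCore/runtime/RegExpPrototype.cpp
+++ b/Source/JavaScriptCore/runtime/RegExpPrototype.cpp
@@ -81,6 +81,8 @@ void RegExpPrototype::finishCreation(VM& vm, JSGlobalObject* globalObject)
     JSC_BUILTIN_FUNCTION_WITHOUT_TRANSITION(vm.propertyNames->searchSymbol, regExpPrototypeSearchCodeGenerator, static_cast<unsigned>(PropertyAttribute::DontEnum));
     JSC_BUILTIN_FUNCTION_WITHOUT_TRANSITION(vm.propertyNames->splitSymbol, regExpPrototypeSplitCodeGenerator, static_cast<unsigned>(PropertyAttribute::DontEnum));
     JSC_BUILTIN_FUNCTION_WITHOUT_TRANSITION(vm.propertyNames->test, regExpPrototypeTestCodeGenerator, static_cast<unsigned>(PropertyAttribute::DontEnum));
+
+    didBecomePrototype();
 }
 
 // ------------------------------ Functions ---------------------------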
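--- a/Source/JavaScriptCore/runtime/StringPrototype.cpp
+++ b/Source/JavaScriptCore/runtime/StringPrototype.cpp
@@ -172,6 +172,8 @@
 
     // The constructor will be added later, after StringConstructor has been built
     putDirectWithoutTransition(vm, vm.propertyNames->length, jsNumber(0), PropertyAttribute::DontDelete | PropertyAttribute::ReadOnly | PropertyAttribute::DontEnum);
+
+    didBecomePrototype();
 }
 
 StringPrototype* StringPrototype::create(VM& vm, JSGlobalObject* globalObject, Structure* structure)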
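--- a/Source/JavaScriptCore/runtime/Structure.cpp
+++ b/Source/JavaScriptCore/runtime/Structure.cpp
@@ -321,6 +321,11 @@
     return result;
 }
 
+bool Structure::isValidPrototype(JSValue prototype)
+{
+    return prototype.isNull() || (prototype.isObject() && prototype.getObject()->mayBePrototype());
+}
+
 void Structure::findStructuresAndMapForMaterialization(Vector<Structure*, 8>& structures, Structure*& structure, PropertyTable*& table)
 {
     ASSERT(structures.isEmpty());
@@ -544,7 +549,7 @@
 
 Structure* Structure::changePrototypeTransition(VM& vm, Structure* structure, JSValue prototype, DeferredStructureTransitionWatchpointFire& deferred)
 {
-    ASSERT(prototype.isObject() || prototype.isNull());
+    ASSERT(isValidPrototype(prototype));
 
     DeferGC deferGC(vm.heap);
     Structure* transition = create(vm, structure, &deferred);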
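Review bot: `isValidPrototype()` is only ever evaluated inside `ASSERT` (in `changePrototypeTransition` here and in `Structure::finishCreation` in Structure.h), so in a release build an object that never called `didBecomePrototype()` still becomes a prototype silently and the `haveABadTime()` path that flag exists to trigger is skipped; nothing on the new definition says it is a debug-only invariant rather than a runtime check. The assertion in `changePrototypeTransition` also presumes that every caller has already flagged the incoming object before requesting the transition, which this hunk cannot show. I'd state both on the definition: `// Debug-only invariant: a prototype must be null or an object already flagged by didBecomePrototype(), so that an indexed accessor added to it later reaches haveABadTime(). Callers of changePrototypeTransition are expected to flag the object first.` A one-line version belongs on the new declaration in Structure.h, which currently has none.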
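--- a/Source/JavaScriptCore/runtime/Structure.h
+++ b/Source/JavaScriptCore/runtime/Structure.h
@@ -142,7 +142,7 @@ protected:
     void finishCreation(VM& vm)
     {
         Base::finishCreation(vm);
-        ASSERT(m_prototype.get().isEmpty() || m_prototype.isObject() || m_prototype.isNull());
+        ASSERT(m_prototype.get().isEmpty() || isValidPrototype(m_prototype.get()));
     }
 
     void finishCreation(VM& vm, const Structure* previous)
@@ -680,6 +680,8 @@ private:
 
     void checkConsistency();
 
+    JS_EXPORT_PRIVATE static bool isValidPrototype(JSValue);
+
     // This may grab the lock, or not. Do not call when holding the Structure's lock.
     PropertyTable* ensurePropertyTableIfNotEmpty(VM& vm)
     {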
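--- a/Source/JavaScriptCore/runtime/SymbolPrototype.cpp
+++ b/Source/JavaScriptCore/runtime/SymbolPrototype.cpp
@@ -67,6 +67,8 @@ void SymbolPrototype::finishCreation(VM& vm, JSGlobalObject* globalObject)
 
     JSFunction* toPrimitiveFunction = JSFunction::create(vm, globalObject, 1, "[Symbol.toPrimitive]"_s, symbolProtoFuncValueOf, NoIntrinsic);
     putDirectWithoutTransition(vm, vm.propertyNames->toPrimitiveSymbol, toPrimitiveFunction, PropertyAttribute::DontEnum | PropertyAttribute::ReadOnly);
+
+    didBecomePrototype();
 }
 
 // ------------------------------ Functions ---------------------------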
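--- a/Source/JavaScriptCore/wasm/js/WebAssemblyCompileErrorPrototype.cpp
+++ b/Source/JavaScriptCore/wasm/js/WebAssemblyCompileErrorPrototype.cpp
@@ -57,6 +57,7 @@
 void WebAssemblyCompileErrorPrototype::finishCreation(VM& vm)
 {
     Base::finishCreation(vm);
+    didBecomePrototype();
 }
 
 WebAssemblyCompileErrorPrototype::WebAssemblyCompileErrorPrototype(VM& vm, Structure* structure)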
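--- a/Source/JavaScriptCore/wasm/js/WebAssemblyInstancePrototype.cpp
+++ b/Source/JavaScriptCore/wasm/js/WebAssemblyInstancePrototype.cpp
@@ -86,6 +86,7 @@
 void WebAssemblyInstancePrototype::finishCreation(VM& vm)
 {
     Base::finishCreation(vm);
+    didBecomePrototype();
 }
 
 WebAssemblyInstancePrototype::WebAssemblyInstancePrototype(VM& vm, Structure* structure)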
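--- a/Source/JavaScriptCore/wasm/js/WebAssemblyLinkErrorPrototype.cpp
+++ b/Source/JavaScriptCore/wasm/js/WebAssemblyLinkErrorPrototype.cpp
@@ -57,6 +57,7 @@
 void WebAssemblyLinkErrorPrototype::finishCreation(VM& vm)
 {
     Base::finishCreation(vm);
+    didBecomePrototype();
 }
 
 WebAssemblyLinkErrorPrototype::WebAssemblyLinkErrorPrototype(VM& vm, Structure* structure)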
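--- a/Source/JavaScriptCore/wasm/js/WebAssemblyMemoryPrototype.cpp
+++ b/Source/JavaScriptCore/wasm/js/WebAssemblyMemoryPrototype.cpp
@@ -109,6 +109,7 @@ void WebAssemblyMemoryPrototype::finishCreation(VM& vm)
 {
     Base::finishCreation(vm);
     ASSERT(inherits(vm, info()));
+    didBecomePrototype();
 }
 
 WebAssemblyMemoryPrototype::WebAssemblyMemoryPrototype(VM& vm, Structure* structure)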
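--- a/Source/JavaScriptCore/wasm/js/WebAssemblyModulePrototype.cpp
+++ b/Source/JavaScriptCore/wasm/js/WebAssemblyModulePrototype.cpp
@@ -56,6 +56,7 @@
 void WebAssemblyModulePrototype::finishCreation(VM& vm)
 {
     Base::finishCreation(vm);
+    didBecomePrototype();
 }
 
 WebAssemblyModulePrototype::WebAssemblyModulePrototype(VM& vm, Structure* structure)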
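--- a/Source/JavaScriptCore/wasm/js/WebAssemblyPrototype.cpp
+++ b/Source/JavaScriptCore/wasm/js/WebAssemblyPrototype.cpp
@@ -381,6 +381,8 @@ void WebAssemblyPrototype::finishCreation(VM& vm, JSGlobalObject* globalObject)
         JSC_BUILTIN_FUNCTION_WITHOUT_TRANSITION("compileStreaming", webAssemblyPrototypeCompileStreamingCodeGenerator, static_cast<unsigned>(PropertyAttribute::DontEnum));
         JSC_BUILTIN_FUNCTION_WITHOUT_TRANSITION("instantiateStreaming", webAssemblyPrototypeInstantiateStreamingCodeGenerator, static_cast<unsigned>(PropertyAttribute::DontEnum));
     }
+
+    didBecomePrototype();
 }
 
 WebAssemblyPrototype::WebAssemblyPrototype(VM& vm, Structure* structure)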
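Review bot: didBecomePrototype() is placed at the very end of finishCreation(), after the JSC_BUILTIN_FUNCTION_WITHOUT_TRANSITION puts, whereas every other WebAssembly prototype section in this patch calls it directly after Base::finishCreation(vm). If the call records prototype status on the object's current Structure, the _WITHOUT_TRANSITION puts presumably leave that structure unchanged and the order is harmless, but moving the call up next to Base::finishCreation(vm) would make the wasm prototypes consistent and remove the question. The start of finishCreation() is outside the hunk, so the Base::finishCreation(vm) line itself is not visible here.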
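--- a/Source/JavaScriptCore/wasm/js/WebAssemblyRuntimeErrorPrototype.cpp
+++ b/Source/JavaScriptCore/wasm/js/WebAssemblyRuntimeErrorPrototype.cpp
@@ -57,6 +57,7 @@ Structure* WebAssemblyRuntimeErrorPrototype::createStructure(VM& vm, JSGlobalObj
 void WebAssemblyRuntimeErrorPrototype::finishCreation(VM& vm)
 {
     Base::finishCreation(vm);
+    didBecomePrototype();
 }
 
 WebAssemblyRuntimeErrorPrototype::WebAssemblyRuntimeErrorPrototype(VM& vm, Structure* structure)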
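--- a/Source/JavaScriptCore/wasm/js/WebAssemblyTablePrototype.cpp
+++ b/Source/JavaScriptCore/wasm/js/WebAssemblyTablePrototype.cpp
@@ -164,6 +164,7 @@ void WebAssemblyTablePrototype::finishCreation(VM& vm)
 {
     Base::finishCreation(vm);
     ASSERT(inherits(vm, info()));
+    didBecomePrototype();
 }
 
 WebAssemblyTablePrototype::WebAssemblyTablePrototype(VM& vm, Structure* structure)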
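--- a/Source/WebCore/ChangeLog
+++ b/Source/WebCore/ChangeLog
@@ -1,3 +1,17 @@
+2019-04-09  Robin Morisset  <rmorisset@apple.com>
+
+        All prototypes should call didBecomePrototype()
+        https://bugs.webkit.org/show_bug.cgi?id=196315
+
+        Reviewed by Saam Barati.
+
+        It was found by existing tests, with the new assert in JSC::Structure
+
+        * bindings/js/JSWindowProxy.cpp:
+        (WebCore::JSWindowProxy::setWindow):
+        * bindings/scripts/CodeGeneratorJS.pm:
+        (GeneratePrototypeDeclaration):
+
 2019-04-09  Don Olmstead  <don.olmstead@sony.com>
 
         [CMake] Apple builds should use ICU_INCLUDE_DIRS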
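--- a/Source/WebCore/bindings/js/JSWindowProxy.cpp
+++ b/Source/WebCore/bindings/js/JSWindowProxy.cpp
@@ -97,6 +97,7 @@ void JSWindowProxy::setWindow(AbstractDOMWindow& domWindow)
     // FIXME: Why do we need to protect this when there's a pointer to it on the stack?
     // Perhaps the issue is that structure objects aren't seen when scanning the stack?
     Strong<JSNonFinalObject> prototype(vm, isRemoteDOMWindow ? static_cast<JSNonFinalObject*>(JSRemoteDOMWindowPrototype::create(vm, nullptr, &prototypeStructure)) : static_cast<JSNonFinalObject*>(JSDOMWindowPrototype::create(vm, nullptr, &prototypeStructure)));
+    prototype->didBecomePrototype();
 
     JSDOMGlobalObject* window = nullptr;
     if (isRemoteDOMWindow) {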
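Review bot: The call is made at the creation site, `prototype->didBecomePrototype();`, rather than inside the prototype class as the JavaScriptCore sections of this patch do. Since the same patch makes CodeGeneratorJS.pm emit the call in every generated prototype constructor, it is worth confirming whether JSDOMWindowPrototype and JSRemoteDOMWindowPrototype come out of that generator: if they do, this line is redundant and only harmless if didBecomePrototype() is idempotent, and if they do not, a short comment such as `// Window prototypes are not created through the generated path, so mark them explicitly.` would record why this site differs. setWindow() starts and ends outside the hunk.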
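--- a/Source/WebCore/bindings/scripts/CodeGeneratorJS.pm
+++ b/Source/WebCore/bindings/scripts/CodeGeneratorJS.pm
@@ -7070,6 +7070,7 @@ sub GeneratePrototypeDeclaration
     push(@$outputArray, "    ${prototypeClassName}(JSC::VM& vm, JSC::JSGlobalObject*, JSC::Structure* structure)\n");
     push(@$outputArray, "        : JSC::JSNonFinalObject(vm, structure)\n");
     push(@$outputArray, "    {\n");
+    push(@$outputArray, "    didBecomePrototype();\n");
     push(@$outputArray, "    }\n");
 
     if (PrototypeHasStaticPropertyTable($interface)) {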
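Review bot: The emitted statement at line 7073 is indented with four spaces, the same column as the `{` and `}` pushed immediately before and after it, so every generated prototype constructor will have its body flush with its braces; the initializer line emitted just above uses eight spaces, so this should read `push(@$outputArray, "        didBecomePrototype();\n");`. The call is also placed in the constructor, whereas the JavaScriptCore sections of this patch put it in finishCreation() after Base::finishCreation(vm); if didBecomePrototype() only touches the object's Structure that is presumably fine, but it is worth confirming it does not depend on anything finishCreation() sets up. GeneratePrototypeDeclaration starts and ends outside the hunk.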
