Bug 53578

Summary: [V8] Incorrect handling of JavaScript properties in DOMStringMap
Product: WebKit Reporter: Kent Tamura <tkent>
Component: WebCore Misc.Assignee: Kent Tamura <tkent>
Status: RESOLVED FIXED    
Severity: Minor CC: abarth, antonm, arv, dglazkov, japhet, webkit.review.bot
Priority: P2    
Version: 528+ (Nightly build)   
Hardware: Other   
OS: All   
Bug Depends on: 53752    
Bug Blocks:    
Attachments:
Description Flags
Patch
none
Patch 2
none
Patch 3
none
Patch 4
none
Patch for landing none

Kent Tamura
Reported 2011-02-01 23:11:24 PST
[V8] Incorrect handling of JavaScript properties in DOMStringMap
Attachments
Patch (5.14 KB, patch)
2011-02-01 23:16 PST, Kent Tamura 		no flags
DetailsFormatted DiffDiff
Patch 2 (4.83 KB, patch)
2011-10-06 22:37 PDT, Kent Tamura 		no flags
DetailsFormatted DiffDiff
Patch 3 (4.84 KB, patch)
2011-10-07 00:26 PDT, Kent Tamura 		no flags
DetailsFormatted DiffDiff
Patch 4 (4.83 KB, patch)
2011-10-10 23:47 PDT, Kent Tamura 		no flags
DetailsFormatted DiffDiff
Patch for landing (4.82 KB, patch)
2011-11-14 23:09 PST, Kent Tamura 		no flags
DetailsFormatted DiffDiff
Show Obsolete (4) View All Add attachment proposed patch, testcase, etc.
Kent Tamura
Comment 1 2011-02-01 23:16:22 PST
Created attachment 80893 [details] Patch
anton muhin
Comment 2 2011-02-02 03:56:46 PST
Comment on attachment 80893 [details] Patch View in context: https://bugs.webkit.org/attachment.cgi?id=80893&action=review > Source/WebCore/bindings/v8/custom/V8DOMStringMapCustom.cpp:54 > + if (map->contains(nameString)) I am complete ignoramus of WebCore::DOMStringMap internals, but is there a contract what DOMStringMap::item should return if there is no binding for the name? If it returns empty string (WebCore::String::isEmpty()), it might be more efficient to look the result up and check for string emptiness. Feel free to ignore if you think it's premature optimization. > Source/WebCore/bindings/v8/custom/V8DOMStringMapCustom.cpp:88 > INC_STATS("DOM.DOMStringMap.NamedPropertySetter"); Shouldn't NamedPropertyDelete be updated as well? > Source/WebCore/bindings/v8/custom/V8DOMStringMapCustom.cpp:91 > + return notHandledByInterceptor(); I suspect (but not 100% sure) it doesn't do the right thing: I would expect that in your test case you would get real JS property 'foobarbaz' on JS wrapper itself, and this update won't be stored in the instance of WebCore::DOMStringMap. Can we extend layout test to check if it's indeed the case? If I am right, I think you should use v8::Object::HasRealNamedProperty instead of both GetRealNamedPropertyInPrototypeChain and HasRealNamedCallback.
Kent Tamura
Comment 3 2011-02-03 19:31:07 PST
(In reply to comment #2) Thank you for the comments. Now I believe the current JSC behavior is also incorrect. I'll try to correct it, then will update the V8 behavior.
Kent Tamura
Comment 4 2011-10-06 22:37:31 PDT
Created attachment 110090 [details] Patch 2
WebKit Review Bot
Comment 5 2011-10-06 23:02:11 PDT
Comment on attachment 110090 [details] Patch 2 Attachment 110090 [details] did not pass chromium-ews (chromium-xvfb): Output: http://queues.webkit.org/results/10012107 New failing tests: fast/dom/dataset.html fast/dom/dataset-xhtml.xhtml
Kent Tamura
Comment 6 2011-10-07 00:26:39 PDT
Created attachment 110100 [details] Patch 3
WebKit Review Bot
Comment 7 2011-10-07 00:55:07 PDT
Comment on attachment 110100 [details] Patch 3 Attachment 110100 [details] did not pass chromium-ews (chromium-xvfb): Output: http://queues.webkit.org/results/9995163 New failing tests: fast/dom/dataset.html fast/dom/dataset-xhtml.xhtml
Kent Tamura
Comment 8 2011-10-07 00:59:48 PDT
(In reply to comment #7) > New failing tests: > fast/dom/dataset.html > fast/dom/dataset-xhtml.xhtml Hmm, why they fail? They passed on my Mac.
Kent Tamura
Comment 9 2011-10-10 23:47:54 PDT
Created attachment 110481 [details] Patch 4 Fix namedPropertySetter behavior.
Kent Tamura
Comment 10 2011-11-14 20:22:53 PST
Would anyone review this please?
Adam Barth
Comment 11 2011-11-14 22:55:11 PST
Comment on attachment 110481 [details] Patch 4 Great! I'm glad to see this code go.
Kent Tamura
Comment 12 2011-11-14 22:56:45 PST
Comment on attachment 110481 [details] Patch 4 Thank you for reviewing.
WebKit Review Bot
Comment 13 2011-11-14 22:59:46 PST
Comment on attachment 110481 [details] Patch 4 Rejecting attachment 110481 [details] from commit-queue. Failed to run "['/mnt/git/webkit-commit-queue/Tools/Scripts/webkit-patch', '--status-host=queues.webkit.org', '-..." exit_code: 2 Last 500 characters of output: ucceeded at 1 with fuzz 3. patching file LayoutTests/platform/chromium/test_expectations.txt Hunk #1 FAILED at 3762. 1 out of 1 hunk FAILED -- saving rejects to file LayoutTests/platform/chromium/test_expectations.txt.rej patching file Source/WebCore/ChangeLog Hunk #1 succeeded at 1 with fuzz 3. patching file Source/WebCore/bindings/v8/custom/V8DOMStringMapCustom.cpp Failed to run "[u'/mnt/git/webkit-commit-queue/Tools/Scripts/svn-apply', u'--reviewer', u'Adam Barth', u'--force']" exit_code: 1 Full output: http://queues.webkit.org/results/10485236
Kent Tamura
Comment 14 2011-11-14 23:09:23 PST
Created attachment 115102 [details] Patch for landing
WebKit Review Bot
Comment 15 2011-11-15 00:37:14 PST
Comment on attachment 115102 [details] Patch for landing Clearing flags on attachment: 115102 Committed r100247: <http://trac.webkit.org/changeset/100247>
WebKit Review Bot
Comment 16 2011-11-15 00:37:20 PST
All reviewed patches have been landed. Closing bug.
Note You need to log in before you can comment on or make changes to this bug.