RESOLVED FIXED 132922
Move subframe name getter lookup later in JSDOMWindow::getOwnPropertySlot 
https://bugs.webkit.org/show_bug.cgi?id=132922
Summary Move subframe name getter lookup later in JSDOMWindow::getOwnPropertySlot
Mark Hahnenberg
Reported 2014-05-14 14:34:03 PDT
In JSDOMWindow::getOwnPropertySlot, we currently look for the property on the JSDOMWindow, then we search the window's subframes for name getters, then we look in the window's prototype chain. Apparently we were doing the lookup in this order to be compatible with Mozilla, but Mozilla does not implement this behavior. Instead, they do the lookup on the prototype before looking for subframe name getters. We should change this to match Mozilla. This has the convenient side effect of allowing us to cache lookups in the window's prototype chain.
Attachments
Patch (15.65 KB, patch)
2014-05-14 18:07 PDT, Mark Hahnenberg 		no flags
DetailsFormatted DiffDiff
View All Add attachment proposed patch, testcase, etc.
Mark Hahnenberg
Comment 1 2014-05-14 18:07:38 PDT
Created attachment 231476 [details] Patch
Geoffrey Garen
Comment 2 2014-05-14 21:18:01 PDT
Comment on attachment 231476 [details] Patch View in context: https://bugs.webkit.org/attachment.cgi?id=231476&action=review r=me > Source/WebCore/ChangeLog:15 > + Mozilla no longer implements this behavior. Instead, they do the lookup on the prototype before > + looking for subframe name getters. We should change this to match Mozilla. This has the convenient > + side effect of allowing us to cache lookups in the window's prototype chain. FWIW, I think Mozilla and WebIDL technically specify that name getters should exist in the prototype chain between the window prototype and the object prototype. So, eventually, we'll want to do that, and verify that a frame named "toString" takes precedence over Object.prototype.toString. Still, this patch is a step in the right direction. I don't think I'll let <iframe name="toString"> stand in our way.
WebKit Commit Bot
Comment 3 2014-05-15 11:29:20 PDT
Comment on attachment 231476 [details] Patch Clearing flags on attachment: 231476 Committed r168902: <http://trac.webkit.org/changeset/168902>
WebKit Commit Bot
Comment 4 2014-05-15 11:29:22 PDT
All reviewed patches have been landed. Closing bug.
Darin Adler
Comment 5 2014-05-18 20:59:04 PDT
(In reply to comment #2) > FWIW, I think Mozilla and WebIDL technically specify that name getters should exist in the prototype chain between the window prototype and the object prototype. So, eventually, we'll want to do that, and verify that a frame named "toString" takes precedence over Object.prototype.toString. > > Still, this patch is a step in the right direction. I don't think I'll let <iframe name="toString"> stand in our way. Sure would be nice having a test demonstrating this problem that remains.
Note You need to log in before you can comment on or make changes to this bug.