RESOLVED FIXED 160553
[ES6] Module namespace object should not allow unset IC 
https://bugs.webkit.org/show_bug.cgi?id=160553
Summary [ES6] Module namespace object should not allow unset IC
Yusuke Suzuki
Reported 2016-08-04 09:41:19 PDT
[ES6] Namespace object should not allow IC
Attachments
Patch (22.45 KB, patch)
2016-08-04 10:05 PDT, Yusuke Suzuki 		no flags
DetailsFormatted DiffDiff
Patch (22.62 KB, patch)
2016-08-04 23:06 PDT, Yusuke Suzuki 		no flags
DetailsFormatted DiffDiff
Show Obsolete (1) View All Add attachment proposed patch, testcase, etc.
Yusuke Suzuki
Comment 1 2016-08-04 10:05:20 PDT
Created attachment 285334 [details] Patch
Yusuke Suzuki
Comment 2 2016-08-04 10:17:13 PDT
Comment on attachment 285334 [details] Patch I'll do a slight change.
Yusuke Suzuki
Comment 3 2016-08-04 23:06:19 PDT
Created attachment 285402 [details] Patch
Saam Barati
Comment 4 2016-08-05 16:25:19 PDT
Comment on attachment 285402 [details] Patch View in context: https://bugs.webkit.org/attachment.cgi?id=285402&action=review > Source/JavaScriptCore/runtime/JSModuleNamespaceObject.cpp:132 > + JSModuleRecord::Resolution resolution = moduleRecord->resolveExport(exec, Identifier::fromUid(exec, propertyName.uid())); > + ASSERT(resolution.type != JSModuleRecord::Resolution::Type::NotFound && resolution.type != JSModuleRecord::Resolution::Type::Ambiguous); > + > + JSModuleRecord* targetModule = resolution.moduleRecord; > + JSModuleEnvironment* targetEnvironment = targetModule->moduleEnvironment(); > + > + PropertySlot trampolineSlot(targetEnvironment, PropertySlot::InternalMethodType::Get); > + bool found = targetEnvironment->methodTable(exec->vm())->getOwnPropertySlot(targetEnvironment, exec, resolution.localName, trampolineSlot); > + ASSERT_UNUSED(found, found); Why do these assertions have to hold? I haven't thought too hard, but can't you just call GetOwnProperty on a namespace object and have this not actually be resolved? like: ` import * as ns from ...; Reflect.getOwnPropertyDescriptor(ns, someIdentNotInNS) `
Yusuke Suzuki
Comment 5 2016-08-05 23:33:58 PDT
Comment on attachment 285402 [details] Patch View in context: https://bugs.webkit.org/attachment.cgi?id=285402&action=review >> Source/JavaScriptCore/runtime/JSModuleNamespaceObject.cpp:132 >> + ASSERT_UNUSED(found, found); > > Why do these assertions have to hold? > I haven't thought too hard, but can't you just call GetOwnProperty on a namespace object and have this not actually be resolved? > like: > ` > import * as ns from ...; > Reflect.getOwnPropertyDescriptor(ns, someIdentNotInNS) > ` The above example does not reach here because we filter them by ` if (!thisObject->m_exports.contains(propertyName.uid())) return false; ` in L116.
Yusuke Suzuki
Comment 6 2016-08-06 11:50:02 PDT
Comment on attachment 285402 [details] Patch View in context: https://bugs.webkit.org/attachment.cgi?id=285402&action=review >>> Source/JavaScriptCore/runtime/JSModuleNamespaceObject.cpp:132 >>> + ASSERT_UNUSED(found, found); >> >> Why do these assertions have to hold? >> I haven't thought too hard, but can't you just call GetOwnProperty on a namespace object and have this not actually be resolved? >> like: >> ` >> import * as ns from ...; >> Reflect.getOwnPropertyDescriptor(ns, someIdentNotInNS) >> ` > > The above example does not reach here because we filter them by > > ` > if (!thisObject->m_exports.contains(propertyName.uid())) > return false; > ` > in L116. And this m_exports is collected by JSModuleRecord.cpp's getExportedNames, and already validated by JSModuleRecord::getModuleNamespace. As a result, this m_exports only contains the names that can be resolved. And when the name is resolved, the resolution always has the target module and the local name. So looking up the local binding from the target module always succeed.
Saam Barati
Comment 7 2016-08-07 14:06:36 PDT
Comment on attachment 285402 [details] Patch View in context: https://bugs.webkit.org/attachment.cgi?id=285402&action=review r=me >>>> Source/JavaScriptCore/runtime/JSModuleNamespaceObject.cpp:132 >>>> + ASSERT_UNUSED(found, found); >>> >>> Why do these assertions have to hold? >>> I haven't thought too hard, but can't you just call GetOwnProperty on a namespace object and have this not actually be resolved? >>> like: >>> ` >>> import * as ns from ...; >>> Reflect.getOwnPropertyDescriptor(ns, someIdentNotInNS) >>> ` >> >> The above example does not reach here because we filter them by >> >> ` >> if (!thisObject->m_exports.contains(propertyName.uid())) >> return false; >> ` >> in L116. > > And this m_exports is collected by JSModuleRecord.cpp's getExportedNames, and already validated by JSModuleRecord::getModuleNamespace. > As a result, this m_exports only contains the names that can be resolved. And when the name is resolved, the resolution always has the target module and the local name. > So looking up the local binding from the target module always succeed. Makes sense.
Yusuke Suzuki
Comment 8 2016-08-07 19:29:39 PDT
Comment on attachment 285402 [details] Patch Thanks!
WebKit Commit Bot
Comment 9 2016-08-07 19:50:23 PDT
Comment on attachment 285402 [details] Patch Clearing flags on attachment: 285402 Committed r204248: <http://trac.webkit.org/changeset/204248>
WebKit Commit Bot
Comment 10 2016-08-07 19:50:26 PDT
All reviewed patches have been landed. Closing bug.
Note You need to log in before you can comment on or make changes to this bug.