There is no functionality difference between V8 and JSC here.
* V8 uses CheckDomainSecurity on the interface. (JSC does this in CustomGetOwnPropertySlot)
* V8 assigns some methods on the instance to prevent cross site access.
* V8 generates valueOf, which needs to be protected similarly to toString().
Created attachment 28362
The reason to declare valueOf() is so that this code works:
var foo = cross_site_protected_frame.location + "boo";
The implicit conversion of location here will go through valueOf, and it should be protected just as toString is. JSC deals with this in its own CustomPropertySlot.
Comment on attachment 28362
Do these V8OnInstance flags override "custom"? Or does "Custom" really mean "JSCCustom" these days? Either way looks fine. CCing Sam so he sees it go by as well.
"Custom" (or "JSCCustom" or "V8Custom") tells the IDL Code Generator "don't generate binding for this, there is one hand-crafted". The "V8OnInstance" tells the V8 code generator that this property should be installed on the object instance, rather than the prototype. It is V8 specific (I've made all V8-specific attributes start with "V8"), and the V8 code generator knows how to generate the binding.
Does this introduce a difference between the JSC and V8 bindings? That is something we should try very hard to avoid.
After a little discussion, it seems that this patch did in fact implement a different behavior than JSC, for one, putting the functions on the instance instead of the prototype. The intent of my question was to try and stop any divergence at the bindings layer for the two JS engines, as that only hurts WebKit.
Mike, perhaps I misunderstood your answer?
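
Added example, not part of the original thread and not WebKit or V8 binding code: a plain-JavaScript model of why `location + "boo"` reaches valueOf before toString, so an access check on toString alone does not cover the implicit conversion. `makeLocation`, `concat`, the `sameOrigin` flag and the URL are constructed for illustration.

```javascript
// Constructed model of a Location-like object; names here are hypothetical.
function makeLocation(href, sameOrigin, guardValueOf) {
  const trace = [];
  // Stand-in for the binding's cross-origin access check.
  const guarded = (name) => function () {
    trace.push(name);
    if (!sameOrigin) throw new Error("access denied: " + name);
    return href;
  };
  // Stand-in for a generated valueOf that returns the string with no check.
  const unguardedValueOf = function () {
    trace.push("valueOf (no check)");
    return href;
  };

  const loc = {};
  const fixed = (value) => ({
    value, writable: false, configurable: false, enumerable: false,
  });
  // Own (instance) properties, so the lookup never reaches a prototype.
  Object.defineProperty(loc, "toString", fixed(guarded("toString")));
  Object.defineProperty(
    loc, "valueOf", fixed(guardValueOf ? guarded("valueOf") : unguardedValueOf));
  return { loc, trace };
}

// Evaluates the expression from the thread and records which methods ran.
function concat(sameOrigin, guardValueOf) {
  const { loc, trace } = makeLocation(
    "https://example.test/secret", sameOrigin, guardValueOf);
  try {
    // The + operator converts with the default hint: valueOf is tried first,
    // and toString is only used if valueOf does not return a primitive.
    return { value: loc + "boo", trace };
  } catch (e) {
    return { error: e.message, trace };
  }
}

console.log(concat(false, false)); // cross-origin caller, only toString checked
console.log(concat(false, true));  // cross-origin caller, both checked
console.log(concat(true, true));   // same-origin caller
```

In the first call the guarded toString is never invoked, which is the gap the protected valueOf closes.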