[JSC] Private symbols should not be trapped by proxy handler
author utatane.tea@gmail.com <utatane.tea@gmail.com@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
Tue, 1 Mar 2016 03:48:36 +0000 (03:48 +0000)
committer utatane.tea@gmail.com <utatane.tea@gmail.com@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
Tue, 1 Mar 2016 03:48:36 +0000 (03:48 +0000)
commit 40576517eb837098e931db79c755111d02893fc0
tree 6a2753f6a0eac1031c06f0817bd9ce335a909d75
parent 9f0a364908ba568aaa7b52f714a2303988f128ac
[JSC] Private symbols should not be trapped by proxy handler
https://bugs.webkit.org/show_bug.cgi?id=154817

Reviewed by Mark Lam.

Since the runtime has some assumptions on the properties associated with the private symbols, ES6 Proxy should not trap these property operations.
For example, in ArrayIteratorPrototype.js

    var itemKind = this.@arrayIterationKind;
    if (itemKind === @undefined)
        throw new @TypeError("%ArrayIteratorPrototype%.next requires that |this| be an Array Iterator instance");

Here, we assume that only the array iterator has the @arrayIterationKind property whose value is non-undefined.
But if we implement a Proxy with a get handler that returns a non-undefined value for every operation, we accidentally assume that the given value is an array iterator.

To avoid this situation, we perform the default operations for property operations with private symbols.

* runtime/ProxyObject.cpp:
(JSC::performProxyGet):
(JSC::ProxyObject::performInternalMethodGetOwnProperty):
(JSC::ProxyObject::performHasProperty):
(JSC::ProxyObject::performPut):
(JSC::ProxyObject::performDelete):
(JSC::ProxyObject::deleteProperty):
(JSC::ProxyObject::deletePropertyByIndex):
* tests/stress/proxy-basic.js:
* tests/stress/proxy-with-private-symbols.js: Added.
(assert):
(let.handler.getOwnPropertyDescriptor):

git-svn-id: https://svn.webkit.org/repository/webkit/trunk@197383 268f45cc-cd09-0410-ab3c-d52691b4dbfc
Source/JavaScriptCore/ChangeLog
Source/JavaScriptCore/runtime/ProxyObject.cpp
Source/JavaScriptCore/tests/stress/proxy-basic.js
Source/JavaScriptCore/tests/stress/proxy-with-private-symbols.js [new file with mode: 0644]
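The hazard the commit message describes, modelled in user-land JavaScript as an added example (this is not WebKit code and not the test added by the commit). The names `arrayIterationKind`, `FakeArrayIterator`, `BrandedArrayIterator`, `nextWithPropertyCheck`, `nextWithBrandCheck` and `spoof` are constructed for illustration. Because ordinary Symbols, unlike JSC's private symbols, are visible to Proxy traps, a brand check that only tests "is this property non-undefined" can be satisfied by a get trap that answers every lookup; a brand check backed by a WeakSet is the user-land analogue of the runtime's fix, since there is no Proxy trap for WeakSet membership.

```javascript
// Added example (not WebKit code): why "property is defined" is not a brand check
// when a Proxy can trap the lookup, and a check that proxy handlers cannot forge.

// Constructed stand-in for the @arrayIterationKind private symbol. An ordinary
// Symbol is used here, so Proxy get traps can see it (JSC private symbols cannot).
const arrayIterationKind = Symbol("arrayIterationKind");

class FakeArrayIterator {
  constructor(kind) { this[arrayIterationKind] = kind; }
}

// Brand check of the shape quoted from ArrayIteratorPrototype.js: a non-undefined
// property value is taken as proof that `receiver` is an array iterator.
function nextWithPropertyCheck(receiver) {
  const itemKind = receiver[arrayIterationKind];
  if (itemKind === undefined) throw new TypeError("not an Array Iterator instance");
  return itemKind;
}

// Hardened brand check: membership in a WeakSet populated only by the constructor.
// Proxy handlers have no trap for WeakSet.prototype.has, so a get trap that returns
// a value for every key cannot satisfy it.
const iterators = new WeakSet();
class BrandedArrayIterator {
  constructor(kind) { this.kind = kind; iterators.add(this); }
}
function nextWithBrandCheck(receiver) {
  if (!iterators.has(receiver)) throw new TypeError("not an Array Iterator instance");
  return receiver.kind;
}

// Constructed Proxy whose get trap returns a non-undefined value for every key,
// the exact handler shape the commit message warns about.
const spoof = new Proxy({}, { get: () => "values" });

// Runs both checks against a real instance and against the spoofing proxy and
// reports what each check concluded.
function demo() {
  const r = {};
  r.realProperty = nextWithPropertyCheck(new FakeArrayIterator("keys"));
  r.spoofedProperty = nextWithPropertyCheck(spoof); // accepted: the trap answered
  r.realBrand = nextWithBrandCheck(new BrandedArrayIterator("entries"));
  try { nextWithBrandCheck(spoof); r.spoofedBrand = "accepted"; }
  catch (e) { r.spoofedBrand = e instanceof TypeError ? "rejected" : "other"; }
  // A Proxy wrapping a genuine iterator is also rejected: the proxy object itself
  // carries no brand, which matches the runtime not forwarding private-symbol
  // operations to the handler.
  try { nextWithBrandCheck(new Proxy(new BrandedArrayIterator("keys"), {})); r.proxiedBrand = "accepted"; }
  catch (e) { r.proxiedBrand = e instanceof TypeError ? "rejected" : "other"; }
  return r;
}

console.log(demo());
```

`demo()` returns `"values"` for the spoofed property check, showing the proxy passing as an iterator, and `"rejected"` for the WeakSet-based check on the same proxy.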