Web Inspector: Crash generating object preview for ArrayIterator
author joepeck@webkit.org <joepeck@webkit.org@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
Tue, 27 Jun 2017 17:43:03 +0000 (17:43 +0000)
committer joepeck@webkit.org <joepeck@webkit.org@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
Tue, 27 Jun 2017 17:43:03 +0000 (17:43 +0000)
commit 86c8ab296885f3202296ab7933e212de7821e2b5
tree dabfee62b05e90a7011c764faf5dd161cc4d24e4
parent 6047dc96754e68dd148997f5f56c46a33b84a969
Web Inspector: Crash generating object preview for ArrayIterator
https://bugs.webkit.org/show_bug.cgi?id=173754
<rdar://problem/32859012>

Reviewed by Saam Barati.

Source/JavaScriptCore:

When Inspector generates an object preview for an ArrayIterator instance it made
a "clone" of the original ArrayIterator instance by constructing a new object with
the instance's structure. However, user code could have modified that instance's
structure, such as adding / removing properties. The `return` property had special
meaning, and our clone did not fill that slot. This approach is brittle in that
we weren't satisfying the expectations of an object with a particular Structure,
and the original goal of having Web Inspector peek values of built-in Iterators
was to avoid observable behavior.

This tightens Web Inspector's Iterator preview to only peek values if the
Iterators would actually be non-observable. It also builds an ArrayIterator
clone like a regular object construction.

* inspector/JSInjectedScriptHost.cpp:
(Inspector::cloneArrayIteratorObject):
Build up the Object from scratch with a new ArrayIterator prototype.

(Inspector::JSInjectedScriptHost::iteratorEntries):
Only clone and peek iterators if it would not be observable.
Also update iteration to be more in line with IterationOperations, such as when
we call iteratorClose.

* runtime/JSGlobalObject.cpp:
(JSC::JSGlobalObject::JSGlobalObject):
(JSC::JSGlobalObject::init):
* runtime/JSGlobalObject.h:
(JSC::JSGlobalObject::stringIteratorProtocolWatchpoint):
* runtime/JSGlobalObjectInlines.h:
(JSC::JSGlobalObject::isStringPrototypeIteratorProtocolFastAndNonObservable):
Add a StringIterator WatchPoint in line with the Array/Map/Set iterator watchpoints.

* runtime/JSMap.cpp:
(JSC::JSMap::isIteratorProtocolFastAndNonObservable):
(JSC::JSMap::canCloneFastAndNonObservable):
* runtime/JSMap.h:
* runtime/JSSet.cpp:
(JSC::JSSet::isIteratorProtocolFastAndNonObservable):
(JSC::JSSet::canCloneFastAndNonObservable):
* runtime/JSSet.h:
Promote isIteratorProtocolFastAndNonObservable to a method.

* runtime/JSObject.cpp:
(JSC::canDoFastPutDirectIndex):
* runtime/JSTypeInfo.h:
(JSC::TypeInfo::isArgumentsType):
Helper to detect if an Object is an Arguments type.

LayoutTests:

* platform/mac/inspector/model/remote-object-expected.txt:
* inspector/model/remote-object-expected.txt:
* inspector/model/remote-object.html:
Test generating a preview for an ArrayIterator that has had a `return` property added to it.

* inspector/model/remote-object-mutated-iterators-expected.txt: Added.
* inspector/model/remote-object-mutated-iterators.html: Added.
Test generating a preview for different iterators after the IteratorPrototypes have been mutated.

* inspector/model/resources/remote-object-utilities.js: Added.
(runInBrowserTest):
(TestPage.registerInitializer):
(TestPage.registerInitializer.checkComplete):
(TestPage.registerInitializer.window.runSteps):
Share code for remote-object dump tests.

git-svn-id: https://svn.webkit.org/repository/webkit/trunk@218836 268f45cc-cd09-0410-ab3c-d52691b4dbfc
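The "only peek if it would not be observable" rule described above, as an added user-land illustration that is not WebKit's code: JSC enforces it with type checks and watchpoints, while this approximation compares the iterator protocol's reachable pieces against references captured before any page script could replace them. The function names and the prototype-identity check are this example's own assumptions.

```javascript
// Added illustration (not JSC's implementation). Builds a guard for one kind
// of built-in iterator: `sample` is a fresh built-in iterator of that kind and
// `collectionProto` is the prototype whose @@iterator produces it.
function makeIteratorProtocolGuard(sample, collectionProto) {
  const iterProto = Object.getPrototypeOf(sample);
  // Capture the pristine functions now; page code may replace them later.
  const pristineNext = iterProto.next;
  const pristineIterMethod = collectionProto[Symbol.iterator];

  return function isPeekNonObservable(iterator) {
    // Approximation: JSC checks the object's real type, which user code
    // cannot forge; here we only verify the prototype identity.
    if (Object.getPrototypeOf(iterator) !== iterProto) return false;
    // Peeking drives the protocol through `next`; it must still resolve to
    // the built-in, both on the instance and on the shared prototype.
    if (Object.prototype.hasOwnProperty.call(iterator, "next")) return false;
    if (iterProto.next !== pristineNext) return false;
    // `return` has special meaning: iteratorClose calls it on early exit, so
    // any reachable `return` (own or inherited) would run user code.
    if ("return" in iterator) return false;
    // Re-creating an iterator from the collection goes through @@iterator.
    if (collectionProto[Symbol.iterator] !== pristineIterMethod) return false;
    return true;
  };
}

// One guard per iterator kind the change covers (Array, Map, Set, String).
const isArrayIteratorPeekNonObservable =
  makeIteratorProtocolGuard([][Symbol.iterator](), Array.prototype);
const isMapIteratorPeekNonObservable =
  makeIteratorProtocolGuard(new Map()[Symbol.iterator](), Map.prototype);
const isSetIteratorPeekNonObservable =
  makeIteratorProtocolGuard(new Set()[Symbol.iterator](), Set.prototype);
const isStringIteratorPeekNonObservable =
  makeIteratorProtocolGuard(""[Symbol.iterator](), String.prototype);
```

A preview generator built on this would fall back to a non-peeking preview (type name only) whenever a guard returns false, rather than cloning and stepping the iterator.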
18 files changed:
LayoutTests/ChangeLog
LayoutTests/inspector/model/remote-object-expected.txt
LayoutTests/inspector/model/remote-object-mutated-iterators-expected.txt [new file with mode: 0644]
LayoutTests/inspector/model/remote-object-mutated-iterators.html [new file with mode: 0644]
LayoutTests/inspector/model/remote-object.html
LayoutTests/inspector/model/resources/remote-object-utilities.js [new file with mode: 0644]
LayoutTests/platform/mac/inspector/model/remote-object-expected.txt
Source/JavaScriptCore/ChangeLog
Source/JavaScriptCore/inspector/JSInjectedScriptHost.cpp
Source/JavaScriptCore/runtime/JSGlobalObject.cpp
Source/JavaScriptCore/runtime/JSGlobalObject.h
Source/JavaScriptCore/runtime/JSGlobalObjectInlines.h
Source/JavaScriptCore/runtime/JSMap.cpp
Source/JavaScriptCore/runtime/JSMap.h
Source/JavaScriptCore/runtime/JSObject.cpp
Source/JavaScriptCore/runtime/JSSet.cpp
Source/JavaScriptCore/runtime/JSSet.h
Source/JavaScriptCore/runtime/JSTypeInfo.h