Remove no-arguments constructor to PropertySlot
authorbarraclough@apple.com <barraclough@apple.com@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
Fri, 2 Aug 2013 23:40:48 +0000 (23:40 +0000)
committerbarraclough@apple.com <barraclough@apple.com@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
Fri, 2 Aug 2013 23:40:48 +0000 (23:40 +0000)
https://bugs.webkit.org/show_bug.cgi?id=119460

Reviewed by Geoff Garen.

This constructor was unsafe if getValue is subsequently called,
and the property is a getter. Simplest to just remove it.

Source/WebCore:

* bindings/js/JSDOMWindowCustom.cpp:
(WebCore::JSDOMWindow::getOwnPropertyDescriptor):
(WebCore::DialogHandler::returnValue):
* bindings/js/JSHistoryCustom.cpp:
(WebCore::JSHistory::getOwnPropertyDescriptorDelegate):
* bindings/js/JSLocationCustom.cpp:
(WebCore::JSLocation::getOwnPropertyDescriptorDelegate):
* bindings/js/JSPluginElementFunctions.cpp:
(WebCore::runtimeObjectCustomGetOwnPropertyDescriptor):
* bindings/js/JSStorageCustom.cpp:
(WebCore::JSStorage::deleteProperty):
(WebCore::JSStorage::putDelegate):
* bindings/scripts/CodeGeneratorJS.pm:
(GenerateGetOwnPropertyDescriptorBody):
* bridge/runtime_array.cpp:
(JSC::RuntimeArray::getOwnPropertyDescriptor):
* bridge/runtime_method.cpp:
(JSC::RuntimeMethod::getOwnPropertyDescriptor):
* bridge/runtime_object.cpp:
(JSC::Bindings::RuntimeObject::getOwnPropertyDescriptor):

Source/WebKit2:

* WebProcess/Plugins/Netscape/JSNPObject.cpp:
(WebKit::JSNPObject::getOwnPropertyDescriptor):

git-svn-id: https://svn.webkit.org/repository/webkit/trunk@153677 268f45cc-cd09-0410-ab3c-d52691b4dbfc

12 files changed:
Source/WebCore/ChangeLog
Source/WebCore/bindings/js/JSDOMWindowCustom.cpp
Source/WebCore/bindings/js/JSHistoryCustom.cpp
Source/WebCore/bindings/js/JSLocationCustom.cpp
Source/WebCore/bindings/js/JSPluginElementFunctions.cpp
Source/WebCore/bindings/js/JSStorageCustom.cpp
Source/WebCore/bindings/scripts/CodeGeneratorJS.pm
Source/WebCore/bridge/runtime_array.cpp
Source/WebCore/bridge/runtime_method.cpp
Source/WebCore/bridge/runtime_object.cpp
Source/WebKit2/ChangeLog
Source/WebKit2/WebProcess/Plugins/Netscape/JSNPObject.cpp

index fb99e54..703599d 100644 (file)
@@ -1,3 +1,34 @@
+2013-08-02  Gavin Barraclough  <barraclough@apple.com>
+
+        Remove no-arguments constructor to PropertySlot
+        https://bugs.webkit.org/show_bug.cgi?id=119460
+
+        Reviewed by Geoff Garen.
+
+        This constructor was unsafe if getValue is subsequently called,
+        and the property is a getter. Simplest to just remove it.
+
+        * bindings/js/JSDOMWindowCustom.cpp:
+        (WebCore::JSDOMWindow::getOwnPropertyDescriptor):
+        (WebCore::DialogHandler::returnValue):
+        * bindings/js/JSHistoryCustom.cpp:
+        (WebCore::JSHistory::getOwnPropertyDescriptorDelegate):
+        * bindings/js/JSLocationCustom.cpp:
+        (WebCore::JSLocation::getOwnPropertyDescriptorDelegate):
+        * bindings/js/JSPluginElementFunctions.cpp:
+        (WebCore::runtimeObjectCustomGetOwnPropertyDescriptor):
+        * bindings/js/JSStorageCustom.cpp:
+        (WebCore::JSStorage::deleteProperty):
+        (WebCore::JSStorage::putDelegate):
+        * bindings/scripts/CodeGeneratorJS.pm:
+        (GenerateGetOwnPropertyDescriptorBody):
+        * bridge/runtime_array.cpp:
+        (JSC::RuntimeArray::getOwnPropertyDescriptor):
+        * bridge/runtime_method.cpp:
+        (JSC::RuntimeMethod::getOwnPropertyDescriptor):
+        * bridge/runtime_object.cpp:
+        (JSC::Bindings::RuntimeObject::getOwnPropertyDescriptor):
+
 2013-08-02  Andreas Kling  <akling@apple.com>
 
         Removing a <link> element with an empty stylesheet shouldn't trigger style recalc.
index ac03fef..b712e11 100644 (file)
@@ -352,7 +352,7 @@ bool JSDOMWindow::getOwnPropertyDescriptor(JSObject* object, ExecState* exec, Pr
         }
         entry = JSDOMWindowPrototype::s_info.propHashTable(exec)->entry(exec, propertyName);
         if (entry && (entry->attributes() & JSC::Function) && entry->function() == jsDOMWindowPrototypeFunctionClose) {
-            PropertySlot slot;
+            PropertySlot slot(thisObject);
             slot.setCustom(thisObject, nonCachingStaticFunctionGetter<jsDOMWindowPrototypeFunctionClose, 0>);
             descriptor.setDescriptor(slot.getValue(exec, propertyName), ReadOnly | DontDelete | DontEnum);
             return true;
@@ -363,7 +363,7 @@ bool JSDOMWindow::getOwnPropertyDescriptor(JSObject* object, ExecState* exec, Pr
 
     entry = JSDOMWindow::s_info.propHashTable(exec)->entry(exec, propertyName);
     if (entry) {
-        PropertySlot slot;
+        PropertySlot slot(thisObject);
         slot.setCustom(thisObject, entry->propertyGetter());
         descriptor.setDescriptor(slot.getValue(exec, propertyName), entry->attributes());
         return true;
@@ -375,7 +375,7 @@ bool JSDOMWindow::getOwnPropertyDescriptor(JSObject* object, ExecState* exec, Pr
     // are in Moz but not IE. Since we have some of these, we have to do
     // it the Moz way.
     if (thisObject->impl()->frame()->tree()->scopedChild(propertyNameToAtomicString(propertyName))) {
-        PropertySlot slot;
+        PropertySlot slot(thisObject);
         slot.setCustom(thisObject, childFrameGetter);
         descriptor.setDescriptor(slot.getValue(exec, propertyName), ReadOnly | DontDelete | DontEnum);
         return true;
@@ -384,7 +384,7 @@ bool JSDOMWindow::getOwnPropertyDescriptor(JSObject* object, ExecState* exec, Pr
     unsigned i = propertyName.asIndex();
     if (i < thisObject->impl()->frame()->tree()->scopedChildCount()) {
         ASSERT(i != PropertyName::NotAnIndex);
-        PropertySlot slot;
+        PropertySlot slot(thisObject);
         slot.setCustomIndex(thisObject, i, indexGetter);
         descriptor.setDescriptor(slot.getValue(exec, propertyName), ReadOnly | DontDelete | DontEnum);
         return true;
@@ -395,7 +395,7 @@ bool JSDOMWindow::getOwnPropertyDescriptor(JSObject* object, ExecState* exec, Pr
     if (document->isHTMLDocument()) {
         AtomicStringImpl* atomicPropertyName = findAtomicString(propertyName);
         if (atomicPropertyName && toHTMLDocument(document)->windowNamedItemMap().contains(atomicPropertyName)) {
-            PropertySlot slot;
+            PropertySlot slot(thisObject);
             slot.setCustom(thisObject, namedItemGetter);
             descriptor.setDescriptor(slot.getValue(exec, propertyName), ReadOnly | DontDelete | DontEnum);
             return true;
@@ -584,7 +584,7 @@ inline JSValue DialogHandler::returnValue() const
     if (!globalObject)
         return jsUndefined();
     Identifier identifier(m_exec, "returnValue");
-    PropertySlot slot;
+    PropertySlot slot(globalObject);
     if (!JSGlobalObject::getOwnPropertySlot(globalObject, m_exec, identifier, slot))
         return jsUndefined();
     return slot.getValue(m_exec, identifier);
index 4b6df9f..5ceab7b 100644 (file)
@@ -107,7 +107,7 @@ bool JSHistory::getOwnPropertyDescriptorDelegate(ExecState* exec, PropertyName p
     // Check for the few functions that we allow, even when called cross-domain.
     const HashEntry* entry = JSHistoryPrototype::s_info.propHashTable(exec)->entry(exec, propertyName);
     if (entry) {
-        PropertySlot slot;
+        PropertySlot slot(this);
         // Allow access to back(), forward() and go() from any frame.
         if (entry->attributes() & JSC::Function) {
             if (entry->function() == jsHistoryPrototypeFunctionBack) {
@@ -127,7 +127,7 @@ bool JSHistory::getOwnPropertyDescriptorDelegate(ExecState* exec, PropertyName p
     } else {
         // Allow access to toString() cross-domain, but always Object.toString.
         if (propertyName == exec->propertyNames().toString) {
-            PropertySlot slot;
+            PropertySlot slot(this);
             slot.setCustom(this, objectToStringFunctionGetter);
             descriptor.setDescriptor(slot.getValue(exec, propertyName), entry->attributes());
             return true;
index eabbb15..2f35800 100644 (file)
@@ -100,7 +100,7 @@ bool JSLocation::getOwnPropertyDescriptorDelegate(ExecState* exec, PropertyName
     
     // Check for the few functions that we allow, even when called cross-domain.
     const HashEntry* entry = JSLocationPrototype::s_info.propHashTable(exec)->entry(exec, propertyName);
-    PropertySlot slot;
+    PropertySlot slot(this);
     if (entry && (entry->attributes() & JSC::Function)) {
         if (entry->function() == jsLocationPrototypeFunctionReplace) {
             slot.setCustom(this, nonCachingStaticReplaceFunctionGetter);
index 69d3309..00b19b8 100644 (file)
@@ -129,7 +129,7 @@ bool runtimeObjectCustomGetOwnPropertyDescriptor(ExecState* exec, PropertyName p
         return false;
     if (!scriptObject->hasProperty(exec, propertyName))
         return false;
-    PropertySlot slot;
+    PropertySlot slot(element);
     slot.setCustom(element, runtimeObjectPropertyGetter);
     // While we don't know what the plugin allows, we do know that we prevent
     // enumeration or deletion of properties, so we mark plugin properties
index d8509c8..19a39c8 100644 (file)
@@ -62,7 +62,7 @@ bool JSStorage::deleteProperty(JSCell* cell, ExecState* exec, PropertyName prope
     // Only perform the custom delete if the object doesn't have a native property by this name.
     // Since hasProperty() would end up calling canGetItemsForName() and be fooled, we need to check
     // the native property slots manually.
-    PropertySlot slot;
+    PropertySlot slot(thisObject);
     if (getStaticValueSlot<JSStorage, Base>(exec, s_info.propHashTable(exec), thisObject, propertyName, slot))
         return false;
         
@@ -104,7 +104,7 @@ bool JSStorage::putDelegate(ExecState* exec, PropertyName propertyName, JSValue
     // Only perform the custom put if the object doesn't have a native property by this name.
     // Since hasProperty() would end up calling canGetItemsForName() and be fooled, we need to check
     // the native property slots manually.
-    PropertySlot slot;
+    PropertySlot slot(this);
     if (getStaticValueSlot<JSStorage, Base>(exec, s_info.propHashTable(exec), this, propertyName, slot))
         return false;
         
index 2f3218c..0f28f6e 100644 (file)
@@ -384,7 +384,7 @@ sub GenerateGetOwnPropertySlotBody
             push(@getOwnPropertySlotImpl, "    if (index != PropertyName::NotAnIndex && index < static_cast<$interfaceName*>(thisObject->impl())->length()) {\n");
         }
         if ($hasNumericIndexedGetter) {
-            push(@getOwnPropertySlotImpl, "        slot.setValue(thisObject->getByIndex(exec, index));\n");
+            push(@getOwnPropertySlotImpl, "        slot.setValue(thisObject, thisObject->getByIndex(exec, index));\n");
         } else {
             push(@getOwnPropertySlotImpl, "        slot.setCustomIndex(thisObject, index, indexGetter);\n");
         }
@@ -459,7 +459,7 @@ sub GenerateGetOwnPropertyDescriptorBody
         if ($requiresManualLookup) {
             push(@getOwnPropertyDescriptorImpl, "    const ${namespaceMaybe}HashEntry* entry = ${className}Table.entry(exec, propertyName);\n");
             push(@getOwnPropertyDescriptorImpl, "    if (entry) {\n");
-            push(@getOwnPropertyDescriptorImpl, "        PropertySlot slot;\n");
+            push(@getOwnPropertyDescriptorImpl, "        PropertySlot slot(thisObject);\n");
             push(@getOwnPropertyDescriptorImpl, "        slot.setCustom(thisObject, entry->propertyGetter());\n");
             push(@getOwnPropertyDescriptorImpl, "        descriptor.setDescriptor(slot.getValue(exec, propertyName), entry->attributes());\n");
             push(@getOwnPropertyDescriptorImpl, "        return true;\n");
@@ -482,7 +482,7 @@ sub GenerateGetOwnPropertyDescriptorBody
                 push(@getOwnPropertyDescriptorImpl, "        descriptor.setDescriptor(thisObject->getByIndex(exec, index), ${namespaceMaybe}DontDelete | ${namespaceMaybe}ReadOnly);\n");
             }
         } else {
-            push(@getOwnPropertyDescriptorImpl, "        ${namespaceMaybe}PropertySlot slot;\n");
+            push(@getOwnPropertyDescriptorImpl, "        ${namespaceMaybe}PropertySlot slot(thisObject);\n");
             push(@getOwnPropertyDescriptorImpl, "        slot.setCustomIndex(thisObject, index, indexGetter);\n");
             # Assume that if there's a setter, the index will be writable
             if ($interface->extendedAttributes->{"CustomIndexedSetter"}) {
@@ -497,7 +497,7 @@ sub GenerateGetOwnPropertyDescriptorBody
 
     if ($namedGetterFunction || $interface->extendedAttributes->{"CustomNamedGetter"}) {
         push(@getOwnPropertyDescriptorImpl, "    if (canGetItemsForName(exec, static_cast<$interfaceName*>(thisObject->impl()), propertyName)) {\n");
-        push(@getOwnPropertyDescriptorImpl, "        ${namespaceMaybe}PropertySlot slot;\n");
+        push(@getOwnPropertyDescriptorImpl, "        ${namespaceMaybe}PropertySlot slot(thisObject);\n");
         push(@getOwnPropertyDescriptorImpl, "        slot.setCustom(thisObject, nameGetter);\n");
         push(@getOwnPropertyDescriptorImpl, "        descriptor.setDescriptor(slot.getValue(exec, propertyName), ReadOnly | DontDelete | DontEnum);\n");
         push(@getOwnPropertyDescriptorImpl, "        return true;\n");
@@ -1960,7 +1960,7 @@ sub GenerateImplementation
                     push(@implContent, "    if (index < static_cast<$interfaceName*>(thisObject->impl())->length()) {\n");
                 }
                 if ($hasNumericIndexedGetter) {
-                    push(@implContent, "        slot.setValue(thisObject->getByIndex(exec, index));\n");
+                    push(@implContent, "        slot.setValue(thisObject, thisObject->getByIndex(exec, index));\n");
                 } else {
                     push(@implContent, "        slot.setCustomIndex(thisObject, index, thisObject->indexGetter);\n");
                 }
index d0ff3f4..0194ab3 100644 (file)
@@ -107,7 +107,7 @@ bool RuntimeArray::getOwnPropertyDescriptor(JSObject* object, ExecState* exec, P
 {
     RuntimeArray* thisObject = jsCast<RuntimeArray*>(object);
     if (propertyName == exec->propertyNames().length) {
-        PropertySlot slot;
+        PropertySlot slot(thisObject);
         slot.setCustom(thisObject, lengthGetter);
         descriptor.setDescriptor(slot.getValue(exec, propertyName), ReadOnly | DontDelete | DontEnum);
         return true;
@@ -116,7 +116,7 @@ bool RuntimeArray::getOwnPropertyDescriptor(JSObject* object, ExecState* exec, P
     unsigned index = propertyName.asIndex();
     if (index < thisObject->getLength()) {
         ASSERT(index != PropertyName::NotAnIndex);
-        PropertySlot slot;
+        PropertySlot slot(thisObject);
         slot.setCustomIndex(thisObject, index, indexGetter);
         descriptor.setDescriptor(slot.getValue(exec, propertyName), DontDelete | DontEnum);
         return true;
index da84f83..11ce6ac 100644 (file)
@@ -76,7 +76,7 @@ bool RuntimeMethod::getOwnPropertyDescriptor(JSObject* object, ExecState* exec,
 {
     RuntimeMethod* thisObject = jsCast<RuntimeMethod*>(object);
     if (propertyName == exec->propertyNames().length) {
-        PropertySlot slot;
+        PropertySlot slot(thisObject);
         slot.setCustom(thisObject, lengthGetter);
         descriptor.setDescriptor(slot.getValue(exec, propertyName), ReadOnly | DontDelete | DontEnum);
         return true;
index 855a302..c05fc56 100644 (file)
@@ -178,7 +178,7 @@ bool RuntimeObject::getOwnPropertyDescriptor(JSObject* object, ExecState *exec,
         // See if the instance has a field with the specified name.
         Field *aField = aClass->fieldNamed(propertyName, instance.get());
         if (aField) {
-            PropertySlot slot;
+            PropertySlot slot(thisObject);
             slot.setCustom(thisObject, fieldGetter);
             instance->end();
             descriptor.setDescriptor(slot.getValue(exec, propertyName), DontDelete);
@@ -187,7 +187,7 @@ bool RuntimeObject::getOwnPropertyDescriptor(JSObject* object, ExecState *exec,
             // Now check if a method with specified name exists, if so return a function object for
             // that method.
             if (aClass->methodNamed(propertyName, instance.get())) {
-                PropertySlot slot;
+                PropertySlot slot(thisObject);
                 slot.setCustom(thisObject, methodGetter);
                 instance->end();
                 descriptor.setDescriptor(slot.getValue(exec, propertyName), DontDelete | ReadOnly);
@@ -197,7 +197,7 @@ bool RuntimeObject::getOwnPropertyDescriptor(JSObject* object, ExecState *exec,
         
         // Try a fallback object.
         if (!aClass->fallbackObject(exec, instance.get(), propertyName).isUndefined()) {
-            PropertySlot slot;
+            PropertySlot slot(thisObject);
             slot.setCustom(thisObject, fallbackObjectGetter);
             instance->end();
             descriptor.setDescriptor(slot.getValue(exec, propertyName), DontDelete | ReadOnly | DontEnum);
index 455c132..dc21e86 100644 (file)
@@ -1,3 +1,16 @@
+2013-08-02  Gavin Barraclough  <barraclough@apple.com>
+
+        Remove no-arguments constructor to PropertySlot
+        https://bugs.webkit.org/show_bug.cgi?id=119460
+
+        Reviewed by Geoff Garen.
+
+        This constructor was unsafe if getValue is subsequently called,
+        and the property is a getter. Simplest to just remove it.
+
+        * WebProcess/Plugins/Netscape/JSNPObject.cpp:
+        (WebKit::JSNPObject::getOwnPropertyDescriptor):
+
 2013-08-02  Ruth Fong  <ruth_fong@apple.com>
 
         [Forms: color] WebColorPickerMac deconstructor shouldn't assert a variable
index bf26c4b..235e870 100644 (file)
@@ -307,7 +307,7 @@ bool JSNPObject::getOwnPropertyDescriptor(JSObject* object, ExecState* exec, Pro
 
     // First, check if the NPObject has a property with this name.
     if (thisObject->m_npObject->_class->hasProperty && thisObject->m_npObject->_class->hasProperty(thisObject->m_npObject, npIdentifier)) {
-        PropertySlot slot;
+        PropertySlot slot(thisObject);
         slot.setCustom(thisObject, propertyGetter);
         descriptor.setDescriptor(slot.getValue(exec, propertyName), DontDelete);
         return true;
@@ -315,7 +315,7 @@ bool JSNPObject::getOwnPropertyDescriptor(JSObject* object, ExecState* exec, Pro
 
     // Second, check if the NPObject has a method with this name.
     if (thisObject->m_npObject->_class->hasMethod && thisObject->m_npObject->_class->hasMethod(thisObject->m_npObject, npIdentifier)) {
-        PropertySlot slot;
+        PropertySlot slot(thisObject);
         slot.setCustom(thisObject, methodGetter);
         descriptor.setDescriptor(slot.getValue(exec, propertyName), DontDelete | ReadOnly);
         return true;