Google Git
Sign in
webkit / WebKit / e17d3f7b50f036258ce13dc778c72e4dadd304bb^! / .
commite17d3f7b50f036258ce13dc778c72e4dadd304bb[log] [tgz]
authorshvaikalesh@gmail.com <shvaikalesh@gmail.com@268f45cc-cd09-0410-ab3c-d52691b4dbfc>Fri Jan 17 20:21:57 2020 +0000
committershvaikalesh@gmail.com <shvaikalesh@gmail.com@268f45cc-cd09-0410-ab3c-d52691b4dbfc>Fri Jan 17 20:21:57 2020 +0000
tree32651167fe85ac4b1b4379f92ca4011246e39b43
parentde4e07d107e6e98dd0d9fb8fbd46cb1fc52f5082 [diff]
JSON.parse should lookup prototype chains during revival
https://bugs.webkit.org/show_bug.cgi?id=205769

Reviewed by Saam Barati.

JSTests:

* test262/expectations.yaml: Mark 4 test cases as passing.

Source/JavaScriptCore:

This patch makes JSON.parse use [[Get]] instead of [[GetOwnProperty]] during revival,
aligning JSC with the spec (step 1 of https://tc39.es/ecma262/#sec-internalizejsonproperty),
SpiderMonkey, and V8.

User-provided `reviver` can delete properties that are not yet inspected by itself,
making usage [[GetOwnProperty]] non-compliant to the spec.

* runtime/JSONObject.cpp:
(JSC::Walker::walk):


git-svn-id: http://svn.webkit.org/repository/webkit/trunk@254757 268f45cc-cd09-0410-ab3c-d52691b4dbfc

diff --git a/JSTests/ChangeLog b/JSTests/ChangeLog
index 8080fb7..22b7115 100644
--- a/JSTests/ChangeLog
+++ b/JSTests/ChangeLog

@@ -1,3 +1,12 @@
+2020-01-17  Alexey Shvayka  <shvaikalesh@gmail.com>
+
+        JSON.parse should lookup prototype chains during revival
+        https://bugs.webkit.org/show_bug.cgi?id=205769
+
+        Reviewed by Saam Barati.
+
+        * test262/expectations.yaml: Mark 4 test cases as passing.
+
 2020-01-16  Robin Morisset  <rmorisset@apple.com>
 
         [ESNext] Enables a way to throw an error on ByteCodeGenerator step

diff --git a/JSTests/test262/expectations.yaml b/JSTests/test262/expectations.yaml
index 3c1fc65..3587e1e 100644
--- a/JSTests/test262/expectations.yaml
+++ b/JSTests/test262/expectations.yaml

@@ -1119,15 +1119,9 @@
 test/built-ins/GeneratorFunction/proto-from-ctor-realm.js:
   default: 'Test262Error: Expected SameValue(«[object GeneratorFunction]», «[object GeneratorFunction]») to be true'
   strict mode: 'Test262Error: Expected SameValue(«[object GeneratorFunction]», «[object GeneratorFunction]») to be true'
-test/built-ins/JSON/parse/reviver-array-get-prop-from-prototype.js:
-  default: 'Test262Error: Expected true but got false'
-  strict mode: 'Test262Error: Expected true but got false'
 test/built-ins/JSON/parse/reviver-array-non-configurable-prop-create.js:
   default: 'Test262Error: Expected SameValue(«22», «2») to be true'
   strict mode: 'Test262Error: Expected SameValue(«22», «2») to be true'
-test/built-ins/JSON/parse/reviver-object-get-prop-from-prototype.js:
-  default: 'Test262Error: Expected true but got false'
-  strict mode: 'Test262Error: Expected true but got false'
 test/built-ins/JSON/parse/reviver-object-non-configurable-prop-create.js:
   default: 'Test262Error: Expected SameValue(«22», «2») to be true'
   strict mode: 'Test262Error: Expected SameValue(«22», «2») to be true'

diff --git a/Source/JavaScriptCore/ChangeLog b/Source/JavaScriptCore/ChangeLog
index 3620c19b..c7548b4 100644
--- a/Source/JavaScriptCore/ChangeLog
+++ b/Source/JavaScriptCore/ChangeLog

@@ -1,3 +1,20 @@
+2020-01-17  Alexey Shvayka  <shvaikalesh@gmail.com>
+
+        JSON.parse should lookup prototype chains during revival
+        https://bugs.webkit.org/show_bug.cgi?id=205769
+
+        Reviewed by Saam Barati.
+
+        This patch makes JSON.parse use [[Get]] instead of [[GetOwnProperty]] during revival,
+        aligning JSC with the spec (step 1 of https://tc39.es/ecma262/#sec-internalizejsonproperty),
+        SpiderMonkey, and V8.
+
+        User-provided `reviver` can delete properties that are not yet inspected by itself,
+        making usage [[GetOwnProperty]] non-compliant to the spec.
+
+        * runtime/JSONObject.cpp:
+        (JSC::Walker::walk):
+
 2020-01-17  Caio Lima  <ticaiolima@gmail.com>
 
         Bytecode checkpoints break 32bit tests

diff --git a/Source/JavaScriptCore/runtime/JSONObject.cpp b/Source/JavaScriptCore/runtime/JSONObject.cpp
index 2a96d78..d0d1721 100644
--- a/Source/JavaScriptCore/runtime/JSONObject.cpp
+++ b/Source/JavaScriptCore/runtime/JSONObject.cpp

@@ -692,14 +692,10 @@
                 if (isJSArray(array) && array->canGetIndexQuickly(index))
                     inValue = array->getIndexQuickly(index);
                 else {
-                    PropertySlot slot(array, PropertySlot::InternalMethodType::Get);
-                    if (array->methodTable(vm)->getOwnPropertySlotByIndex(array, m_globalObject, index, slot))
-                        inValue = slot.getValue(m_globalObject, index);
-                    else
-                        inValue = jsUndefined();
+                    inValue = array->get(m_globalObject, index);
                     RETURN_IF_EXCEPTION(scope, { });
                 }
-                    
+
                 if (inValue.isObject()) {
                     stateStack.append(ArrayEndVisitMember);
                     goto stateUnknown;
@@ -746,12 +742,7 @@
                     propertyStack.removeLast();
                     break;
                 }
-                PropertySlot slot(object, PropertySlot::InternalMethodType::Get);
-                if (object->methodTable(vm)->getOwnPropertySlot(object, m_globalObject, properties[index], slot))
-                    inValue = slot.getValue(m_globalObject, properties[index]);
-                else
-                    inValue = jsUndefined();
-
+                inValue = object->get(m_globalObject, properties[index]);
                 // The holder may be modified by the reviver function so any lookup may throw
                 RETURN_IF_EXCEPTION(scope, { });