Issue 1955042: Add the Cajita taming API to ES5/3.

Issue 1955042: Add the Cajita taming API to ES5/3. (Closed)

Can't Edit
Can't Publish+Mail
Start Review

Created:
13 years, 8 months ago by metaweta

Modified:
13 years, 8 months ago

Reviewers:
MarkM

CC:
google-caja-discuss_googlegroups.com

Base URL:
http://google-caja.googlecode.com/svn/trunk/

Visibility:
Public.

Description

Removes the unneeded caching of primordials. Fixes lots of taming/caching bugs: - Adds in the cajita taming API as used by domita. - Fixes wrapping of recursive functions. - Tames the call property of function instances. - Whitelists the prototype property of function instances. - Tames RegExp instances. - Begin using get/set for methods that domita depends on - Makes "this" at the global scope refer to IMPORTS___ Makes globals properties of IMPORTS___. Fixes renderer so it puts parens around the constructor: new IMPORTS___.v___('RegExp').new___() treats IMPORTS___.v___ as the constructor, which isn't what we want. Fixes the rendering of new expr when expr contains operations with higher precedence than new.

Patch Set 1 #

Patch Set 2 : Add the Cajita taming API to ES5/3. #

Patch Set 3 : Add the Cajita taming API to ES5/3. #

Patch Set 4 : Add the Cajita taming API to ES5/3. #

Patch Set 5 : Add the Cajita taming API to ES5/3. #

Patch Set 6 : Add the Cajita taming API to ES5/3. #

Patch Set 7 : Add the Cajita taming API to ES5/3. #

Patch Set 8 : Add the Cajita taming API to ES5/3. #

Total comments: 31

Patch Set 9 : Add the Cajita taming API to ES5/3. #

Total comments: 44

Patch Set 10 : Add the Cajita taming API to ES5/3. #

Total comments: 3

Patch Set 11 : Add the Cajita taming API to ES5/3. #

Total comments: 6

Patch Set 12 : Add the Cajita taming API to ES5/3. #

Created: 13 years, 8 months ago

Download [raw] [tar.bz2]

	Unified diffs	Side-by-side diffs	Delta from patch set	Stats (+919 lines, -727 lines)			Patch
M	src/com/google/caja/es53.js	View	1 2 3 4 5 6 7 8 9 10 11	133 chunks	+759 lines, -533 lines	0 comments	Download
M	src/com/google/caja/parser/quasiliteral/ES53Rewriter.java	View	2 3 4 5 6 7 8 9 10 11	18 chunks	+159 lines, -193 lines	0 comments	Download
M	src/com/google/caja/parser/quasiliteral/RewriterMessageType.java	View	2 3 4 5 6 7 8 9 10 11	1 chunk	+1 line, -1 line	0 comments	Download

Messages

Total messages: 10

Expand All Messages | Collapse All Messages

MarkM

Posting what I've got so far. I'm going sequentially and have not yet dived into ...

13 years, 8 months ago (2010-08-14 01:39:18 UTC) #2

Posting what I've got so far. I'm going sequentially and have not yet dived into
the new RegExp taming code.

http://codereview.appspot.com/1955042/diff/13005/6006
File src/com/google/caja/es53.js (left):

http://codereview.appspot.com/1955042/diff/13005/6006#oldcode1743
src/com/google/caja/es53.js:1743: function readImport(module_imports, name,
opt_permitsUsed) {
Don't we still need the static path optimization?

http://codereview.appspot.com/1955042/diff/13005/6006#oldcode2892
src/com/google/caja/es53.js:2892: * end in __ and freezes it.  For internal use
only.
Is this no longer for internal use only? Or is this simply an inappropriate
place to comment on that?

http://codereview.appspot.com/1955042/diff/13005/6006
File src/com/google/caja/es53.js (right):

http://codereview.appspot.com/1955042/diff/13005/6006#newcode870
src/com/google/caja/es53.js:870: // Convert to object form so we can look up the
non-extensibility.
Ok, now that I know what this is about, I see that it's correct but
unnecessarily complex. How about

  function isExtensible(obj) {
    return Type(obj) === 'Object' && obj.ne___ === obj;
  }

?

http://codereview.appspot.com/1955042/diff/13005/6006#newcode1141
src/com/google/caja/es53.js:1141: * Enforces {@code typeof(specimen) ===
typename}, in which case
The primitive typeof doesn't need to parenthesize its argument.

http://codereview.appspot.com/1955042/diff/13005/6006#newcode1670
src/com/google/caja/es53.js:1670: // Looping again over the same untrusted
stamps alleged-array is safe
(I suspect the following may be my oversight from a previous CL. But in any
case, now's a good time to fix this)

The comment here dates from before we were using Array.slice___ to copy the
stamps alleged array into a genuine array. Now that we are, this is safe and the
comment can be removed.

We should ensure that an attacker-installed access on a numerically-named or
'length' property on Array.prototype can't interfere. For full ES5/3, it's
plausible to me that we might want to initialize Array.prototype.length to a
non-writable, non-configurable 0, even if we don't freeze all of
Array.prototype.

http://codereview.appspot.com/1955042/diff/13005/6006#newcode1740
src/com/google/caja/es53.js:1740: switch (typeof(ex)) {
The primitive typeof doesn't need to parenthesize its argument.

http://codereview.appspot.com/1955042/diff/13005/6006#newcode2553
src/com/google/caja/es53.js:2553: Array.prototype.shift___.call___(result);
Wow, good catch! I think I missed this bug on an earlier CL. And it's a bad one:
mutating the argument, which is usually a genuine ES3 arguments object -- a
dangerous thing to mutate!

http://codereview.appspot.com/1955042/diff/13005/6006#newcode2580
src/com/google/caja/es53.js:2580: * Returns a function object with {@code call,
bind}, and {@code apply}
The comment diagrees with the code -- wrap does not create a
per-function-instance bind method. I suspect it should not and the comment is
simply stale.

http://codereview.appspot.com/1955042/diff/13005/6006#newcode2986
src/com/google/caja/es53.js:2986: // TODO: report the CLASS___ property
I'd guess this TODO is rather urgent.

http://codereview.appspot.com/1955042/diff/13005/6006#newcode2997
src/com/google/caja/es53.js:2997: this.toString = markFunc(function (var_args) {
Don't you need to first check that this is not frozen?

http://codereview.appspot.com/1955042/diff/13005/6006#newcode3017
src/com/google/caja/es53.js:3017: this.valueOf = markFunc(function (var_args) {
Don't you need to first check that this is not frozen?

http://codereview.appspot.com/1955042/diff/13005/6006#newcode3033
src/com/google/caja/es53.js:3033: set: markFunc(function (V) { return hop =
asFirstClass(V); }),
This has two problems:

* I thought we wanted to special case Object.prototype to be
non-monkey-patchable, even in full ES5/3.

* But we still need a setter, since this access property will be inherited by
objects that don't override 'hasOwnProperty'. If (this !== Object.prototype) and
!isFrozen(this), then we want to simulate a simple assignment to
this.hasOwnProperty.

The 2nd point above requires sufficient complexity that I'm not leaning to the
hasOwnProperty___ approach rather than the access property approach for guest
override whenever possible.

http://codereview.appspot.com/1955042/diff/13005/6006#newcode3041
src/com/google/caja/es53.js:3041: throw new Error('isPrototypeOf is not
supported.');
I understand why Object.getPrototypeOf is hard. But AFAICT, the built-in
isPrototypeOf should work as is. The guest and host views of the prototype chain
should be identical.

http://codereview.appspot.com/1955042/diff/13005/6006#newcode3069
src/com/google/caja/es53.js:3069: // NOT extensible under ES5/3
Aha! Thought so.

http://codereview.appspot.com/1955042/diff/13005/6006#newcode3507
src/com/google/caja/es53.js:3507: set: markFunc(function (V) { return replace =
asFirstClass(V); }),
Although practically less urgent, this fails for the same reason the naive
setter on hasOwnProperty fails. Although it's perverse, anyone can make an
object, O, that inherits from String.prototype. If someone then assigns to
O.replace, that will invoke this inherited setter which will do the wrong thing.

Also, again you forgot to check whether String.prototype was frozen before
allowing the mutate.

I'm becoming yet more enthusiastic about the replace___ approach. Sorry. I do
remember that it had its own set of complexities.

MarkM

Comments only on your latest delta. http://codereview.appspot.com/1955042/diff/13005/6006 File src/com/google/caja/es53.js (right): http://codereview.appspot.com/1955042/diff/13005/6006#newcode3745 src/com/google/caja/es53.js:3745: Date.prototype.DefineOwnProperty___('now', { Why ...

13 years, 8 months ago (2010-08-14 02:45:15 UTC) #3

MarkM

Still not done with new/old taming methods. In the meantime... http://codereview.appspot.com/1955042/diff/14001/15001 File src/com/google/caja/es53.js (right): http://codereview.appspot.com/1955042/diff/14001/15001#newcode3785 ...

13 years, 8 months ago (2010-08-14 03:23:29 UTC) #4

MarkM

http://codereview.appspot.com/1955042/diff/14001/15001 File src/com/google/caja/es53.js (right): http://codereview.appspot.com/1955042/diff/14001/15001#newcode4158 src/com/google/caja/es53.js:4158: * In order for this fault handler to get ...

13 years, 8 months ago (2010-08-15 00:28:07 UTC) #5

http://codereview.appspot.com/1955042/diff/14001/15001
File src/com/google/caja/es53.js (right):

http://codereview.appspot.com/1955042/diff/14001/15001#newcode4158
src/com/google/caja/es53.js:4158: * In order for this fault handler to get
control, it's important
This now objectively replaces the method as it should, so the comment is very
stale.

http://codereview.appspot.com/1955042/diff/14001/15001#newcode4161
src/com/google/caja/es53.js:4161: * FIXME(ben): also fastpath?
Comment also stale.

http://codereview.appspot.com/1955042/diff/14001/15001#newcode4174
src/com/google/caja/es53.js:4174: return original.apply(this,
Array.slice___(arguments, 0));
Should this be apply___ ?

http://codereview.appspot.com/1955042/diff/14001/15001#newcode4185
src/com/google/caja/es53.js:4185: if ('___' in obj) { return USELESS; }
I no longer remember: Is this the right way to treat the global object, or did
we intend to throw an Error on this case?

http://codereview.appspot.com/1955042/diff/14001/15001#newcode4213
src/com/google/caja/es53.js:4213: var feralResult = original.apply(feralThis,
feralArgs);
I'm not sure if this one should be "apply" or "apply___". Thoughts?

http://codereview.appspot.com/1955042/diff/14001/15001#newcode4269
src/com/google/caja/es53.js:4269: configurable: true,
I suspect this should be "configurable: false" so you don't accidentally step on
the host's obj[name].

http://codereview.appspot.com/1955042/diff/14001/15001#newcode4285
src/com/google/caja/es53.js:4285: configurable: true,
Ah, right, I see the issue. If we make useGetHandler & useSetHandler both use
"configurable: false", then we can't install these one at a time. Nevertheless,
I think "configurable: false" is right, and we should refactor the taming code
accordingly. But this can wait for the next round -- if you postpone it, please
leave an issue or TODO.

http://codereview.appspot.com/1955042/diff/14001/15001#newcode4397
src/com/google/caja/es53.js:4397: isES53: true,
We should avoid baking the version name into the property name. It would be
better to have some reusable property name such as "version:" or something, and
then put the specific version in the value.

http://codereview.appspot.com/1955042/diff/14001/15002
File src/com/google/caja/parser/quasiliteral/ES53Rewriter.java (right):

http://codereview.appspot.com/1955042/diff/14001/15002#newcode1000
src/com/google/caja/parser/quasiliteral/ES53Rewriter.java:1000:
substitutes="IMPORTS___.w___('@v', void 0)")
This is only a good translation when IMPORTS___[@v] doesn't already exist. When
it does, a non-initializing declaration should have no effect. In particular, it
should not wipe out its previous value.

http://codereview.appspot.com/1955042/diff/14001/15002#newcode1654
src/com/google/caja/parser/quasiliteral/ES53Rewriter.java:1654:
substitutes="@fnameRef = ___.wrap(function @fname(dis___, @ps*) {\n"
This seems wrong. It brings @fname into scope within the body of the expanded
function with @fname bound to the expanded function. Only the wrapped function
is a faithful emulation of the original, so @fname should be bound to it
instead.

http://codereview.appspot.com/1955042/diff/14001/15002#newcode1699
src/com/google/caja/parser/quasiliteral/ES53Rewriter.java:1699:
substitutes="IMPORTS___.w___(@rf, ___.wrap(function @fname(dis___, @ps*) {\n"
Are you treating this as global? From the rest of this rule, it does not seem to
be about global function declarations.

http://codereview.appspot.com/1955042/diff/14001/15002#newcode1719
src/com/google/caja/parser/quasiliteral/ES53Rewriter.java:1719:
"IMPORTS___.w___(@rf, ___.wrap(function @fname(dis___, @ps*) {\n"
That global confusion again.

metaweta

http://codereview.appspot.com/1955042/diff/13005/6006 File src/com/google/caja/es53.js (left): http://codereview.appspot.com/1955042/diff/13005/6006#oldcode1743 src/com/google/caja/es53.js:1743: function readImport(module_imports, name, opt_permitsUsed) { On 2010/08/14 01:39:18, MarkM ...

13 years, 8 months ago (2010-08-16 23:15:27 UTC) #6

http://codereview.appspot.com/1955042/diff/13005/6006
File src/com/google/caja/es53.js (left):

http://codereview.appspot.com/1955042/diff/13005/6006#oldcode1743
src/com/google/caja/es53.js:1743: function readImport(module_imports, name,
opt_permitsUsed) {
On 2010/08/14 01:39:18, MarkM wrote:
> Don't we still need the static path optimization?

Let's talk about this one; readImports may come back, since I need some way to
trigger a ReferenceError when attempting to read an undefined global.

http://codereview.appspot.com/1955042/diff/13005/6006#oldcode2892
src/com/google/caja/es53.js:2892: * end in __ and freezes it.  For internal use
only.
On 2010/08/14 01:39:18, MarkM wrote:
> Is this no longer for internal use only? Or is this simply an inappropriate
> place to comment on that?

It's no longer for internal use only; I needed to expose it so that the hostpage
could use it.

http://codereview.appspot.com/1955042/diff/13005/6006
File src/com/google/caja/es53.js (right):

http://codereview.appspot.com/1955042/diff/13005/6006#newcode870
src/com/google/caja/es53.js:870: // Convert to object form so we can look up the
non-extensibility.
On 2010/08/14 01:39:18, MarkM wrote:
> Ok, now that I know what this is about, I see that it's correct but
> unnecessarily complex. How about
> 
>   function isExtensible(obj) {
>     return Type(obj) === 'Object' && obj.ne___ === obj;
>   }
> 
> ?

Done.

http://codereview.appspot.com/1955042/diff/13005/6006#newcode1141
src/com/google/caja/es53.js:1141: * Enforces {@code typeof(specimen) ===
typename}, in which case
On 2010/08/14 01:39:18, MarkM wrote:
> The primitive typeof doesn't need to parenthesize its argument.

Fixed here and in tameException.

http://codereview.appspot.com/1955042/diff/13005/6006#newcode1670
src/com/google/caja/es53.js:1670: // Looping again over the same untrusted
stamps alleged-array is safe
On 2010/08/14 01:39:18, MarkM wrote:
> (I suspect the following may be my oversight from a previous CL. But in any
> case, now's a good time to fix this)
> 
> The comment here dates from before we were using Array.slice___ to copy the
> stamps alleged array into a genuine array. Now that we are, this is safe and
the
> comment can be removed.
> 
> We should ensure that an attacker-installed access on a numerically-named or
> 'length' property on Array.prototype can't interfere. For full ES5/3, it's
> plausible to me that we might want to initialize Array.prototype.length to a
> non-writable, non-configurable 0, even if we don't freeze all of
> Array.prototype.
> 

Array instances have an own length property that masks the prorotype's length
property.  The array produced by slice___ is guaranteed to have own indices for
0 up to length-1 and to have a length property, so this loop can't be corrupted
by changing Array.prototype's properties, and the prototype itself is
nonconfigurable, so it can't be replaced.  The length will also be a positive
integer, so the ">>> 0" is also unnecessary.

http://codereview.appspot.com/1955042/diff/13005/6006#newcode1740
src/com/google/caja/es53.js:1740: switch (typeof(ex)) {
On 2010/08/14 01:39:18, MarkM wrote:
> The primitive typeof doesn't need to parenthesize its argument.

Done.

http://codereview.appspot.com/1955042/diff/13005/6006#newcode2553
src/com/google/caja/es53.js:2553: Array.prototype.shift___.call___(result);
On 2010/08/14 01:39:18, MarkM wrote:
> Wow, good catch! I think I missed this bug on an earlier CL. And it's a bad
one:
> mutating the argument, which is usually a genuine ES3 arguments object -- a
> dangerous thing to mutate!

Bugs are easier to catch while they're biting me!

http://codereview.appspot.com/1955042/diff/13005/6006#newcode2580
src/com/google/caja/es53.js:2580: * Returns a function object with {@code call,
bind}, and {@code apply}
On 2010/08/14 01:39:18, MarkM wrote:
> The comment diagrees with the code -- wrap does not create a
> per-function-instance bind method. I suspect it should not and the comment is
> simply stale.

Are we reading different comments?  I don't see any mention of
per-function-instance...

http://codereview.appspot.com/1955042/diff/13005/6006#newcode2997
src/com/google/caja/es53.js:2997: this.toString = markFunc(function (var_args) {
On 2010/08/14 01:39:18, MarkM wrote:
> Don't you need to first check that this is not frozen?

Not when using getters and setters.  I suppose we should choose to do so, but it
doesn't violate ES5 semantics.

http://codereview.appspot.com/1955042/diff/13005/6006#newcode3017
src/com/google/caja/es53.js:3017: this.valueOf = markFunc(function (var_args) {
On 2010/08/14 01:39:18, MarkM wrote:
> Don't you need to first check that this is not frozen?

Done.

http://codereview.appspot.com/1955042/diff/13005/6006#newcode3033
src/com/google/caja/es53.js:3033: set: markFunc(function (V) { return hop =
asFirstClass(V); }),
On 2010/08/14 01:39:18, MarkM wrote:
> This has two problems:
> 
> * I thought we wanted to special case Object.prototype to be
> non-monkey-patchable, even in full ES5/3.
> 
> * But we still need a setter, since this access property will be inherited by
> objects that don't override 'hasOwnProperty'. If (this !== Object.prototype)
and
> !isFrozen(this), then we want to simulate a simple assignment to
> this.hasOwnProperty.
> 
> The 2nd point above requires sufficient complexity that I'm not leaning to the
> hasOwnProperty___ approach rather than the access property approach for guest
> override whenever possible.

Now checks to see if the object is frozen before setting the property.

http://codereview.appspot.com/1955042/diff/13005/6006#newcode3041
src/com/google/caja/es53.js:3041: throw new Error('isPrototypeOf is not
supported.');
On 2010/08/14 01:39:18, MarkM wrote:
> I understand why Object.getPrototypeOf is hard. But AFAICT, the built-in
> isPrototypeOf should work as is. The guest and host views of the prototype
chain
> should be identical.

I didn't realize this was supported in ES3 browsers.  I've whitelisted it.

http://codereview.appspot.com/1955042/diff/13005/6006#newcode3069
src/com/google/caja/es53.js:3069: // NOT extensible under ES5/3
On 2010/08/14 01:39:18, MarkM wrote:
> Aha! Thought so.

Yep.

http://codereview.appspot.com/1955042/diff/13005/6006#newcode3507
src/com/google/caja/es53.js:3507: set: markFunc(function (V) { return replace =
asFirstClass(V); }),
On 2010/08/14 01:39:18, MarkM wrote:
> Although practically less urgent, this fails for the same reason the naive
> setter on hasOwnProperty fails. Although it's perverse, anyone can make an
> object, O, that inherits from String.prototype. If someone then assigns to
> O.replace, that will invoke this inherited setter which will do the wrong
thing.

Unless they use Object.defineProperties API to set it or declare it in an object
literal.  

> 
> Also, again you forgot to check whether String.prototype was frozen before
> allowing the mutate.

Again, it's not a violation of frozenness, just a design decision.

> I'm becoming yet more enthusiastic about the replace___ approach. Sorry. I do
> remember that it had its own set of complexities.

Let's talk about this: I'm realizing there are major problems with innocent code
unless we use get/set.

http://codereview.appspot.com/1955042/diff/13005/6006#newcode3745
src/com/google/caja/es53.js:3745: Date.prototype.DefineOwnProperty___('now', {
On 2010/08/14 02:45:15, MarkM wrote:
> Why did you pull this? It looked good to me.

Because there is no Date.prototype.now, only Date.now.

http://codereview.appspot.com/1955042/diff/14001/15001#newcode913
src/com/google/caja/es53.js:913: if (m) { result.push(m[1]); }
On 2010/08/14 02:45:15, MarkM wrote:
> This seems too restrictive. It will exclude everything but own data
properties.

Done.

http://codereview.appspot.com/1955042/diff/14001/15001#newcode927
src/com/google/caja/es53.js:927: if (m) { result.push(m[1]); }
On 2010/08/14 02:45:15, MarkM wrote:
> This seems too restrictive. It will exclude everything but own data
properties.

Done.

http://codereview.appspot.com/1955042/diff/14001/15001#newcode3785
src/com/google/caja/es53.js:3785: writable: true,
On 2010/08/14 03:23:29, MarkM wrote:
> Where is "pattern" defined?

Added 

var pattern = as[0], flags = as[1];

http://codereview.appspot.com/1955042/diff/14001/15001#newcode3786
src/com/google/caja/es53.js:3786: enumerable: false,
On 2010/08/14 03:23:29, MarkM wrote:
> Where is "flags" defined?

Done.

http://codereview.appspot.com/1955042/diff/14001/15001#newcode3821
src/com/google/caja/es53.js:3821: }
On 2010/08/14 03:23:29, MarkM wrote:
> Perhaps a bit too clever. Although it's more verbose, I suggest a separate
call
> to DefineOwnProperty___ to define 'lastIndex'.

Done.

http://codereview.appspot.com/1955042/diff/14001/15001#newcode3839
src/com/google/caja/es53.js:3839: 
On 2010/08/14 03:23:29, MarkM wrote:
> You cannot simply whitelist the built-in exec and test because of issue 528.
See
> the taming of these in cajita.js and
> http://code.google.com/p/es-lab/source/browse/trunk/src/ses/initSES.js#117

Done.

http://codereview.appspot.com/1955042/diff/14001/15001#newcode4048
src/com/google/caja/es53.js:4048: 
On 2010/08/14 02:45:15, MarkM wrote:
> I'm almost certain that "exception.stack" is not portable.

Oops, debugging cruft.  Removed.

http://codereview.appspot.com/1955042/diff/14001/15001#newcode4122
src/com/google/caja/es53.js:4122: return myNewModuleHandler.m___('handle',
[module]);
On 2010/08/14 03:23:29, MarkM wrote:
> Shouldn't this also do a grantRead(obj, name)?

Done.

http://codereview.appspot.com/1955042/diff/14001/15001#newcode4137
src/com/google/caja/es53.js:4137: value: obj[name],
On 2010/08/14 03:23:29, MarkM wrote:
> Please choose an actual example instead of peek.

Removed, as this API is used neither in domita nor in shindig.

http://codereview.appspot.com/1955042/diff/14001/15001#newcode4158
src/com/google/caja/es53.js:4158: 
On 2010/08/15 00:28:07, MarkM wrote:
> This now objectively replaces the method as it should, so the comment is very
> stale.

Done.

http://codereview.appspot.com/1955042/diff/14001/15001#newcode4161
src/com/google/caja/es53.js:4161: * {@code this} inherits from proto.
On 2010/08/15 00:28:07, MarkM wrote:
> Comment also stale.

Done.

http://codereview.appspot.com/1955042/diff/14001/15001#newcode4174
src/com/google/caja/es53.js:4174: var original = proto[name];
On 2010/08/15 00:28:07, MarkM wrote:
> Should this be apply___ ?

Done.

http://codereview.appspot.com/1955042/diff/14001/15001#newcode4185
src/com/google/caja/es53.js:4185: enumerable: false,
On 2010/08/15 00:28:07, MarkM wrote:
> I no longer remember: Is this the right way to treat the global object, or did
> we intend to throw an Error on this case?

I've replaced this with safeDis, which throws an error.

http://codereview.appspot.com/1955042/diff/14001/15001#newcode4213
src/com/google/caja/es53.js:4213: function grantInnocentMethod(proto, name) {
On 2010/08/15 00:28:07, MarkM wrote:
> I'm not sure if this one should be "apply" or "apply___". Thoughts?

The original is always a feral function, so I think we should use apply___.

And slice should definitely be slice___.

http://codereview.appspot.com/1955042/diff/14001/15001#newcode4285
src/com/google/caja/es53.js:4285: obj.DefineOwnProperty___(name, desc);
On 2010/08/15 00:28:07, MarkM wrote:
> Ah, right, I see the issue. If we make useGetHandler & useSetHandler both use
> "configurable: false", then we can't install these one at a time.
Nevertheless,
> I think "configurable: false" is right, and we should refactor the taming code
> accordingly. But this can wait for the next round -- if you postpone it,
please
> leave an issue or TODO.

Done.

http://codereview.appspot.com/1955042/diff/14001/15001#newcode4299
src/com/google/caja/es53.js:4299: desc.set = setHandler;
On 2010/08/14 03:23:29, MarkM wrote:
> We need to come up with a name for this object that doesn't bake the version
> into the name.  Perhaps we continue to call it "cajita", so old cajita code
can
> continue to work when it should?

There's not enough legacy code to matter, I think.  Anything written in Cajita
ought to migrate to ES5 strict mode.

http://codereview.appspot.com/1955042/diff/14001/15001#newcode4397
src/com/google/caja/es53.js:4397: // which is truthy iff it's a data property
On 2010/08/15 00:28:07, MarkM wrote:
> We should avoid baking the version name into the property name. It would be
> better to have some reusable property name such as "version:" or something,
and
> then put the specific version in the value.

Removed, since nothing's using it now that we have the keeper API again.

http://codereview.appspot.com/1955042/diff/14001/15002
File src/com/google/caja/parser/quasiliteral/ES53Rewriter.java (right):

http://codereview.appspot.com/1955042/diff/14001/15002#newcode1000
src/com/google/caja/parser/quasiliteral/ES53Rewriter.java:1000:
substitutes="IMPORTS___.w___('@v', void 0)")
On 2010/08/15 00:28:07, MarkM wrote:
> This is only a good translation when IMPORTS___[@v] doesn't already exist.
When
> it does, a non-initializing declaration should have no effect. In particular,
it
> should not wipe out its previous value.

Hmm, true.  And I'll need a different translation anyway because reading a
nonexistent variable doesn't currently throw a ReferenceError.

http://codereview.appspot.com/1955042/diff/14001/15002#newcode1654
src/com/google/caja/parser/quasiliteral/ES53Rewriter.java:1654:
substitutes="@fnameRef = ___.wrap(function @fname(dis___, @ps*) {\n"
On 2010/08/15 00:28:07, MarkM wrote:
> This seems wrong. It brings @fname into scope within the body of the expanded
> function with @fname bound to the expanded function. Only the wrapped function
> is a faithful emulation of the original, so @fname should be bound to it
> instead.

Yeah; what do you think of the new translation?

http://codereview.appspot.com/1955042/diff/14001/15002#newcode1699
src/com/google/caja/parser/quasiliteral/ES53Rewriter.java:1699:
substitutes="IMPORTS___.w___(@rf, ___.wrap(function @fname(dis___, @ps*) {\n"
On 2010/08/15 00:28:07, MarkM wrote:
> Are you treating this as global? From the rest of this rule, it does not seem
to
> be about global function declarations.

Yes, this only fires in the global scope due to the way the bindings are
constructed.

MarkM

http://codereview.appspot.com/1955042/diff/22001/23001 File src/com/google/caja/es53.js (right): http://codereview.appspot.com/1955042/diff/22001/23001#newcode3882 src/com/google/caja/es53.js:3882: set: markFunc(function (V) { exec = asFirstClass(V); }), Another ...

13 years, 8 months ago (2010-08-17 07:04:20 UTC) #7

MarkM

LGTM modulo comments (including verbal) http://codereview.appspot.com/1955042/diff/26001/27001 File src/com/google/caja/es53.js (right): http://codereview.appspot.com/1955042/diff/26001/27001#newcode2698 src/com/google/caja/es53.js:2698: Object.defineProperties(obj, opt_Properties); Just call ...

13 years, 8 months ago (2010-08-18 19:13:29 UTC) #8

MarkM

The remaining (verbal) issue is that virtualize should use configurable: false, and the configurability check ...

13 years, 8 months ago (2010-08-18 19:15:00 UTC) #9

metaweta

13 years, 8 months ago (2010-08-20 22:37:02 UTC) #10

> The remaining (verbal) issue is that virtualize should
> use configurable: false, and the configurability check
> in DefineOwnProperty should be restored.

Done.

http://codereview.appspot.com/1955042/diff/26001/27001
File src/com/google/caja/es53.js (right):

http://codereview.appspot.com/1955042/diff/26001/27001#newcode2698
src/com/google/caja/es53.js:2698: Object.defineProperties(obj, opt_Properties);
On 2010/08/18 19:13:29, MarkM wrote:
> Just call a local named function so we don't need to virtualize

Done.

http://codereview.appspot.com/1955042/diff/26001/27001#newcode3153
src/com/google/caja/es53.js:3153: function guardedVirtualize(obj, name,
opt_attrs) {
On 2010/08/18 19:13:29, MarkM wrote:
> opt_attrs?

Done.

http://codereview.appspot.com/1955042/diff/26001/27001#newcode4280
src/com/google/caja/es53.js:4280: if (guestHasOwnProperty(imports, name)) {
On 2010/08/18 19:13:29, MarkM wrote:
> strike "Own" perhaps. Please check ES5 spec.

I think the relevant clause is 10.2.1.2.1; done.

Expand All Messages | Collapse All Messages