Scan with "plain" function calls and check for window leaks.

This exercises the cause of, and detects the symptom of,
<https://code.google.com/p/google-caja/issues/detail?id=1789>, and so
should catch future occurrences of similar bugs in unrelated objects.

* Define a new type of invocation, PLAIN_CALL, which means exactly f()
  as opposed to Function.prototype.apply.call(f, undefined, []), which
  does not trigger the bug. In order to do varargs calls without using
  apply, we create and evaluate code containing a call with the needed
  number of arguments.
* Perform at least one PLAIN_CALL on all functions whose toString is
  "[native code]".
* Consider encountering the taming or guest frame's feral "window"
  object to be a problem.
* Explicitly mark Function as expected to throw in ES5/3 (needed because
  the new plain-call support invokes it despite being G.none in
  functionArgs).

@r5574

[felix8a, 2013-08-22 19:54:46]

https://codereview.appspot.com/13178043/diff/1/tests/com/google/caja/plugin/t...
File tests/com/google/caja/plugin/test-scan-guest.js (right):

https://codereview.appspot.com/13178043/diff/1/tests/com/google/caja/plugin/t...
tests/com/google/caja/plugin/test-scan-guest.js:55: // ALso, Function.prototype
a native function in the sense we care about
typo "ALso", and missing an "is"

https://codereview.appspot.com/13178043/diff/1/tests/com/google/caja/plugin/t...
tests/com/google/caja/plugin/test-scan-guest.js:102: args = args ? ',' + name :
name;
this should be appending to args

[kpreid_google, 2013-08-22 20:23:24]

This exercises the cause of, and detects the symptom of,
<https://code.google.com/p/google-caja/issues/detail?id=1789>, and so
should catch future occurrences of similar bugs in unrelated objects.

* Define a new type of invocation, PLAIN_CALL, which means exactly f()
  as opposed to Function.prototype.apply.call(f, undefined, []), which
  does not trigger the bug. In order to do varargs calls without using
  apply, we create and evaluate code containing a call with the needed
  number of arguments.
* Perform at least one PLAIN_CALL on all functions whose toString is
  "[native code]".
* Consider encountering the taming or guest frame's feral "window"
  object to be a problem.
* Explicitly mark Function as expected to throw in ES5/3 (needed because
  the new plain-call support invokes it despite being G.none in
  functionArgs).

[kpreid_google, 2013-08-22 20:23:36]

New snapshot.

https://codereview.appspot.com/13178043/diff/1/tests/com/google/caja/plugin/t...
File tests/com/google/caja/plugin/test-scan-guest.js (right):

https://codereview.appspot.com/13178043/diff/1/tests/com/google/caja/plugin/t...
tests/com/google/caja/plugin/test-scan-guest.js:55: // ALso, Function.prototype
a native function in the sense we care about
On 2013/08/22 19:54:46, felix8a wrote:
> typo "ALso", and missing an "is"

Done.

https://codereview.appspot.com/13178043/diff/1/tests/com/google/caja/plugin/t...
tests/com/google/caja/plugin/test-scan-guest.js:102: args = args ? ',' + name :
name;
On 2013/08/22 19:54:46, felix8a wrote:
> this should be appending to args

Done.

[felix8a, 2013-08-22 20:29:42]

lgtm with the bugfix below

https://codereview.appspot.com/13178043/diff/4001/tests/com/google/caja/plugi...
File tests/com/google/caja/plugin/test-scan-guest.js (right):

https://codereview.appspot.com/13178043/diff/4001/tests/com/google/caja/plugi...
tests/com/google/caja/plugin/test-scan-guest.js:101: var args = null;
this now needs to be '' instead of null.

[kpreid_google, 2013-08-22 20:39:33]

This exercises the cause of, and detects the symptom of,
<https://code.google.com/p/google-caja/issues/detail?id=1789>, and so
should catch future occurrences of similar bugs in unrelated objects.

* Define a new type of invocation, PLAIN_CALL, which means exactly f()
  as opposed to Function.prototype.apply.call(f, undefined, []), which
  does not trigger the bug. In order to do varargs calls without using
  apply, we create and evaluate code containing a call with the needed
  number of arguments.
* Perform at least one PLAIN_CALL on all functions whose toString is
  "[native code]".
* Consider encountering the taming or guest frame's feral "window"
  object to be a problem.
* Explicitly mark Function as expected to throw in ES5/3 (needed because
  the new plain-call support invokes it despite being G.none in
  functionArgs).

[kpreid_google, 2013-08-22 20:41:04]

https://codereview.appspot.com/13178043/diff/4001/tests/com/google/caja/plugi...
File tests/com/google/caja/plugin/test-scan-guest.js (right):

https://codereview.appspot.com/13178043/diff/4001/tests/com/google/caja/plugi...
tests/com/google/caja/plugin/test-scan-guest.js:101: var args = null;
On 2013/08/22 20:29:42, felix8a wrote:
> this now needs to be '' instead of null.

Gaaaah, I fail. I've added a _test_ for trueApply, how's that?

[felix8a, 2013-08-22 20:54:52]

lgtm

[kpreid_google, 2013-08-22 21:24:04]

This exercises the cause of, and detects the symptom of,
<https://code.google.com/p/google-caja/issues/detail?id=1789>, and so
should catch future occurrences of similar bugs in unrelated objects.

* Define a new type of invocation, PLAIN_CALL, which means exactly f()
  as opposed to Function.prototype.apply.call(f, undefined, []), which
  does not trigger the bug. In order to do varargs calls without using
  apply, we create and evaluate code containing a call with the needed
  number of arguments.
* Perform at least one PLAIN_CALL on all functions whose toString is
  "[native code]".
* Consider encountering the taming or guest frame's feral "window"
  object to be a problem.
* Explicitly mark Function as expected to throw in ES5/3 (needed because
  the new plain-call support invokes it despite being G.none in
  functionArgs).

[kpreid_google, 2013-08-22 21:26:12]

https://codereview.appspot.com/13178043/diff/4001/tests/com/google/caja/plugi...
File tests/com/google/caja/plugin/test-scan-guest.js (right):

https://codereview.appspot.com/13178043/diff/4001/tests/com/google/caja/plugi...
tests/com/google/caja/plugin/test-scan-guest.js:101: var args = null;
On 2013/08/22 20:41:05, kpreid_google wrote:
> Gaaaah, I fail. I've added a _test_ for trueApply, how's that?

Annnnnd I forgot to run said test in es53 mode, and when I did I found that I
forgot to mark the eval'd function as safe with ___.f(…).  New snapshot, going
to submit with this.

[felix8a, 2013-08-22 21:41:46]

lgtm still