[APICHANGE] Make ES5/3 property virtualization conformant by hiding accessors.

The internal virtualize() of ES5/3 used to create an accessor property
which, besides being a visible deviation from ES5 semantics, also did
not protect against defineProperty or object literals creating
overriding properties. Instead, it now causes _any_ property with the
given property name to be represented as an accessor property with a
magic flag (name + '_av___') which causes it to reflect like a data
property.

A small change in existing internals is necessary: the (name + '_gw___')
flag now may be set for these properties, so as to store the writable
attribute of these virtual data properties; isWritable() has changed to
not fastpath such properties.

Impact:
* Fixes issue 1667, using defineProperty or literals to bypass
  virtualization.
* Fixes issue 1668, cajaVM.def not traversing into virtualized methods.
* Virtualized properties now conform to ES5 semantics; in particular:
  * Formerly, they would never appear to be 'own' when assigned; that
    is,
        var o = {}; o.toString = ...; o.hasOwnProperty('toString')
    used to be false, but is now true.
  * Virtualized properties other than toString and valueOf can be given
    non-function values.

Supporting changes:
* Added an end-to-end test that we are not exposing such unfrozen
  primordials as this bug was causing.
* Harness in ES53ConformanceTest assumed the property named 'test'
  was not virtualized; fixed to use v___ access.
* expectFailure now explains that it had an unexpected error rather
  than just throwing it, which helps debugging with less-helpful
  consoles.
* expectFailure now catches bad arguments that would cause it to
  trivially succeed-by-failing.
* Changes to es53-test-taming-tamed-guest.html test
  testTamingFramePrimordialsAreFrozen, which would have caught this
  bug:
  * Remove assumption there exists at least one accessor (now false).
  * Invoke getters and traverse into given values.
  * Fix incorrect invocation of expectFailure which always trivially
    failed.
* Fixed incorrect invocation of expectFailure in
  es53-test-taming-untamed-guest.html which did not even fail as
  expected; to get intended failures, made host-side eval be in strict
  mode.
* Added names for setTimeout and friends in the sampleObjects list
  in es53-test-domado-dom-guest.html.

@r5369

[kpreid2, 2013-03-14 00:15:46]

A note on the status of this change: I think there should be more tests
specifically to ensure that the bizarre implementation of virtualized properties
is not observable or at least not observably broken. I have not yet written any.

[MarkM, 2013-03-14 02:26:12]

What about test262?


On Wed, Mar 13, 2013 at 5:15 PM, <kpreid.switchb.org@gmail.com> wrote:

> A note on the status of this change: I think there should be more tests
> specifically to ensure that the bizarre implementation of virtualized
> properties is not observable or at least not observably broken. I have
> not yet written any.
>
>
>
https://codereview.appspot.**com/7807043/<https://codereview.appspot.com/7807...
>



-- 
Text by me above is hereby placed in the public domain

  Cheers,
  --MarkM

[kpreid2, 2013-03-14 03:12:07]

On 2013/03/14 02:26:12, MarkM wrote:
> What about test262?

A relevant point. Can you tell me what exactly is the relationship of our
third_party/js/es5conform/ to test262? Should we replace it with the latest
test262?

I should go through ES53ConformanceTest.java and see if I can *enable* some
tests that were previously disabled due to virtualization nonconformance.

However, I do not think that simply running those tests would be entirely
adequate for the purpose I envision: I'm looking for tests e.g. of all of
defineProperty's cases, under the condition that the property name is one of the
specific virtualized names, not an arbitrary name for testing.

[MarkM, 2013-03-14 03:25:44]

On Wed, Mar 13, 2013 at 8:12 PM, <kpreid.switchb.org@gmail.com> wrote:

> On 2013/03/14 02:26:12, MarkM wrote:
>
>> What about test262?
>>
>
> A relevant point. Can you tell me what exactly is the relationship of
> our third_party/js/es5conform/ to test262? Should we replace it with the
> latest test262?
>

Historical only. es5conform is way out of date and should be replaced with
test262 as soon as practical.

The history is that test262 started by merging two test suites: es5conform,
contributed by Microsoft, and Sputnik, contributed by Google. Since the
merge, test262 has been greatly improved, leaving its two ancestors in the
dust.



>
> I should go through ES53ConformanceTest.java and see if I can *enable*
> some tests that were previously disabled due to virtualization
> nonconformance.
>
> However, I do not think that simply running those tests would be
> entirely adequate for the purpose I envision: I'm looking for tests e.g.
> of all of defineProperty's cases, under the condition that the property
> name is one of the specific virtualized names, not an arbitrary name for
> testing.
>
>
https://codereview.appspot.**com/7807043/<https://codereview.appspot.com/7807...
>

As you find interesting things to test that test262 doesn't test for, you
should consider contributing those tests back to test262. We should also do
this for all tests in repairES5.js that are not already linked to a test262
test.

-- 
Text by me above is hereby placed in the public domain

  Cheers,
  --MarkM

[kpreid2, 2013-03-19 17:00:39]

ping ihab

[kpreid2, 2013-03-19 21:46:35]

The internal virtualize() of ES5/3 used to create an accessor property
which, besides being a visible deviation from ES5 semantics, also did
not protect against defineProperty or object literals creating
overriding properties. Instead, it now causes _any_ property with the
given property name to be represented as an accessor property with a
magic flag (name + '_av___') which causes it to reflect like a data
property.

A small change in existing internals is necessary: the (name + '_gw___')
flag now may be set for these properties, so as to store the writable
attribute of these virtual data properties; isWritable() has changed to
not fastpath such properties.

Impact:
* Fixes issue 1667, using defineProperty or literals to bypass
  virtualization.
* Fixes issue 1668, cajaVM.def not traversing into virtualized methods.
* Virtualized properties now conform to ES5 semantics; in particular:
  * Formerly, they would never appear to be 'own' when assigned; that
    is,
        var o = {}; o.toString = ...; o.hasOwnProperty('toString')
    used to be false, but is now true.
  * Virtualized properties other than toString and valueOf can be given
    non-function values.

Supporting changes:
* Added an end-to-end test that we are not exposing such unfrozen
  primordials as this bug was causing; to support this test despite
  the 'Firefox 15 cross-frame freeze bug', added a mechanism for the
  test suite to be aware of non-repaired problems in SES mode.
* Harness in ES53ConformanceTest assumed the property named 'test'
  was not virtualized; fixed to use v___ access.
* expectFailure now explains that it had an unexpected error rather
  than just throwing it, which helps debugging with less-helpful
  consoles.
* expectFailure now catches bad arguments that would cause it to
  trivially succeed-by-failing.
* Changes to es53-test-taming-tamed-guest.html test
  testTamingFramePrimordialsAreFrozen, which would have caught this
  bug:
  * Remove assumption there exists at least one accessor (now false).
  * Invoke getters and traverse into given values.
  * Fix incorrect invocation of expectFailure which always trivially
    failed.
* Added names for setTimeout and friends in the sampleObjects list
  in es53-test-domado-dom-guest.html.

[kpreid2, 2013-03-19 21:50:03]

New snapshot with additions to ES53RewriterTest checking virtualized property
behavior specifically.

Also note that https://codereview.appspot.com/7905045/ contains a cleaner, but
more radical, solution to exposing SES problem information; if that is approved
and committed, I will throw out the duplicate logger from this change.

[Mark S. Miller, 2013-03-20 08:32:36]

On Tue, Mar 19, 2013 at 2:50 PM, <kpreid.switchb.org@gmail.com> wrote:

> New snapshot with additions to ES53RewriterTest checking virtualized
> property behavior specifically.
>
> Also note that
https://codereview.appspot.**com/7905045/<https://codereview.appspot.com/7905...
a
> cleaner, but more radical, solution to exposing SES problem information;
> if that is approved and committed, I will throw out the duplicate logger
> from this change.


+1


>
>
>
https://codereview.appspot.**com/7807043/<https://codereview.appspot.com/7807...
>
> --
> --
> ---You received this message because you are subscribed to the Google
> Groups "caja-discuss-undisclosed" group.
> To unsubscribe from this group and stop receiving emails from it, send an
> email to
caja-discuss-undisclosed+**unsubscribe@googlegroups.com<caja-discuss-undisclo...
> .
> For more options, visit
https://groups.google.com/**groups/opt_out<https://groups.google.com/groups/o...
> .
>
>
>


-- 
    Cheers,
    --MarkM

[kpreid2, 2013-03-20 19:42:21]

The internal virtualize() of ES5/3 used to create an accessor property
which, besides being a visible deviation from ES5 semantics, also did
not protect against defineProperty or object literals creating
overriding properties. Instead, it now causes _any_ property with the
given property name to be represented as an accessor property with a
magic flag (name + '_av___') which causes it to reflect like a data
property.

A small change in existing internals is necessary: the (name + '_gw___')
flag now may be set for these properties, so as to store the writable
attribute of these virtual data properties; isWritable() has changed to
not fastpath such properties.

Impact:
* Fixes issue 1667, using defineProperty or literals to bypass
  virtualization.
* Fixes issue 1668, cajaVM.def not traversing into virtualized methods.
* Virtualized properties now conform to ES5 semantics; in particular:
  * Formerly, they would never appear to be 'own' when assigned; that
    is,
        var o = {}; o.toString = ...; o.hasOwnProperty('toString')
    used to be false, but is now true.
  * Virtualized properties other than toString and valueOf can be given
    non-function values.

Supporting changes:
* Added an end-to-end test that we are not exposing such unfrozen
  primordials as this bug was causing.
* Harness in ES53ConformanceTest assumed the property named 'test'
  was not virtualized; fixed to use v___ access.
* expectFailure now explains that it had an unexpected error rather
  than just throwing it, which helps debugging with less-helpful
  consoles.
* expectFailure now catches bad arguments that would cause it to
  trivially succeed-by-failing.
* Changes to es53-test-taming-tamed-guest.html test
  testTamingFramePrimordialsAreFrozen, which would have caught this
  bug:
  * Remove assumption there exists at least one accessor (now false).
  * Invoke getters and traverse into given values.
  * Fix incorrect invocation of expectFailure which always trivially
    failed.
* Added names for setTimeout and friends in the sampleObjects list
  in es53-test-domado-dom-guest.html.
* cajaVM.es5ProblemReports as added in r5327 was not actually
  whitelisted; fixed. Added a comment to help avoid this mistake.
* Deleted cajaVM.inES5Mode (from r5094); it was not whitelisted and so
  could never have worked, and ES5/3 does not define it as false either.

[kpreid2, 2013-03-20 19:44:03]

New snapshot with logger changes deleted as previously noted. Additional
changes:

* cajaVM.es5ProblemReports as added in r5327 was not actually
  whitelisted; fixed. Added a comment to help avoid this mistake.
* Deleted cajaVM.inES5Mode (from r5094); it was not whitelisted and so
  could never have worked, and ES5/3 does not define it as false either.

[MarkM, 2013-03-24 23:37:39]

ses/* LGTM. I leave the rest to others.

[ihab.awad, 2013-03-27 17:06:37]

lgtm++

https://codereview.appspot.com/7807043/diff/28001/src/com/google/caja/es53.js
File src/com/google/caja/es53.js (right):

https://codereview.appspot.com/7807043/diff/28001/src/com/google/caja/es53.js...
src/com/google/caja/es53.js:831: // convert grant writable to fastpath writable,
only if not an accessor
You mean, only if not virtualized? You're not checking _g___ or _s___.

https://codereview.appspot.com/7807043/diff/28001/src/com/google/caja/es53.js...
src/com/google/caja/es53.js:2587: if (!Desc.doNotApplySetterHook___) {
Consider renaming to 'applySetterHook___' to avoid double-negative snafus. Also
maybe consider adding a comment that you are relying on an un-set
doNotApplySetterHook___ to be falsey and fall through this case.

https://codereview.appspot.com/7807043/diff/28001/src/com/google/caja/es53.js...
src/com/google/caja/es53.js:2607: // Generate a new virtualized property on the
assignment target.
The new property is not virtualized, is it?

https://codereview.appspot.com/7807043/diff/28001/tests/com/google/caja/parse...
File tests/com/google/caja/parser/quasiliteral/ES53ConformanceTest.java (right):

https://codereview.appspot.com/7807043/diff/28001/tests/com/google/caja/parse...
tests/com/google/caja/parser/quasiliteral/ES53ConformanceTest.java:875:
.append("  if (!test.v___('test').f___(null,[])) {")
Huh -- whu -- what?

https://codereview.appspot.com/7807043/diff/28001/tests/com/google/caja/parse...
File tests/com/google/caja/parser/quasiliteral/ES53RewriterTest.java (right):

https://codereview.appspot.com/7807043/diff/28001/tests/com/google/caja/parse...
tests/com/google/caja/parser/quasiliteral/ES53RewriterTest.java:1937: "var o2 =
{get toString() { return f; }};" +
Do you intend to use shortcut property descriptor syntax here?

https://codereview.appspot.com/7807043/diff/28001/tests/com/google/caja/plugi...
File tests/com/google/caja/plugin/es53-test-taming-tamed-guest.html (right):

https://codereview.appspot.com/7807043/diff/28001/tests/com/google/caja/plugi...
tests/com/google/caja/plugin/es53-test-taming-tamed-guest.html:202: if
(inES5Mode) {  // ES5/3 does not visibly use any accessors
What do you mean by that?

[kpreid2, 2013-03-27 17:28:51]

The internal virtualize() of ES5/3 used to create an accessor property
which, besides being a visible deviation from ES5 semantics, also did
not protect against defineProperty or object literals creating
overriding properties. Instead, it now causes _any_ property with the
given property name to be represented as an accessor property with a
magic flag (name + '_av___') which causes it to reflect like a data
property.

A small change in existing internals is necessary: the (name + '_gw___')
flag now may be set for these properties, so as to store the writable
attribute of these virtual data properties; isWritable() has changed to
not fastpath such properties.

Impact:
* Fixes issue 1667, using defineProperty or literals to bypass
  virtualization.
* Fixes issue 1668, cajaVM.def not traversing into virtualized methods.
* Virtualized properties now conform to ES5 semantics; in particular:
  * Formerly, they would never appear to be 'own' when assigned; that
    is,
        var o = {}; o.toString = ...; o.hasOwnProperty('toString')
    used to be false, but is now true.
  * Virtualized properties other than toString and valueOf can be given
    non-function values.

Supporting changes:
* Added an end-to-end test that we are not exposing such unfrozen
  primordials as this bug was causing.
* Harness in ES53ConformanceTest assumed the property named 'test'
  was not virtualized; fixed to use v___ access.
* expectFailure now explains that it had an unexpected error rather
  than just throwing it, which helps debugging with less-helpful
  consoles.
* expectFailure now catches bad arguments that would cause it to
  trivially succeed-by-failing.
* Changes to es53-test-taming-tamed-guest.html test
  testTamingFramePrimordialsAreFrozen, which would have caught this
  bug:
  * Remove assumption there exists at least one accessor (now false).
  * Invoke getters and traverse into given values.
  * Fix incorrect invocation of expectFailure which always trivially
    failed.
* Added names for setTimeout and friends in the sampleObjects list
  in es53-test-domado-dom-guest.html.
* cajaVM.es5ProblemReports as added in r5327 was not actually
  whitelisted; fixed. Added a comment to help avoid this mistake.
* Deleted cajaVM.inES5Mode (from r5094); it was not whitelisted and so
  could never have worked, and ES5/3 does not define it as false either.

[kpreid2, 2013-03-27 17:29:30]

New snapshot.

https://codereview.appspot.com/7807043/diff/28001/src/com/google/caja/es53.js
File src/com/google/caja/es53.js (right):

https://codereview.appspot.com/7807043/diff/28001/src/com/google/caja/es53.js...
src/com/google/caja/es53.js:831: // convert grant writable to fastpath writable,
only if not an accessor
On 2013/03/27 17:06:37, ihab.awad wrote:
> You mean, only if not virtualized? You're not checking _g___ or _s___.

Non-virtualized accessors don't have writable flags at all. Rewrote the comment
to explain in more detail.

https://codereview.appspot.com/7807043/diff/28001/src/com/google/caja/es53.js...
src/com/google/caja/es53.js:2587: if (!Desc.doNotApplySetterHook___) {
On 2013/03/27 17:06:37, ihab.awad wrote:
> Consider renaming to 'applySetterHook___' to avoid double-negative snafus.

That would do the wrong thing in the default case and I don't want to add the
extra cost of always defining this flag to the normal path.

> Also
> maybe consider adding a comment that you are relying on an un-set
> doNotApplySetterHook___ to be falsey and fall through this case.

Done.

https://codereview.appspot.com/7807043/diff/28001/src/com/google/caja/es53.js...
src/com/google/caja/es53.js:2607: // Generate a new virtualized property on the
assignment target.
On 2013/03/27 17:06:37, ihab.awad wrote:
> The new property is not virtualized, is it?

For any P which this setter exists for, lookupVirtualizedProperty(P) is truthy,
so any attempt to DefineOwnProperty___ a data property creates a virtualized
property instead.

https://codereview.appspot.com/7807043/diff/28001/src/com/google/caja/es53.js...
src/com/google/caja/es53.js:2609: // "fixing the override mistake" by not
failing if the property
Unrequested change: I clarified that this is talking about the nonwritability of
the property _on O_, not on this.

https://codereview.appspot.com/7807043/diff/28001/tests/com/google/caja/parse...
File tests/com/google/caja/parser/quasiliteral/ES53ConformanceTest.java (right):

https://codereview.appspot.com/7807043/diff/28001/tests/com/google/caja/parse...
tests/com/google/caja/parser/quasiliteral/ES53ConformanceTest.java:875:
.append("  if (!test.v___('test').f___(null,[])) {")
On 2013/03/27 17:06:37, ihab.awad wrote:
> Huh -- whu -- what?

The existing code was taking a now-invalid shortcut (which it could only do
because it is not cajoled).

'test' is a virtualized property name because RegExp.prototype.test exists.
Therefore, no ES5/3 object has it as a true data property, so it must be
accessed via v___ (which invokes the hidden getter).

https://codereview.appspot.com/7807043/diff/28001/tests/com/google/caja/parse...
File tests/com/google/caja/parser/quasiliteral/ES53RewriterTest.java (right):

https://codereview.appspot.com/7807043/diff/28001/tests/com/google/caja/parse...
tests/com/google/caja/parser/quasiliteral/ES53RewriterTest.java:1937: "var o2 =
{get toString() { return f; }};" +
On 2013/03/27 17:06:37, ihab.awad wrote:
> Do you intend to use shortcut property descriptor syntax here?

Yes; there's no reason not to since this code is only ever seen by the cajoler.
This is a test that defining an accessor property with a virtualized name
*doesn't* create a virtualized property.

https://codereview.appspot.com/7807043/diff/28001/tests/com/google/caja/plugi...
File tests/com/google/caja/plugin/es53-test-taming-tamed-guest.html (right):

https://codereview.appspot.com/7807043/diff/28001/tests/com/google/caja/plugi...
tests/com/google/caja/plugin/es53-test-taming-tamed-guest.html:202: if
(inES5Mode) {  // ES5/3 does not visibly use any accessors
On 2013/03/27 17:06:37, ihab.awad wrote:
> What do you mean by that?

ES5 standard primordials do not contain any accessor properties, and ES5/3 now
provides such an environment, so it should not be considered an error to not
find any accessors.

(SES cannot avoid having accessors because it needs them to 'fix the override
mistake'.)

[felix8a, 2013-03-27 21:22:06]

this patch causes a test failure:

es5=true&test-driver=es53-test-taming-untamed.js
FAIL: testRecordNumerics: TypeError: Non-function given as shouldFail to
expectFailure: 99

[kpreid2, 2013-03-27 22:11:27]

The internal virtualize() of ES5/3 used to create an accessor property
which, besides being a visible deviation from ES5 semantics, also did
not protect against defineProperty or object literals creating
overriding properties. Instead, it now causes _any_ property with the
given property name to be represented as an accessor property with a
magic flag (name + '_av___') which causes it to reflect like a data
property.

A small change in existing internals is necessary: the (name + '_gw___')
flag now may be set for these properties, so as to store the writable
attribute of these virtual data properties; isWritable() has changed to
not fastpath such properties.

Impact:
* Fixes issue 1667, using defineProperty or literals to bypass
  virtualization.
* Fixes issue 1668, cajaVM.def not traversing into virtualized methods.
* Virtualized properties now conform to ES5 semantics; in particular:
  * Formerly, they would never appear to be 'own' when assigned; that
    is,
        var o = {}; o.toString = ...; o.hasOwnProperty('toString')
    used to be false, but is now true.
  * Virtualized properties other than toString and valueOf can be given
    non-function values.

Supporting changes:
* Added an end-to-end test that we are not exposing such unfrozen
  primordials as this bug was causing.
* Harness in ES53ConformanceTest assumed the property named 'test'
  was not virtualized; fixed to use v___ access.
* expectFailure now explains that it had an unexpected error rather
  than just throwing it, which helps debugging with less-helpful
  consoles.
* expectFailure now catches bad arguments that would cause it to
  trivially succeed-by-failing.
* Changes to es53-test-taming-tamed-guest.html test
  testTamingFramePrimordialsAreFrozen, which would have caught this
  bug:
  * Remove assumption there exists at least one accessor (now false).
  * Invoke getters and traverse into given values.
  * Fix incorrect invocation of expectFailure which always trivially
    failed.
* Added names for setTimeout and friends in the sampleObjects list
  in es53-test-domado-dom-guest.html.
* cajaVM.es5ProblemReports as added in r5327 was not actually
  whitelisted; fixed. Added a comment to help avoid this mistake.
* Deleted cajaVM.inES5Mode (from r5094); it was not whitelisted and so
  could never have worked, and ES5/3 does not define it as false either.

[kpreid2, 2013-03-27 22:14:46]

Patch Set 5 fixes expectFailure problems in es53-test-taming-untamed-guest.html

[kpreid2, 2013-03-28 23:33:24]

The internal virtualize() of ES5/3 used to create an accessor property
which, besides being a visible deviation from ES5 semantics, also did
not protect against defineProperty or object literals creating
overriding properties. Instead, it now causes _any_ property with the
given property name to be represented as an accessor property with a
magic flag (name + '_av___') which causes it to reflect like a data
property.

A small change in existing internals is necessary: the (name + '_gw___')
flag now may be set for these properties, so as to store the writable
attribute of these virtual data properties; isWritable() has changed to
not fastpath such properties.

Impact:
* Fixes issue 1667, using defineProperty or literals to bypass
  virtualization.
* Fixes issue 1668, cajaVM.def not traversing into virtualized methods.
* Virtualized properties now conform to ES5 semantics; in particular:
  * Formerly, they would never appear to be 'own' when assigned; that
    is,
        var o = {}; o.toString = ...; o.hasOwnProperty('toString')
    used to be false, but is now true.
  * Virtualized properties other than toString and valueOf can be given
    non-function values.

Supporting changes:
* Added an end-to-end test that we are not exposing such unfrozen
  primordials as this bug was causing.
* Harness in ES53ConformanceTest assumed the property named 'test'
  was not virtualized; fixed to use v___ access.
* expectFailure now explains that it had an unexpected error rather
  than just throwing it, which helps debugging with less-helpful
  consoles.
* expectFailure now catches bad arguments that would cause it to
  trivially succeed-by-failing.
* Changes to es53-test-taming-tamed-guest.html test
  testTamingFramePrimordialsAreFrozen, which would have caught this
  bug:
  * Remove assumption there exists at least one accessor (now false).
  * Invoke getters and traverse into given values.
  * Fix incorrect invocation of expectFailure which always trivially
    failed.
* Fixed incorrect invocation of expectFailure in
  es53-test-taming-untamed-guest.html which did not even fail as
  expected; to get intended failures, made host-side eval be in strict
  mode.
* Added names for setTimeout and friends in the sampleObjects list
  in es53-test-domado-dom-guest.html.

[kpreid2, 2013-03-28 23:34:33]

New snapshot; now contains no SES changes as they were committed in r5331,
r5332. Tested against r5332.

[kpreid2, 2013-04-09 19:32:17]

The internal virtualize() of ES5/3 used to create an accessor property
which, besides being a visible deviation from ES5 semantics, also did
not protect against defineProperty or object literals creating
overriding properties. Instead, it now causes _any_ property with the
given property name to be represented as an accessor property with a
magic flag (name + '_av___') which causes it to reflect like a data
property.

A small change in existing internals is necessary: the (name + '_gw___')
flag now may be set for these properties, so as to store the writable
attribute of these virtual data properties; isWritable() has changed to
not fastpath such properties.

Impact:
* Fixes issue 1667, using defineProperty or literals to bypass
  virtualization.
* Fixes issue 1668, cajaVM.def not traversing into virtualized methods.
* Virtualized properties now conform to ES5 semantics; in particular:
  * Formerly, they would never appear to be 'own' when assigned; that
    is,
        var o = {}; o.toString = ...; o.hasOwnProperty('toString')
    used to be false, but is now true.
  * Virtualized properties other than toString and valueOf can be given
    non-function values.

Supporting changes:
* Added an end-to-end test that we are not exposing such unfrozen
  primordials as this bug was causing.
* Harness in ES53ConformanceTest assumed the property named 'test'
  was not virtualized; fixed to use v___ access.
* expectFailure now explains that it had an unexpected error rather
  than just throwing it, which helps debugging with less-helpful
  consoles.
* expectFailure now catches bad arguments that would cause it to
  trivially succeed-by-failing.
* Changes to es53-test-taming-tamed-guest.html test
  testTamingFramePrimordialsAreFrozen, which would have caught this
  bug:
  * Remove assumption there exists at least one accessor (now false).
  * Invoke getters and traverse into given values.
  * Fix incorrect invocation of expectFailure which always trivially
    failed.
* Fixed incorrect invocation of expectFailure in
  es53-test-taming-untamed-guest.html which did not even fail as
  expected; to get intended failures, made host-side eval be in strict
  mode.
* Added names for setTimeout and friends in the sampleObjects list
  in es53-test-domado-dom-guest.html.

[kpreid2, 2013-04-09 19:39:15]

New snapshot Patch Set 7 additionally makes use of the accessor-virtualization
flag to hide the accessor for functions' .name property, which is more correct
and will be useful later. "name" is not made a virtualized property name, but it
doesn't need to be.

Ihab, please re-review if appropriate. This could be a separate patch but I felt
it would be less hassle to fold it into the same patch that introduces accessor
virtualization.

[ihab.awad, 2013-04-10 15:46:25]

lgtm

[felix8a, 2013-04-10 23:14:05]

btw, this needs a trivial change when combined with the
markFuncFreeze->markConstFunc patch

[kpreid2, 2013-04-17 00:16:59]

The internal virtualize() of ES5/3 used to create an accessor property
which, besides being a visible deviation from ES5 semantics, also did
not protect against defineProperty or object literals creating
overriding properties. Instead, it now causes _any_ property with the
given property name to be represented as an accessor property with a
magic flag (name + '_av___') which causes it to reflect like a data
property.

A small change in existing internals is necessary: the (name + '_gw___')
flag now may be set for these properties, so as to store the writable
attribute of these virtual data properties; isWritable() has changed to
not fastpath such properties.

Impact:
* Fixes issue 1667, using defineProperty or literals to bypass
  virtualization.
* Fixes issue 1668, cajaVM.def not traversing into virtualized methods.
* Virtualized properties now conform to ES5 semantics; in particular:
  * Formerly, they would never appear to be 'own' when assigned; that
    is,
        var o = {}; o.toString = ...; o.hasOwnProperty('toString')
    used to be false, but is now true.
  * Virtualized properties other than toString and valueOf can be given
    non-function values.

Supporting changes:
* Added an end-to-end test that we are not exposing such unfrozen
  primordials as this bug was causing.
* Harness in ES53ConformanceTest assumed the property named 'test'
  was not virtualized; fixed to use v___ access.
* expectFailure now explains that it had an unexpected error rather
  than just throwing it, which helps debugging with less-helpful
  consoles.
* expectFailure now catches bad arguments that would cause it to
  trivially succeed-by-failing.
* Changes to es53-test-taming-tamed-guest.html test
  testTamingFramePrimordialsAreFrozen, which would have caught this
  bug:
  * Remove assumption there exists at least one accessor (now false).
  * Invoke getters and traverse into given values.
  * Fix incorrect invocation of expectFailure which always trivially
    failed.
* Fixed incorrect invocation of expectFailure in
  es53-test-taming-untamed-guest.html which did not even fail as
  expected; to get intended failures, made host-side eval be in strict
  mode.
* Added names for setTimeout and friends in the sampleObjects list
  in es53-test-domado-dom-guest.html.