[MERGE chakra-core#886] Fix 7019631: Check whether a Proxy object is anywhere in the prototype chain before choosing to do the optimized ToPropertyDescriptor for non-Proxy objects.

dilijev · dilijev · commit 655dc14a70fd · 2016-04-29T16:58:00.000-07:00
Merge pull request chakra-core#886 from dilijev:protoproxy See: https://tc39.github.io/ecma262/2016/#sec-topropertydescriptor
diff --git a/lib/Runtime/Language/JavascriptOperators.cpp b/lib/Runtime/Language/JavascriptOperators.cpp
@@ -8670,6 +8670,7 @@ namespace Js
 
         return true;
     }
+
     BOOL JavascriptOperators::ToPropertyDescriptorForProxyObjects(Var propertySpec, PropertyDescriptor* descriptor, ScriptContext* scriptContext)
     {
         if (!JavascriptOperators::IsObject(propertySpec))
@@ -8822,7 +8823,8 @@ namespace Js
 
     BOOL JavascriptOperators::ToPropertyDescriptor(Var propertySpec, PropertyDescriptor* descriptor, ScriptContext* scriptContext)
     {
-        if (JavascriptProxy::Is(propertySpec))
+        if (JavascriptProxy::Is(propertySpec) ||
+            JavascriptOperators::CheckIfPrototypeChainContainsProxyObject(RecyclableObject::FromVar(propertySpec)->GetPrototype()))
         {
             if (ToPropertyDescriptorForProxyObjects(propertySpec, descriptor, scriptContext) == FALSE)
             {
@@ -9960,16 +9962,13 @@ namespace Js
         return !Equal(aLeft, aRight, scriptContext);
     }
 
-
     // NotStrictEqual() returns whether the two vars have strict equality, as
     // described in (ES3.0: S11.9.5, S11.9.6).
-
     BOOL JavascriptOperators::NotStrictEqual(Var aLeft, Var aRight, ScriptContext* scriptContext)
     {
         return !StrictEqual(aLeft, aRight, scriptContext);
     }
 
-
     bool JavascriptOperators::CheckIfObjectAndPrototypeChainHasOnlyWritableDataProperties(RecyclableObject* object)
     {
         Assert(object);
@@ -10040,6 +10039,25 @@ namespace Js
         return true;
     }
 
+    // Checks to see if the specified object (which should be a prototype object)
+    // contains a proxy anywhere in the prototype chain.
+    bool JavascriptOperators::CheckIfPrototypeChainContainsProxyObject(RecyclableObject* prototype)
+    {
+        Assert(JavascriptOperators::IsObjectOrNull(prototype));
+
+        while (prototype->GetTypeId() != TypeIds_Null)
+        {
+            if (prototype->GetTypeId() == TypeIds_Proxy)
+            {
+                return true;
+            }
+
+            prototype = prototype->GetPrototype();
+        }
+
+        return false;
+    }
+
     BOOL JavascriptOperators::Equal(Var aLeft, Var aRight, ScriptContext* scriptContext)
     {
         if (aLeft == aRight)
diff --git a/lib/Runtime/Language/JavascriptOperators.h b/lib/Runtime/Language/JavascriptOperators.h
@@ -538,6 +538,7 @@ namespace Js
         static bool CheckIfObjectAndPrototypeChainHasOnlyWritableDataProperties(RecyclableObject* object);
         static bool CheckIfPrototypeChainHasOnlyWritableDataProperties(RecyclableObject* prototype);
         static bool DoCheckIfPrototypeChainHasOnlyWritableDataProperties(RecyclableObject* prototype);
+        static bool CheckIfPrototypeChainContainsProxyObject(RecyclableObject* prototype);
         static void OP_SetComputedNameVar(Var method, Var computedNameVar);
         static void OP_SetHomeObj(Var method, Var homeObj);
         static Var OP_LdSuper(Var scriptFunction, ScriptContext * scriptContext);
diff --git a/test/es6/proxyprotobug.baseline b/test/es6/proxyprotobug.baseline
@@ -0,0 +1,21 @@
+has enumerable
+get enumerable
+has configurable
+get configurable
+has value
+get value
+has writable
+get writable
+has get
+has set
+======================
+has enumerable
+get enumerable
+has configurable
+get configurable
+has value
+get value
+has writable
+get writable
+has get
+has set
diff --git a/test/es6/proxyprotobug.js b/test/es6/proxyprotobug.js
@@ -0,0 +1,29 @@
+//-------------------------------------------------------------------------------------------------------
+// Copyright (C) Microsoft. All rights reserved.
+// Licensed under the MIT license. See LICENSE.txt file in the project root for full license information.
+//-------------------------------------------------------------------------------------------------------
+
+var proxyHandler = {
+    has(p, n) {
+        WScript.Echo("has " + n);
+        return !(n === "get" || n === "set");
+    },
+    get(p, n) {
+        WScript.Echo("get " + n);
+        if (n == "get" || n == "set") {
+            return () => 1;
+        } else {
+            return 1;
+        }
+    }
+};
+
+var p = new Proxy({}, proxyHandler);
+var o = {};
+Object.defineProperty(o, "x", p);
+
+WScript.Echo("======================");
+
+var pp = {};
+pp.__proto__ = p;
+Object.defineProperty(o, "y", pp);
diff --git a/test/es6/rlexe.xml b/test/es6/rlexe.xml
@@ -682,6 +682,12 @@
       <files>proxybug3.js</files>
     </default>
   </test>
+  <test>
+    <default>
+      <files>proxyprotobug.js</files>
+      <baseline>proxyprotobug.baseline</baseline>
+    </default>
+  </test>
   <test>
     <default>
       <files>proxyenumbug.js</files>

Original file line number	Diff line number	Diff line change
`@@ -8670,6 +8670,7 @@ namespace Js`
`8670`	`8670`
`8671`	`8671`	`return true;`
`8672`	`8672`	`}`
	`8673`	`+`
`8673`	`8674`	`BOOL JavascriptOperators::ToPropertyDescriptorForProxyObjects(Var propertySpec, PropertyDescriptor* descriptor, ScriptContext* scriptContext)`
`8674`	`8675`	`{`
`8675`	`8676`	`if (!JavascriptOperators::IsObject(propertySpec))`
`@@ -8822,7 +8823,8 @@ namespace Js`
`8822`	`8823`
`8823`	`8824`	`BOOL JavascriptOperators::ToPropertyDescriptor(Var propertySpec, PropertyDescriptor* descriptor, ScriptContext* scriptContext)`
`8824`	`8825`	`{`
`8825`		`- if (JavascriptProxy::Is(propertySpec))`
	`8826`	`+ if (JavascriptProxy::Is(propertySpec) \|\|`
	`8827`	`+ JavascriptOperators::CheckIfPrototypeChainContainsProxyObject(RecyclableObject::FromVar(propertySpec)->GetPrototype()))`
`8826`	`8828`	`{`
`8827`	`8829`	`if (ToPropertyDescriptorForProxyObjects(propertySpec, descriptor, scriptContext) == FALSE)`
`8828`	`8830`	`{`
`@@ -9960,16 +9962,13 @@ namespace Js`
`9960`	`9962`	`return !Equal(aLeft, aRight, scriptContext);`
`9961`	`9963`	`}`
`9962`	`9964`
`9963`		`-`
`9964`	`9965`	`// NotStrictEqual() returns whether the two vars have strict equality, as`
`9965`	`9966`	`// described in (ES3.0: S11.9.5, S11.9.6).`
`9966`		`-`
`9967`	`9967`	`BOOL JavascriptOperators::NotStrictEqual(Var aLeft, Var aRight, ScriptContext* scriptContext)`
`9968`	`9968`	`{`
`9969`	`9969`	`return !StrictEqual(aLeft, aRight, scriptContext);`
`9970`	`9970`	`}`
`9971`	`9971`
`9972`		`-`
`9973`	`9972`	`bool JavascriptOperators::CheckIfObjectAndPrototypeChainHasOnlyWritableDataProperties(RecyclableObject* object)`
`9974`	`9973`	`{`
`9975`	`9974`	`Assert(object);`
`@@ -10040,6 +10039,25 @@ namespace Js`
`10040`	`10039`	`return true;`
`10041`	`10040`	`}`
`10042`	`10041`
	`10042`	`+ // Checks to see if the specified object (which should be a prototype object)`
	`10043`	`+ // contains a proxy anywhere in the prototype chain.`
	`10044`	`+ bool JavascriptOperators::CheckIfPrototypeChainContainsProxyObject(RecyclableObject* prototype)`
	`10045`	`+ {`
	`10046`	`+ Assert(JavascriptOperators::IsObjectOrNull(prototype));`
	`10047`	`+`
	`10048`	`+ while (prototype->GetTypeId() != TypeIds_Null)`
	`10049`	`+ {`
	`10050`	`+ if (prototype->GetTypeId() == TypeIds_Proxy)`
	`10051`	`+ {`
	`10052`	`+ return true;`
	`10053`	`+ }`
	`10054`	`+`
	`10055`	`+ prototype = prototype->GetPrototype();`
	`10056`	`+ }`
	`10057`	`+`
	`10058`	`+ return false;`
	`10059`	`+ }`
	`10060`	`+`
`10043`	`10061`	`BOOL JavascriptOperators::Equal(Var aLeft, Var aRight, ScriptContext* scriptContext)`
`10044`	`10062`	`{`
`10045`	`10063`	`if (aLeft == aRight)`