[[HasProperty]] result of Proxy in prototype chain is ignored

https://bugs.webkit.org/show_bug.cgi?id=203560

Patch by Alexey Shvayka <shvaikalesh@gmail.com> on 2019-11-01
Reviewed by Ross Kirsling.

JSTests:

* stress/proxy-get-prototype-of.js: Correct Proxy "has" trap test.
* test262/expectations.yaml: Mark 6 test cases as passing.

Source/JavaScriptCore:

Before this change, when [[HasProperty]] was called on ordinary object with Proxy in prototype chain,
falsy result of Proxy's "has" trap was ignored and prototype chain was inspected further.

According to spec, OrdinaryHasProperty unconditionally returns result of parent's [[HasProperty]] call.
(step 5.a of https://tc39.es/ecma262/#sec-ordinaryhasproperty)

* runtime/JSObjectInlines.h:
(JSC::JSObject::getPropertySlot):
(JSC::JSObject::getNonIndexPropertySlot):

Canonical link: https://commits.webkit.org/217113@main
git-svn-id: https://svn.webkit.org/repository/webkit/trunk@251940 268f45cc-cd09-0410-ab3c-d52691b4dbfc

JSTests/ChangeLog

@@ -1,3 +1,13 @@
+2019-11-01  Alexey Shvayka  <shvaikalesh@gmail.com>
+
+        [[HasProperty]] result of Proxy in prototype chain is ignored
+        https://bugs.webkit.org/show_bug.cgi?id=203560
+
+        Reviewed by Ross Kirsling.
+
+        * stress/proxy-get-prototype-of.js: Correct Proxy "has" trap test.
+        * test262/expectations.yaml: Mark 6 test cases as passing.
+
 2019-11-01  Caio Lima  <ticaiolima@gmail.com>
 
         [JSC][MIPS] Skip tests failing in RELEASE_ASSERT_NOT_REACHED() at CallFrame.cpp:81

JSTests/stress/proxy-get-prototype-of.js

@@ -389,7 +389,6 @@ function assert(b) {
     let called = false;
     let handler = {
         getPrototypeOf: function(theTarget) {
-            assert(theTarget === target);
             called = true;
             return proto;
         },
@@ -400,9 +399,8 @@ function assert(b) {
 
     let proxy = new Proxy(target, handler);
     for (let i = 0; i < 500; i++) {
-        let result = "x" in proxy;
-        assert(called);
-        called = false;
+        let result = 1 in proxy;
+        assert(!called);
     }
 }
 

JSTests/test262/expectations.yaml

@@ -633,12 +633,6 @@ test/built-ins/Array/proto-from-ctor-realm-zero.js:
 test/built-ins/Array/prototype/filter/target-array-with-non-writable-property.js:
   default: 'TypeError: Attempted to assign to readonly property.'
   strict mode: 'TypeError: Attempted to assign to readonly property.'
-test/built-ins/Array/prototype/indexOf/calls-only-has-on-prototype-after-length-zeroed.js:
-  default: 'Test262Error: [[GetPrototypeOf]] trap called'
-  strict mode: 'Test262Error: [[GetPrototypeOf]] trap called'
-test/built-ins/Array/prototype/lastIndexOf/calls-only-has-on-prototype-after-length-zeroed.js:
-  default: 'Test262Error: [[GetPrototypeOf]] trap called'
-  strict mode: 'Test262Error: [[GetPrototypeOf]] trap called'
 test/built-ins/Array/prototype/map/target-array-with-non-writable-property.js:
   default: 'TypeError: Attempted to assign to readonly property.'
   strict mode: 'TypeError: Attempted to assign to readonly property.'
@@ -1153,9 +1147,6 @@ test/built-ins/Proxy/construct/return-not-object-throws-undefined-realm.js:
 test/built-ins/Proxy/construct/trap-is-not-callable-realm.js:
   default: 'Test262Error: Expected a TypeError but got a TypeError'
   strict mode: 'Test262Error: Expected a TypeError but got a TypeError'
-test/built-ins/Proxy/has/call-in-prototype.js:
-  default: 'Test262Error: [[GetPrototypeOf]] trap called'
-  strict mode: 'Test262Error: [[GetPrototypeOf]] trap called'
 test/built-ins/Proxy/revocable/revocation-function-name.js:
   default: 'Test262Error: obj should have an own property name'
   strict mode: 'Test262Error: obj should have an own property name'

Source/JavaScriptCore/ChangeLog

@@ -1,3 +1,20 @@
+2019-11-01  Alexey Shvayka  <shvaikalesh@gmail.com>
+
+        [[HasProperty]] result of Proxy in prototype chain is ignored
+        https://bugs.webkit.org/show_bug.cgi?id=203560
+
+        Reviewed by Ross Kirsling.
+
+        Before this change, when [[HasProperty]] was called on ordinary object with Proxy in prototype chain,
+        falsy result of Proxy's "has" trap was ignored and prototype chain was inspected further.
+
+        According to spec, OrdinaryHasProperty unconditionally returns result of parent's [[HasProperty]] call.
+        (step 5.a of https://tc39.es/ecma262/#sec-ordinaryhasproperty)
+
+        * runtime/JSObjectInlines.h:
+        (JSC::JSObject::getPropertySlot):
+        (JSC::JSObject::getNonIndexPropertySlot):
+
 2019-10-31  Yusuke Suzuki  <ysuzuki@apple.com>
 
         Unreviewed, speculative GTK build fix r251886

Source/JavaScriptCore/runtime/JSObjectInlines.h

@@ -126,6 +126,8 @@ ALWAYS_INLINE bool JSObject::getPropertySlot(JSGlobalObject* globalObject, unsig
         RETURN_IF_EXCEPTION(scope, false);
         if (hasSlot)
             return true;
+        if (object->type() == ProxyObjectType && slot.internalMethodType() == PropertySlot::InternalMethodType::HasProperty)
+            return false;
         JSValue prototype;
         if (LIKELY(structure->classInfo()->methodTable.getPrototype == defaultGetPrototype || slot.internalMethodType() == PropertySlot::InternalMethodType::VMInquiry))
             prototype = object->getPrototypeDirect(vm);
@@ -159,6 +161,8 @@ ALWAYS_INLINE bool JSObject::getNonIndexPropertySlot(JSGlobalObject* globalObjec
             RETURN_IF_EXCEPTION(scope, false);
             if (hasSlot)
                 return true;
+            if (object->type() == ProxyObjectType && slot.internalMethodType() == PropertySlot::InternalMethodType::HasProperty)
+                return false;
         }
         JSValue prototype;
         if (LIKELY(structure->classInfo()->methodTable.getPrototype == defaultGetPrototype || slot.internalMethodType() == PropertySlot::InternalMethodType::VMInquiry))