Don't copy object directly if internal properties are set

Kevin Smith · Kevin Smith · commit 86333c252231 · 2019-06-28T14:51:46.000-07:00
diff --git a/lib/Runtime/Library/JavascriptArray.cpp b/lib/Runtime/Library/JavascriptArray.cpp
@@ -12279,15 +12279,23 @@ using namespace Js;
         JS_REENTRANCY_LOCK(jsReentLock, scriptContext->GetThreadContext());
         SETOBJECT_FOR_MUTATION(jsReentLock, originalArray);
 
-        if (JavascriptArray::IsNonES5Array(originalArray)
-            && !UnsafeVarTo<DynamicObject>(originalArray)->GetDynamicType()->GetTypeHandler()->GetIsNotPathTypeHandlerOrHasUserDefinedCtor()
-            && UnsafeVarTo<DynamicObject>(originalArray)->GetPrototype() == scriptContext->GetLibrary()->GetArrayPrototype()
-            && !scriptContext->GetLibrary()->GetArrayObjectHasUserDefinedSpecies())
+        auto* library = scriptContext->GetLibrary();
+
+        if (JavascriptArray::IsNonES5Array(originalArray))
         {
-            return nullptr;
+            auto* dynamicObject = UnsafeVarTo<DynamicObject>(originalArray);
+            auto* typeHandler = dynamicObject->GetDynamicType()->GetTypeHandler();
+
+            if (typeHandler->IsPathTypeHandler()
+                && !PathTypeHandlerBase::FromTypeHandler(typeHandler)->HasUserDefinedCtor()
+                && dynamicObject->GetPrototype() == library->GetArrayPrototype()
+                && !library->GetArrayObjectHasUserDefinedSpecies())
+            {
+                return nullptr;
+            }
         }
 
-        Var constructor = scriptContext->GetLibrary()->GetUndefined();
+        Var constructor = library->GetUndefined();
 
         JS_REENTRANT(jsReentLock, BOOL isArray = JavascriptOperators::IsArray(originalArray));
         if (isArray)
@@ -12305,7 +12313,7 @@ using namespace Js;
                 {
                     if (constructorScriptContext->GetLibrary()->GetArrayConstructor() == constructor)
                     {
-                        constructor = scriptContext->GetLibrary()->GetUndefined();
+                        constructor = library->GetUndefined();
                     }
                 }
             }
@@ -12321,14 +12329,14 @@ using namespace Js;
                     }
                     return nullptr;
                 }
-                if (constructor == scriptContext->GetLibrary()->GetNull())
+                if (constructor == library->GetNull())
                 {
-                    constructor = scriptContext->GetLibrary()->GetUndefined();
+                    constructor = library->GetUndefined();
                 }
             }
         }
 
-        if (constructor == scriptContext->GetLibrary()->GetUndefined() || constructor == scriptContext->GetLibrary()->GetArrayConstructor())
+        if (constructor == library->GetUndefined() || constructor == library->GetArrayConstructor())
         {
             if (length > UINT_MAX)
             {
@@ -12337,7 +12345,7 @@ using namespace Js;
 
             if (nullptr == pIsIntArray)
             {
-                return scriptContext->GetLibrary()->CreateArray(static_cast<uint32>(length));
+                return library->CreateArray(static_cast<uint32>(length));
             }
             else
             {
diff --git a/lib/Runtime/Types/DynamicObject.cpp b/lib/Runtime/Types/DynamicObject.cpp
@@ -866,11 +866,11 @@ namespace Js
             }
             return false;
         }
-        if (!from->GetTypeHandler()->IsPathTypeHandler())
+        if (!from->GetTypeHandler()->IsObjectCopyable())
         {
             if (PHASE_TRACE1(ObjectCopyPhase))
             {
-                Output::Print(_u("ObjectCopy: Can't copy: Don't have PathTypeHandler\n"));
+                Output::Print(_u("ObjectCopy: Can't copy: from obj does not have copyable type handler\n"));
             }
             return false;
         }
@@ -890,14 +890,6 @@ namespace Js
             }
             return false;
         }
-        if (PathTypeHandlerBase::FromTypeHandler(from->GetTypeHandler())->HasAccessors())
-        {
-            if (PHASE_TRACE1(ObjectCopyPhase))
-            {
-                Output::Print(_u("ObjectCopy: Can't copy: type handler has accessors\n"));
-            }
-            return false;
-        }
         if (this->GetPrototype() != from->GetPrototype())
         {
             if (PHASE_TRACE1(ObjectCopyPhase))
@@ -906,14 +898,6 @@ namespace Js
             }
             return false;
         }
-        if (!from->GetTypeHandler()->AllPropertiesAreEnumerable())
-        {
-            if (PHASE_TRACE1(ObjectCopyPhase))
-            {
-                Output::Print(_u("ObjectCopy: Can't copy: from obj has non-enumerable properties\n"));
-            }
-            return false;
-        }
         if (from->IsExternal())
         {
             if (PHASE_TRACE1(ObjectCopyPhase))
diff --git a/lib/Runtime/Types/PathTypeHandler.cpp b/lib/Runtime/Types/PathTypeHandler.cpp
@@ -235,12 +235,20 @@ namespace Js
         DynamicTypeHandler(slotCapacity, inlineSlotCapacity, offsetOfInlineSlots, DefaultFlags | (isLocked ? IsLockedFlag : 0) | (isShared ? (MayBecomeSharedFlag | IsSharedFlag) : 0)),
         typePath(typePath),
         predecessorType(predecessorType),
-        successorInfo(nullptr)
+        successorInfo(nullptr),
+        hasUserDefinedCtor(false),
+        hasInternalProperty(false)
     {
         Assert(pathLength <= slotCapacity);
         Assert(inlineSlotCapacity <= slotCapacity);
         SetUnusedBytesValue(pathLength);
-        isNotPathTypeHandlerOrHasUserDefinedCtor = predecessorType == nullptr ? false : predecessorType->GetTypeHandler()->GetIsNotPathTypeHandlerOrHasUserDefinedCtor();
+
+        if (predecessorType != nullptr && predecessorType->GetTypeHandler()->IsPathTypeHandler())
+        {
+            auto* handler = PathTypeHandlerBase::FromTypeHandler(predecessorType->GetTypeHandler());
+            hasUserDefinedCtor = handler->hasUserDefinedCtor;
+            hasInternalProperty = handler->hasInternalProperty;
+        }
     }
 
     int PathTypeHandlerBase::GetPropertyCount()
@@ -2166,7 +2174,12 @@ namespace Js
 
             if (key.GetPropertyId() == PropertyIds::constructor)
             {
-                nextPath->isNotPathTypeHandlerOrHasUserDefinedCtor = true;
+                nextPath->hasUserDefinedCtor = true;
+            }
+
+            if (IsInternalPropertyId(key.GetPropertyId()))
+            {
+                nextPath->hasInternalProperty = true;
             }
 
 #ifdef PROFILE_TYPES
diff --git a/lib/Runtime/Types/PathTypeHandler.h b/lib/Runtime/Types/PathTypeHandler.h
@@ -102,6 +102,8 @@ namespace Js
         Field(DynamicType*) predecessorType; // Strong reference to predecessor type so that predecessor types remain in the cache even though they might not be used
         Field(TypePath*) typePath;
         Field(PathTypeSuccessorInfo*) successorInfo;
+        Field(bool) hasUserDefinedCtor;
+        Field(bool) hasInternalProperty;
 
     public:
         DEFINE_GETCPPNAME();
@@ -119,6 +121,8 @@ namespace Js
             return nullptr;
         }
 
+        bool HasUserDefinedCtor() { return this->hasUserDefinedCtor; }
+
         virtual BOOL IsLockable() const override { return true; }
         virtual BOOL IsSharable() const override { return true; }
 
@@ -459,6 +463,8 @@ namespace Js
         DEFINE_VTABLE_CTOR_NO_REGISTER(PathTypeHandlerNoAttr, PathTypeHandlerBase);
 
     public:
+        virtual bool IsObjectCopyable() const override { return !this->hasInternalProperty; }
+
         static PathTypeHandlerNoAttr * New(ScriptContext * scriptContext, TypePath* typePath, uint16 pathLength, uint16 inlineSlotCapacity, uint16 offsetOfInlineSlots, bool isLocked = false, bool isShared = false, DynamicType* predecessorType = nullptr);
         static PathTypeHandlerNoAttr * New(ScriptContext * scriptContext, TypePath* typePath, uint16 pathLength, const PropertyIndex slotCapacity, uint16 inlineSlotCapacity, uint16 offsetOfInlineSlots, bool isLocked = false, bool isShared = false, DynamicType* predecessorType = nullptr);
         static PathTypeHandlerNoAttr * New(ScriptContext * scriptContext, PathTypeHandlerNoAttr * typeHandler, bool isLocked, bool isShared);
@@ -534,6 +540,7 @@ namespace Js
             return FindNextPropertyHelper(scriptContext, this->attributes, index, propertyString, propertyId, attributes, type, typeToEnumerate, flags, instance, info);
         }
         virtual BOOL AllPropertiesAreEnumerable() sealed override { return false; }
+        virtual bool IsObjectCopyable() const override { return false; }
 #if ENABLE_NATIVE_CODEGEN
         virtual bool IsObjTypeSpecEquivalent(const Type* type, const TypeEquivalenceRecord& record, uint& failedPropertyIndex) override;
         virtual bool IsObjTypeSpecEquivalent(const Type* type, const EquivalentPropertyEntry* entry) override;
diff --git a/lib/Runtime/Types/TypeHandler.cpp b/lib/Runtime/Types/TypeHandler.cpp
@@ -77,7 +77,6 @@ using namespace Js;
                 ? RoundUpObjectHeaderInlinedInlineSlotCapacity(inlineSlotCapacity)
                 : RoundUpInlineSlotCapacity(inlineSlotCapacity);
         this->slotCapacity = RoundUpSlotCapacity(slotCapacity, inlineSlotCapacity);
-        this->isNotPathTypeHandlerOrHasUserDefinedCtor = true;
 
         Assert(IsObjectHeaderInlinedTypeHandler() == IsObjectHeaderInlined(offsetOfInlineSlots));
     }
@@ -884,6 +883,5 @@ using namespace Js;
         Output::Print(_u("%*sslotCapacity: %d\n"), fieldIndent, padding, this->slotCapacity);
         Output::Print(_u("%*sunusedBytes: %u\n"), fieldIndent, padding, this->unusedBytes);
         Output::Print(_u("%*sinlineSlotCapacty: %u\n"), fieldIndent, padding, this->inlineSlotCapacity);
-        Output::Print(_u("%*sisNotPathTypeHandlerOrHasUserDefinedCtor: %d\n"), fieldIndent, padding, static_cast<int>(this->isNotPathTypeHandlerOrHasUserDefinedCtor));
     }
 #endif
diff --git a/lib/Runtime/Types/TypeHandler.h b/lib/Runtime/Types/TypeHandler.h
@@ -48,7 +48,6 @@ namespace Js
         Field(int) slotCapacity;
         Field(uint16) unusedBytes;             // This always has it's lowest bit set to avoid false references
         Field(uint16) inlineSlotCapacity;
-        Field(bool) isNotPathTypeHandlerOrHasUserDefinedCtor;
         Field(bool) protoCachesWereInvalidated;
 
     public:
@@ -58,7 +57,6 @@ namespace Js
             propertyTypes(typeHandler->propertyTypes),
             slotCapacity(typeHandler->slotCapacity),
             offsetOfInlineSlots(typeHandler->offsetOfInlineSlots),
-            isNotPathTypeHandlerOrHasUserDefinedCtor(typeHandler->isNotPathTypeHandlerOrHasUserDefinedCtor),
             unusedBytes(typeHandler->unusedBytes),
             protoCachesWereInvalidated(false),
             inlineSlotCapacity(typeHandler->inlineSlotCapacity)
@@ -427,7 +425,6 @@ namespace Js
         }
 
         BOOL Freeze(DynamicObject *instance, bool isConvertedType = false)  { return FreezeImpl(instance, isConvertedType); }
-        bool GetIsNotPathTypeHandlerOrHasUserDefinedCtor() const { return this->isNotPathTypeHandlerOrHasUserDefinedCtor; }
 
         virtual BOOL IsStringTypeHandler() const { return false; }
 
@@ -560,6 +557,8 @@ namespace Js
         virtual BOOL IsSimpleDictionaryTypeHandler() const {return FALSE; }
         virtual BOOL IsDictionaryTypeHandler() const {return FALSE;}
 
+        virtual bool IsObjectCopyable() const { return false; }
+
         static bool IsolatePrototypes() { return CONFIG_FLAG(IsolatePrototypes); }
         static bool ChangeTypeOnProto() { return CONFIG_FLAG(ChangeTypeOnProto); }
         static bool ShouldFixMethodProperties() { return !PHASE_OFF1(FixMethodPropsPhase); }
diff --git a/test/Object/assign.baseline b/test/Object/assign.baseline
@@ -1,11 +1,11 @@
 ObjectCopy succeeded
-ObjectCopy: Can't copy: Don't have PathTypeHandler
-ObjectCopy: Can't copy: type handler has accessors
-ObjectCopy: Can't copy: type handler has accessors
+ObjectCopy: Can't copy: from obj does not have copyable type handler
+ObjectCopy: Can't copy: from obj does not have copyable type handler
+ObjectCopy: Can't copy: from obj does not have copyable type handler
 ObjectCopy: Can't copy: Prototypes don't match
-ObjectCopy: Can't copy: from obj has non-enumerable properties
+ObjectCopy: Can't copy: from obj does not have copyable type handler
 ObjectCopy succeeded
 ObjectCopy succeeded
 ObjectCopy: Can't copy: to obj has object array
-ObjectCopy: Can't copy: Don't have PathTypeHandler
+ObjectCopy: Can't copy: from obj does not have copyable type handler
 pass
diff --git a/test/es6/weakmap_functionality.js b/test/es6/weakmap_functionality.js
@@ -501,6 +501,28 @@ var tests = [
         }
     },
 
+    {
+        name: "WeakMap internal property data is not copied by Object.assign",
+        body: function () {
+            var key1 = {};
+            var key2 = {};
+            var map = new WeakMap(); 
+
+            map.set(key1, 1);
+            map.delete(Object.assign(key2, key1));
+            assert.isFalse(map.has(key2));
+
+            key1 = {};
+            key2 = {};
+            map = new WeakMap(); 
+
+            map.set(key1, 1);
+            key1.a = 1;
+            map.delete(Object.assign(key2, key1));
+            assert.isFalse(map.has(key2));
+        }
+    }
+
 ];
 
 testRunner.runTests(tests, { verbose: WScript.Arguments[0] != "summary" });

Original file line number	Diff line number	Diff line change
`@@ -12279,15 +12279,23 @@ using namespace Js;`
`12279`	`12279`	`JS_REENTRANCY_LOCK(jsReentLock, scriptContext->GetThreadContext());`
`12280`	`12280`	`SETOBJECT_FOR_MUTATION(jsReentLock, originalArray);`
`12281`	`12281`
`12282`		`- if (JavascriptArray::IsNonES5Array(originalArray)`
`12283`		`- && !UnsafeVarTo<DynamicObject>(originalArray)->GetDynamicType()->GetTypeHandler()->GetIsNotPathTypeHandlerOrHasUserDefinedCtor()`
`12284`		`- && UnsafeVarTo<DynamicObject>(originalArray)->GetPrototype() == scriptContext->GetLibrary()->GetArrayPrototype()`
`12285`		`- && !scriptContext->GetLibrary()->GetArrayObjectHasUserDefinedSpecies())`
	`12282`	`+ auto* library = scriptContext->GetLibrary();`
	`12283`	`+`
	`12284`	`+ if (JavascriptArray::IsNonES5Array(originalArray))`
`12286`	`12285`	`{`
`12287`		`- return nullptr;`
	`12286`	`+ auto* dynamicObject = UnsafeVarTo<DynamicObject>(originalArray);`
	`12287`	`+ auto* typeHandler = dynamicObject->GetDynamicType()->GetTypeHandler();`
	`12288`	`+`
	`12289`	`+ if (typeHandler->IsPathTypeHandler()`
	`12290`	`+ && !PathTypeHandlerBase::FromTypeHandler(typeHandler)->HasUserDefinedCtor()`
	`12291`	`+ && dynamicObject->GetPrototype() == library->GetArrayPrototype()`
	`12292`	`+ && !library->GetArrayObjectHasUserDefinedSpecies())`
	`12293`	`+ {`
	`12294`	`+ return nullptr;`
	`12295`	`+ }`
`12288`	`12296`	`}`
`12289`	`12297`
`12290`		`- Var constructor = scriptContext->GetLibrary()->GetUndefined();`
	`12298`	`+ Var constructor = library->GetUndefined();`
`12291`	`12299`
`12292`	`12300`	`JS_REENTRANT(jsReentLock, BOOL isArray = JavascriptOperators::IsArray(originalArray));`
`12293`	`12301`	`if (isArray)`
`@@ -12305,7 +12313,7 @@ using namespace Js;`
`12305`	`12313`	`{`
`12306`	`12314`	`if (constructorScriptContext->GetLibrary()->GetArrayConstructor() == constructor)`
`12307`	`12315`	`{`
`12308`		`- constructor = scriptContext->GetLibrary()->GetUndefined();`
	`12316`	`+ constructor = library->GetUndefined();`
`12309`	`12317`	`}`
`12310`	`12318`	`}`
`12311`	`12319`	`}`
`@@ -12321,14 +12329,14 @@ using namespace Js;`
`12321`	`12329`	`}`
`12322`	`12330`	`return nullptr;`
`12323`	`12331`	`}`
`12324`		`- if (constructor == scriptContext->GetLibrary()->GetNull())`
	`12332`	`+ if (constructor == library->GetNull())`
`12325`	`12333`	`{`
`12326`		`- constructor = scriptContext->GetLibrary()->GetUndefined();`
	`12334`	`+ constructor = library->GetUndefined();`
`12327`	`12335`	`}`
`12328`	`12336`	`}`
`12329`	`12337`	`}`
`12330`	`12338`
`12331`		`- if (constructor == scriptContext->GetLibrary()->GetUndefined() \|\| constructor == scriptContext->GetLibrary()->GetArrayConstructor())`
	`12339`	`+ if (constructor == library->GetUndefined() \|\| constructor == library->GetArrayConstructor())`
`12332`	`12340`	`{`
`12333`	`12341`	`if (length > UINT_MAX)`
`12334`	`12342`	`{`
`@@ -12337,7 +12345,7 @@ using namespace Js;`
`12337`	`12345`
`12338`	`12346`	`if (nullptr == pIsIntArray)`
`12339`	`12347`	`{`
`12340`		`- return scriptContext->GetLibrary()->CreateArray(static_cast<uint32>(length));`
	`12348`	`+ return library->CreateArray(static_cast<uint32>(length));`
`12341`	`12349`	`}`
`12342`	`12350`	`else`
`12343`	`12351`	`{`
Original file line number	Diff line number	Diff line change
`@@ -866,11 +866,11 @@ namespace Js`
`866`	`866`	`}`
`867`	`867`	`return false;`
`868`	`868`	`}`
`869`		`- if (!from->GetTypeHandler()->IsPathTypeHandler())`
	`869`	`+ if (!from->GetTypeHandler()->IsObjectCopyable())`
`870`	`870`	`{`
`871`	`871`	`if (PHASE_TRACE1(ObjectCopyPhase))`
`872`	`872`	`{`
`873`		`- Output::Print(_u("ObjectCopy: Can't copy: Don't have PathTypeHandler\n"));`
	`873`	`+ Output::Print(_u("ObjectCopy: Can't copy: from obj does not have copyable type handler\n"));`
`874`	`874`	`}`
`875`	`875`	`return false;`
`876`	`876`	`}`
`@@ -890,14 +890,6 @@ namespace Js`
`890`	`890`	`}`
`891`	`891`	`return false;`
`892`	`892`	`}`
`893`		`- if (PathTypeHandlerBase::FromTypeHandler(from->GetTypeHandler())->HasAccessors())`
`894`		`- {`
`895`		`- if (PHASE_TRACE1(ObjectCopyPhase))`
`896`		`- {`
`897`		`- Output::Print(_u("ObjectCopy: Can't copy: type handler has accessors\n"));`
`898`		`- }`
`899`		`- return false;`
`900`		`- }`
`901`	`893`	`if (this->GetPrototype() != from->GetPrototype())`
`902`	`894`	`{`
`903`	`895`	`if (PHASE_TRACE1(ObjectCopyPhase))`
`@@ -906,14 +898,6 @@ namespace Js`
`906`	`898`	`}`
`907`	`899`	`return false;`
`908`	`900`	`}`
`909`		`- if (!from->GetTypeHandler()->AllPropertiesAreEnumerable())`
`910`		`- {`
`911`		`- if (PHASE_TRACE1(ObjectCopyPhase))`
`912`		`- {`
`913`		`- Output::Print(_u("ObjectCopy: Can't copy: from obj has non-enumerable properties\n"));`
`914`		`- }`
`915`		`- return false;`
`916`		`- }`
`917`	`901`	`if (from->IsExternal())`
`918`	`902`	`{`
`919`	`903`	`if (PHASE_TRACE1(ObjectCopyPhase))`
Original file line number	Diff line number	Diff line change
`@@ -77,7 +77,6 @@ using namespace Js;`
`77`	`77`	`? RoundUpObjectHeaderInlinedInlineSlotCapacity(inlineSlotCapacity)`
`78`	`78`	`: RoundUpInlineSlotCapacity(inlineSlotCapacity);`
`79`	`79`	`this->slotCapacity = RoundUpSlotCapacity(slotCapacity, inlineSlotCapacity);`
`80`		`- this->isNotPathTypeHandlerOrHasUserDefinedCtor = true;`
`81`	`80`
`82`	`81`	`Assert(IsObjectHeaderInlinedTypeHandler() == IsObjectHeaderInlined(offsetOfInlineSlots));`
`83`	`82`	`}`
`@@ -884,6 +883,5 @@ using namespace Js;`
`884`	`883`	`Output::Print(_u("%*sslotCapacity: %d\n"), fieldIndent, padding, this->slotCapacity);`
`885`	`884`	`Output::Print(_u("%*sunusedBytes: %u\n"), fieldIndent, padding, this->unusedBytes);`
`886`	`885`	`Output::Print(_u("%*sinlineSlotCapacty: %u\n"), fieldIndent, padding, this->inlineSlotCapacity);`
`887`		`- Output::Print(_u("%*sisNotPathTypeHandlerOrHasUserDefinedCtor: %d\n"), fieldIndent, padding, static_cast<int>(this->isNotPathTypeHandlerOrHasUserDefinedCtor));`
`888`	`886`	`}`
`889`	`887`	`#endif`