Changeset 274882 in webkit

Timestamp:

Mar 23, 2021 11:04:34 AM (16 months ago)

Author:

rmorisset@apple.com

Message:

Object.freeze(this) at the global scope can lose a reference to a WatchpointSet
​https://bugs.webkit.org/show_bug.cgi?id=223608

Reviewed by Yusuke Suzuki.

JSTests:

• stress/freeze-global-object.js: Added.

(foo):

Source/JavaScriptCore:

When freezing the global object, we should make a proper copy of symbol table entries, to keep any outstanding reference to the WatchpointSet.
We cannot use pack(), because it does not support FatEntries.

• runtime/JSGlobalObject.cpp:

(JSC::JSGlobalObject::defineOwnProperty):

• runtime/JSSymbolTableObject.h:

(JSC::symbolTableGet):

• runtime/SymbolTable.h:

(JSC::SymbolTableEntry::setReadOnly):

Location:

trunk

Files:

• JSTests/ChangeLog (modified) (1 diff)
• JSTests/stress/freeze-global-object.js (added)
• Source/JavaScriptCore/ChangeLog (modified) (1 diff)
• Source/JavaScriptCore/runtime/JSGlobalObject.cpp (modified) (2 diffs)
• Source/JavaScriptCore/runtime/JSSymbolTableObject.h (modified) (1 diff)
• Source/JavaScriptCore/runtime/SymbolTable.h (modified) (1 diff)

trunk/JSTests/ChangeLog

@@ +1 @@
+2021-03-23  Robin Morisset  <rmorisset@apple.com>
+
+        Object.freeze(this) at the global scope can lose a reference to a WatchpointSet
+        https://bugs.webkit.org/show_bug.cgi?id=223608
+
+        Reviewed by Yusuke Suzuki.
+
+        * stress/freeze-global-object.js: Added.
+        (foo):
+
 2021-03-22  Saam Barati  <sbarati@apple.com>
 

trunk/Source/JavaScriptCore/ChangeLog

@@ +1 @@
+2021-03-23  Robin Morisset  <rmorisset@apple.com>
+
+        Object.freeze(this) at the global scope can lose a reference to a WatchpointSet
+        https://bugs.webkit.org/show_bug.cgi?id=223608
+
+        Reviewed by Yusuke Suzuki.
+
+        When freezing the global object, we should make a proper copy of symbol table entries, to keep any outstanding reference to the WatchpointSet.
+        We cannot use pack(), because it does not support FatEntries.
+
+        * runtime/JSGlobalObject.cpp:
+        (JSC::JSGlobalObject::defineOwnProperty):
+        * runtime/JSSymbolTableObject.h:
+        (JSC::symbolTableGet):
+        * runtime/SymbolTable.h:
+        (JSC::SymbolTableEntry::setReadOnly):
+
 2021-03-22  Yusuke Suzuki  <ysuzuki@apple.com>
 

trunk/Source/JavaScriptCore/runtime/JSGlobalObject.cpp

@@ -1485 +1485 @@
     JSGlobalObject* thisObject = jsCast<JSGlobalObject*>(object);
 
-    SymbolTableEntry::Fast entry;
+    SymbolTableEntry entry;
     PropertyDescriptor currentDescriptor;
     if (symbolTableGet(thisObject, propertyName, entry, currentDescriptor)) {
@@ -1503 +1503 @@
         }
         if (descriptor.writablePresent() && !descriptor.writable() && !entry.isReadOnly()) {
-            thisObject->symbolTable()->set(propertyName.uid(), SymbolTableEntry(entry.varOffset(), entry.getAttributes() | PropertyAttribute::ReadOnly));
+            entry.setReadOnly();
+            thisObject->symbolTable()->set(propertyName.uid(), entry);
             thisObject->varReadOnlyWatchpoint()->fireAll(vm, "GlobalVar was redefined as ReadOnly");
         }

trunk/Source/JavaScriptCore/runtime/JSSymbolTableObject.h

@@ -100 +100 @@
 template<typename SymbolTableObjectType>
 inline bool symbolTableGet(
-    SymbolTableObjectType* object, PropertyName propertyName, SymbolTableEntry::Fast& entry, PropertyDescriptor& descriptor)
+    SymbolTableObjectType* object, PropertyName propertyName, SymbolTableEntry& entry, PropertyDescriptor& descriptor)
 {
     SymbolTable& symbolTable = *object->symbolTable();

trunk/Source/JavaScriptCore/runtime/SymbolTable.h

@@ -265 +265 @@
     }
 
+    void setReadOnly()
+    {
+        bits() |= ReadOnlyFlag;
+    }
+
     bool isReadOnly() const
     {