Changeset 147570 in webkit

Timestamp:

Apr 3, 2013 11:38:33 AM (11 years ago)

Author:

mhahnenberg@apple.com

Message:

get_by_pname can become confused when iterating over objects with static properties
​https://bugs.webkit.org/show_bug.cgi?id=113831

Reviewed by Geoffrey Garen.

get_by_pname doesn't take static properties into account when using a JSPropertyNameIterator to directly
access an object's backing store. One way to fix this is to not cache any properties when iterating over
objects with static properties. This patch fixes the bug that was originally reported on swisscom.ch.

Source/JavaScriptCore:

• runtime/JSObject.cpp:

(JSC::JSObject::getOwnNonIndexPropertyNames):

• runtime/JSPropertyNameIterator.cpp:

(JSC::JSPropertyNameIterator::create):

• runtime/PropertyNameArray.h:

(JSC::PropertyNameArray::PropertyNameArray):
(JSC::PropertyNameArray::numCacheableSlots):
(JSC::PropertyNameArray::setNumCacheableSlots):
(PropertyNameArray):

LayoutTests:

• fast/js/dom-static-property-for-in-iteration-expected.txt: Added.
• fast/js/dom-static-property-for-in-iteration.html: Added.

Location:

trunk

Files:

• LayoutTests/ChangeLog (modified) (1 diff)
• LayoutTests/fast/js/dom-static-property-for-in-iteration-expected.txt (added)
• LayoutTests/fast/js/dom-static-property-for-in-iteration.html (added)
• Source/JavaScriptCore/ChangeLog (modified) (1 diff)
• Source/JavaScriptCore/runtime/JSObject.cpp (modified) (1 diff)
• Source/JavaScriptCore/runtime/JSPropertyNameIterator.cpp (modified) (1 diff)
• Source/JavaScriptCore/runtime/PropertyNameArray.h (modified) (4 diffs)

trunk/LayoutTests/ChangeLog

@@ +1 @@
+2013-04-02  Mark Hahnenberg  <mhahnenberg@apple.com>
+
+        get_by_pname can become confused when iterating over objects with static properties
+        https://bugs.webkit.org/show_bug.cgi?id=113831
+
+        Reviewed by Geoffrey Garen.
+
+        get_by_pname doesn't take static properties into account when using a JSPropertyNameIterator to directly 
+        access an object's backing store. One way to fix this is to not cache any properties when iterating over 
+        objects with static properties. This patch fixes the bug that was originally reported on swisscom.ch.
+
+        * fast/js/dom-static-property-for-in-iteration-expected.txt: Added.
+        * fast/js/dom-static-property-for-in-iteration.html: Added.
+
 2013-04-03  Felipe Zimmerle  <felipe@zimmerle.org>
 

trunk/Source/JavaScriptCore/ChangeLog

@@ +1 @@
+2013-04-02  Mark Hahnenberg  <mhahnenberg@apple.com>
+
+        get_by_pname can become confused when iterating over objects with static properties
+        https://bugs.webkit.org/show_bug.cgi?id=113831
+
+        Reviewed by Geoffrey Garen.
+
+        get_by_pname doesn't take static properties into account when using a JSPropertyNameIterator to directly 
+        access an object's backing store. One way to fix this is to not cache any properties when iterating over 
+        objects with static properties. This patch fixes the bug that was originally reported on swisscom.ch.
+
+        * runtime/JSObject.cpp:
+        (JSC::JSObject::getOwnNonIndexPropertyNames):
+        * runtime/JSPropertyNameIterator.cpp:
+        (JSC::JSPropertyNameIterator::create):
+        * runtime/PropertyNameArray.h:
+        (JSC::PropertyNameArray::PropertyNameArray):
+        (JSC::PropertyNameArray::numCacheableSlots):
+        (JSC::PropertyNameArray::setNumCacheableSlots):
+        (PropertyNameArray):
+
 2013-04-02  Geoffrey Garen  <ggaren@apple.com>
 

trunk/Source/JavaScriptCore/runtime/JSObject.cpp

@@ -1533 +1533 @@
 {
     getClassPropertyNames(exec, object->classInfo(), propertyNames, mode, object->staticFunctionsReified());
+    size_t preStructurePropertyNamesCount = propertyNames.size();
     object->structure()->getPropertyNamesFromStructure(exec->globalData(), propertyNames, mode);
+    size_t numCacheableSlots = preStructurePropertyNamesCount ? 0 : propertyNames.size();
+    propertyNames.setNumCacheableSlots(numCacheableSlots);
 }
 

trunk/Source/JavaScriptCore/runtime/JSPropertyNameIterator.cpp

@@ -55 +55 @@
     if (!o->structure()->hasNonEnumerableProperties() && !o->structure()->hasGetterSetterProperties()
         && !o->structure()->isUncacheableDictionary() && !o->structure()->typeInfo().overridesGetPropertyNames())
-        numCacheableSlots = o->structure()->totalStorageSize();
+        numCacheableSlots = propertyNames.numCacheableSlots();
     
     JSPropertyNameIterator* jsPropertyNameIterator = new (NotNull, allocateCell<JSPropertyNameIterator>(*exec->heap())) JSPropertyNameIterator(exec, propertyNames.data(), numCacheableSlots);

trunk/Source/JavaScriptCore/runtime/PropertyNameArray.h

@@ -56 +56 @@
             : m_data(PropertyNameArrayData::create())
             , m_globalData(globalData)
+            , m_numCacheableSlots(0)
         {
         }
@@ -62 +63 @@
             : m_data(PropertyNameArrayData::create())
             , m_globalData(&exec->globalData())
+            , m_numCacheableSlots(0)
         {
         }
@@ -84 +86 @@
         const_iterator end() const { return m_data->propertyNameVector().end(); }
 
+        size_t numCacheableSlots() const { return m_numCacheableSlots; }
+        void setNumCacheableSlots(size_t numCacheableSlots) { m_numCacheableSlots = numCacheableSlots; }
+
     private:
         typedef HashSet<StringImpl*, PtrHash<StringImpl*> > IdentifierSet;
@@ -90 +95 @@
         IdentifierSet m_set;
         JSGlobalData* m_globalData;
+        size_t m_numCacheableSlots;
     };