Changeset 190923 in webkit


Timestamp:
Oct 12, 2015 8:24:02 PM (8 years ago)
Author:
Yusuke Suzuki
Message:

Iterator loops over key twice after delete
https://bugs.webkit.org/show_bug.cgi?id=149811

Reviewed by Geoffrey Garen.

When an object is in dictionary mode, JSPropertyNameEnumerator collects property names through generic property name enumeration getPropertyNames.
The result vector contains indexed property names. But in this case, publicLength() may not be 0.
So without disabling indexed names enumeration phase explicitly, JSPropertyNameEnumerator produces indexed property names twice.
One in the indexed name enumeration phase, and another in the generic property name enumeration phase.
This patch disables indexed names enumeration by setting indexedLength to 0 when collecting names through generic property name enumeration.

  • runtime/JSPropertyNameEnumerator.h:
    (JSC::propertyNameEnumerator):
  • tests/stress/property-name-enumerator-should-not-look-into-indexed-values-when-it-is-a-dictionary.js: Added.
    (shouldBe):
    (col2.of.Reflect.enumerate):
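The failure mode described in the message, as an added check that is not the changeset's own stress test: an object holding both indexed and named properties has a property deleted (which moves it to dictionary mode in JavaScriptCore), and every key that for-in yields afterwards is counted so that a key enumerated twice is reported. `for-in` stands in for the now-removed `Reflect.enumerate`; function names are ours.

```javascript
// Collect the keys yielded by a for-in loop, in enumeration order.
function enumerateKeys(obj) {
    const keys = [];
    for (const key in obj)
        keys.push(key);
    return keys;
}

// Return the keys that appear more than once in an enumeration result.
function duplicateKeys(keys) {
    const counts = new Map();
    for (const key of keys)
        counts.set(key, (counts.get(key) || 0) + 1);
    return [...counts].filter(([, n]) => n > 1).map(([key]) => key);
}

// Constructed input: indexed properties "0".."2" plus named ones, then a
// delete. In JavaScriptCore, deleting a property puts the object into
// dictionary mode, which is the path the patch changes.
function makeDictionaryModeObject() {
    const obj = { 0: 'a', 1: 'b', 2: 'c', x: 1, y: 2, z: 3 };
    delete obj.y;
    return obj;
}

// With the fix, the indexed keys "0".."2" are listed once; an enumerator
// that runs the indexed phase and the generic phase would list them twice.
function checkSingleEnumeration() {
    const keys = enumerateKeys(makeDictionaryModeObject());
    return { keys, duplicates: duplicateKeys(keys) };
}

console.log(checkSingleEnumeration());
```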

Location:
trunk/Source/JavaScriptCore
Files:
1 added
2 edited

  • trunk/Source/JavaScriptCore/ChangeLog

    r190916 r190923  
     12015-10-12  Yusuke Suzuki  <utatane.tea@gmail.com>
     2
     3        Iterator loops over key twice after delete
     4        https://bugs.webkit.org/show_bug.cgi?id=149811
     5
     6        Reviewed by Geoffrey Garen.
     7
     8        When an object is the dictionary mode, JSPropertyNameEnumerator collects property names through generic property name enumeration `getPropertyNames`.
     9        The result vector contains indexed property names. But in this case, `publicLength()` may not be 0.
     10        So without disabling indexed names enumeration phase explicitly, JSPropertyNameEnumerator produces indexed property names twice.
     11        One in indexed name enumeration phase, and another in generic property name enumeration phase.
     12        This patch disables indexed names enumeration by setting `indexedLength` to 0 when collecting names through generic property name enumeration.
     13
     14        * runtime/JSPropertyNameEnumerator.h:
     15        (JSC::propertyNameEnumerator):
     16        * tests/stress/property-name-enumerator-should-not-look-into-indexed-values-when-it-is-a-dictionary.js: Added.
     17        (shouldBe):
     18        (col2.of.Reflect.enumerate):
     19
    1202015-10-12  Yusuke Suzuki  <utatane.tea@gmail.com>
    221
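Review bot: the entry `(col2.of.Reflect.enumerate):` at line 18 of the hunk appears to be a `for (col2 of Reflect.enumerate(...))` loop in the new test that the ChangeLog generator picked up as a function definition; drop it or replace it with the name of the test function so the ChangeLog lists only real symbols.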
  • trunk/Source/JavaScriptCore/runtime/JSPropertyNameEnumerator.h

    r187355 r190923  
    124124
    125125        base->methodTable(vm)->getGenericPropertyNames(base, exec, propertyNames, EnumerationMode());
    126     } else
     126    } else {
     127        // Generic property names vector contains all indexed property names.
     128        // So disable indexed property enumeration phase by setting |indexedLength| to 0.
     129        indexedLength = 0;
    127130        base->methodTable(vm)->getPropertyNames(base, exec, propertyNames, EnumerationMode());
     131    }
    128132
    129133    ASSERT(propertyNames.size() < UINT32_MAX);
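Review bot: the new comment at lines 127-128 says the generic vector "contains all indexed property names" but not under which condition this branch is taken, and the condition is outside the hunk; since the ChangeLog ties this to dictionary-mode objects and bug 149811, state that in the comment (e.g. `// In dictionary mode, getPropertyNames already yields indexed names, so skip the indexed phase`) so that a later change to which branch handles dictionary mode does not silently reintroduce the double enumeration. Also note that `indexedLength` is computed before this if/else and then discarded here; if that computation is costly for dictionary-mode objects, it could be skipped for this branch instead of overwritten.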