Changeset 190923 in webkit
- Timestamp:
- Oct 12, 2015 8:24:02 PM (8 years ago)
- Location:
- trunk/Source/JavaScriptCore
- Files: 1 added, 2 edited
trunk/Source/JavaScriptCore/ChangeLog
r190916 r190923 1 2015-10-12 Yusuke Suzuki <utatane.tea@gmail.com> 2 3 Iterator loops over key twice after delete 4 https://bugs.webkit.org/show_bug.cgi?id=149811 5 6 Reviewed by Geoffrey Garen. 7 8 When an object is the dictionary mode, JSPropertyNameEnumerator collects property names through generic property name enumeration `getPropertyNames`. 9 The result vector contains indexed property names. But in this case, `publicLength()` may not be 0. 10 So without disabling indexed names enumeration phase explicitly, JSPropertyNameEnumerator produces indexed property names twice. 11 One in indexed name enumeration phase, and another in generic property name enumeration phase. 12 This patch disables indexed names enumeration by setting `indexedLength` to 0 when collecting names through generic property name enumeration. 13 14 * runtime/JSPropertyNameEnumerator.h: 15 (JSC::propertyNameEnumerator): 16 * tests/stress/property-name-enumerator-should-not-look-into-indexed-values-when-it-is-a-dictionary.js: Added. 17 (shouldBe): 18 (col2.of.Reflect.enumerate): 19 1 20 2015-10-12 Yusuke Suzuki <utatane.tea@gmail.com> 2 21 -
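Review bot: the ChangeLog never says why a `delete` puts the object onto the path being fixed, so the bug title ("Iterator loops over key twice after delete") and the body ("When an object is the dictionary mode ...") read as two unrelated statements; one sentence saying that the delete moves the object into dictionary mode would connect them. Two smaller wording points: "is the dictionary mode" should read "is in dictionary mode", and since the fix rests entirely on the difference between the two enumeration calls, name both, i.e. that the `getPropertyNames` result already includes indexed names while the `getGenericPropertyNames` branch (which leaves `indexedLength` untouched) does not.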
trunk/Source/JavaScriptCore/runtime/JSPropertyNameEnumerator.h
r187355 r190923 124 124 125 125 base->methodTable(vm)->getGenericPropertyNames(base, exec, propertyNames, EnumerationMode()); 126 } else 126 } else { 127 // Generic property names vector contains all indexed property names. 128 // So disable indexed property enumeration phase by setting |indexedLength| to 0. 129 indexedLength = 0; 127 130 base->methodTable(vm)->getPropertyNames(base, exec, propertyNames, EnumerationMode()); 131 } 128 132 129 133 ASSERT(propertyNames.size() < UINT32_MAX);
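Review bot: the new else-branch is only correct if `getPropertyNames` really does return every indexed name, and that contract lives nowhere but in the two comment lines "Generic property names vector contains all indexed property names. / So disable indexed property enumeration phase by setting |indexedLength| to 0."; consider a debug assertion that the collected vector holds at least as many names as the indexed count being discarded (capture the value before zeroing it), or move the comment to the point where `indexedLength` is computed so a reader there knows it may be thrown away later. Reassigning `indexedLength = 0` after it has been computed also changes what the variable means mid-function, from the object's indexed length to the number of indexed names the fast path should enumerate; computing it conditionally in the non-dictionary branch would state that intent without the reassignment. The regression test named in the ChangeLog is not shown on this page (the Files summary lists 1 added, but only two diffs appear), so the reviewer cannot see which enumeration entry points it exercises.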
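The ChangeLog describes a shape that exercised both enumeration phases: an object with indexed properties that has been pushed into dictionary mode by a `delete`, enumerated once. The script below is an added example, not the WebKit stress test this changeset adds and not code from the project; it builds that shape, collects the keys for-in produces, and reports any key seen twice. It uses for-in rather than the `Reflect.enumerate` the ChangeLog names for the original test, because `Reflect.enumerate` was later dropped from ECMAScript, and it assumes the engine it runs on (Node/V8) does not have the bug, so the checks pass; an unpatched JSC build would list the indexed keys as duplicates. The `BUGGY_OUTPUT_SAMPLE` list is constructed here to mimic the double enumeration the ChangeLog describes, so the duplicate detector can be exercised on an engine that behaves correctly.

```javascript
// Added example for WebKit bug 149811 (not the changeset's own test).
// Assumes the host engine does not exhibit the bug; on the unpatched JSC
// build the indexed keys would appear twice and be reported as duplicates.

// Collect for-in keys in the order the engine produces them.
function enumeratedKeys(obj) {
  const keys = [];
  for (const key in obj) keys.push(key);
  return keys;
}

// Return the keys that occur more than once, in first-seen order.
// Separate from enumeration so it can also run over a constructed key list.
function findDuplicates(keys) {
  const counts = new Map();
  for (const key of keys) counts.set(key, (counts.get(key) || 0) + 1);
  return [...counts].filter(([, n]) => n > 1).map(([key]) => key);
}

// Object with `indexedCount` indexed properties and three named properties,
// one of which is deleted. In JSC the delete moves the object's Structure into
// dictionary mode, the branch this changeset modifies (assumption from the
// ChangeLog: "Iterator loops over key twice after delete" + dictionary mode).
function makeDictionaryModeObject(indexedCount) {
  const obj = {};
  for (let i = 0; i < indexedCount; i++) obj[i] = `idx${i}`;
  obj.alpha = 1;
  obj.beta = 2;
  obj.gamma = 3;
  delete obj.beta;
  return obj;
}

// Expected for-in order for an ordinary object: integer-like keys ascending,
// then the surviving string keys in insertion order.
function expectedKeys(indexedCount) {
  const keys = [];
  for (let i = 0; i < indexedCount; i++) keys.push(String(i));
  return keys.concat(['alpha', 'gamma']);
}

// Build the object, enumerate it once, and compare against the expectation.
function checkEnumeration(indexedCount) {
  const obj = makeDictionaryModeObject(indexedCount);
  const keys = enumeratedKeys(obj);
  const duplicates = findDuplicates(keys);
  const expected = expectedKeys(indexedCount);
  const matchesExpected =
    keys.length === expected.length && keys.every((k, i) => k === expected[i]);
  return { keys, duplicates, matchesExpected };
}

// Constructed sample of what the ChangeLog says the unpatched enumerator
// produced: indexed names from the indexed phase, then again from the generic
// phase, followed by the named properties.
const BUGGY_OUTPUT_SAMPLE = ['0', '1', '0', '1', 'alpha', 'gamma'];

console.log(checkEnumeration(4));
console.log('duplicates in constructed buggy output:', findDuplicates(BUGGY_OUTPUT_SAMPLE));
```

`checkEnumeration(n)` is the shape of the regression check: build the object, enumerate once, and assert both that `duplicates` is empty and that the key order matches the engine's documented ordering, so a regression in either phase shows up.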