Changeset 195462 in webkit
- Timestamp: Jan 22, 2016 11:31:06 AM (8 years ago)
- Location: trunk/Source/JavaScriptCore
- Files: 1 added, 2 edited
trunk/Source/JavaScriptCore/ChangeLog
r195460 r195462 1 2016-01-22 Keith Miller <keith_miller@apple.com> 2 3 Equivalence PropertyCondition needs to check the offset it uses to load the value from is not invalidOffset 4 https://bugs.webkit.org/show_bug.cgi?id=152912 5 6 Reviewed by Mark Lam. 7 8 When checking the validity of an Equivalence PropertyCondition we do not check that the offset returned by 9 the structure of the object in the equivalence condition is valid. The offset might be wrong for many reasons. 10 The one we now test for is when the GlobalObject has a property that becomes a variable the property is deleted 11 thus the offset is now invalid. 12 13 * bytecode/PropertyCondition.cpp: 14 (JSC::PropertyCondition::isStillValidAssumingImpurePropertyWatchpoint): 15 * tests/stress/global-property-into-variable-get-from-scope.js: Added. 16 1 17 2016-01-22 Keith Miller <keith_miller@apple.com> 2 18 -
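Review bot: the explanation of the tested case (ChangeLog lines 10-11, "The one we now test for is when the GlobalObject has a property that becomes a variable the property is deleted thus the offset is now invalid") is a run-on that is hard to follow on first read; suggest splitting it into two clauses, e.g. "The case we now test for is a GlobalObject property that becomes a variable: the property is deleted, so the offset is now invalid." The rest of the entry (bug URL, reviewer, touched function and new stress test) is complete.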
trunk/Source/JavaScriptCore/bytecode/PropertyCondition.cpp
r192693 r195462 173 173 174 174 PropertyOffset currentOffset = structure->getConcurrently(uid()); 175 if (currentOffset == invalidOffset) { 176 if (verbose) { 177 dataLog( 178 "Invalid because the base no long appears to have ", uid(), " on its structure: ", 179 RawPointer(base), "\n"); 180 } 181 return false; 182 } 183 175 184 JSValue currentValue = base->getDirect(currentOffset); 176 185 if (currentValue != requiredValue()) {
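Review bot: the log string on added line 178 has a typo, "no long appears to have" should read "no longer appears to have". The logic of the new block is sound: `currentOffset` from `structure->getConcurrently(uid())` is compared against `invalidOffset` and the function returns false before the value is read at line 184 via `base->getDirect(currentOffset)`, so a stale offset can no longer be used for that load. Consider adding a one-line comment above the `if (currentOffset == invalidOffset)` check naming why the offset can be invalid (the ChangeLog cites a global property that becomes a variable and is deleted), so a later reader does not take the check for a redundant one.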