Changeset 196051 in webkit


Timestamp:
Feb 2, 2016 10:34:06 PM (8 years ago)
Author:
commit-queue@webkit.org
Message:

JSSymbolTableObject::deleteProperty() crashes deleting Symbols
https://bugs.webkit.org/show_bug.cgi?id=153816

Patch by Caitlin Potter <caitp@igalia.com> on 2016-02-02
Reviewed by Darin Adler.

Changes JSSymbolTableObject::deleteProperty() to check if its
symbolTable() contains the property's uid() rather than publicName().
This ensures that it will not crash in the case of Symbols.

  • runtime/JSSymbolTableObject.cpp:

(JSC::JSSymbolTableObject::deleteProperty):

  • tests/es6/Object_static_methods_Object.getOwnPropertyDescriptors.js:

(testGlobalProxy):

  • tests/stress/regress-153816.js: Added.

(deleteSymbolFromJSSymbolTableObject):

Location:
trunk/Source/JavaScriptCore
Files:
1 added
3 edited

  • trunk/Source/JavaScriptCore/ChangeLog

    r196045 r196051  
     12016-02-02  Caitlin Potter  <caitp@igalia.com>
     2
     3        JSSymbolTableObject::deleteProperty() crashes deleting Symbols
     4        https://bugs.webkit.org/show_bug.cgi?id=153816
     5
     6        Reviewed by Darin Adler.
     7
     8        Changes JSSymbolTableObject::deleteProperty() to check if its
     9        symbolTable() contains the property's uid() rather than publicName().
     10        This ensures that it will not crash in the case of Symbols.
     11
     12        * runtime/JSSymbolTableObject.cpp:
     13        (JSC::JSSymbolTableObject::deleteProperty):
     14        * tests/es6/Object_static_methods_Object.getOwnPropertyDescriptors.js:
     15        (testGlobalProxy):
     16        * tests/stress/regress-153816.js: Added.
     17        (deleteSymbolFromJSSymbolTableObject):
     18
    1192016-02-02  Benjamin Poulain  <benjamin@webkit.org>
    220
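Review bot: the description at lines 8-10 says the uid() lookup "will not crash in the case of Symbols" but never states why the publicName() lookup does. One sentence naming the failing condition would let a later reader judge whether other symbolTable() lookups keyed on publicName() need the same change.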
  • trunk/Source/JavaScriptCore/runtime/JSSymbolTableObject.cpp

    r187969 r196051  
    4848{
    4949    JSSymbolTableObject* thisObject = jsCast<JSSymbolTableObject*>(cell);
    50     if (thisObject->symbolTable()->contains(propertyName.publicName()))
     50    if (thisObject->symbolTable()->contains(propertyName.uid()))
    5151        return false;
    5252
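Review bot: new line 50 carries no comment explaining why the lookup must be keyed on uid() instead of publicName(), so a later cleanup could switch it back without noticing the Symbol case. A one-line comment above `if (thisObject->symbolTable()->contains(propertyName.uid()))` noting that propertyName may be a Symbol would guard against that. It is also worth confirming that returning false here is the intended result whenever the uid is present in the symbol table, since with this change that branch can be reached for Symbol keys as well.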
  • trunk/Source/JavaScriptCore/tests/es6/Object_static_methods_Object.getOwnPropertyDescriptors.js

    r196042 r196051  
    9090
    9191    shouldBeDataProperty(result[symbol], 'Symbol(test)', 'global[Symbol(test)]');
    92     // FIXME: Can't delete Symbol properties from a JSSymbolTableObject.
    93     // delete global[symbol];
     92    delete global[symbol];
    9493})(this);
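Review bot: the re-enabled `delete global[symbol];` at new line 92 is the last statement before `})(this);`, so it only exercises the no-crash path and its result is never checked. Consider asserting the value the delete expression returns and that `symbol` is no longer an own property of `global` afterwards, so that the test fails if deletion silently stops working and not only if it crashes.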