Changeset 196723 in webkit
Timestamp:
Feb 17, 2016 2:59:59 PM (8 years ago)
Author:
Chris Dumez
Message:

SES selftest page crashes on nightly r196694
https://bugs.webkit.org/show_bug.cgi?id=154350
<rdar://problem/24704334>

Reviewed by Mark Lam.

Source/JavaScriptCore:

SES selftest page crashes after r196001 / r196145 when calling
Object.getOwnPropertyDescriptor(window, "length") after the window
has been reified and "length" has been shadowed by a value property.

It was crashing in JSObject::getOwnPropertyDescriptor() because
we are getting a slot that has attribute "CustomAccessor" but
the property is not a CustomGetterSetter. In this case, since
window.length is [Replaceable] and has been set to a numeric value,
this means that the property is not a CustomGetterSetter. However,
the "CustomAccessor" attribute should have been dropped from the
slot when window.length was shadowed. Therefore, this code path
should not be exercised at all when calling
getOwnPropertyDescriptor().

The issue was that putDirectInternal() was updating the slot
attributes only if the "Accessor" flag had changed, but not
the "CustomAccessor" flag. This patch fixes the issue.

  • runtime/JSObject.h:
    (JSC::JSObject::putDirectInternal):

LayoutTests:

Add test coverage for the crash which happens when shadowing window.length
with a value after the window property and then calling
Object.getOwnPropertyDescriptor(window, "length").

  • js/window-length-getOwnPropertyDescriptor-crash-expected.txt: Added.
  • js/window-length-getOwnPropertyDescriptor-crash.html: Added.
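As an added illustration (not WebKit's code or its layout test), the [Replaceable] shadowing the message describes, emulated in plain JavaScript on a constructed stand-in for window, with a descriptor check of the kind getOwnPropertyDescriptor is expected to satisfy:

```javascript
// Added illustration (not WebKit code): emulate a WebIDL [Replaceable]
// attribute such as window.length and check what
// Object.getOwnPropertyDescriptor reports before and after shadowing.
function defineReplaceable(obj, name, getter) {
  Object.defineProperty(obj, name, {
    get: getter,
    // [Replaceable] semantics: assignment replaces the accessor with an
    // ordinary writable data property holding the assigned value.
    set(value) {
      Object.defineProperty(this, name, {
        value, writable: true, enumerable: true, configurable: true,
      });
    },
    enumerable: true,
    configurable: true,
  });
  return obj;
}

// Classify a property the way a descriptor consumer must: once the slot
// has been replaced by a value it must come back as a data descriptor,
// never as a mix of accessor and data fields.
function descriptorKind(obj, name) {
  const d = Object.getOwnPropertyDescriptor(obj, name);
  if (!d) return "none";
  const isAccessor = "get" in d || "set" in d;
  const isData = "value" in d;
  if (isAccessor && isData) throw new Error("inconsistent descriptor");
  return isAccessor ? "accessor" : "data";
}

// Walk through the scenario from the bug report on a constructed stand-in
// for window (there is no window object outside a browser runtime).
function shadowingScenario() {
  const frames = [{}, {}];                 // constructed sample frame list
  const fakeWindow = defineReplaceable({}, "length", () => frames.length);
  const before = descriptorKind(fakeWindow, "length");
  fakeWindow.length = 42;                  // shadow the accessor with a value
  const after = descriptorKind(fakeWindow, "length");
  return { before, after, value: fakeWindow.length };
}
```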
Location:
trunk
Files:
2 added
3 edited

  • trunk/LayoutTests/ChangeLog

    r196719 r196723  
     12016-02-17  Chris Dumez  <cdumez@apple.com>
     2
     3        SES selftest page crashes on nightly r196694
     4        https://bugs.webkit.org/show_bug.cgi?id=154350
     5        <rdar://problem/24704334>
     6
     7        Reviewed by Mark Lam.
     8
     9        Add test coverage for the crash which happens when shadowing window.length
     10        with a value after the window property and then calling
     11        Object.getOwnPropertyDescriptor(window, "length").
     12
     13        * js/window-length-getOwnPropertyDescriptor-crash-expected.txt: Added.
     14        * js/window-length-getOwnPropertyDescriptor-crash.html: Added.
     15
    1162016-02-17  Simon Fraser  <simon.fraser@apple.com>
    217
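Review bot: line 10 of this hunk, "with a value after the window property and then calling", reads as if a phrase is missing between "window property" and "and"; the Source/JavaScriptCore entry states the precondition as "after the window has been reified", and repeating that wording here would make the test's intent clear on its own.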
  • trunk/Source/JavaScriptCore/ChangeLog

    r196722 r196723  
     12016-02-17  Chris Dumez  <cdumez@apple.com>
     2
     3        SES selftest page crashes on nightly r196694
     4        https://bugs.webkit.org/show_bug.cgi?id=154350
     5        <rdar://problem/24704334>
     6
     7        Reviewed by Mark Lam.
     8
     9        SES selftest page crashes after r196001 / r196145 when calling
     10        Object.getOwnPropertyDescriptor(window, "length") after the window
     11        has been reified and "length" has been shadowed by a value property.
     12
     13        It was crashing in JSObject::getOwnPropertyDescriptor() because
     14        we are getting a slot that has attribute "CustomAccessor" but
     15        the property is not a CustomGetterSetter. In this case, since
     16        window.length is [Replaceable] and has been set to a numeric value,
     17        it makes that the property is not a CustomGetterSetter. However,
     18        the "CustomAccessor" attribute should have been dropped from the
     19        slot when window.length was shadowed. Therefore, this code path
     20        should not be exercised at all when calling
     21        getOwnPropertyDescriptor().
     22
     23        The issue was that putDirectInternal() was updating the slot
     24        attributes only if the "Accessor" flag has changed, but not
     25        the "customAccessor" flag. This patch fixes the issue.
     26
     27        * runtime/JSObject.h:
     28        (JSC::JSObject::putDirectInternal):
     29
    1302016-02-17  Saam barati  <sbarati@apple.com>
    231
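Review bot: line 17 "it makes that the property is not a CustomGetterSetter" needs rewording (for example "this means the property is not a CustomGetterSetter"), and line 25 spells the attribute "customAccessor" while line 14 and the code use "CustomAccessor"; using the exact attribute name keeps the entry greppable against JSObject.h.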
  • trunk/Source/JavaScriptCore/runtime/JSObject.h

    r196722 r196723  
    12291229            slot.setExistingProperty(this, offset);
    12301230
    1231             if ((attributes & Accessor) != (currentAttributes & Accessor)) {
     1231            if ((attributes & Accessor) != (currentAttributes & Accessor) || (attributes & CustomAccessor) != (currentAttributes & CustomAccessor)) {
    12321232                ASSERT(!(attributes & ReadOnly));
    12331233                setStructure(vm, Structure::attributeChangeTransition(vm, structure, propertyName, attributes));
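Review bot: the widened condition now routes a CustomAccessor toggle through the same `ASSERT(!(attributes & ReadOnly))` that previously only guarded Accessor changes, so any caller that replaces a CustomAccessor slot with ReadOnly attributes (or the reverse) would now trip the assertion in debug builds where it previously left the stale attributes in place; worth confirming no such path exists, or covering it with a test. Style-wise, the doubled comparison could be written as `if ((attributes ^ currentAttributes) & (Accessor | CustomAccessor))`, which also makes it harder to forget a third flag later.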