Changeset 196760 in webkit


Timestamp:
Feb 18, 2016 9:19:33 AM (8 years ago)
Author:
Chris Dumez
Message:

Crash on SES selftest page when loading the page while WebInspector is open
https://bugs.webkit.org/show_bug.cgi?id=154378
<rdar://problem/24713422>

Reviewed by Mark Lam.

Do a partial revert of r196676 so that JSObject::getOwnPropertyDescriptor()
returns early again if it detects that getOwnPropertySlot() returns a
non-own property. This check was removed in r196676 because we assumed that
only JSDOMWindow::getOwnPropertySlot() could return non-own properties.
However, as it turns out, DebuggerScope::getOwnPropertySlot() does so as
well.

Not having the check would lead to crashes when using the debugger because
we would get a slot with the CustomAccessor attribute but getDirect() would
then fail to return the property (because it is not an own property). We
would then cast the value returned by getDirect() to a CustomGetterSetter*
and dereference it.

  • runtime/JSObject.cpp:
(JSC::JSObject::getOwnPropertyDescriptor):

Location:
trunk/Source/JavaScriptCore
Files:
2 edited

  • trunk/Source/JavaScriptCore/ChangeLog

    r196759 r196760  
     12016-02-18  Chris Dumez  <cdumez@apple.com>
     2
     3        Crash on SES selftest page when loading the page while WebInspector is open
     4        https://bugs.webkit.org/show_bug.cgi?id=154378
     5        <rdar://problem/24713422>
     6
     7        Reviewed by Mark Lam.
     8
     9        Do a partial revert of r196676 so that JSObject::getOwnPropertyDescriptor()
     10        returns early again if it detects that getOwnPropertySlot() returns a
     11        non-own property. This check was removed in r196676 because we assumed that
     12        only JSDOMWindow::getOwnPropertySlot() could return non-own properties.
     13        However, as it turns out, DebuggerScope::getOwnPropertySlot() does so as
     14        well.
     15
     16        Not having the check would lead to crashes when using the debugger because
     17        we would get a slot with the CustomAccessor attribute but getDirect() would
     18        then fail to return the property (because it is not an own property). We
     19        would then cast the value returned by getDirect() to a CustomGetterSetter*
     20        and dereference it.
     21
     22        * runtime/JSObject.cpp:
     23        (JSC::JSObject::getOwnPropertyDescriptor):
     24
    1252016-02-18  Filip Pizlo  <fpizlo@apple.com>
    226
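Review bot: The entry calls this a partial revert of r196676 but never says which part of r196676 is kept; the JSObject.cpp hunk restores the early return together with a JSProxy exemption (`auto* proxy = jsDynamicCast<JSProxy*>(this);`) that the description does not mention, so a sentence stating that the proxy-target case is deliberately still allowed through would let a future reader tell the restored check from the logic retained from r196676.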
  • trunk/Source/JavaScriptCore/runtime/JSObject.cpp

    r196722 r196760  
    25572557        return false;
    25582558
     2559    // DebuggerScope::getOwnPropertySlot() (and possibly others) may return attributes from the prototype chain
     2560    // but getOwnPropertyDescriptor() should only work for 'own' properties so we exit early if we detect that
     2561    // the property is not an own property.
     2562    if (slot.slotBase() != this && slot.slotBase()) {
     2563        auto* proxy = jsDynamicCast<JSProxy*>(this);
     2564        if (!proxy || proxy->target() != slot.slotBase())
     2565            return false;
     2566    }
     2567
    25592568    if (slot.isAccessor())
    25602569        descriptor.setAccessorDescriptor(slot.getterSetter(), slot.attributes());
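Review bot: The JSProxy exemption in the restored check (`if (!proxy || proxy->target() != slot.slotBase()) return false;`) lets a slot whose base is the proxy's target fall through into the code below, so the failure the message describes (a slot with the CustomAccessor attribute whose property getDirect() cannot find on `this`) is avoided only if the later lookup is performed on the target rather than on the proxy itself; an ASSERT or a one-line comment at the fall-through making that dependency explicit would guard against the next refactor removing it the way r196676 removed this check. Separately, the new comment explains why a non-own slot base is rejected but not why a null `slot.slotBase()` is exempted by the `&& slot.slotBase()` clause; naming the slot kinds that legitimately carry no base would keep a reader from "fixing" that guard.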