Changeset 200406 in webkit


Timestamp: May 3, 2016 10:01:08 PM
Author: fpizlo@apple.com
Message:

REGRESSION(r200383): Setting lazily initialized properties across frame boundaries crashes
https://bugs.webkit.org/show_bug.cgi?id=157333

Reviewed by Benjamin Poulain.

Source/JavaScriptCore:

I forgot to add logic for lazy properties in putEntry(). It turns out that it's easy to
add.

  • runtime/Lookup.h:

(JSC::putEntry):

  • runtime/PropertySlot.h:

LayoutTests:

This is JoePeck's original test case. It used to crash and now it doesn't crash anymore.

  • js/dom/cross-window-put-math-expected.txt: Added.
  • js/dom/cross-window-put-math.html: Added.
Location: trunk
Files: 2 added, 4 edited

  • trunk/LayoutTests/ChangeLog

    r200402 r200406  
     12016-05-03  Filip Pizlo  <fpizlo@apple.com>
     2
     3        REGRESSION(r200383): Setting lazily initialized properties across frame boundaries crashes
     4        https://bugs.webkit.org/show_bug.cgi?id=157333
     5
     6        Reviewed by Benjamin Poulain.
     7       
     8        This is JoePeck's original test case. It used to crash and now it doesn't crash anymore.
     9
     10        * js/dom/cross-window-put-math-expected.txt: Added.
     11        * js/dom/cross-window-put-math.html: Added.
     12
    1132016-05-03  Yusuke Suzuki  <utatane.tea@gmail.com>
    214
  • trunk/Source/JavaScriptCore/ChangeLog

    r200405 r200406  
     12016-05-03  Filip Pizlo  <fpizlo@apple.com>
     2
     3        REGRESSION(r200383): Setting lazily initialized properties across frame boundaries crashes
     4        https://bugs.webkit.org/show_bug.cgi?id=157333
     5
     6        Reviewed by Benjamin Poulain.
     7       
     8        I forgot to add logic for lazy properties in putEntry(). It turns out that it's easy to
     9        add.
     10
     11        * runtime/Lookup.h:
     12        (JSC::putEntry):
     13        * runtime/PropertySlot.h:
     14
    1152016-05-03  Filip Pizlo  <fpizlo@apple.com>
    216
  • trunk/Source/JavaScriptCore/runtime/Lookup.h

    r200383 r200406  
    294294inline bool putEntry(ExecState* exec, const HashTableValue* entry, JSObject* base, JSObject* thisValue, PropertyName propertyName, JSValue value, PutPropertySlot& slot)
    295295{
    296     if (entry->attributes() & BuiltinOrFunction) {
     296    if (entry->attributes() & BuiltinOrFunctionOrLazyProperty) {
    297297        if (!(entry->attributes() & ReadOnly)) {
    298             // If this is a function put it as an override property.
     298            // If this is a function or lazy property put then we just do the put because
     299            // logically the object already had the property, so this is just a replace.
    299300            if (JSObject* thisObject = jsDynamicCast<JSObject*>(thisValue))
    300301                thisObject->putDirect(exec->vm(), propertyName, value);
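Review bot: the widened condition at line 296 sends all three lazy kinds (CellProperty, ClassStructure, PropertyCallback) down the same `putDirect` path as functions, but the only new coverage named in the ChangeLog is `js/dom/cross-window-put-math.html`, which exercises a single lazily initialized property; consider adding a cross-frame put for each lazy kind and for a ReadOnly lazy entry so the `ReadOnly` guard at line 297 is exercised on this path as well. The new comment at line 298 also reads awkwardly; suggest "If this is a put to a function or lazy property, we just do the put because logically the object already had the property, so this is just a replace."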
  • trunk/Source/JavaScriptCore/runtime/PropertySlot.h

    r200383 r200406  
    5151    PropertyCallback  = 1 << 13, // property that is a lazy property callback - only used by static hashtables
    5252    BuiltinOrFunction = Builtin | Function, // helper only used by static hashtables
     53    BuiltinOrFunctionOrLazyProperty = Builtin | Function | CellProperty | ClassStructure | PropertyCallback, // helper only used by static hashtables
    5354    BuiltinOrFunctionOrAccessorOrLazyProperty = Builtin | Function | Accessor | CellProperty | ClassStructure | PropertyCallback, // helper only used by static hashtables
    5455    BuiltinOrFunctionOrAccessorOrLazyPropertyOrConstant = Builtin | Function | Accessor | CellProperty | ClassStructure | PropertyCallback | ConstantInteger // helper only used by static hashtables
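Review bot: the new helper at line 53 repeats the `CellProperty | ClassStructure | PropertyCallback` set that lines 54 and 55 already spell out, so a fourth lazy kind added later could be picked up by one helper and missed by another. Suggest introducing a single `LazyProperty = CellProperty | ClassStructure | PropertyCallback` helper and composing `BuiltinOrFunctionOrLazyProperty`, `BuiltinOrFunctionOrAccessorOrLazyProperty` and `BuiltinOrFunctionOrAccessorOrLazyPropertyOrConstant` from it, keeping the three masks from drifting apart.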