Changeset 200406 in webkit
- Timestamp:
- May 3, 2016 10:01:08 PM (8 years ago)
- Location:
- trunk
- Files:
-
- 2 added
- 4 edited
Legend:
- Unmodified
- Added
- Removed
-
trunk/LayoutTests/ChangeLog
r200402 r200406 1 2016-05-03 Filip Pizlo <fpizlo@apple.com> 2 3 REGRESSION(r200383): Setting lazily initialized properties across frame boundaries crashes 4 https://bugs.webkit.org/show_bug.cgi?id=157333 5 6 Reviewed by Benjamin Poulain. 7 8 This is JoePeck's original test case. It used to crash and now it doesn't crash anymore. 9 10 * js/dom/cross-window-put-math-expected.txt: Added. 11 * js/dom/cross-window-put-math.html: Added. 12 1 13 2016-05-03 Yusuke Suzuki <utatane.tea@gmail.com> 2 14 -
trunk/Source/JavaScriptCore/ChangeLog
r200405 r200406 1 2016-05-03 Filip Pizlo <fpizlo@apple.com> 2 3 REGRESSION(r200383): Setting lazily initialized properties across frame boundaries crashes 4 https://bugs.webkit.org/show_bug.cgi?id=157333 5 6 Reviewed by Benjamin Poulain. 7 8 I forgot to add logic for lazy properties in putEntry(). It turns out that it's easy to 9 add. 10 11 * runtime/Lookup.h: 12 (JSC::putEntry): 13 * runtime/PropertySlot.h: 14 1 15 2016-05-03 Filip Pizlo <fpizlo@apple.com> 2 16 -
trunk/Source/JavaScriptCore/runtime/Lookup.h
r200383 r200406 294 294 inline bool putEntry(ExecState* exec, const HashTableValue* entry, JSObject* base, JSObject* thisValue, PropertyName propertyName, JSValue value, PutPropertySlot& slot) 295 295 { 296 if (entry->attributes() & BuiltinOrFunction ) {296 if (entry->attributes() & BuiltinOrFunctionOrLazyProperty) { 297 297 if (!(entry->attributes() & ReadOnly)) { 298 // If this is a function put it as an override property. 298 // If this is a function or lazy property put then we just do the put because 299 // logically the object already had the property, so this is just a replace. 299 300 if (JSObject* thisObject = jsDynamicCast<JSObject*>(thisValue)) 300 301 thisObject->putDirect(exec->vm(), propertyName, value); -
trunk/Source/JavaScriptCore/runtime/PropertySlot.h
r200383 r200406 51 51 PropertyCallback = 1 << 13, // property that is a lazy property callback - only used by static hashtables 52 52 BuiltinOrFunction = Builtin | Function, // helper only used by static hashtables 53 BuiltinOrFunctionOrLazyProperty = Builtin | Function | CellProperty | ClassStructure | PropertyCallback, // helper only used by static hashtables 53 54 BuiltinOrFunctionOrAccessorOrLazyProperty = Builtin | Function | Accessor | CellProperty | ClassStructure | PropertyCallback, // helper only used by static hashtables 54 55 BuiltinOrFunctionOrAccessorOrLazyPropertyOrConstant = Builtin | Function | Accessor | CellProperty | ClassStructure | PropertyCallback | ConstantInteger // helper only used by static hashtables
Note: See TracChangeset
for help on using the changeset viewer.