Changeset 202528 in webkit
- Timestamp:
- Jun 27, 2016 5:42:26 PM (8 years ago)
- Location:
- trunk/Source/JavaScriptCore
- Files:
-
- 1 added
- 2 edited
-
ChangeLog (modified) (1 diff)
-
runtime/StructureRareData.cpp (modified) (1 diff)
-
tests/stress/object-toString-with-proxy.js (added)
Legend:
- Unmodified
- Added
- Removed
-
trunk/Source/JavaScriptCore/ChangeLog
r202519 r202528 1 2016-06-27 Keith Miller <keith_miller@apple.com> 2 3 Fix bad assert in StructureRareData::setObjectToStringValue 4 https://bugs.webkit.org/show_bug.cgi?id=159171 5 <rdar://problem/26987355> 6 7 Reviewed by Mark Lam. 8 9 We should not have expected the generateConditionsForPrototypePropertyHit would succeed. 10 There are many reasons it might fail including that there is a proxy somewhere on the 11 prototype chain of the object. 12 13 * runtime/StructureRareData.cpp: 14 (JSC::StructureRareData::setObjectToStringValue): 15 * tests/stress/object-toString-with-proxy.js: Added. 16 (get target): 17 1 18 2016-06-27 Filip Pizlo <fpizlo@apple.com> 2 19 -
trunk/Source/JavaScriptCore/runtime/StructureRareData.cpp
r197563 r202528 127 127 // is not on the ownStructure so we will transisition if one is added and this cache will no longer be used. 128 128 conditionSet = generateConditionsForPrototypePropertyHit(vm, this, exec, ownStructure, toStringTagSymbolSlot.slotBase(), vm.propertyNames->toStringTagSymbol.impl()); 129 ASSERT( conditionSet.hasOneSlotBaseCondition());129 ASSERT(!conditionSet.isValid() || conditionSet.hasOneSlotBaseCondition()); 130 130 } else if (toStringTagSymbolSlot.isUnset()) 131 131 conditionSet = generateConditionsForPropertyMiss(vm, this, exec, ownStructure, vm.propertyNames->toStringTagSymbol.impl());
Note: See TracChangeset
for help on using the changeset viewer.
