Title: [203015] trunk/Source/JavaScriptCore
- Revision: 203015
- Author: sbar...@apple.com
- Date: 2016-07-08 18:29:55 -0700 (Fri, 08 Jul 2016)
Log Message

We may add a ReadOnly property without setting the corresponding bit on Structure
https://bugs.webkit.org/show_bug.cgi?id=159542
<rdar://problem/27084591>

Reviewed by Benjamin Poulain.

The reason this usually is OK is due to happenstance. Often, instances that putDirectWithoutTransition
also happen to have a static property table. Having a static property table causes the
HasReadOnlyOrGetterSetterPropertiesExcludingProto on the structure to be set. However,
there are times where an object calls putDirectWithoutTransition, and it doesn't have a
static property hash table. The fix is simple, putDirectWithTransition needs to set the
HasReadOnlyOrGetterSetterPropertiesExcludingProto if it puts a ReadOnly property.

* runtime/JSObject.h:
(JSC::JSObject::putDirectWithoutTransition):
* tests/stress/proper-property-store-with-prototype-property-that-is-not-writable.js: Added.
(assert):
Diff
Modified: trunk/Source/_javascript_Core/ChangeLog (203014 => 203015)
--- trunk/Source/_javascript_Core/ChangeLog 2016-07-09 00:43:16 UTC (rev 203014)
+++ trunk/Source/_javascript_Core/ChangeLog 2016-07-09 01:29:55 UTC (rev 203015)
@@ -1,3 +1,23 @@
+2016-07-08 Saam Barati <sbar...@apple.com>
+
+ We may add a ReadOnly property without setting the corresponding bit on Structure
+ https://bugs.webkit.org/show_bug.cgi?id=159542
+ <rdar://problem/27084591>
+
+ Reviewed by Benjamin Poulain.
+
+ The reason this usually is OK is due to happenstance. Often, instances that putDirectWithoutTransition
+ also happen to have a static property table. Having a static property table causes the
+ HasReadOnlyOrGetterSetterPropertiesExcludingProto on the structure to be set. However,
+ there are times where an object calls putDirectWithoutTransition, and it doesn't have a
+ static property hash table. The fix is simple, putDirectWithTransition needs to set the
+ HasReadOnlyOrGetterSetterPropertiesExcludingProto if it puts a ReadOnly property.
+
+ * runtime/JSObject.h:
+ (JSC::JSObject::putDirectWithoutTransition):
+ * tests/stress/proper-property-store-with-prototype-property-that-is-not-writable.js: Added.
+ (assert):
+
2016-07-08 Michael Saboff <msab...@apple.com>
ASSERTION FAILED: Heap::isMarked(cell) in SlotVisitor::appendToMarkStack(JSC::JSCell *)
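Review bot: The last sentence of the new ChangeLog entry names the wrong function: it says "putDirectWithTransition needs to set the HasReadOnlyOrGetterSetterPropertiesExcludingProto", while the function listed directly below it, and the one the rest of the entry talks about, is putDirectWithoutTransition. Please correct the name so the entry matches the change it records; anyone searching the log for the function that was touched will otherwise be sent to the wrong place.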
Modified: trunk/Source/_javascript_Core/runtime/JSObject.h (203014 => 203015)
--- trunk/Source/_javascript_Core/runtime/JSObject.h 2016-07-09 00:43:16 UTC (rev 203014)
+++ trunk/Source/_javascript_Core/runtime/JSObject.h 2016-07-09 01:29:55 UTC (rev 203015)
@@ -1565,6 +1565,8 @@
newButterfly = growOutOfLineStorage(vm, structure()->outOfLineCapacity(), structure()->suggestedNewOutOfLineStorageCapacity());
Structure* structure = this->structure();
PropertyOffset offset = structure->addPropertyWithoutTransition(vm, propertyName, attributes);
+ if (attributes & ReadOnly)
+ structure->setContainsReadOnlyProperties();
bool shouldOptimize = false;
structure->willStoreValueForNewTransition(vm, propertyName, value, shouldOptimize);
setStructureAndButterfly(vm, structure, newButterfly);
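Review bot: The added check `if (attributes & ReadOnly)` handles only the read-only half of the flag the log message describes (HasReadOnlyOrGetterSetterPropertiesExcludingProto). If this path can ever be handed an accessor attribute, the structure would be left without the bit in exactly the same way, so either set the bit for that case as well or assert that it cannot reach this function. A short comment at the new lines saying why the bit has to be set here, pointing at the prototype-store case the new stress test covers, would also help, since nothing at this call site explains the dependency.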
Added: trunk/Source/_javascript_Core/tests/stress/proper-property-store-with-prototype-property-that-is-not-writable.js (0 => 203015)
--- trunk/Source/_javascript_Core/tests/stress/proper-property-store-with-prototype-property-that-is-not-writable.js (rev 0)
+++ trunk/Source/_javascript_Core/tests/stress/proper-property-store-with-prototype-property-that-is-not-writable.js 2016-07-09 01:29:55 UTC (rev 203015)
@@ -0,0 +1,13 @@
+function assert(b) {
+ if (!b)
+ throw new Error("Bad assertion.");
+}
+
+let x = (new Set)[Symbol.iterator]();
+assert(x[Symbol.toStringTag] === "Set Iterator");
+
+let y = {__proto__: x};
+assert(y[Symbol.toStringTag] === "Set Iterator");
+y[Symbol.toStringTag] = 25;
+assert(y[Symbol.toStringTag] === "Set Iterator");
+assert(x[Symbol.toStringTag] === "Set Iterator");
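Review bot: The test covers only the sloppy-mode outcome of `y[Symbol.toStringTag] = 25;`, where the store is expected to be ignored, and it performs that store a single time. A strict-mode variant asserting that the same store throws a TypeError would pin down the other observable result of the inherited non-writable property, and running the store in a loop would keep the check from depending on the first execution alone. The log message says the bug depends on the object lacking a static property table, but the test only uses a Set iterator; a comment stating that this is why the Set iterator was chosen would make the intent clear to whoever next edits the file.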