Title: [202124] trunk/Source/_javascript_Core
- Revision
- 202124
- Author
- mark....@apple.com
- Date
- 2016-06-15 21:41:18 -0700 (Wed, 15 Jun 2016)
Log Message
Assertion failure when returning incomplete property descriptor from proxy trap.
https://bugs.webkit.org/show_bug.cgi?id=157078
Reviewed by Saam Barati.
If the proxy returns a descriptor that expects a value but does not specify one,
we should use undefined for the value.
* runtime/ProxyObject.cpp:
(JSC::ProxyObject::performInternalMethodGetOwnProperty):
* tests/stress/proxy-returning-incomplete-property-descriptor.js: Added.
(truthiness):
(compare):
(shouldBe):
(test):
(get test):
Modified Paths
Added Paths
Diff
Modified: trunk/Source/_javascript_Core/ChangeLog (202123 => 202124)
--- trunk/Source/_javascript_Core/ChangeLog 2016-06-16 03:30:22 UTC (rev 202123)
+++ trunk/Source/_javascript_Core/ChangeLog 2016-06-16 04:41:18 UTC (rev 202124)
@@ -1,3 +1,22 @@
+2016-06-15 Mark Lam <mark....@apple.com>
+
+ Assertion failure when returning incomplete property descriptor from proxy trap.
+ https://bugs.webkit.org/show_bug.cgi?id=157078
+
+ Reviewed by Saam Barati.
+
+ If the proxy returns a descriptor that expects a value but does not specify one,
+ we should use undefined for the value.
+
+ * runtime/ProxyObject.cpp:
+ (JSC::ProxyObject::performInternalMethodGetOwnProperty):
+ * tests/stress/proxy-returning-incomplete-property-descriptor.js: Added.
+ (truthiness):
+ (compare):
+ (shouldBe):
+ (test):
+ (get test):
+
2016-06-15 Keith Miller <keith_mil...@apple.com>
Unreviewed, fix typo in test and move tests to the correct files.
Modified: trunk/Source/_javascript_Core/runtime/ProxyObject.cpp (202123 => 202124)
--- trunk/Source/_javascript_Core/runtime/ProxyObject.cpp 2016-06-16 03:30:22 UTC (rev 202123)
+++ trunk/Source/_javascript_Core/runtime/ProxyObject.cpp 2016-06-16 04:41:18 UTC (rev 202124)
@@ -262,7 +262,7 @@
if (exec->hadException())
return false;
slot.setGetterSlot(this, trapResultAsDescriptor.attributes(), getterSetter);
- } else if (trapResultAsDescriptor.isDataDescriptor())
+ } else if (trapResultAsDescriptor.isDataDescriptor() && !trapResultAsDescriptor.value().isEmpty())
slot.setValue(this, trapResultAsDescriptor.attributes(), trapResultAsDescriptor.value());
else
slot.setValue(this, trapResultAsDescriptor.attributes(), jsUndefined()); // We use undefined because it's the default value in object properties.
Added: trunk/Source/_javascript_Core/tests/stress/proxy-returning-incomplete-property-descriptor.js (0 => 202124)
--- trunk/Source/_javascript_Core/tests/stress/proxy-returning-incomplete-property-descriptor.js (rev 0)
+++ trunk/Source/_javascript_Core/tests/stress/proxy-returning-incomplete-property-descriptor.js 2016-06-16 04:41:18 UTC (rev 202124)
@@ -0,0 +1,36 @@
+// This test should not crash.
+function truthiness(x) {
+ return !!x;
+}
+
+function compare(a, b) {
+ for (var i in a.desc) {
+ let propA = a.desc[i];
+ let propB = b.desc[i];
+ if (propA == propB)
+ continue;
+ if (typeof propA == "boolean" && truthiness(propA) == truthiness(propB))
+ continue;
+ throw Error(a.name + "[" + i + "] : " + propA + " != " + b.name + "[" + i + "] : " + propB);
+ }
+}
+
+function shouldBe(actualDesc, expectedDesc) {
+ compare({ name: "actual", desc: actualDesc }, { name: "expected", desc: expectedDesc });
+ compare({ name: "expected", desc: expectedDesc }, { name: "actual", desc: actualDesc });
+}
+
+function test(expectedDesc) {
+ var desc = Object.getOwnPropertyDescriptor(new Proxy({a:0}, {
+ getOwnPropertyDescriptor(t,pk) {
+ return expectedDesc
+ }
+ }), "");
+ shouldBe(desc, expectedDesc);
+}
+
+test({ configurable:true });
+test({ writable:true, configurable:true });
+test({ writable:true, enumerable:true, configurable:true });
+test({ enumerable:true, configurable:true, get: function() {} });
+test({ enumerable:true, configurable:true, set: function() {} });
_______________________________________________
webkit-changes mailing list
webkit-changes@lists.webkit.org
https://lists.webkit.org/mailman/listinfo/webkit-changes
