Title: [196723] trunk
- Revision
- 196723
- Author
- [email protected]
- Date
- 2016-02-17 14:59:59 -0800 (Wed, 17 Feb 2016)
Log Message
SES selftest page crashes on nightly r196694
https://bugs.webkit.org/show_bug.cgi?id=154350
<rdar://problem/24704334>
Reviewed by Mark Lam.
Source/JavaScriptCore:
SES selftest page crashes after r196001 / r196145 when calling
Object.getOwnPropertyDescriptor(window, "length") after the window
has been reified and "length" has been shadowed by a value property.
It was crashing in JSObject::getOwnPropertyDescriptor() because
we are getting a slot that has attribute "CustomAccessor" but
the property is not a CustomGetterSetter. In this case, since
window.length is [Replaceable] and has been set to a numeric value,
it follows that the property is not a CustomGetterSetter. However,
the "CustomAccessor" attribute should have been dropped from the
slot when window.length was shadowed. Therefore, this code path
should not be exercised at all when calling
getOwnPropertyDescriptor().
The issue was that putDirectInternal() was updating the slot
attributes only if the "Accessor" flag has changed, but not
the "customAccessor" flag. This patch fixes the issue.
* runtime/JSObject.h:
(JSC::JSObject::putDirectInternal):
LayoutTests:
Add test coverage for the crash which happens when shadowing window.length
with a value after the window property and then calling
Object.getOwnPropertyDescriptor(window, "length").
* js/window-length-getOwnPropertyDescriptor-crash-expected.txt: Added.
* js/window-length-getOwnPropertyDescriptor-crash.html: Added.
Diff
Modified: trunk/LayoutTests/ChangeLog (196722 => 196723)
--- trunk/LayoutTests/ChangeLog 2016-02-17 22:11:39 UTC (rev 196722)
+++ trunk/LayoutTests/ChangeLog 2016-02-17 22:59:59 UTC (rev 196723)
@@ -1,3 +1,18 @@
+2016-02-17 Chris Dumez <[email protected]>
+
+ SES selftest page crashes on nightly r196694
+ https://bugs.webkit.org/show_bug.cgi?id=154350
+ <rdar://problem/24704334>
+
+ Reviewed by Mark Lam.
+
+ Add test coverage for the crash which happens when shadowing window.length
+ with a value after the window property and then calling
+ Object.getOwnPropertyDescriptor(window, "length").
+
+ * js/window-length-getOwnPropertyDescriptor-crash-expected.txt: Added.
+ * js/window-length-getOwnPropertyDescriptor-crash.html: Added.
+
2016-02-17 Simon Fraser <[email protected]>
Add tests for iframe and overflow scrollability after navigating back
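Review bot: the description sentence in this ChangeLog entry is missing a verb: "when shadowing window.length with a value after the window property and then calling Object.getOwnPropertyDescriptor(window, "length")" should read "after the window property has been reified" (or similar), in line with the wording of the JavaScriptCore ChangeLog entry in this same commit, which says "after the window has been reified".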
Added: trunk/LayoutTests/js/window-length-getOwnPropertyDescriptor-crash-expected.txt (0 => 196723)
--- trunk/LayoutTests/js/window-length-getOwnPropertyDescriptor-crash-expected.txt (rev 0)
+++ trunk/LayoutTests/js/window-length-getOwnPropertyDescriptor-crash-expected.txt 2016-02-17 22:59:59 UTC (rev 196723)
@@ -0,0 +1,14 @@
+PASS descriptor.get is an instance of Function
+PASS descriptor.set is an instance of Function
+PASS descriptor.configurable is true
+PASS descriptor.enumerable is true
+PASS window.length is 0
+window.length = 1
+PASS descriptor.value is 1
+PASS descriptor.configurable is true
+PASS descriptor.enumerable is true
+PASS window.length is 1
+PASS successfullyParsed is true
+
+TEST COMPLETE
+
Added: trunk/LayoutTests/js/window-length-getOwnPropertyDescriptor-crash.html (0 => 196723)
--- trunk/LayoutTests/js/window-length-getOwnPropertyDescriptor-crash.html (rev 0)
+++ trunk/LayoutTests/js/window-length-getOwnPropertyDescriptor-crash.html 2016-02-17 22:59:59 UTC (rev 196723)
@@ -0,0 +1,21 @@
+<script src=""
+<script>
+// Reify the window object.
+delete window.name;
+
+var descriptor = Object.getOwnPropertyDescriptor(window, "length");
+shouldBeType("descriptor.get", "Function");
+shouldBeType("descriptor.set", "Function");
+shouldBeTrue("descriptor.configurable");
+shouldBeTrue("descriptor.enumerable");
+shouldBe("window.length", "0");
+
+// window.length is [Replaceable] so it can be shadowed.
+evalAndLog("window.length = 1");
+descriptor = Object.getOwnPropertyDescriptor(window, "length");
+shouldBe("descriptor.value", "1");
+shouldBeTrue("descriptor.configurable");
+shouldBeTrue("descriptor.enumerable");
+shouldBe("window.length", "1");
+</script>
+<script src=""
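Review bot: both `<script src=""` lines in this file have an empty src and no closing tag as rendered here, yet the test body relies on shouldBeType, shouldBeTrue, shouldBe, evalAndLog and successfullyParsed, none of which this file defines; please confirm that the two includes actually point at the js-test harness scripts (the pre-test script before the body, the post-test script after it), otherwise the test fails with a ReferenceError before it ever reaches the Object.getOwnPropertyDescriptor(window, "length") call that this test exists to exercise.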
Modified: trunk/Source/_javascript_Core/ChangeLog (196722 => 196723)
--- trunk/Source/_javascript_Core/ChangeLog 2016-02-17 22:11:39 UTC (rev 196722)
+++ trunk/Source/_javascript_Core/ChangeLog 2016-02-17 22:59:59 UTC (rev 196723)
@@ -1,3 +1,32 @@
+2016-02-17 Chris Dumez <[email protected]>
+
+ SES selftest page crashes on nightly r196694
+ https://bugs.webkit.org/show_bug.cgi?id=154350
+ <rdar://problem/24704334>
+
+ Reviewed by Mark Lam.
+
+ SES selftest page crashes after r196001 / r196145 when calling
+ Object.getOwnPropertyDescriptor(window, "length") after the window
+ has been reified and "length" has been shadowed by a value property.
+
+ It was crashing in JSObject::getOwnPropertyDescriptor() because
+ we are getting a slot that has attribute "CustomAccessor" but
+ the property is not a CustomGetterSetter. In this case, since
+ window.length is [Replaceable] and has been set to a numeric value,
+ it makes that the property is not a CustomGetterSetter. However,
+ the "CustomAccessor" attribute should have been dropped from the
+ slot when window.length was shadowed. Therefore, this code path
+ should not be exercised at all when calling
+ getOwnPropertyDescriptor().
+
+ The issue was that putDirectInternal() was updating the slot
+ attributes only if the "Accessor" flag has changed, but not
+ the "customAccessor" flag. This patch fixes the issue.
+
+ * runtime/JSObject.h:
+ (JSC::JSObject::putDirectInternal):
+
2016-02-17 Saam barati <[email protected]>
Implement Proxy [[Get]]
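Review bot: in the last paragraph of the new entry, `"customAccessor" flag` should be `"CustomAccessor"`, matching the attribute name used earlier in the same entry and the `CustomAccessor` flag tested in the JSObject.h change; also "it makes that the property is not a CustomGetterSetter" reads as a slip for "it follows that the property is not a CustomGetterSetter".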
Modified: trunk/Source/_javascript_Core/runtime/JSObject.h (196722 => 196723)
--- trunk/Source/_javascript_Core/runtime/JSObject.h 2016-02-17 22:11:39 UTC (rev 196722)
+++ trunk/Source/_javascript_Core/runtime/JSObject.h 2016-02-17 22:59:59 UTC (rev 196723)
@@ -1228,7 +1228,7 @@
structure->didReplaceProperty(offset);
slot.setExistingProperty(this, offset);
- if ((attributes & Accessor) != (currentAttributes & Accessor)) {
+ if ((attributes & Accessor) != (currentAttributes & Accessor) || (attributes & CustomAccessor) != (currentAttributes & CustomAccessor)) {
ASSERT(!(attributes & ReadOnly));
setStructure(vm, Structure::attributeChangeTransition(vm, structure, propertyName, attributes));
}
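Review bot: the widened condition now also routes CustomAccessor-only changes through the branch guarded by `ASSERT(!(attributes & ReadOnly))`; since the motivating case is a [Replaceable] custom accessor being replaced by a plain value property, it is worth confirming that no caller can reach this path with ReadOnly set alongside a CustomAccessor change, otherwise the assert becomes a debug-build crash of its own. As a style point, if Accessor and CustomAccessor are distinct single-bit flags the condition can be written as `if ((attributes ^ currentAttributes) & (Accessor | CustomAccessor))`, which is shorter and makes the intent explicit: any change to either accessor bit must force an attribute-change transition so the slot attributes never disagree with the stored property kind.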
_______________________________________________
webkit-changes mailing list
[email protected]
https://lists.webkit.org/mailman/listinfo/webkit-changes