Title: [196760] trunk/Source/_javascript_Core
- Revision: 196760
- Author: [email protected]
- Date: 2016-02-18 09:19:33 -0800 (Thu, 18 Feb 2016)
Log Message
Crash on SES selftest page when loading the page while WebInspector is open
https://bugs.webkit.org/show_bug.cgi?id=154378
<rdar://problem/24713422>
Reviewed by Mark Lam.
Do a partial revert of r196676 so that JSObject::getOwnPropertyDescriptor()
returns early again if it detects that getOwnPropertySlot() returns a
non-own property. This check was removed in r196676 because we assumed that
only JSDOMWindow::getOwnPropertySlot() could return non-own properties.
However, as it turns out, DebuggerScope::getOwnPropertySlot() does so as
well.
Not having the check would lead to crashes when using the debugger because
we would get a slot with the CustomAccessor attribute but getDirect() would
then fail to return the property (because it is not an own property). We
would then cast the value returned by getDirect() to a CustomGetterSetter*
and dereference it.
* runtime/JSObject.cpp:
(JSC::JSObject::getOwnPropertyDescriptor):
Modified Paths
- trunk/Source/_javascript_Core/ChangeLog
- trunk/Source/_javascript_Core/runtime/JSObject.cpp
Diff
Modified: trunk/Source/_javascript_Core/ChangeLog (196759 => 196760)
--- trunk/Source/_javascript_Core/ChangeLog 2016-02-18 16:55:58 UTC (rev 196759)
+++ trunk/Source/_javascript_Core/ChangeLog 2016-02-18 17:19:33 UTC (rev 196760)
@@ -1,3 +1,27 @@
+2016-02-18 Chris Dumez <[email protected]>
+
+ Crash on SES selftest page when loading the page while WebInspector is open
+ https://bugs.webkit.org/show_bug.cgi?id=154378
+ <rdar://problem/24713422>
+
+ Reviewed by Mark Lam.
+
+ Do a partial revert of r196676 so that JSObject::getOwnPropertyDescriptor()
+ returns early again if it detects that getOwnPropertySlot() returns a
+ non-own property. This check was removed in r196676 because we assumed that
+ only JSDOMWindow::getOwnPropertySlot() could return non-own properties.
+ However, as it turns out, DebuggerScope::getOwnPropertySlot() does so as
+ well.
+
+ Not having the check would lead to crashes when using the debugger because
+ we would get a slot with the CustomAccessor attribute but getDirect() would
+ then fail to return the property (because it is not an own property). We
+ would then cast the value returned by getDirect() to a CustomGetterSetter*
+ and dereference it.
+
+ * runtime/JSObject.cpp:
+ (JSC::JSObject::getOwnPropertyDescriptor):
+
2016-02-18 Filip Pizlo <[email protected]>
Unreviewed, fix VS build. I didn't know we still did that, but apparently there's a bot
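Review bot: the entry calls this a partial revert of r196676 but does not say which part of r196676 is kept; the JSObject.cpp hunk in this same change retains an exception for JSProxy targets (a slot based on the proxy's target is still treated as own), and naming that exception here would tell a future reader exactly what "partial" means and why the early return is not simply the pre-r196676 code. The description of the crash path (CustomAccessor slot, getDirect() returning nothing, cast to CustomGetterSetter* and dereference) is clear and matches the code change.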
Modified: trunk/Source/_javascript_Core/runtime/JSObject.cpp (196759 => 196760)
--- trunk/Source/_javascript_Core/runtime/JSObject.cpp 2016-02-18 16:55:58 UTC (rev 196759)
+++ trunk/Source/_javascript_Core/runtime/JSObject.cpp 2016-02-18 17:19:33 UTC (rev 196760)
@@ -2556,6 +2556,15 @@
if (!methodTable(exec->vm())->getOwnPropertySlot(this, exec, propertyName, slot))
return false;
+ // DebuggerScope::getOwnPropertySlot() (and possibly others) may return attributes from the prototype chain
+ // but getOwnPropertyDescriptor() should only work for 'own' properties so we exit early if we detect that
+ // the property is not an own property.
+ if (slot.slotBase() != this && slot.slotBase()) {
+ auto* proxy = jsDynamicCast<JSProxy*>(this);
+ if (!proxy || proxy->target() != slot.slotBase())
+ return false;
+ }
+
if (slot.isAccessor())
descriptor.setAccessorDescriptor(slot.getterSetter(), slot.attributes());
else if (slot.attributes() & CustomAccessor) {
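Review bot: the new comment above the early return explains the own-property rule but not the JSProxy carve-out that immediately follows it (`auto* proxy = jsDynamicCast<JSProxy*>(this);` / `if (!proxy || proxy->target() != slot.slotBase())`), so a reader could reasonably "simplify" that block away later; one more comment line saying that a slot whose base is the proxy's target is deliberately still accepted as own (the part of r196676 that is kept) would prevent that. Minor style point: `slot.slotBase() && slot.slotBase() != this` reads more naturally than `slot.slotBase() != this && slot.slotBase()`, with identical behaviour. On the logic itself, the check does what the ChangeLog describes: for a prototype-chain slot the function now returns false before `slot.attributes() & CustomAccessor` is consulted, so the getDirect()-then-cast path below can no longer be reached with a non-own slot.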
_______________________________________________
webkit-changes mailing list
[email protected]
https://lists.webkit.org/mailman/listinfo/webkit-changes