WebKit Bugzilla
Attachment 343372 Details for Bug 186943: PropertyCondition::isValidValueForAttributes() should also consider deleted values.
[patch] proposed patch.
bug-186943.patch (text/plain), 3.96 KB, created by Mark Lam on 2018-06-22 15:02:19 PDT

Description: proposed patch.
Filename: bug-186943.patch
MIME Type: text/plain
Creator: Mark Lam
Created: 2018-06-22 15:02:19 PDT
Size: 3.96 KB
patch, obsolete
>Index: JSTests/ChangeLog >=================================================================== >--- JSTests/ChangeLog (revision 233101) >+++ JSTests/ChangeLog (working copy) >@@ -1,3 +1,13 @@ >+2018-06-22 Mark Lam <mark.lam@apple.com> >+ >+ PropertyCondition::isValidValueForAttributes() should also consider deleted values. >+ https://bugs.webkit.org/show_bug.cgi?id=186943 >+ <rdar://problem/41370337> >+ >+ Reviewed by NOBODY (OOPS!). >+ >+ * stress/regress-186943.js: Added. >+ > 2018-06-20 Keith Miller <keith_miller@apple.com> > > flattenDictionaryStruture needs to zero inline storage. >Index: JSTests/stress/regress-186943.js >=================================================================== >--- JSTests/stress/regress-186943.js (nonexistent) >+++ JSTests/stress/regress-186943.js (working copy) >@@ -0,0 +1,5 @@ >+// This test should not crash. >+x = Reflect; >+delete this.Reflect; >+ >+for (var i = 0; i < 10000; ++i) { } >Index: Source/JavaScriptCore/ChangeLog >=================================================================== >--- Source/JavaScriptCore/ChangeLog (revision 233083) >+++ Source/JavaScriptCore/ChangeLog (working copy) 
>@@ -1,3 +1,20 @@ >+2018-06-22 Mark Lam <mark.lam@apple.com> >+ >+ PropertyCondition::isValidValueForAttributes() should also consider deleted values. >+ https://bugs.webkit.org/show_bug.cgi?id=186943 >+ <rdar://problem/41370337> >+ >+ Reviewed by NOBODY (OOPS!). >+ >+ PropertyCondition::isValidValueForAttributes() should check if the passed in value >+ is a deleted one before it does a jsDynamicCast on it. >+ >+ * bytecode/PropertyCondition.cpp: >+ (JSC::PropertyCondition::isValidValueForAttributes): >+ * runtime/JSCJSValue.h: >+ * runtime/JSCJSValueInlines.h: >+ (JSC::JSValue::isCleared const): >+ > 2018-06-20 Darin Adler <darin@apple.com> > > [Cocoa] Use the isDirectory: variants of NSURL methods more to eliminate unnecessary file system activity >Index: Source/JavaScriptCore/bytecode/PropertyCondition.cpp >=================================================================== >--- Source/JavaScriptCore/bytecode/PropertyCondition.cpp (revision 233083) >+++ Source/JavaScriptCore/bytecode/PropertyCondition.cpp (working copy) >@@ -377,6 +377,8 @@ void PropertyCondition::validateReferenc > > bool PropertyCondition::isValidValueForAttributes(VM& vm, JSValue value, unsigned attributes) > { >+ if (value.isCleared()) >+ return false; > bool attributesClaimAccessor = !!(attributes & PropertyAttribute::Accessor); > bool valueClaimsAccessor = !!jsDynamicCast<GetterSetter*>(vm, value); > return attributesClaimAccessor == valueClaimsAccessor; >Index: Source/JavaScriptCore/runtime/JSCJSValue.h >=================================================================== >--- Source/JavaScriptCore/runtime/JSCJSValue.h (revision 233083) >+++ Source/JavaScriptCore/runtime/JSCJSValue.h (working copy) 
>@@ -217,6 +217,7 @@ public: > int32_t asInt32ForArithmetic() const; // Boolean becomes an int, but otherwise like asInt32(). > > // Querying the type. >+ bool isCleared() const; > bool isEmpty() const; > bool isFunction(VM&) const; > bool isCallable(VM&, CallType&, CallData&) const; >Index: Source/JavaScriptCore/runtime/JSCJSValueInlines.h >=================================================================== >--- Source/JavaScriptCore/runtime/JSCJSValueInlines.h (revision 233083) >+++ Source/JavaScriptCore/runtime/JSCJSValueInlines.h (working copy) >@@ -407,6 +407,15 @@ inline bool JSValue::operator!=(const JS > return u.asInt64 != other.u.asInt64; > } > >+// This is needed because we clear unused properties with a nullptr value. >+// On 64-bit, this is ValueEmpty. On 32-bit, this is a double value. >+// This method is provided so that we can just do a bitwise check of the >+// cleared value that works for both 64-bit and 32-bit. >+inline bool JSValue::isCleared() const >+{ >+ return !u.asInt64; >+} >+ > inline bool JSValue::isEmpty() const > { > return u.asInt64 == ValueEmpty;
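Review bot: the regression test in JSTests/stress/regress-186943.js gives no hint of why the empty `for` loop of 10000 iterations is there or why the deleted `Reflect` must stay reachable through `x`; beyond "This test should not crash.", a short comment stating what the iterations are meant to trigger and why the retained reference matters would keep the test meaningful if someone later "simplifies" it.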
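Review bot: the early return in `PropertyCondition::isValidValueForAttributes()` makes a cleared value invalid for every attribute set, not only when the attributes claim an accessor; that is presumably the intent (a deleted slot should never satisfy a condition), but a one-line comment above `if (value.isCleared())` stating it would save the next reader from wondering whether the check exists only to keep the `jsDynamicCast<GetterSetter*>` below from touching a cleared value.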
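Review bot: in JSCJSValue.h the new `bool isCleared() const;` sits directly above `isEmpty()` with no comment, while the explanation of how the two differ (equivalent on 64-bit, a double bit pattern rather than ValueEmpty on 32-bit) lives only in JSCJSValueInlines.h; a brief comment at the declaration pointing to that distinction would help callers choose the right predicate.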
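Review bot: the comment on `JSValue::isCleared()` says that on 32-bit the all-zero pattern "is a double value", which raises the question whether a legitimately stored double whose encoding is all zero bits could make `return !u.asInt64;` report a live value as cleared; if the 32-bit encoding guarantees that such a number is never stored in double form, or never lands in a property slot, please say so in the comment, otherwise an assertion or an additional `isEmpty()`-style check at the call site would be worth considering.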