154175 2016-02-12 11:00:14 -0800 Fast path in JSObject::defineOwnIndexedProperty() forgets to check for the posibility of a descriptor that doesn’t have a value 2016-02-12 11:51:05 -0800 1 1 1 Unclassified WebKit JavaScriptCore WebKit Nightly Build All All RESOLVED FIXED P2 Normal --- 1 fpizlo fpizlo commit-queue ggaren keith_miller mark.lam msaboff saam oldest_to_newest 1164206 0 fpizlo 2016-02-12 11:00:14 -0800 Patch forthcoming. 1164208 1 271190 fpizlo 2016-02-12 11:02:32 -0800 Created attachment 271190 the patch 1164214 2 271190 ggaren 2016-02-12 11:09:25 -0800 Comment on attachment 271190 the patch r=me 1164216 3 ggaren 2016-02-12 11:13:27 -0800 I know that there's a large test suite you're working on, which will reveal this bug -- meeting the WebKit requirement for tests with patches. Still, it seems like it would be nice to add a reduced test case here. 1164222 4 fpizlo 2016-02-12 11:21:36 -0800 (In reply to comment #3) > I know that there's a large test suite you're working on, which will reveal > this bug -- meeting the WebKit requirement for tests with patches. Still, it > seems like it would be nice to add a reduced test case here. I agree - for some reason at first I thought that the test would be hard because of the sparse indexing issue. It's actually not: var array = []; array[10000000] = 42; Object.defineProperty(array, 10000000, {configurable: true, enumerable: true, writable: true}); var result = array[10000000]; if (result != 42) throw "Error: bad result: " + result; That crashes on trunk. 1164242 5 fpizlo 2016-02-12 11:51:05 -0800 Landed in http://trac.webkit.org/changeset/196490 271190 2016-02-12 11:02:32 -0800 2016-02-12 11:09:25 -0800 the patch blah.patch text/plain 3089 fpizlo SW5kZXg6IFNvdXJjZS9KYXZhU2NyaXB0Q29yZS9DaGFuZ2VMb2cKPT09PT09PT09PT09PT09PT09 PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PQotLS0gU291 cmNlL0phdmFTY3JpcHRDb3JlL0NoYW5nZUxvZwkocmV2aXNpb24gMTk2NDgzKQorKysgU291cmNl L0phdmFTY3JpcHRDb3JlL0NoYW5nZUxvZwkod29ya2luZyBjb3B5KQpAQCAtMSwzICsxLDE3IEBA CisyMDE2LTAyLTEyICBGaWxpcCBQaXpsbyAgPGZwaXpsb0BhcHBsZS5jb20+CisKKyAgICAgICAg RmFzdCBwYXRoIGluIEpTT2JqZWN0OjpkZWZpbmVPd25JbmRleGVkUHJvcGVydHkoKSBmb3JnZXRz IHRvIGNoZWNrIGZvciB0aGUgcG9zaWJpbGl0eSBvZiBhIGRlc2NyaXB0b3IgdGhhdCBkb2Vzbid0 IGhhdmUgYSB2YWx1ZQorICAgICAgICBodHRwczovL2J1Z3Mud2Via2l0Lm9yZy9zaG93X2J1Zy5j Z2k/aWQ9MTU0MTc1CisgICAgICAgIHJkYXI6Ly9wcm9ibGVtLzI0MjkxNDk3CisKKyAgICAgICAg UmV2aWV3ZWQgYnkgTk9CT0RZIChPT1BTISkuCisKKyAgICAgICAgKiBydW50aW1lL0pTT2JqZWN0 LmNwcDoKKyAgICAgICAgKEpTQzo6SlNPYmplY3Q6OmRlZmluZU93bkluZGV4ZWRQcm9wZXJ0eSk6 CisgICAgICAgICogcnVudGltZS9TcGFyc2VBcnJheVZhbHVlTWFwLmNwcDoKKyAgICAgICAgKEpT Qzo6U3BhcnNlQXJyYXlWYWx1ZU1hcDo6cHV0RW50cnkpOgorICAgICAgICAoSlNDOjpTcGFyc2VB cnJheVZhbHVlTWFwOjpwdXREaXJlY3QpOgorCiAyMDE2LTAyLTExICBCcmlhbiBCdXJnICA8YmJ1 cmdAYXBwbGUuY29tPgogCiAgICAgICAgIFdlYiBJbnNwZWN0b3I6IFJlbW90ZUluc3BlY3Rvcidz IGxpc3RpbmdzIHNob3VsZCBpbmNsdWRlIHdoZXRoZXIgYW4gQXV0b21hdGlvblRhcmdldCBpcyBw YWlyZWQKSW5kZXg6IFNvdXJjZS9KYXZhU2NyaXB0Q29yZS9ydW50aW1lL0pTT2JqZWN0LmNwcAo9 PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09 PT09PT09PT09Ci0tLSBTb3VyY2UvSmF2YVNjcmlwdENvcmUvcnVudGltZS9KU09iamVjdC5jcHAJ KHJldmlzaW9uIDE5NjQ4MSkKKysrIFNvdXJjZS9KYXZhU2NyaXB0Q29yZS9ydW50aW1lL0pTT2Jq ZWN0LmNwcAkod29ya2luZyBjb3B5KQpAQCAtMTc2OSw3ICsxNzY5LDcgQEAgYm9vbCBKU09iamVj dDo6ZGVmaW5lT3duSW5kZXhlZFByb3BlcnR5KAogICAgICAgICAvLyBGSVhNRTogdGhpcyB3aWxs IHBlc3NpbWlzdGljYWxseSBhc3N1bWUgdGhhdCBpZiBhdHRyaWJ1dGVzIGFyZSBtaXNzaW5nIHRo ZW4gdGhleSdsbCBkZWZhdWx0IHRvIGZhbHNlCiAgICAgICAgIC8vIGhvd2V2ZXIgaWYgdGhlIHBy b3BlcnR5IGN1cnJlbnRseSBleGlzdHMgbWlzc2luZyBhdHRyaWJ1dGVzIHdpbGwgb3ZlcnJpZGUg ZnJvbSB0aGVpciBjdXJyZW50ICd0cnVlJwogICAgICAgICAvLyBzdGF0ZSAoaS5lLiBkZWZpbmVP d25Qcm9wZXJ0eSBjb3VsZCBiZSB1c2VkIHRvIHNldCBhIHZhbHVlIHdpdGhvdXQgbmVlZGluZyB0 byBlbnRlcmluZyAnU3BhcnNlTW9kZScpLgotICAgICAgICBpZiAoIWRlc2NyaXB0b3IuYXR0cmli dXRlcygpKSB7CisgICAgICAgIGlmICghZGVzY3JpcHRvci5hdHRyaWJ1dGVzKCkgJiYgZGVzY3Jp cHRvci52YWx1ZSgpKSB7CiAgICAgICAgICAgICBBU1NFUlQoIWRlc2NyaXB0b3IuaXNBY2Nlc3Nv ckRlc2NyaXB0b3IoKSk7CiAgICAgICAgICAgICByZXR1cm4gcHV0RGlyZWN0SW5kZXgoZXhlYywg aW5kZXgsIGRlc2NyaXB0b3IudmFsdWUoKSwgMCwgdGhyb3dFeGNlcHRpb24gPyBQdXREaXJlY3RJ bmRleFNob3VsZFRocm93IDogUHV0RGlyZWN0SW5kZXhTaG91bGROb3RUaHJvdyk7CiAgICAgICAg IH0KSW5kZXg6IFNvdXJjZS9KYXZhU2NyaXB0Q29yZS9ydW50aW1lL1NwYXJzZUFycmF5VmFsdWVN YXAuY3BwCj09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09 PT09PT09PT09PT09PT09PT0KLS0tIFNvdXJjZS9KYXZhU2NyaXB0Q29yZS9ydW50aW1lL1NwYXJz ZUFycmF5VmFsdWVNYXAuY3BwCShyZXZpc2lvbiAxOTY0ODEpCisrKyBTb3VyY2UvSmF2YVNjcmlw dENvcmUvcnVudGltZS9TcGFyc2VBcnJheVZhbHVlTWFwLmNwcAkod29ya2luZyBjb3B5KQpAQCAt MSw1ICsxLDUgQEAKIC8qCi0gKiBDb3B5cmlnaHQgKEMpIDIwMTEsIDIwMTIgQXBwbGUgSW5jLiBB bGwgcmlnaHRzIHJlc2VydmVkLgorICogQ29weXJpZ2h0IChDKSAyMDExLCAyMDEyLCAyMDE2IEFw cGxlIEluYy4gQWxsIHJpZ2h0cyByZXNlcnZlZC4KICAqCiAgKiBSZWRpc3RyaWJ1dGlvbiBhbmQg dXNlIGluIHNvdXJjZSBhbmQgYmluYXJ5IGZvcm1zLCB3aXRoIG9yIHdpdGhvdXQKICAqIG1vZGlm aWNhdGlvbiwgYXJlIHBlcm1pdHRlZCBwcm92aWRlZCB0aGF0IHRoZSBmb2xsb3dpbmcgY29uZGl0 aW9ucwpAQCAtOTAsNiArOTAsOCBAQCBTcGFyc2VBcnJheVZhbHVlTWFwOjpBZGRSZXN1bHQgU3Bh cnNlQXJyCiAKIHZvaWQgU3BhcnNlQXJyYXlWYWx1ZU1hcDo6cHV0RW50cnkoRXhlY1N0YXRlKiBl eGVjLCBKU09iamVjdCogYXJyYXksIHVuc2lnbmVkIGksIEpTVmFsdWUgdmFsdWUsIGJvb2wgc2hv dWxkVGhyb3cpCiB7CisgICAgQVNTRVJUKHZhbHVlKTsKKyAgICAKICAgICBBZGRSZXN1bHQgcmVz dWx0ID0gYWRkKGFycmF5LCBpKTsKICAgICBTcGFyc2VBcnJheUVudHJ5JiBlbnRyeSA9IHJlc3Vs dC5pdGVyYXRvci0+dmFsdWU7CiAKQEAgLTEwOCw2ICsxMTAsOCBAQCB2b2lkIFNwYXJzZUFycmF5 VmFsdWVNYXA6OnB1dEVudHJ5KEV4ZWNTCiAKIGJvb2wgU3BhcnNlQXJyYXlWYWx1ZU1hcDo6cHV0 RGlyZWN0KEV4ZWNTdGF0ZSogZXhlYywgSlNPYmplY3QqIGFycmF5LCB1bnNpZ25lZCBpLCBKU1Zh bHVlIHZhbHVlLCB1bnNpZ25lZCBhdHRyaWJ1dGVzLCBQdXREaXJlY3RJbmRleE1vZGUgbW9kZSkK IHsKKyAgICBBU1NFUlQodmFsdWUpOworICAgIAogICAgIEFkZFJlc3VsdCByZXN1bHQgPSBhZGQo YXJyYXksIGkpOwogICAgIFNwYXJzZUFycmF5RW50cnkmIGVudHJ5ID0gcmVzdWx0Lml0ZXJhdG9y LT52YWx1ZTsKIAo=