Bug 113353

Summary:

REGRESSION: Sometimes, operations on proven strings ignore changes to the string prototype

Product:

WebKit

Reporter:

Filip Pizlo <fpizlo>

Component:

JavaScriptCore

Assignee:

Filip Pizlo <fpizlo>

Status:

RESOLVED FIXED

Severity:

Normal

CC:

barraclough, ggaren, mark.lam, mhahnenberg, msaboff, oliver, sam, webkit.review.bot

Priority:

Keywords:

InRadar

Version:

528+ (Nightly build)

Hardware:

All

OS:

All

Attachments:

Description	Flags
the patch	none
the patch	none
the patch	ggaren: review+

Filip Pizlo

Reported 2013-03-26 16:48:20 PDT

Here's the test case: function foo() { return String(this); } for (var i = 0; i < 100; ++i) { if (i == 99) String.prototype.toString = function() { return 42; } print(foo.call(new String("foo"))); } <rdar://problem/13510778>

Attachments
the patch (26.27 KB, patch) 2013-03-26 16:52 PDT, Filip Pizlo	no flags	Details Formatted Diff Diff
the patch (27.74 KB, patch) 2013-03-26 16:53 PDT, Filip Pizlo	no flags	Details Formatted Diff Diff
the patch (27.65 KB, patch) 2013-03-26 16:56 PDT, Filip Pizlo	ggaren: review+	Details Formatted Diff Diff
Show Obsolete (2) View All Add attachment proposed patch, testcase, etc.

Filip Pizlo

Comment 1 2013-03-26 16:52:23 PDT

Created attachment 195187 [details] the patch

Filip Pizlo

Comment 2 2013-03-26 16:53:24 PDT

Created attachment 195188 [details] the patch

Filip Pizlo

Comment 3 2013-03-26 16:56:48 PDT

Created attachment 195190 [details] the patch

WebKit Review Bot

Comment 4 2013-03-26 17:00:10 PDT

Attachment 195190 [details] did not pass style-queue: Failed to run "['Tools/Scripts/check-webkit-style', '--diff-files', u'LayoutTests/ChangeLog', u'LayoutTests/fast/js/dfg-phantom-base-expected.txt', u'LayoutTests/fast/js/dfg-phantom-base.html', u'LayoutTests/fast/js/dfg-to-string-toString-becomes-bad-with-check-structure-expected.txt', u'LayoutTests/fast/js/dfg-to-string-toString-becomes-bad-with-check-structure.html', u'LayoutTests/fast/js/jsc-test-list', u'LayoutTests/fast/js/script-tests/dfg-phantom-base.js', u'LayoutTests/fast/js/script-tests/dfg-to-string-toString-becomes-bad-with-check-structure.js', u'Source/JavaScriptCore/ChangeLog', u'Source/JavaScriptCore/dfg/DFGSpeculativeJIT.cpp', u'Source/JavaScriptCore/dfg/DFGSpeculativeJIT.h']" exit_code: 1 LayoutTests/ChangeLog:9: Need whitespace between colon and description [changelog/filechangedescriptionwhitespace] [5] Total errors found: 1 in 11 files If any of these errors are false positives, please file a bug against check-webkit-style.

Geoffrey Garen

Comment 5 2013-03-26 17:04:09 PDT

Comment on attachment 195190 [details] the patch r=me

Filip Pizlo

Comment 6 2013-03-26 17:06:19 PDT

Landed in http://trac.webkit.org/changeset/146947

Note You need to log in before you can comment on or make changes to this bug.