Bug 153816

Summary: JSSymbolTableObject::deleteProperty() crashes deleting Symbols
Product: WebKit
Reporter: Caitlin Potter (:caitp) <caitp>
Component: JavaScriptCore
Assignee: Nobody <webkit-unassigned>
Status: RESOLVED FIXED
Severity: Normal
CC: commit-queue, darin, ggaren, keith_miller, mark.lam, msaboff, saam, ysuzuki
Priority: P2    
Version: Safari 9   
Hardware: Unspecified   
OS: Unspecified   
Attachments:
Description   Flags
Patch         none
Patch         none
Patch         none

Caitlin Potter (:caitp)
Reported 2016-02-02 20:28:37 PST
The following simple repro crashes on ToT, as well as in Safari 9:

```
var symbol = Symbol("");
window[symbol] = "crasher";
delete window[symbol]; // CRASH
```

Repro: https://jsfiddle.net/c820tLLt/
Attachments
Patch (3.61 KB, patch)
2016-02-02 20:39 PST, Caitlin Potter (:caitp)
no flags
Patch (3.63 KB, patch)
2016-02-02 20:47 PST, Caitlin Potter (:caitp)
no flags
Patch (3.62 KB, patch)
2016-02-02 20:48 PST, Caitlin Potter (:caitp)
no flags
Caitlin Potter (:caitp)
Comment 1 2016-02-02 20:39:24 PST
Darin Adler
Comment 2 2016-02-02 20:41:18 PST
Comment on attachment 270543 [details] Patch
View in context: https://bugs.webkit.org/attachment.cgi?id=270543&action=review

> Source/JavaScriptCore/tests/stress/regress-153816.js:10
> +    if (globalProxy[symbolProperty] !== undefined)
> +        throw new Error("bad value: " + String(globalProxy[symbolProperty]));

Might also want to check "symbolProperty in globalProxy".
Caitlin Potter (:caitp)
Comment 3 2016-02-02 20:47:11 PST
Caitlin Potter (:caitp)
Comment 4 2016-02-02 20:48:47 PST
Caitlin Potter (:caitp)
Comment 5 2016-02-02 21:03:29 PST
Comment on attachment 270543 [details] Patch
View in context: https://bugs.webkit.org/attachment.cgi?id=270543&action=review

>> Source/JavaScriptCore/tests/stress/regress-153816.js:10
>> +        throw new Error("bad value: " + String(globalProxy[symbolProperty]));
>
> Might also want to check "symbolProperty in globalProxy".

good point, done
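A self-contained check of the behaviour this bug and the review discussion concern (delete of a Symbol-keyed property on the global object, and why a value check alone is not enough). This is an added illustration, not the patch's regress-153816.js; it assumes `globalThis` in place of `window` so it runs under Node as well as in a browser, and it also covers the non-configurable case a correct deleteProperty has to handle.

```javascript
"use strict";

// Added example (not the WebKit test). Exercises delete of Symbol-keyed
// properties on the global object and reports each outcome.
function checkSymbolDelete(global = globalThis) {
  const results = {};

  // Case 1: the repro from the bug report: assign, then delete.
  const sym = Symbol("regress-153816");
  global[sym] = "crasher";
  results.plainDeleteReturned = delete global[sym];
  // Both checks from the review: the value is gone AND the key is gone.
  results.plainGone = global[sym] === undefined && !(sym in global);

  // Case 2: a property whose value is undefined is still present, which is
  // why "!== undefined" on its own cannot prove that a delete happened.
  const symUndef = Symbol("undefined-value");
  global[symUndef] = undefined;
  results.undefinedValueStillPresent =
    global[symUndef] === undefined && symUndef in global;
  delete global[symUndef];

  // Case 3: a non-configurable Symbol-keyed property must survive delete;
  // in strict mode the delete throws TypeError rather than returning false.
  const symFixed = Symbol("non-configurable");
  Object.defineProperty(global, symFixed, { value: 1, configurable: false });
  let threwTypeError = false;
  try {
    delete global[symFixed];
  } catch (e) {
    threwTypeError = e instanceof TypeError;
  }
  results.nonConfigurableThrewInStrict = threwTypeError;
  results.nonConfigurableSurvived = symFixed in global && global[symFixed] === 1;

  return results;
}
```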
WebKit Commit Bot
Comment 6 2016-02-02 22:34:11 PST
Comment on attachment 270546 [details] Patch
Clearing flags on attachment: 270546
Committed r196051: <http://trac.webkit.org/changeset/196051>
WebKit Commit Bot
Comment 7 2016-02-02 22:34:14 PST
All reviewed patches have been landed. Closing bug.