JSValue::get is implemented to: 1) Check if the value is a cell – if not, synthesize a prototype to search, 2) call getOwnPropertySlot on the cell, 3) if this returns false, cast to JSObject to get the prototype, and walk the prototype chain. By all rights this should crash when passed a string and accessing a property that does not exist, because the string is a cell, getOwnPropertySlot should return false, and the cast to JSObject should be unsafe. To work around this, JSString::getOwnPropertySlot actually implements 'get' functionality - searching the prototype chain, and faking out a return value of undefined if no property is found. This is a huge hazard, since fixing JSString::getOwnPropertySlot or calling getOwnPropertySlot on cells from elsewhere would introduce bugs. Fortunately it is only ever called in this one place. The fix here is to move getOwnPropertySlot onto JSObjecte and end this madness - cells don't have property slots anyway.
Created attachment 207862 [details] fix
Comment on attachment 207862 [details] fix View in context: https://bugs.webkit.org/attachment.cgi?id=207862&action=review r=me > Source/JavaScriptCore/llint/LLIntSlowPaths.cpp:675 > - > + Please revert.
Comment on attachment 207862 [details] fix Attachment 207862 [details] did not pass win-ews (win): Output: http://webkit-queues.appspot.com/results/1297657
Fixed in r153532, r153537.
This broke bindings generation tests; please fix: http://build.webkit.org/builders/Apple%20MountainLion%20Release%20WK1%20%28Tests%29?numbuilds=200
(In reply to comment #5) > This broke bindings generation tests; please fix: > http://build.webkit.org/builders/Apple%20MountainLion%20Release%20WK1%20%28Tests%29?numbuilds=200 The fix for the bindings test is at https://bugs.webkit.org/show_bug.cgi?id=119410.