Bug 153816 - JSSymbolTableObject::deleteProperty() crashes deleting Symbols
Status: RESOLVED FIXED
Alias: None
Product: WebKit
Classification: Unclassified
Component: JavaScriptCore
Version: Safari 9
Hardware: Unspecified Unspecified
Importance: P2 Normal
Assignee: Nobody
Reported: 2016-02-02 20:28 PST by Caitlin Potter (:caitp)
Modified: 2016-02-02 22:34 PST

Attachments
Patch (3.61 KB, patch)
2016-02-02 20:39 PST, Caitlin Potter (:caitp)
Patch (3.63 KB, patch)
2016-02-02 20:47 PST, Caitlin Potter (:caitp)
Patch (3.62 KB, patch)
2016-02-02 20:48 PST, Caitlin Potter (:caitp)

Description Caitlin Potter (:caitp) 2016-02-02 20:28:37 PST
The following simple repro crashes on ToT, as well as in Safari 9:

```
var symbol = Symbol("");
window[symbol] = "crasher";
delete window[symbol]; // CRASH
```

Repro: https://jsfiddle.net/c820tLLt/
Comment 1 Caitlin Potter (:caitp) 2016-02-02 20:39:24 PST
Created attachment 270543 [details]
Patch
Comment 2 Darin Adler 2016-02-02 20:41:18 PST
Comment on attachment 270543 [details]
Patch

View in context: https://bugs.webkit.org/attachment.cgi?id=270543&action=review

> Source/JavaScriptCore/tests/stress/regress-153816.js:10
> +    if (globalProxy[symbolProperty] !== undefined)
> +        throw new Error("bad value: " + String(globalProxy[symbolProperty]));
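
Review bot: the `if (globalProxy[symbolProperty] !== undefined)` check at line 10 only compares the value read back, so it would also pass if the property were still present and holding `undefined`. Assert absence directly as well, for example that `Object.getOwnPropertySymbols(globalProxy)` no longer contains `symbolProperty`, so the test fails if the delete leaves the key in place.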

Might also want to check "symbolProperty in globalProxy".
Comment 3 Caitlin Potter (:caitp) 2016-02-02 20:47:11 PST
Created attachment 270545 [details]
Patch
Comment 4 Caitlin Potter (:caitp) 2016-02-02 20:48:47 PST
Created attachment 270546 [details]
Patch
Comment 5 Caitlin Potter (:caitp) 2016-02-02 21:03:29 PST
Comment on attachment 270543 [details]
Patch

View in context: https://bugs.webkit.org/attachment.cgi?id=270543&action=review

>> Source/JavaScriptCore/tests/stress/regress-153816.js:10
>> +        throw new Error("bad value: " + String(globalProxy[symbolProperty]));
> 
> Might also want to check "symbolProperty in globalProxy".

good point, done
Comment 6 WebKit Commit Bot 2016-02-02 22:34:11 PST
Comment on attachment 270546 [details]
Patch

Clearing flags on attachment: 270546

Committed r196051: <http://trac.webkit.org/changeset/196051>
Comment 7 WebKit Commit Bot 2016-02-02 22:34:14 PST
All reviewed patches have been landed.  Closing bug.
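
The checks discussed in the review above (the value comparison plus the `in` test), written out as an added example that is not the patch's regress-153816.js or any WebKit code. The names `checkSymbolDelete` and `valueOnlyCheckMisses`, and the use of `globalThis` in place of `window`, are assumptions made here:

```javascript
// Added example: regression check for deleting a Symbol-keyed property.
// Function names and result fields are invented for this sketch.
function checkSymbolDelete(target) {
    const sym = Symbol("regress-153816");
    target[sym] = "crasher";
    const result = {
        setOk: target[sym] === "crasher",
        // On an affected build this delete is where the crash occurred.
        deleteReturned: delete target[sym],
        valueAfter: target[sym],
        // The additional check suggested in review: key must be gone,
        // not merely read back as undefined.
        inAfter: sym in target,
        ownAfter: Object.getOwnPropertySymbols(target).includes(sym)
    };
    result.pass = result.setOk &&
        result.deleteReturned === true &&
        result.valueAfter === undefined &&
        !result.inAfter &&
        !result.ownAfter;
    return result;
}

// Why the value comparison alone is not enough: a property that is still
// present but holds undefined passes `=== undefined` and fails only `in`.
function valueOnlyCheckMisses() {
    const sym = Symbol("still-present");
    const obj = { [sym]: undefined };
    return {
        valueLooksDeleted: obj[sym] === undefined,
        stillPresent: sym in obj
    };
}

// Run against the global object (the case in the report) and a plain object.
const globalResult = checkSymbolDelete(globalThis);
const plainResult = checkSymbolDelete({});
console.log("global object:", globalResult.pass ? "PASS" : "FAIL");
console.log("plain object:", plainResult.pass ? "PASS" : "FAIL");
```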