RESOLVED FIXED 153816
JSSymbolTableObject::deleteProperty() crashes deleting Symbols
https://bugs.webkit.org/show_bug.cgi?id=153816
Caitlin Potter (:caitp)
Reported 2016-02-02 20:28:37 PST
The following simple repro crashes on ToT, as well as in Safari 9:

```
var symbol = Symbol("");
window[symbol] = "crasher";
delete window[symbol]; // CRASH
```

Repro: https://jsfiddle.net/c820tLLt/
Attachments
Patch (3.61 KB, patch)
2016-02-02 20:39 PST, Caitlin Potter (:caitp)
no flags
Patch (3.63 KB, patch)
2016-02-02 20:47 PST, Caitlin Potter (:caitp)
no flags
Patch (3.62 KB, patch)
2016-02-02 20:48 PST, Caitlin Potter (:caitp)
no flags
Caitlin Potter (:caitp)
Comment 1 2016-02-02 20:39:24 PST
Darin Adler
Comment 2 2016-02-02 20:41:18 PST
Comment on attachment 270543 Patch
View in context: https://bugs.webkit.org/attachment.cgi?id=270543&action=review

> Source/JavaScriptCore/tests/stress/regress-153816.js:10
> + if (globalProxy[symbolProperty] !== undefined)
> + throw new Error("bad value: " + String(globalProxy[symbolProperty]));

Might also want to check "symbolProperty in globalProxy".
Caitlin Potter (:caitp)
Comment 3 2016-02-02 20:47:11 PST
Caitlin Potter (:caitp)
Comment 4 2016-02-02 20:48:47 PST
Caitlin Potter (:caitp)
Comment 5 2016-02-02 21:03:29 PST
Comment on attachment 270543 Patch
View in context: https://bugs.webkit.org/attachment.cgi?id=270543&action=review

>> Source/JavaScriptCore/tests/stress/regress-153816.js:10
>> + throw new Error("bad value: " + String(globalProxy[symbolProperty]));
>
> Might also want to check "symbolProperty in globalProxy".

good point, done
WebKit Commit Bot
Comment 6 2016-02-02 22:34:11 PST
Comment on attachment 270546 Patch
Clearing flags on attachment: 270546
Committed r196051: <http://trac.webkit.org/changeset/196051>
WebKit Commit Bot
Comment 7 2016-02-02 22:34:14 PST
All reviewed patches have been landed. Closing bug.
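The check discussed in the review above, written out as an added example; it is not the regress-153816.js test from the patch. It assumes `globalThis` as a stand-in for `window` or the JSC shell's global object, and `leakyDeleteTarget` is a hypothetical broken object included to show why the `in` check catches what the value check alone misses.

```javascript
// Added regression check; not the regress-153816.js from the WebKit patch.
// Assumption: globalThis stands in for `window` / the JSC shell global object.
function checkSymbolDelete(target, symbol) {
  const failures = [];
  const name = String(symbol); // explicit String(): "" + symbol throws TypeError
  target[symbol] = "crasher";
  if (!(symbol in target) || target[symbol] !== "crasher")
    failures.push(name + ": assignment not visible");
  const deleted = delete target[symbol]; // the operation that crashed
  if (deleted !== true)
    failures.push(name + ": delete did not return true");
  if (target[symbol] !== undefined)
    failures.push(name + ": bad value after delete");
  // The reviewer's extra check: a property left behind holding `undefined`
  // passes the value check above but is still reported by `in`.
  if (symbol in target)
    failures.push(name + ": still reported by 'in'");
  if (Object.getOwnPropertySymbols(target).includes(symbol))
    failures.push(name + ": still listed as an own symbol");
  return failures;
}

// Runs the check for unregistered and registered symbols.
// The Symbol.for() key is a constructed sample value.
function runRegression(target) {
  const symbols = [
    Symbol(""),                           // the reporter's case
    Symbol("described"),
    Symbol.for("regress-153816-example"), // global symbol registry
  ];
  return symbols.flatMap((s) => checkSymbolDelete(target, s));
}

// Hypothetical broken target: "delete" only blanks the value.
function leakyDeleteTarget() {
  return new Proxy({}, {
    deleteProperty(obj, key) {
      obj[key] = undefined;
      return true;
    },
  });
}

console.log("global object:", runRegression(globalThis));
console.log("leaky target:", checkSymbolDelete(leakyDeleteTarget(), Symbol("leak")));
```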