RESOLVED FIXED 201484
LazyClassStructure::setConstructor should not store the constructor to the global object
https://bugs.webkit.org/show_bug.cgi?id=201484
Summary LazyClassStructure::setConstructor should not store the constructor to the gl...
Tadeu Zagallo
Reported 2019-09-04 18:53:51 PDT
Attachments
Patch (6.53 KB, patch)
2019-09-04 19:10 PDT, Tadeu Zagallo
no flags
Patch (6.49 KB, patch)
2019-09-04 19:32 PDT, Tadeu Zagallo
no flags
Patch for landing (6.48 KB, patch)
2019-09-05 11:00 PDT, Tadeu Zagallo
no flags
Tadeu Zagallo
Comment 1 2019-09-04 19:10:16 PDT
Yusuke Suzuki
Comment 2 2019-09-04 19:14:47 PDT
Comment on attachment 378035 [details] Patch View in context: https://bugs.webkit.org/attachment.cgi?id=378035&action=review r=me with comment. > Source/JavaScriptCore/runtime/Lookup.h:367 > + if (!propertyName.isNull()) I think this never happens because this function is called for property materialization. I think `propertyName.isNull()` code in the original one exists for the use case not through static-property-table. And I believe we do not have a case like, 1. While using LazyClassStructure without specifying it in static-property-table... 2. But still we want global object property for that. Can you ensure that the above use case does not exist in our code base?
Tadeu Zagallo
Comment 3 2019-09-04 19:30:01 PDT
(In reply to Yusuke Suzuki from comment #2) > I think this never happens because this function is called for property > materialization. > I think `propertyName.isNull()` code in the original one exists for the use > case not through static-property-table. And I believe we do not have a case > like, > > 1. While using LazyClassStructure without specifying it in > static-property-table... > 2. But still we want global object property for that. > > Can you ensure that the above use case does not exist in our code base? You're right, thanks! I've updated the patch.
Tadeu Zagallo
Comment 4 2019-09-04 19:32:19 PDT
Yusuke Suzuki
Comment 5 2019-09-04 21:17:43 PDT
Comment on attachment 378038 [details] Patch View in context: https://bugs.webkit.org/attachment.cgi?id=378038&action=review > Source/JavaScriptCore/runtime/Lookup.h:367 > + thisObj.putDirect(vm, propertyName, constructor, static_cast<unsigned>(PropertyAttribute::DontEnum)); Oops, please check attribute. This doesn't matter since all LazyClassStructure property's attribute is now DontEnum, but it is possible that other properties will use LazyClassStructure in the future. So, can you use `value.attributes()` ?
Tadeu Zagallo
Comment 6 2019-09-05 10:55:39 PDT
Comment on attachment 378038 [details] Patch View in context: https://bugs.webkit.org/attachment.cgi?id=378038&action=review >> Source/JavaScriptCore/runtime/Lookup.h:367 >> + thisObj.putDirect(vm, propertyName, constructor, static_cast<unsigned>(PropertyAttribute::DontEnum)); > > Oops, please check attribute. This doesn't matter since all LazyClassStructure property's attribute is now DontEnum, but it is possible that other properties will use LazyClassStructure in the future. > So, can you use `value.attributes()` ? Oops, good catch, I'll fix it. Thanks!
Tadeu Zagallo
Comment 7 2019-09-05 11:00:31 PDT
Created attachment 378099 [details] Patch for landing
WebKit Commit Bot
Comment 8 2019-09-05 11:48:02 PDT
Comment on attachment 378099 [details] Patch for landing Clearing flags on attachment: 378099 Committed r249538: <https://trac.webkit.org/changeset/249538>
WebKit Commit Bot
Comment 9 2019-09-05 11:48:03 PDT
All reviewed patches have been landed. Closing bug.
Keith Miller
Comment 10 2019-10-02 07:57:03 PDT
*** Bug 202433 has been marked as a duplicate of this bug. ***
Note You need to log in before you can comment on or make changes to this bug.