Title: [201712] trunk
Revision
201712
Author
cdu...@apple.com
Date
2016-06-06 09:40:02 -0700 (Mon, 06 Jun 2016)

Log Message

Crash under JSObject::getOwnPropertyDescriptor()
https://bugs.webkit.org/show_bug.cgi?id=158382
<rdar://problem/26605004>

Reviewed by Mark Lam.

Source/_javascript_Core:

* runtime/JSObject.h:
(JSC::JSObject::putDirectInternal):
We were crashing under getOwnPropertyDescriptor() because the
CustomAccessor was not properly reset on window.statusbar when
setting it to false (which is allowed because the property is
marked as [Replaceable] in the IDL). We now properly reset the
CustomAccessor flag in putDirectInternal() when needed. This
fixes the crash.

LayoutTests:

Add layout test to cover the crash in JSObject::getOwnPropertyDescriptor().

* js/dom/getOwnPropertyDescriptor-crash-expected.txt: Added.
* js/dom/getOwnPropertyDescriptor-crash.html: Added.

Diff

Modified: trunk/LayoutTests/ChangeLog (201711 => 201712)


--- trunk/LayoutTests/ChangeLog	2016-06-06 14:31:19 UTC (rev 201711)
+++ trunk/LayoutTests/ChangeLog	2016-06-06 16:40:02 UTC (rev 201712)
@@ -1,3 +1,16 @@
+2016-06-06  Chris Dumez  <cdu...@apple.com>
+
+        Crash under JSObject::getOwnPropertyDescriptor()
+        https://bugs.webkit.org/show_bug.cgi?id=158382
+        <rdar://problem/26605004>
+
+        Reviewed by Mark Lam.
+
+        Add layout test to cover the crash in JSObject::getOwnPropertyDescriptor().
+
+        * js/dom/getOwnPropertyDescriptor-crash-expected.txt: Added.
+        * js/dom/getOwnPropertyDescriptor-crash.html: Added.
+
 2016-06-06  Javier Fernandez  <jfernan...@igalia.com>
 
         [css-grid] Horizontal scroll must account for grid container's height
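Review bot: the ChangeLog entry should say why the new test needs a warm-up loop, since the test depends on foo() being baseline-compiled before window.statusbar is replaced; a line such as `The test baseline-compiles a function that touches window, then replaces window.statusbar` would stop a later editor from simplifying the test and losing the repro.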

Added: trunk/LayoutTests/js/dom/getOwnPropertyDescriptor-crash-expected.txt (0 => 201712)


--- trunk/LayoutTests/js/dom/getOwnPropertyDescriptor-crash-expected.txt	                        (rev 0)
+++ trunk/LayoutTests/js/dom/getOwnPropertyDescriptor-crash-expected.txt	2016-06-06 16:40:02 UTC (rev 201712)
@@ -0,0 +1 @@
+This test passes if it does not crash.

Added: trunk/LayoutTests/js/dom/getOwnPropertyDescriptor-crash.html (0 => 201712)


--- trunk/LayoutTests/js/dom/getOwnPropertyDescriptor-crash.html	                        (rev 0)
+++ trunk/LayoutTests/js/dom/getOwnPropertyDescriptor-crash.html	2016-06-06 16:40:02 UTC (rev 201712)
@@ -0,0 +1,22 @@
+<html>
+<body>
+<script>
+if (window.testRunner)
+    testRunner.dumpAsText();
+
+function foo() {
+    window.prototype;
+}
+
+Object.getOwnPropertyDescriptor(window, "statusbar");
+
+// Need to baseline compile foo().
+for (var i = 0; i < 200; i++)
+    foo();
+
+window.statusbar = false;
+Object.getOwnPropertyDescriptor(window, "statusbar");
+</script>
+<p>This test passes if it does not crash.</p>
+</body>
+</html>
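Review bot: the test only checks for the absence of a crash; after `window.statusbar = false;` it could also check the descriptor it gets back, e.g. `var desc = Object.getOwnPropertyDescriptor(window, "statusbar");` followed by a check that `desc.value === false` and `desc.get === undefined`, so the test covers the [Replaceable] semantics the fix restores and not just the crash. The comment on the 200-iteration loop should also say that the count is tied to the baseline JIT threshold, so nobody lowers it later and silently turns the test into a no-op.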

Modified: trunk/Source/_javascript_Core/ChangeLog (201711 => 201712)


--- trunk/Source/_javascript_Core/ChangeLog	2016-06-06 14:31:19 UTC (rev 201711)
+++ trunk/Source/_javascript_Core/ChangeLog	2016-06-06 16:40:02 UTC (rev 201712)
@@ -1,3 +1,20 @@
+2016-06-06  Chris Dumez  <cdu...@apple.com>
+
+        Crash under JSObject::getOwnPropertyDescriptor()
+        https://bugs.webkit.org/show_bug.cgi?id=158382
+        <rdar://problem/26605004>
+
+        Reviewed by Mark Lam.
+
+        * runtime/JSObject.h:
+        (JSC::JSObject::putDirectInternal):
+        We were crashing under getOwnPropertyDescriptor() because the
+        CustomAccessor was not properly reset on window.statusbar when
+        setting it to false (which is allowed because the property is
+        marked as [Replaceable] in the IDL). We now property reset the
+        CustomAccessor flag in putDirectInternal() when needed. This
+        fixes the crash.
+
 2016-06-06  Gyuyoung Kim  <gyuyoung....@webkit.org>
 
         [EFL] Move efl include paths to _javascript_Core_SYSTEM_INCLUDE_DIRECTORIES
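Review bot: typo in the description, "We now property reset the CustomAccessor flag" should read "properly reset". The paragraph could also state the actual condition the code now checks (the CustomAccessor bit differing between the old and new attributes triggers a structure transition) so the entry matches the change in JSObject.h.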

Modified: trunk/Source/_javascript_Core/runtime/JSObject.h (201711 => 201712)


--- trunk/Source/_javascript_Core/runtime/JSObject.h	2016-06-06 14:31:19 UTC (rev 201711)
+++ trunk/Source/_javascript_Core/runtime/JSObject.h	2016-06-06 16:40:02 UTC (rev 201712)
@@ -1466,7 +1466,7 @@
         slot.setExistingProperty(this, offset);
         putDirect(vm, offset, value);
 
-        if ((attributes & Accessor) != (currentAttributes & Accessor)) {
+        if ((attributes & Accessor) != (currentAttributes & Accessor) || (attributes & CustomAccessor) != (currentAttributes & CustomAccessor)) {
             ASSERT(!(attributes & ReadOnly));
             setStructure(vm, Structure::attributeChangeTransition(vm, structure, propertyName, attributes));
         }
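Review bot: the ASSERT(!(attributes & ReadOnly)) now also guards the CustomAccessor case; confirm that no caller can replace a CustomAccessor property with ReadOnly attributes, otherwise debug builds will assert on a path that previously took no transition at all. The widened condition could be written as a single mask, `if ((attributes ^ currentAttributes) & (Accessor | CustomAccessor))`, which reads more easily and keeps the line within WebKit's usual width.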