Title: [216561] trunk/Source/_javascript_Core
- Revision
- 216561
- Author
- fpi...@apple.com
- Date
- 2017-05-09 18:01:26 -0700 (Tue, 09 May 2017)
Log Message
JSInjectedScriptHost should get a copy of the boundArgs
https://bugs.webkit.org/show_bug.cgi?id=171897
Reviewed by Joseph Pecoraro.
The boundArgs array is very special - it cannot be mutated in any way. So, it makes sense
for the inspector to get a copy of it.
* inspector/JSInjectedScriptHost.cpp:
(Inspector::JSInjectedScriptHost::getInternalProperties):
* runtime/JSBoundFunction.cpp:
(JSC::JSBoundFunction::boundArgsCopy):
* runtime/JSBoundFunction.h:
(JSC::JSBoundFunction::boundArgs):
Modified Paths
Diff
Modified: trunk/Source/_javascript_Core/ChangeLog (216560 => 216561)
--- trunk/Source/_javascript_Core/ChangeLog 2017-05-10 00:33:36 UTC (rev 216560)
+++ trunk/Source/_javascript_Core/ChangeLog 2017-05-10 01:01:26 UTC (rev 216561)
@@ -1,3 +1,20 @@
+2017-05-09 Filip Pizlo <fpi...@apple.com>
+
+ JSInjectedScriptHost should get a copy of the boundArgs
+ https://bugs.webkit.org/show_bug.cgi?id=171897
+
+ Reviewed by Joseph Pecoraro.
+
+ The boundArgs array is very special - it cannot be mutated in any way. So, it makes sense
+ for the inspector to get a copy of it.
+
+ * inspector/JSInjectedScriptHost.cpp:
+ (Inspector::JSInjectedScriptHost::getInternalProperties):
+ * runtime/JSBoundFunction.cpp:
+ (JSC::JSBoundFunction::boundArgsCopy):
+ * runtime/JSBoundFunction.h:
+ (JSC::JSBoundFunction::boundArgs):
+
2017-05-09 Mark Lam <mark....@apple.com>
Unindent some code in Watchdog::shouldTerminate().
Modified: trunk/Source/_javascript_Core/inspector/JSInjectedScriptHost.cpp (216560 => 216561)
--- trunk/Source/_javascript_Core/inspector/JSInjectedScriptHost.cpp 2017-05-10 00:33:36 UTC (rev 216560)
+++ trunk/Source/_javascript_Core/inspector/JSInjectedScriptHost.cpp 2017-05-10 01:01:26 UTC (rev 216561)
@@ -305,7 +305,7 @@
RETURN_IF_EXCEPTION(scope, JSValue());
if (boundFunction->boundArgs()) {
scope.release();
- array->putDirectIndex(exec, index++, constructInternalProperty(exec, "boundArgs", boundFunction->boundArgs()));
+ array->putDirectIndex(exec, index++, constructInternalProperty(exec, "boundArgs", boundFunction->boundArgsCopy(exec)));
return array;
}
return array;
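Review bot: The new call on the `+` line can leave a null array in the inspector result: `boundArgsCopy(exec)` returns `nullptr` whenever its `RETURN_IF_EXCEPTION` fires (see the new definition in JSBoundFunction.cpp), but this hunk invokes it after `scope.release()` and feeds the result straight into `constructInternalProperty` and `putDirectIndex` without an exception check. The previous code never had that problem because `boundArgs()` could not throw. Hoist the copy into a local, check for a pending exception, and only then release the scope; if `constructInternalProperty` tolerates a null cell this is merely a stray empty value, if not it is a crash, so the check is worth having either way. `getInternalProperties` begins before this hunk, so the scope declaration it relies on is not visible here.
```cpp
    if (boundFunction->boundArgs()) {
        JSArray* boundArgsCopy = boundFunction->boundArgsCopy(exec);
        RETURN_IF_EXCEPTION(scope, JSValue());
        scope.release();
        array->putDirectIndex(exec, index++, constructInternalProperty(exec, "boundArgs", boundArgsCopy));
        return array;
    }
```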
Modified: trunk/Source/_javascript_Core/runtime/JSBoundFunction.cpp (216560 => 216561)
--- trunk/Source/_javascript_Core/runtime/JSBoundFunction.cpp 2017-05-10 00:33:36 UTC (rev 216560)
+++ trunk/Source/_javascript_Core/runtime/JSBoundFunction.cpp 2017-05-10 01:01:26 UTC (rev 216561)
@@ -191,6 +191,19 @@
{
}
+JSArray* JSBoundFunction::boundArgsCopy(ExecState* exec)
+{
+ VM& vm = exec->vm();
+ auto scope = DECLARE_THROW_SCOPE(vm);
+ JSArray* result = constructEmptyArray(exec, nullptr, globalObject());
+ RETURN_IF_EXCEPTION(scope, nullptr);
+ for (unsigned i = 0; i < m_boundArgs->length(); ++i) {
+ result->push(exec, m_boundArgs->getIndexQuickly(i));
+ RETURN_IF_EXCEPTION(scope, nullptr);
+ }
+ return result;
+}
+
void JSBoundFunction::finishCreation(VM& vm, NativeExecutable* executable, int length)
{
String name; // We lazily create our 'name' string property.
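Review bot: `boundArgsCopy` dereferences `m_boundArgs` unconditionally in the loop header, while the header's `boundArgs()` accessor is null-checked by its only caller in this commit, so the field is evidently allowed to be null and any future caller that skips that check will crash here. Make the precondition explicit at the top of the function, `ASSERT(m_boundArgs); // callers must check boundArgs() first`, and say so in a one-line comment above the definition, together with the fact that a null return means an exception is pending. While there, hoist the bound `const unsigned length = m_boundArgs->length();` out of the loop condition rather than re-reading it on every iteration; `getIndexQuickly` also presumes the source array has no holes, which seems to hold for an array the runtime builds from call arguments, but a short comment stating that assumption would help the next reader.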
Modified: trunk/Source/_javascript_Core/runtime/JSBoundFunction.h (216560 => 216561)
--- trunk/Source/_javascript_Core/runtime/JSBoundFunction.h 2017-05-10 00:33:36 UTC (rev 216560)
+++ trunk/Source/_javascript_Core/runtime/JSBoundFunction.h 2017-05-10 01:01:26 UTC (rev 216561)
@@ -47,7 +47,8 @@
JSObject* targetFunction() { return m_targetFunction.get(); }
JSValue boundThis() { return m_boundThis.get(); }
- JSArray* boundArgs() { return m_boundArgs.get(); }
+ JSArray* boundArgs() { return m_boundArgs.get(); } // DO NOT allow this array to be mutated!
+ JSArray* boundArgsCopy(ExecState*);
static Structure* createStructure(VM& vm, JSGlobalObject* globalObject, JSValue prototype)
{
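Review bot: The new trailing comment on `boundArgs()` warns but does not tell the reader what to do instead or that the pointer may be null, and `boundArgsCopy` is declared with no documentation at all even though its contract (fresh array, null on exception) is what makes the warning actionable. Suggested wording: `JSArray* boundArgs() { return m_boundArgs.get(); } // May be null. Never mutate the result; expose it to JS via boundArgsCopy() instead.` and `JSArray* boundArgsCopy(ExecState*); // Shallow copy of boundArgs(); returns nullptr when an exception is pending.` A comment-only guard is weak, so if the array is never mutated inside JSC either, consider whether the accessor can return `const JSArray*` in a follow-up; the rest of the class is outside this hunk, so that may not be feasible.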