Modified: branches/safari-534-branch/LayoutTests/ChangeLog (87976 => 87977)
--- branches/safari-534-branch/LayoutTests/ChangeLog 2011-06-03 00:52:55 UTC (rev 87976)
+++ branches/safari-534-branch/LayoutTests/ChangeLog 2011-06-03 00:57:54 UTC (rev 87977)
@@ -1,3 +1,20 @@
+2011-06-02 Lucas Forschler <lforsch...@apple.com>
+
+ Merged 87826.
+
+ 2011-05-31 Oliver Hunt <oli...@apple.com>
+
+ Reviewed by Geoffrey Garen.
+
+ Freezing a function and its prototype causes browser to crash.
+ https://bugs.webkit.org/show_bug.cgi?id=61758
+
+ Add test to ensure correct behaviour
+
+ * fast/js/preventExtensions-expected.txt:
+ * fast/js/script-tests/preventExtensions.js:
+ (f):
+
2011-05-29 Mark Rowe <mr...@apple.com>
Merge r87660.
Modified: branches/safari-534-branch/LayoutTests/fast/js/preventExtensions-expected.txt (87976 => 87977)
--- branches/safari-534-branch/LayoutTests/fast/js/preventExtensions-expected.txt 2011-06-03 00:52:55 UTC (rev 87976)
+++ branches/safari-534-branch/LayoutTests/fast/js/preventExtensions-expected.txt 2011-06-03 00:57:54 UTC (rev 87977)
@@ -3,6 +3,9 @@
On success, you will see a series of "PASS" messages, followed by "TEST COMPLETE".
+PASS (new inextensible).prototypeExists is true
+PASS (new sealed).prototypeExists is true
+PASS (new frozen).prototypeExists is true
PASS test(obj()) is "(b:4)(c:3)E"
PASS test(preventExtensions(obj())) is "(b:4)"
PASS test(seal(obj())) is "(a:1)(b:4)S"
Modified: branches/safari-534-branch/LayoutTests/fast/js/script-tests/preventExtensions.js (87976 => 87977)
--- branches/safari-534-branch/LayoutTests/fast/js/script-tests/preventExtensions.js 2011-06-03 00:52:55 UTC (rev 87976)
+++ branches/safari-534-branch/LayoutTests/fast/js/script-tests/preventExtensions.js 2011-06-03 00:57:54 UTC (rev 87977)
@@ -43,6 +43,23 @@
return obj;
}
+function inextensible(){}
+function sealed(){}
+function frozen(){};
+preventExtensions(inextensible);
+seal(sealed);
+freeze(frozen);
+new inextensible;
+new sealed;
+new frozen;
+inextensible.prototype.prototypeExists = true;
+sealed.prototype.prototypeExists = true;
+frozen.prototype.prototypeExists = true;
+
+shouldBeTrue("(new inextensible).prototypeExists");
+shouldBeTrue("(new sealed).prototypeExists");
+shouldBeTrue("(new frozen).prototypeExists");
+
shouldBe('test(obj())', '"(b:4)(c:3)E"'); // extensible, can delete a, can modify b, and can add c
shouldBe('test(preventExtensions(obj()))', '"(b:4)"'); // <nothing>, can delete a, can modify b, and CANNOT add c
shouldBe('test(seal(obj()))', '"(a:1)(b:4)S"'); // sealed, CANNOT delete a, can modify b, and CANNOT add c
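Review bot: The three bare `new inextensible;` / `new sealed;` / `new frozen;` statements at L48-50 are the actual regression trigger — they force the lazily created `prototype` property to be materialized on a function that is already non-extensible, which is what the JavaScriptCore side of this patch fixes — yet nothing in the test says so, and a later tidy-up could drop them as no-op expression statements. A comment such as `// Constructing forces the lazily-created 'prototype' property; this used to crash on a non-extensible function (bug 61758).` would preserve the intent. The assertions also only prove construction still works; adding `shouldBeFalse("Object.isExtensible(inextensible)")`, `shouldBeTrue("Object.isSealed(sealed)")` and `shouldBeTrue("Object.isFrozen(frozen)")` after the constructions would pin that materializing the property did not loosen the object's state. Minor: `function frozen(){};` on L44 carries a stray semicolon its two sibling declarations do not.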
Modified: branches/safari-534-branch/Source/_javascript_Core/ChangeLog (87976 => 87977)
--- branches/safari-534-branch/Source/_javascript_Core/ChangeLog 2011-06-03 00:52:55 UTC (rev 87976)
+++ branches/safari-534-branch/Source/_javascript_Core/ChangeLog 2011-06-03 00:57:54 UTC (rev 87977)
@@ -1,3 +1,28 @@
+2011-06-02 Lucas Forschler <lforsch...@apple.com>
+
+ Merged 87826.
+
+ 2011-05-31 Oliver Hunt <oli...@apple.com>
+
+ Reviewed by Geoffrey Garen.
+
+ Freezing a function and its prototype causes browser to crash.
+ https://bugs.webkit.org/show_bug.cgi?id=61758
+
+ Make JSObject::preventExtensions virtual so that we can override it
+ and instantiate all lazy
+
+ * _javascript_Core.exp:
+ * runtime/JSFunction.cpp:
+ (JSC::createPrototypeProperty):
+ (JSC::JSFunction::preventExtensions):
+ (JSC::JSFunction::getOwnPropertySlot):
+ * runtime/JSFunction.h:
+ * runtime/JSObject.h:
+ * runtime/JSObject.cpp:
+ (JSC::JSObject::seal):
+ (JSC::JSObject::seal):
+
2011-05-27 Mark Rowe <mr...@apple.com>
Merge r87580.
Modified: branches/safari-534-branch/Source/_javascript_Core/_javascript_Core.exp (87976 => 87977)
--- branches/safari-534-branch/Source/_javascript_Core/_javascript_Core.exp 2011-06-03 00:52:55 UTC (rev 87976)
+++ branches/safari-534-branch/Source/_javascript_Core/_javascript_Core.exp 2011-06-03 00:57:54 UTC (rev 87977)
@@ -299,6 +299,7 @@
__ZN3JSC8JSObject15unwrappedObjectEv
__ZN3JSC8JSObject16getPropertyNamesEPNS_9ExecStateERNS_17PropertyNameArrayENS_15EnumerationModeE
__ZN3JSC8JSObject17defineOwnPropertyEPNS_9ExecStateERKNS_10IdentifierERNS_18PropertyDescriptorEb
+__ZN3JSC8JSObject17preventExtensionsERNS_12JSGlobalDataE
__ZN3JSC8JSObject17putDirectFunctionEPNS_9ExecStateEPNS_10JSFunctionEj
__ZN3JSC8JSObject17putDirectFunctionEPNS_9ExecStateEPNS_16InternalFunctionEj
__ZN3JSC8JSObject17putWithAttributesEPNS_12JSGlobalDataERKNS_10IdentifierENS_7JSValueEj
Modified: branches/safari-534-branch/Source/_javascript_Core/_javascript_Core.vcproj/_javascript_Core/_javascript_Core.def (87976 => 87977)
--- branches/safari-534-branch/Source/_javascript_Core/_javascript_Core.vcproj/_javascript_Core/_javascript_Core.def 2011-06-03 00:52:55 UTC (rev 87976)
+++ branches/safari-534-branch/Source/_javascript_Core/_javascript_Core.vcproj/_javascript_Core/_javascript_Core.def 2011-06-03 00:57:54 UTC (rev 87977)
@@ -258,6 +258,7 @@
?objectCount@Heap@JSC@@QBEIXZ
?objectProtoFuncToString@JSC@@YI_JPAVExecState@1@@Z
?parseDateFromNullTerminatedCharacters@WTF@@YANPBD@Z
+ ?preventExtensions@JSObject@JSC@@UAEXAAVJSGlobalData@2@@Z
?profiler@Profiler@JSC@@SAPAV12@XZ
?protect@Heap@JSC@@QAEXVJSValue@2@@Z
?protectedGlobalObjectCount@Heap@JSC@@QAEIXZ
Modified: branches/safari-534-branch/Source/_javascript_Core/runtime/JSFunction.cpp (87976 => 87977)
--- branches/safari-534-branch/Source/_javascript_Core/runtime/JSFunction.cpp 2011-06-03 00:52:55 UTC (rev 87976)
+++ branches/safari-534-branch/Source/_javascript_Core/runtime/JSFunction.cpp 2011-06-03 00:57:54 UTC (rev 87977)
@@ -177,6 +177,23 @@
return jsNumber(thisObj->jsExecutable()->parameterCount());
}
+static inline WriteBarrierBase<Unknown>* createPrototypeProperty(JSGlobalData& globalData, JSGlobalObject* globalObject, JSFunction* function)
+{
+ ExecState* exec = globalObject->globalExec();
+ if (WriteBarrierBase<Unknown>* location = function->getDirectLocation(globalData, exec->propertyNames().prototype))
+ return location;
+ JSObject* prototype = constructEmptyObject(exec, globalObject->emptyObjectStructure());
+ prototype->putDirect(globalData, exec->propertyNames().constructor, function, DontEnum);
+ function->putDirect(globalData, exec->propertyNames().prototype, prototype, DontDelete | DontEnum);
+ return function->getDirectLocation(exec->globalData(), exec->propertyNames().prototype);
+}
+
+void JSFunction::preventExtensions(JSGlobalData& globalData)
+{
+ createPrototypeProperty(globalData, scope()->globalObject.get(), this);
+ JSObject::preventExtensions(globalData);
+}
+
bool JSFunction::getOwnPropertySlot(ExecState* exec, const Identifier& propertyName, PropertySlot& slot)
{
if (isHostFunction())
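Review bot: JSFunction::preventExtensions (L132-136) calls createPrototypeProperty unconditionally, whereas getOwnPropertySlot directly below returns early for host functions (L140) before any `prototype` is ever created; if Object.preventExtensions/seal/freeze is applied to a host JSFunction, this override hands it a `prototype` property it would not otherwise expose, and it dereferences `scope()` on an object whose early-return path suggests no scope chain is meaningful. Mirror the guard: `if (!isHostFunction()) createPrototypeProperty(globalData, scope()->globalObject.get(), this);` before chaining to `JSObject::preventExtensions(globalData)`. A smaller inconsistency in createPrototypeProperty: it is handed `globalData` but the final lookup on L129 uses `exec->globalData()`; using the parameter on both lines makes the helper self-consistent. A one-line comment on the override, `// Materialize the lazily-created 'prototype' before the structure becomes non-extensible (bug 61758).`, would record why the order of the two calls matters.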
@@ -185,12 +202,8 @@
if (propertyName == exec->propertyNames().prototype) {
WriteBarrierBase<Unknown>* location = getDirectLocation(exec->globalData(), propertyName);
- if (!location) {
- JSObject* prototype = constructEmptyObject(exec, scope()->globalObject->emptyObjectStructure());
- prototype->putDirect(exec->globalData(), exec->propertyNames().constructor, this, DontEnum);
- putDirect(exec->globalData(), exec->propertyNames().prototype, prototype, DontDelete | DontEnum);
- location = getDirectLocation(exec->globalData(), propertyName);
- }
+ if (!location)
+ location = createPrototypeProperty(exec->globalData(), scope()->globalObject.get(), this);
slot.setValue(this, location->get(), offsetForLocation(location));
}
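Review bot: The `if (!location)` branch at L150-151 re-checks what createPrototypeProperty already checks first (L124-125 look up the same slot and return it when present), so on a miss the `prototype` slot is looked up an extra time and the caller's branch adds nothing. Replacing L143 and L150-151 with the single line `WriteBarrierBase<Unknown>* location = createPrototypeProperty(exec->globalData(), scope()->globalObject.get(), this);` keeps the helper as the one place that decides whether to materialize, with identical behaviour. This is a style point only. getOwnPropertySlot continues past the end of the hunk.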
Modified: branches/safari-534-branch/Source/_javascript_Core/runtime/JSFunction.h (87976 => 87977)
--- branches/safari-534-branch/Source/_javascript_Core/runtime/JSFunction.h 2011-06-03 00:52:55 UTC (rev 87976)
+++ branches/safari-534-branch/Source/_javascript_Core/runtime/JSFunction.h 2011-06-03 00:57:54 UTC (rev 87977)
@@ -91,6 +91,7 @@
bool isHostFunctionNonInline() const;
+ virtual void preventExtensions(JSGlobalData&);
virtual bool getOwnPropertySlot(ExecState*, const Identifier&, PropertySlot&);
virtual bool getOwnPropertyDescriptor(ExecState*, const Identifier&, PropertyDescriptor&);
virtual void getOwnPropertyNames(ExecState*, PropertyNameArray&, EnumerationMode mode = ExcludeDontEnumProperties);
Modified: branches/safari-534-branch/Source/_javascript_Core/runtime/JSObject.cpp (87976 => 87977)
--- branches/safari-534-branch/Source/_javascript_Core/runtime/JSObject.cpp 2011-06-03 00:52:55 UTC (rev 87976)
+++ branches/safari-534-branch/Source/_javascript_Core/runtime/JSObject.cpp 2011-06-03 00:57:54 UTC (rev 87977)
@@ -509,11 +509,17 @@
void JSObject::seal(JSGlobalData& globalData)
{
+ if (isSealed(globalData))
+ return;
+ preventExtensions(globalData);
setStructure(globalData, Structure::sealTransition(globalData, m_structure.get()));
}
void JSObject::freeze(JSGlobalData& globalData)
{
+ if (isFrozen(globalData))
+ return;
+ preventExtensions(globalData);
setStructure(globalData, Structure::freezeTransition(globalData, m_structure.get()));
}
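Review bot: seal and freeze now call preventExtensions before their structure transition (L171, L178), but nothing at the call site says why, and the reason is non-local: the call is virtual (JSObject.h in this same patch) precisely so JSFunction can materialize its lazily created `prototype` before the structure is marked sealed/frozen, which the transition alone would not cover. A comment above each call, `// Virtual: lets subclasses (e.g. JSFunction) materialize lazily created properties before the structure is sealed/frozen.`, guards against a later cleanup folding it away. The new early returns also mean seal() on an already-frozen object now skips the transition entirely; that is only correct if Structure::isSealed reports true for frozen structures, which is not visible here and worth confirming.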
Modified: branches/safari-534-branch/Source/_javascript_Core/runtime/JSObject.h (87976 => 87977)
--- branches/safari-534-branch/Source/_javascript_Core/runtime/JSObject.h 2011-06-03 00:52:55 UTC (rev 87976)
+++ branches/safari-534-branch/Source/_javascript_Core/runtime/JSObject.h 2011-06-03 00:57:54 UTC (rev 87977)
@@ -211,7 +211,7 @@
void seal(JSGlobalData&);
void freeze(JSGlobalData&);
- void preventExtensions(JSGlobalData&);
+ virtual void preventExtensions(JSGlobalData&);
bool isSealed(JSGlobalData& globalData) { return m_structure->isSealed(globalData); }
bool isFrozen(JSGlobalData& globalData) { return m_structure->isFrozen(globalData); }
bool isExtensible() { return m_structure->isExtensible(); }
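Review bot: The declaration of preventExtensions at L188 becomes virtual without saying what an override is expected to do, and the one override in this patch (JSFunction::preventExtensions) depends on chaining back to the base implementation after materializing its lazy `prototype` property. A comment on the declaration, `// Virtual so subclasses can instantiate lazily created properties first; overrides must then call JSObject::preventExtensions.`, makes that contract explicit for future overrides. The enclosing class definition starts and ends outside the hunk.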