[webkit-changes] [90402] trunk

[barraclough]

Title: [90402] trunk

Revision

90402

Author

barraclo...@apple.com

Date

2011-07-05 12:02:44 -0700 (Tue, 05 Jul 2011)

Log Message

https://bugs.webkit.org/show_bug.cgi?id=63947
ASSERT running Object.preventExtensions(Math.sin)

Reviewed by Oliver Hunt.

This is due to calling scope() on a hostFunction as a part of
calling createPrototypeProperty to reify the prototype property.
But host functions don't have a prototype property anyway!

Source/_javascript_Core: 

Prevent callling createPrototypeProperty on a host function.

* runtime/JSFunction.cpp:
(JSC::JSFunction::createPrototypeProperty):
(JSC::JSFunction::preventExtensions):

LayoutTests: 

Add test case for calling preventExtensions on a host function.

* fast/js/preventExtensions-expected.txt:
* fast/js/script-tests/preventExtensions.js:

Modified Paths

• trunk/LayoutTests/ChangeLog
• trunk/LayoutTests/fast/js/preventExtensions-expected.txt
• trunk/LayoutTests/fast/js/script-tests/preventExtensions.js
• trunk/Source/_javascript_Core/ChangeLog
• trunk/Source/_javascript_Core/runtime/JSFunction.cpp

Diff

Modified: trunk/LayoutTests/ChangeLog (90401 => 90402)

--- trunk/LayoutTests/ChangeLog	2011-07-05 19:01:41 UTC (rev 90401)
+++ trunk/LayoutTests/ChangeLog	2011-07-05 19:02:44 UTC (rev 90402)
@@ -1,3 +1,19 @@
+2011-07-05  Gavin Barraclough  <barraclo...@apple.com>
+
+        https://bugs.webkit.org/show_bug.cgi?id=63947
+        ASSERT running Object.preventExtensions(Math.sin)
+
+        Reviewed by Oliver Hunt.
+
+        This is due to calling scope() on a hostFunction as a part of
+        calling createPrototypeProperty to reify the prototype property.
+        But host functions don't have a prototype property anyway!
+
+        Add test case for calling preventExtensions on a host function.
+
+        * fast/js/preventExtensions-expected.txt:
+        * fast/js/script-tests/preventExtensions.js:
+
 2011-07-04  Gavin Barraclough  <barraclo...@apple.com>
 
         https://bugs.webkit.org/show_bug.cgi?id=63880

Modified: trunk/LayoutTests/fast/js/preventExtensions-expected.txt (90401 => 90402)

--- trunk/LayoutTests/fast/js/preventExtensions-expected.txt	2011-07-05 19:01:41 UTC (rev 90401)
+++ trunk/LayoutTests/fast/js/preventExtensions-expected.txt	2011-07-05 19:02:44 UTC (rev 90402)
@@ -10,6 +10,7 @@
 PASS test(preventExtensions(obj())) is "(b:4)"
 PASS test(seal(obj())) is "(a:1)(b:4)S"
 PASS test(freeze(obj())) is "(a:1)(b:2)SF"
+PASS Object.preventExtensions(Math.sin) is Math.sin
 PASS successfullyParsed is true
 
 TEST COMPLETE

Modified: trunk/LayoutTests/fast/js/script-tests/preventExtensions.js (90401 => 90402)

--- trunk/LayoutTests/fast/js/script-tests/preventExtensions.js	2011-07-05 19:01:41 UTC (rev 90401)
+++ trunk/LayoutTests/fast/js/script-tests/preventExtensions.js	2011-07-05 19:02:44 UTC (rev 90402)
@@ -65,4 +65,7 @@
 shouldBe('test(seal(obj()))', '"(a:1)(b:4)S"'); // sealed, CANNOT delete a, can modify b, and CANNOT add c
 shouldBe('test(freeze(obj()))', '"(a:1)(b:2)SF"'); // sealed and frozen, CANNOT delete a, CANNOT modify b, and CANNOT add c
 
+// check that we can preventExtensions on a host function.
+shouldBe('Object.preventExtensions(Math.sin)', 'Math.sin');
+
 successfullyParsed = true;
\ No newline at end of file

Modified: trunk/Source/_javascript_Core/ChangeLog (90401 => 90402)

--- trunk/Source/_javascript_Core/ChangeLog	2011-07-05 19:01:41 UTC (rev 90401)
+++ trunk/Source/_javascript_Core/ChangeLog	2011-07-05 19:02:44 UTC (rev 90402)
@@ -1,3 +1,20 @@
+2011-07-05  Gavin Barraclough  <barraclo...@apple.com>
+
+        https://bugs.webkit.org/show_bug.cgi?id=63947
+        ASSERT running Object.preventExtensions(Math.sin)
+
+        Reviewed by Oliver Hunt.
+
+        This is due to calling scope() on a hostFunction as a part of
+        calling createPrototypeProperty to reify the prototype property.
+        But host functions don't have a prototype property anyway!
+
+        Prevent callling createPrototypeProperty on a host function.
+
+        * runtime/JSFunction.cpp:
+        (JSC::JSFunction::createPrototypeProperty):
+        (JSC::JSFunction::preventExtensions):
+
 2011-07-04  Gavin Barraclough  <barraclo...@apple.com>
 
         https://bugs.webkit.org/show_bug.cgi?id=63880

Modified: trunk/Source/_javascript_Core/runtime/JSFunction.cpp (90401 => 90402)

--- trunk/Source/_javascript_Core/runtime/JSFunction.cpp	2011-07-05 19:01:41 UTC (rev 90401)
+++ trunk/Source/_javascript_Core/runtime/JSFunction.cpp	2011-07-05 19:02:44 UTC (rev 90402)
@@ -179,6 +179,8 @@
 
 static inline WriteBarrierBase<Unknown>* createPrototypeProperty(JSGlobalData& globalData, JSGlobalObject* globalObject, JSFunction* function)
 {
+    ASSERT(!isHostFunction());
+
     ExecState* exec = globalObject->globalExec();
     if (WriteBarrierBase<Unknown>* location = function->getDirectLocation(globalData, exec->propertyNames().prototype))
         return location;
@@ -190,7 +192,8 @@
 
 void JSFunction::preventExtensions(JSGlobalData& globalData)
 {
-    createPrototypeProperty(globalData, scope()->globalObject.get(), this);
+    if (!isHostFunction())
+        createPrototypeProperty(globalData, scope()->globalObject.get(), this);
     JSObject::preventExtensions(globalData);
 }
 

_______________________________________________
webkit-changes mailing list
webkit-changes@lists.webkit.org
http://lists.webkit.org/mailman/listinfo.cgi/webkit-changes