Title: [202528] trunk/Source/_javascript_Core
- Revision
- 202528
- Author
- [email protected]
- Date
- 2016-06-27 17:42:26 -0700 (Mon, 27 Jun 2016)
Log Message
Fix bad assert in StructureRareData::setObjectToStringValue
https://bugs.webkit.org/show_bug.cgi?id=159171
<rdar://problem/26987355>
Reviewed by Mark Lam.
We should not have expected generateConditionsForPrototypePropertyHit to succeed.
There are many reasons it might fail, including a proxy somewhere on the
prototype chain of the object.
* runtime/StructureRareData.cpp:
(JSC::StructureRareData::setObjectToStringValue):
* tests/stress/object-toString-with-proxy.js: Added.
(get target):
Modified: trunk/Source/_javascript_Core/ChangeLog (202527 => 202528)
--- trunk/Source/_javascript_Core/ChangeLog 2016-06-28 00:36:40 UTC (rev 202527)
+++ trunk/Source/_javascript_Core/ChangeLog 2016-06-28 00:42:26 UTC (rev 202528)
@@ -1,3 +1,20 @@
+2016-06-27 Keith Miller <[email protected]>
+
+ Fix bad assert in StructureRareData::setObjectToStringValue
+ https://bugs.webkit.org/show_bug.cgi?id=159171
+ <rdar://problem/26987355>
+
+ Reviewed by Mark Lam.
+
+ We should not have expected the generateConditionsForPrototypePropertyHit would succeed.
+ There are many reasons it might fail including that there is a proxy somewhere on the
+ prototype chain of the object.
+
+ * runtime/StructureRareData.cpp:
+ (JSC::StructureRareData::setObjectToStringValue):
+ * tests/stress/object-toString-with-proxy.js: Added.
+ (get target):
+
2016-06-27 Filip Pizlo <[email protected]>
Crashing at an unreachable code trap in FTL should give more information
Modified: trunk/Source/_javascript_Core/runtime/StructureRareData.cpp (202527 => 202528)
--- trunk/Source/_javascript_Core/runtime/StructureRareData.cpp 2016-06-28 00:36:40 UTC (rev 202527)
+++ trunk/Source/_javascript_Core/runtime/StructureRareData.cpp 2016-06-28 00:42:26 UTC (rev 202528)
@@ -126,7 +126,7 @@
// This will not create a condition for the current structure but that is good because we know the Symbol.toStringTag
// is not on the ownStructure so we will transisition if one is added and this cache will no longer be used.
conditionSet = generateConditionsForPrototypePropertyHit(vm, this, exec, ownStructure, toStringTagSymbolSlot.slotBase(), vm.propertyNames->toStringTagSymbol.impl());
- ASSERT(conditionSet.hasOneSlotBaseCondition());
+ ASSERT(!conditionSet.isValid() || conditionSet.hasOneSlotBaseCondition());
} else if (toStringTagSymbolSlot.isUnset())
conditionSet = generateConditionsForPropertyMiss(vm, this, exec, ownStructure, vm.propertyNames->toStringTagSymbol.impl());
else
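Review bot: Relaxing the ASSERT on line 54 only changes debug builds; what matters for the reported crash class is what the function does with an invalid conditionSet once the Proxy case falls through, and that code sits below the hunk. If the cache were ever installed with an invalid set, a Proxy's Symbol.toStringTag trap (which can answer differently on every access, as the new test demonstrates) would be served a stale cached string, so the user-visible correctness depends on a `!conditionSet.isValid()` early-out after the if/else chain — presumably it already exists, since the generateConditionsForPropertyMiss branch on line 56 can fail the same way, but please confirm. I would record that contract next to the assert: `// generateConditionsForPrototypePropertyHit may fail (e.g. a Proxy on the prototype chain); an invalid set must never be cached.` setObjectToStringValue's body starts and ends outside the hunk.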
Added: trunk/Source/_javascript_Core/tests/stress/object-toString-with-proxy.js (0 => 202528)
--- trunk/Source/_javascript_Core/tests/stress/object-toString-with-proxy.js (rev 0)
+++ trunk/Source/_javascript_Core/tests/stress/object-toString-with-proxy.js 2016-06-28 00:42:26 UTC (rev 202528)
@@ -0,0 +1,27 @@
+let foo = {};
+let properties = [];
+let p = new Proxy(foo, { get:(target, property) => {
+ properties.push(property.toString());
+ if (property === Symbol.toStringTag)
+ return "bad things";
+ return target[property];
+}});
+
+for (i = 0; i < 5; i++) {
+ if (p != "[object bad things]")
+ throw new Error("bad toString result.");
+
+ if (properties[0] !== "Symbol(Symbol.toPrimitive)" || properties[1] !== "valueOf" || properties[2] !== "toString" || properties[3] !== "Symbol(Symbol.toStringTag)")
+ throw new Error("bad property accesses.");
+
+ properties = [];
+}
+
+p = createProxy(foo);
+
+for (i = 0; i < 5; i++) {
+ let str = "bad things" + i;
+ foo[Symbol.toStringTag] = str;
+ if (p != "[object " + str + "]")
+ throw new Error("bad toString result.");
+}
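Review bot: The loop counters on lines 71 and 83 are implicit globals (`for (i = 0; ...)`); `for (let i = 0; i < 5; i++)` keeps them local and avoids leaking sloppy-mode globals in a stress test. The `!=` on lines 72 and 86 is deliberate, since the loose comparison runs ToPrimitive and that is what drives Object.prototype.toString through the proxy (the expected access order asserted on line 75 documents exactly that), but a reader applying the usual strict-equality rule would break the test, so I would say so in a comment: `// Loose comparison on purpose: ToPrimitive -> toString is what reaches Symbol.toStringTag through the proxy.` Likewise `createProxy` on line 81 appears to be a jsc-shell-only helper rather than a language feature; a one-line comment saying what kind of proxy it wraps `foo` in would help the next reader.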