[webkit-changes] [210647] branches/safari-603-branch

Thu, 12 Jan 2017 08:45:07 -0800

Title: [210647] branches/safari-603-branch

Diff

Modified: branches/safari-603-branch/JSTests/ChangeLog (210646 => 210647)


--- branches/safari-603-branch/JSTests/ChangeLog	2017-01-12 16:45:22 UTC (rev 210646)
+++ branches/safari-603-branch/JSTests/ChangeLog	2017-01-12 16:45:25 UTC (rev 210647)
@@ -1,3 +1,23 @@
+2017-01-12  Matthew Hanson  <[email protected]>
+
+        Merge r210457. rdar://problem/27330808
+
+    2017-01-06  Michael Saboff  <[email protected]>
+
+            @putByValDirect in Array.of and Array.from overwrites non-writable/configurable properties
+            https://bugs.webkit.org/show_bug.cgi?id=153486
+
+            Reviewed by Saam Barati.
+
+            New regression test.
+
+            * stress/regress-153486.js: Added.
+            (shouldEqual):
+            (makeUnwriteableUnconfigurableObject):
+            (testArrayOf):
+            (testArrayFrom):
+            (runTest):
+
 2017-01-11  Matthew Hanson  <[email protected]>
 
         Merge r210451. rdar://problem/29909812

Added: branches/safari-603-branch/JSTests/stress/regress-153486.js (0 => 210647)


--- branches/safari-603-branch/JSTests/stress/regress-153486.js	                        (rev 0)
+++ branches/safari-603-branch/JSTests/stress/regress-153486.js	2017-01-12 16:45:25 UTC (rev 210647)
@@ -0,0 +1,48 @@
+// Check frozen Array.of and Array.from don't modify unwritable/unconfigurable entries.
+
+let totalFailed = 0;
+
+function shouldEqual(testId, iteration, actual, expected) {
+    if (actual != expected) {
+        throw "Test #" + testId + ", iteration " + iteration + ", ERROR: expected \"" + expected + "\", got \"" + actual + "\"";
+    }
+}
+
+function makeUnwriteableUnconfigurableObject()
+{
+    return Object.defineProperty([], 0, {value: "frozen", writable: false, configurable: false});
+}
+
+function testArrayOf(obj)
+{
+    Array.of.call(function() { return obj; }, "no longer frozen");
+}
+
+noInline(testArrayOf);
+
+function testArrayFrom(obj)
+{
+    Array.from.call(function() { return obj; }, ["no longer frozen"]);
+}
+
+noInline(testArrayFrom);
+
+let numIterations = 10000;
+
+function runTest(testId, test, sourceMaker, expectedException) {
+    for (var i = 0; i < numIterations; i++) {
+        var exception = "No exception";
+        var obj = sourceMaker();
+
+        try {
+            test(obj);
+        } catch (e) {
+            exception = "" + e;
+            exception = exception.substr(0, 10); // Search for "TypeError:".
+        }
+        shouldEqual(testId, i, exception, expectedException);
+    }
+}
+
+runTest(1, testArrayOf, makeUnwriteableUnconfigurableObject, "TypeError:");
+runTest(2, testArrayFrom, makeUnwriteableUnconfigurableObject, "TypeError:");

Modified: branches/safari-603-branch/Source/_javascript_Core/ChangeLog (210646 => 210647)


--- branches/safari-603-branch/Source/_javascript_Core/ChangeLog	2017-01-12 16:45:22 UTC (rev 210646)
+++ branches/safari-603-branch/Source/_javascript_Core/ChangeLog	2017-01-12 16:45:25 UTC (rev 210647)
@@ -1,3 +1,19 @@
+2017-01-12  Matthew Hanson  <[email protected]>
+
+        Merge r210457. rdar://problem/27330808
+
+    2017-01-06  Michael Saboff  <[email protected]>
+
+            @putByValDirect in Array.of and Array.from overwrites non-writable/configurable properties
+            https://bugs.webkit.org/show_bug.cgi?id=153486
+
+            Reviewed by Saam Barati.
+
+            Moved read only check in putDirect() to all paths.
+
+            * runtime/SparseArrayValueMap.cpp:
+            (JSC::SparseArrayValueMap::putDirect):
+
 2017-01-11  Matthew Hanson  <[email protected]>
 
         Merge r210451. rdar://problem/29909812

Modified: branches/safari-603-branch/Source/_javascript_Core/runtime/SparseArrayValueMap.cpp (210646 => 210647)


--- branches/safari-603-branch/Source/_javascript_Core/runtime/SparseArrayValueMap.cpp	2017-01-12 16:45:22 UTC (rev 210646)
+++ branches/safari-603-branch/Source/_javascript_Core/runtime/SparseArrayValueMap.cpp	2017-01-12 16:45:25 UTC (rev 210647)
@@ -137,17 +137,17 @@
     AddResult result = add(array, i);
     SparseArrayEntry& entry = result.iterator->value;
 
-    if (mode != PutDirectIndexLikePutDirect && !array->isStructureExtensible()) {
-        // To save a separate find & add, we first always add to the sparse map.
-        // In the uncommon case that this is a new property, and the array is not
-        // extensible, this is not the right thing to have done - so remove again.
-        if (result.isNewEntry) {
-            remove(result.iterator);
-            return typeError(exec, scope, shouldThrow, ASCIILiteral(NonExtensibleObjectPropertyDefineError));
-        }
-        if (entry.attributes & ReadOnly)
-            return typeError(exec, scope, shouldThrow, ASCIILiteral(ReadonlyPropertyWriteError));
+    // To save a separate find & add, we first always add to the sparse map.
+    // In the uncommon case that this is a new property, and the array is not
+    // extensible, this is not the right thing to have done - so remove again.
+    if (mode != PutDirectIndexLikePutDirect && result.isNewEntry && !array->isStructureExtensible()) {
+        remove(result.iterator);
+        return typeError(exec, scope, shouldThrow, ASCIILiteral(NonExtensibleObjectPropertyDefineError));
     }
+
+    if (entry.attributes & ReadOnly)
+        return typeError(exec, scope, shouldThrow, ASCIILiteral(ReadonlyPropertyWriteError));
+
     entry.attributes = attributes;
     entry.set(vm, this, value);
     return true;

_______________________________________________
webkit-changes mailing list
[email protected]
https://lists.webkit.org/mailman/listinfo/webkit-changes

Reply via email to