Title: [216309] trunk/Source/_javascript_Core
- Revision: 216309
- Author: [email protected]
- Date: 2017-05-05 22:19:39 -0700 (Fri, 05 May 2017)
Log Message
Put does not properly consult the prototype chain
https://bugs.webkit.org/show_bug.cgi?id=171754
Reviewed by Saam Barati.
We should do a follow up that cleans up the rest of put. See:
https://bugs.webkit.org/show_bug.cgi?id=171759
* runtime/JSCJSValue.cpp:
(JSC::JSValue::putToPrimitive):
* runtime/JSObject.cpp:
(JSC::JSObject::putInlineSlow):
* runtime/JSObjectInlines.h:
(JSC::JSObject::canPerformFastPutInline):
Diff
Modified: trunk/Source/_javascript_Core/ChangeLog (216308 => 216309)
--- trunk/Source/_javascript_Core/ChangeLog 2017-05-06 04:55:04 UTC (rev 216308)
+++ trunk/Source/_javascript_Core/ChangeLog 2017-05-06 05:19:39 UTC (rev 216309)
@@ -1,3 +1,20 @@
+2017-05-05 Keith Miller <[email protected]>
+
+ Put does not properly consult the prototype chain
+ https://bugs.webkit.org/show_bug.cgi?id=171754
+
+ Reviewed by Saam Barati.
+
+ We should do a follow up that cleans up the rest of put. See:
+ https://bugs.webkit.org/show_bug.cgi?id=171759
+
+ * runtime/JSCJSValue.cpp:
+ (JSC::JSValue::putToPrimitive):
+ * runtime/JSObject.cpp:
+ (JSC::JSObject::putInlineSlow):
+ * runtime/JSObjectInlines.h:
+ (JSC::JSObject::canPerformFastPutInline):
+
2017-05-05 JF Bastien <[email protected]>
WebAssembly: Air::Inst::generate crashes on large binary on A64
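Review bot: The entry records no test for the behaviour change, and the patch touches only runtime files and the ChangeLog. Since the fix replaces getPrototypeDirect() with getPrototype(vm, exec) in the put paths, a regression test that performs a put on an object whose prototype chain contains an object with an overridden getPrototype (the case the new methodTable check in canPerformFastPutInline is guarding) would pin the new behaviour down; the entry should also state why the ASSERT in putInlineSlow is removed rather than leaving that change undocumented.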
Modified: trunk/Source/_javascript_Core/runtime/JSCJSValue.cpp (216308 => 216309)
--- trunk/Source/_javascript_Core/runtime/JSCJSValue.cpp 2017-05-06 04:55:04 UTC (rev 216308)
+++ trunk/Source/_javascript_Core/runtime/JSCJSValue.cpp 2017-05-06 05:19:39 UTC (rev 216309)
@@ -160,7 +160,9 @@
JSValue prototype;
if (propertyName != vm.propertyNames->underscoreProto) {
for (; !obj->structure()->hasReadOnlyOrGetterSetterPropertiesExcludingProto(); obj = asObject(prototype)) {
- prototype = obj->getPrototypeDirect();
+ prototype = obj->getPrototype(vm, exec);
+ RETURN_IF_EXCEPTION(scope, false);
+
if (prototype.isNull())
return typeError(exec, scope, slot.isStrictMode(), ASCIILiteral(ReadonlyPropertyWriteError));
}
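Review bot: The visible loop body has no ProxyObject case, unlike the putInlineSlow hunk in JSObject.cpp, which checks for a proxy before following the prototype; now that `prototype = obj->getPrototype(vm, exec)` can invoke an overridden getPrototype, confirm that a proxy reached through the chain is handled before `obj = asObject(prototype)` runs the structure check on it, otherwise the loop condition alone decides whether the walk continues into a proxy. Minor: the added `+` line after RETURN_IF_EXCEPTION introduces a stray blank line inside the loop body.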
Modified: trunk/Source/_javascript_Core/runtime/JSObject.cpp (216308 => 216309)
--- trunk/Source/_javascript_Core/runtime/JSObject.cpp 2017-05-06 04:55:04 UTC (rev 216308)
+++ trunk/Source/_javascript_Core/runtime/JSObject.cpp 2017-05-06 05:19:39 UTC (rev 216309)
@@ -802,13 +802,13 @@
ProxyObject* proxy = jsCast<ProxyObject*>(obj);
return proxy->ProxyObject::put(proxy, exec, propertyName, value, slot);
}
- JSValue prototype = obj->getPrototypeDirect();
+ JSValue prototype = obj->getPrototype(vm, exec);
+ RETURN_IF_EXCEPTION(scope, false);
if (prototype.isNull())
break;
obj = asObject(prototype);
}
- ASSERT(!structure(vm)->prototypeChainMayInterceptStoreTo(vm, propertyName) || obj == this);
if (!putDirectInternal<PutModePut>(vm, propertyName, value, 0, slot))
return typeError(exec, scope, slot.isStrictMode(), ASCIILiteral(ReadonlyPropertyWriteError));
return true;
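Review bot: Removing `ASSERT(!structure(vm)->prototypeChainMayInterceptStoreTo(vm, propertyName) || obj == this);` drops the only debug check that the walk ended on `this` when nothing in the chain can intercept the store, and the commit message does not say why. With `obj->getPrototype(vm, exec)` now able to run an overridden getPrototype before `putDirectInternal<PutModePut>` executes on `this`, the old invariant may indeed no longer hold; either note that in the ChangeLog or replace the assertion with one that is still valid after getPrototype has run (for example asserting it only on the iteration where getPrototype was the default).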
Modified: trunk/Source/_javascript_Core/runtime/JSObjectInlines.h (216308 => 216309)
--- trunk/Source/_javascript_Core/runtime/JSObjectInlines.h 2017-05-06 04:55:04 UTC (rev 216308)
+++ trunk/Source/_javascript_Core/runtime/JSObjectInlines.h 2017-05-06 05:19:39 UTC (rev 216309)
@@ -69,7 +69,8 @@
JSValue prototype;
JSObject* obj = this;
while (true) {
- if (obj->structure(vm)->hasReadOnlyOrGetterSetterPropertiesExcludingProto() || obj->type() == ProxyObjectType)
+ MethodTable::GetPrototypeFunctionPtr defaultGetPrototype = JSObject::getPrototype;
+ if (obj->structure(vm)->hasReadOnlyOrGetterSetterPropertiesExcludingProto() || obj->methodTable(vm)->getPrototype != defaultGetPrototype)
return false;
prototype = obj->getPrototypeDirect();
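Review bot: `MethodTable::GetPrototypeFunctionPtr defaultGetPrototype = JSObject::getPrototype;` is a loop-invariant constant but is re-declared on every iteration of `while (true)`; hoist it above the loop (or make it `static const`), which also lets the long condition on the following line be split across two lines. The function-pointer comparison against `obj->methodTable(vm)->getPrototype` is the right guard for the `obj->getPrototypeDirect()` call that follows, since it bails out for any class that overrides getPrototype rather than only `ProxyObjectType`.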
_______________________________________________
webkit-changes mailing list
[email protected]
https://lists.webkit.org/mailman/listinfo/webkit-changes