Title: [233114] trunk
- Revision: 233114
- Author: [email protected]
- Date: 2018-06-22 17:45:06 -0700 (Fri, 22 Jun 2018)
Log Message
PropertyCondition::isValidValueForAttributes() should also consider deleted values.
https://bugs.webkit.org/show_bug.cgi?id=186943
<rdar://problem/41370337>
Reviewed by Saam Barati.
JSTests:
* stress/regress-186943.js: Added.
Source/JavaScriptCore:
PropertyCondition::isValidValueForAttributes() should check if the passed in value
is a deleted one before it does a jsDynamicCast on it.
* bytecode/PropertyCondition.cpp:
(JSC::PropertyCondition::isValidValueForAttributes):
* runtime/JSCJSValueInlines.h:
- removed an unnecessary #if.
Diff
Modified: trunk/JSTests/ChangeLog (233113 => 233114)
--- trunk/JSTests/ChangeLog 2018-06-23 00:34:48 UTC (rev 233113)
+++ trunk/JSTests/ChangeLog 2018-06-23 00:45:06 UTC (rev 233114)
@@ -1,3 +1,13 @@
+2018-06-22 Mark Lam <[email protected]>
+
+ PropertyCondition::isValidValueForAttributes() should also consider deleted values.
+ https://bugs.webkit.org/show_bug.cgi?id=186943
+ <rdar://problem/41370337>
+
+ Reviewed by Saam Barati.
+
+ * stress/regress-186943.js: Added.
+
2018-06-22 Keith Miller <[email protected]>
performProxyCall should toThis the value passed to its handler
Added: trunk/JSTests/stress/regress-186943.js (0 => 233114)
--- trunk/JSTests/stress/regress-186943.js (rev 0)
+++ trunk/JSTests/stress/regress-186943.js 2018-06-23 00:45:06 UTC (rev 233114)
@@ -0,0 +1,5 @@
+// This test should not crash.
+x = Reflect;
+delete this.Reflect;
+
+for (var i = 0; i < 10000; ++i) { }
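Review bot: The empty 10000-iteration loop on the last line of regress-186943.js has no comment saying what it is there to trigger, and the header comment only says the test should not crash. Please add a line explaining why the loop is needed after `delete this.Reflect;`, and consider asserting on an observable result as well (for example that `x` still refers to the saved object), so the test can fail on wrong behaviour and not only on a crash.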
Modified: trunk/Source/_javascript_Core/ChangeLog (233113 => 233114)
--- trunk/Source/_javascript_Core/ChangeLog 2018-06-23 00:34:48 UTC (rev 233113)
+++ trunk/Source/_javascript_Core/ChangeLog 2018-06-23 00:45:06 UTC (rev 233114)
@@ -1,3 +1,19 @@
+2018-06-22 Mark Lam <[email protected]>
+
+ PropertyCondition::isValidValueForAttributes() should also consider deleted values.
+ https://bugs.webkit.org/show_bug.cgi?id=186943
+ <rdar://problem/41370337>
+
+ Reviewed by Saam Barati.
+
+ PropertyCondition::isValidValueForAttributes() should check if the passed in value
+ is a deleted one before it does a jsDynamicCast on it.
+
+ * bytecode/PropertyCondition.cpp:
+ (JSC::PropertyCondition::isValidValueForAttributes):
+ * runtime/JSCJSValueInlines.h:
+ - removed an unnecessary #if.
+
2018-06-22 Keith Miller <[email protected]>
performProxyCall should toThis the value passed to its handler
Modified: trunk/Source/_javascript_Core/bytecode/PropertyCondition.cpp (233113 => 233114)
--- trunk/Source/_javascript_Core/bytecode/PropertyCondition.cpp 2018-06-23 00:34:48 UTC (rev 233113)
+++ trunk/Source/_javascript_Core/bytecode/PropertyCondition.cpp 2018-06-23 00:45:06 UTC (rev 233114)
@@ -377,6 +377,8 @@
bool PropertyCondition::isValidValueForAttributes(VM& vm, JSValue value, unsigned attributes)
{
+ if (!value)
+ return false;
bool attributesClaimAccessor = !!(attributes & PropertyAttribute::Accessor);
bool valueClaimsAccessor = !!jsDynamicCast<GetterSetter*>(vm, value);
return attributesClaimAccessor == valueClaimsAccessor;
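Review bot: The new `if (!value) return false;` at the top of isValidValueForAttributes() has no comment, so a reader of the function cannot tell that an empty JSValue here stands for a deleted property; only the log message says so. Suggest a one-line comment above the check stating that, and why false is the intended answer whatever `attributes` holds, since the early return now reports a deleted value as invalid for accessor and non-accessor attributes alike.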
Modified: trunk/Source/_javascript_Core/runtime/JSCJSValueInlines.h (233113 => 233114)
--- trunk/Source/_javascript_Core/runtime/JSCJSValueInlines.h 2018-06-23 00:34:48 UTC (rev 233113)
+++ trunk/Source/_javascript_Core/runtime/JSCJSValueInlines.h 2018-06-23 00:45:06 UTC (rev 233114)
@@ -344,13 +344,11 @@
u.asBits.payload = i;
}
-#if USE(JSVALUE32_64)
inline JSValue::JSValue(int32_t tag, int32_t payload)
{
u.asBits.tag = tag;
u.asBits.payload = payload;
}
-#endif
inline bool JSValue::isNumber() const
{
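Review bot: Removing the `#if USE(JSVALUE32_64)` / `#endif` pair around `JSValue::JSValue(int32_t tag, int32_t payload)` is unrelated to the deleted-value check, and the log only calls it "unnecessary" without saying why. The definition writes `u.asBits.tag` and `u.asBits.payload`, so the log should state that `asBits` and the constructor's declaration are available in every configuration, or this cleanup should land as a separate change.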