Title: [271144] trunk/Source/JavaScriptCore
Revision: 271144
Author: tzaga...@apple.com
Date: 2021-01-04 23:23:31 -0800 (Mon, 04 Jan 2021)

Log Message

propertyNameEnumerator must check it can still take the fast path after getGenericPropertyNames
https://bugs.webkit.org/show_bug.cgi?id=219957
<rdar://71156284>

Reviewed by Yusuke Suzuki.

We need to check if we still `canAccessPropertiesQuicklyForEnumeration` on
`structureAfterGettingPropertyNames`, since we might call out to a proxy's
`getPrototypeOf` callback through `getGenericPropertyNames`.

* runtime/JSPropertyNameEnumerator.h:
(JSC::propertyNameEnumerator):

Diff

Modified: trunk/Source/JavaScriptCore/ChangeLog (271143 => 271144)


--- trunk/Source/_javascript_Core/ChangeLog	2021-01-05 07:19:24 UTC (rev 271143)
+++ trunk/Source/_javascript_Core/ChangeLog	2021-01-05 07:23:31 UTC (rev 271144)
@@ -1,3 +1,18 @@
+2020-12-16  Tadeu Zagallo  <tzaga...@apple.com>
+
+        propertyNameEnumerator must check it can still take the fast path after getGenericPropertyNames
+        https://bugs.webkit.org/show_bug.cgi?id=219957
+        <rdar://71156284>
+
+        Reviewed by Yusuke Suzuki.
+
+        We need to check if we still `canAccessPropertiesQuicklyForEnumeration` on
+        `structureAfterGettingPropertyNames`, since we might call out out to a proxy's
+        `getPrototypeOf` callback through `getGenericPropertyNames`.
+
+        * runtime/JSPropertyNameEnumerator.h:
+        (JSC::propertyNameEnumerator):
+
 2020-11-17  Tadeu Zagallo  <tzaga...@apple.com>
 
         Validate every instruction in AssemblerBuffer
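
Review bot: The added ChangeLog entry has a doubled word, "call out out to a proxy's", in the line that begins with `structureAfterGettingPropertyNames`; it should read "call out to a proxy's". The entry is also dated 2020-12-16 while the file header shows it landing on 2021-01-05, so the date is worth updating to the landing date if that is the convention for this file.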

Modified: trunk/Source/JavaScriptCore/runtime/JSPropertyNameEnumerator.h (271143 => 271144)


--- trunk/Source/_javascript_Core/runtime/JSPropertyNameEnumerator.h	2021-01-05 07:19:24 UTC (rev 271143)
+++ trunk/Source/_javascript_Core/runtime/JSPropertyNameEnumerator.h	2021-01-05 07:23:31 UTC (rev 271144)
@@ -141,6 +141,11 @@
     bool successfullyNormalizedChain = normalizePrototypeChain(globalObject, base, sawPolyProto) != InvalidPrototypeChain;
 
     Structure* structureAfterGettingPropertyNames = base->structure(vm);
+    if (!structureAfterGettingPropertyNames->canAccessPropertiesQuicklyForEnumeration()) {
+        indexedLength = 0;
+        numberStructureProperties = 0;
+    }
+
     enumerator = JSPropertyNameEnumerator::create(vm, structureAfterGettingPropertyNames, indexedLength, numberStructureProperties, WTFMove(propertyNames));
     if (!indexedLength && successfullyNormalizedChain && structureAfterGettingPropertyNames == structure) {
         enumerator->setCachedPrototypeChain(vm, structure->prototypeChain(globalObject, base));
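
Review bot: The new `if (!structureAfterGettingPropertyNames->canAccessPropertiesQuicklyForEnumeration())` block carries no comment saying why the check has to be repeated at this point. The reason is only in the log message (a proxy's `getPrototypeOf` callback can run through `getGenericPropertyNames`), so a one-line comment above the `if` would keep a later cleanup from dropping it as redundant. Two further points: zeroing `indexedLength` here makes `!indexedLength` true in the `if` that follows, so whether `setCachedPrototypeChain` runs then rests on `successfullyNormalizedChain` and `structureAfterGettingPropertyNames == structure` alone, and it is worth confirming that this is intended. The change also touches only ChangeLog and JSPropertyNameEnumerator.h, with no test accompanying it in this revision.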