Branch: refs/heads/main
  Home:   https://github.com/WebKit/WebKit
  Commit: 0a1e72158c24c5ab5212961e2e4115f57c26b9c5
      
https://github.com/WebKit/WebKit/commit/0a1e72158c24c5ab5212961e2e4115f57c26b9c5
  Author: Yijia Huang <[email protected]>
  Date:   2025-05-23 (Fri, 23 May 2025)

  Changed paths:
    A JSTests/stress/property-enumeration-object-with-indexed-property-and-string-prototype.js
    M Source/JavaScriptCore/runtime/StringObjectInlines.h

  Log Message:
  -----------
  For-In can return duplicate keys in JSC
https://bugs.webkit.org/show_bug.cgi?id=291997
rdar://150420842

Reviewed by Yusuke Suzuki.

When an object has a StringObject as its prototype, indexed properties may
be intercepted dynamically via string index behavior. However, the
StringObject's structure was not marked with MayHaveIndexedAccessors,
allowing fast indexed enumeration to proceed incorrectly.

This caused JSPropertyNameEnumerator to enter IndexedMode and emit indexed
property names (e.g., "0") without considering that the prototype also exposes
them. As a result, duplicate property names could appear during for...in
enumeration.

To fix this, we mark the StringObject's structure with MayHaveIndexedAccessors.
This ensures holesMustForwardToPrototype() returns true, which disables fast
indexed enumeration and prevents duplicate keys.

* JSTests/stress/property-enumeration-object-with-indexed-property-and-string-prototype.js: Added.
(assert):
(opt.B):
(opt):
* Source/JavaScriptCore/runtime/StringObjectInlines.h:
(JSC::StringObject::createStructure):

Canonical link: https://commits.webkit.org/295350@main

_______________________________________________
webkit-changes mailing list
[email protected]
https://lists.webkit.org/mailman/listinfo/webkit-changes