Title: [115679] trunk
Revision
115679
Author
[email protected]
Date
2012-04-30 15:29:10 -0700 (Mon, 30 Apr 2012)

Log Message

Arguments object resets attributes on redefinition of a parameter
https://bugs.webkit.org/show_bug.cgi?id=84994

Rubber stamped by Oliver Hunt.

Source/JavaScriptCore:

There is a bug that we always re-add the original property before
redefinition, doing so in a way that will reset the attributes
without checking configurability.

* runtime/Arguments.cpp:
(JSC::Arguments::defineOwnProperty):
    - Only instantiate the property once - do not re-add if
      it has already been added, or if it has been deleted.

LayoutTests: 

* fast/js/arguments-expected.txt:
* fast/js/script-tests/arguments.js:
    - Added test cases.

Diff

Modified: trunk/LayoutTests/ChangeLog (115678 => 115679)


--- trunk/LayoutTests/ChangeLog	2012-04-30 22:21:56 UTC (rev 115678)
+++ trunk/LayoutTests/ChangeLog	2012-04-30 22:29:10 UTC (rev 115679)
@@ -1,3 +1,14 @@
+2012-04-30  Gavin Barraclough  <[email protected]>
+
+        Arguments object resets attributes on redefinition of a parameter
+        https://bugs.webkit.org/show_bug.cgi?id=84994
+
+        Rubber stamped by Oliver Hunt.
+
+        * fast/js/arguments-expected.txt:
+        * fast/js/script-tests/arguments.js:
+            - Added test cases.
+
 2012-04-30  Kentaro Hara  <[email protected]>
 
         WebGLRenderingContext methods should throw TypeError for not enough arguments

Modified: trunk/LayoutTests/fast/js/arguments-expected.txt (115678 => 115679)


--- trunk/LayoutTests/fast/js/arguments-expected.txt	2012-04-30 22:21:56 UTC (rev 115678)
+++ trunk/LayoutTests/fast/js/arguments-expected.txt	2012-04-30 22:29:10 UTC (rev 115679)
@@ -169,6 +169,15 @@
 PASS true is true
 PASS true is true
 PASS true is true
+PASS true is true
+PASS true is true
+PASS false is false
+PASS true is true
+PASS false is false
+PASS false is false
+PASS undefined is undefined.
+PASS true is true
+PASS false is false
 PASS successfullyParsed is true
 
 TEST COMPLETE
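
Review bot: The nine added expectation lines are only "PASS true is true", "PASS false is false" and "PASS undefined is undefined.", so a regression in one of them cannot be tied to a specific assertion by reading this file. The cause is visible in arguments.js, where each check passes String( ... ) of an already evaluated expression, which matches the existing style in that file. Emitting a short descriptive line before the writable/enumerable group and before the delete group would give the expected output markers that survive later insertions.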

Modified: trunk/LayoutTests/fast/js/script-tests/arguments.js (115678 => 115679)


--- trunk/LayoutTests/fast/js/script-tests/arguments.js	2012-04-30 22:21:56 UTC (rev 115678)
+++ trunk/LayoutTests/fast/js/script-tests/arguments.js	2012-04-30 22:29:10 UTC (rev 115679)
@@ -646,3 +646,21 @@
     shouldBeTrue(String( arguments[3] === 103 ));
 
 })(100,101,102,103);
+
+// Test cases for [[DefineOwnProperty]] applied to the arguments object.
+(function(arg){
+    shouldBeTrue(String( Object.getOwnPropertyDescriptor(arguments, 0).writable ));
+    shouldBeTrue(String( Object.getOwnPropertyDescriptor(arguments, 0).enumerable ));
+    Object.defineProperty(arguments, 0, { writable: false });
+    shouldBeFalse(String( Object.getOwnPropertyDescriptor(arguments, 0).writable ));
+    shouldBeTrue(String( Object.getOwnPropertyDescriptor(arguments, 0).enumerable ));
+    Object.defineProperty(arguments, 0, { enumerable: false });
+    shouldBeFalse(String( Object.getOwnPropertyDescriptor(arguments, 0).writable ));
+    shouldBeFalse(String( Object.getOwnPropertyDescriptor(arguments, 0).enumerable ));
+
+    delete arguments[1];
+    shouldBeUndefined(String( Object.getOwnPropertyDescriptor(arguments, 1) ));
+    Object.defineProperty(arguments, 1, { writable: true });
+    shouldBeTrue(String( Object.getOwnPropertyDescriptor(arguments, 1).writable ));
+    shouldBeFalse(String( Object.getOwnPropertyDescriptor(arguments, 1).enumerable ));
+})(0,1);
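
Review bot: The log message says the attributes were reset "without checking configurability", but none of the added cases sets configurable: false; they only toggle writable and enumerable on a property that is still configurable. Add a case that defines index 0 with { configurable: false } and then checks that a further Object.defineProperty changing enumerable is rejected and that the descriptor is unchanged afterwards, since that is the integrity property the fix protects. The function also declares arg and never reads it, so the relationship between arguments[0] and the named parameter after redefinition is untested; either assert on arg or drop the parameter.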

Modified: trunk/Source/JavaScriptCore/ChangeLog (115678 => 115679)


--- trunk/Source/_javascript_Core/ChangeLog	2012-04-30 22:21:56 UTC (rev 115678)
+++ trunk/Source/_javascript_Core/ChangeLog	2012-04-30 22:29:10 UTC (rev 115679)
@@ -1,3 +1,19 @@
+2012-04-26  Gavin Barraclough  <[email protected]>
+
+        Arguments object resets attributes on redefinition of a parameter
+        https://bugs.webkit.org/show_bug.cgi?id=84994
+
+        Rubber stamped by Oliver Hunt.
+
+        There is a bug that we always re-add the original property before
+        redefinition, doing so in a way that will reset the attributes
+        without checking configurability.
+
+        * runtime/Arguments.cpp:
+        (JSC::Arguments::defineOwnProperty):
+            - Only instantiate the property once - do not re-add if
+              it has already been added, or if it has been deleted.
+
 2012-04-30  Ryosuke Niwa  <[email protected]>
 
         Remove an erroneous assertion after r115655.
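
Review bot: This entry is dated 2012-04-26, but it is inserted above an entry dated 2012-04-30, and the matching LayoutTests/ChangeLog entry in the same revision is dated 2012-04-30. Use the landing date here as well so the two ChangeLogs agree and this file stays in date order.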

Modified: trunk/Source/JavaScriptCore/runtime/Arguments.cpp (115678 => 115679)


--- trunk/Source/_javascript_Core/runtime/Arguments.cpp	2012-04-30 22:21:56 UTC (rev 115678)
+++ trunk/Source/_javascript_Core/runtime/Arguments.cpp	2012-04-30 22:29:10 UTC (rev 115679)
@@ -306,7 +306,10 @@
     bool isArrayIndex;
     unsigned i = propertyName.toArrayIndex(isArrayIndex);
     if (isArrayIndex && i < thisObject->d->numArguments) {
-        object->putDirect(exec->globalData(), propertyName, thisObject->argument(i).get(), 0);
+        // If the property is not yet present on the object, and is not yet marked as deleted, then add it now.
+        PropertySlot slot;
+        if ((!thisObject->d->deletedArguments || !thisObject->d->deletedArguments[i]) && !JSObject::getOwnPropertySlot(thisObject, exec, propertyName, slot))
+            object->putDirect(exec->globalData(), propertyName, thisObject->argument(i).get(), 0);
         if (!Base::defineOwnProperty(object, exec, propertyName, descriptor, shouldThrow))
             return false;
 
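
Review bot: In the new condition the presence check is made on thisObject (JSObject::getOwnPropertySlot(thisObject, ...)) while the putDirect on the next line writes through object; if both refer to the same object, use one name for both so it is evident that the check and the write target the same storage. The explicit JSObject:: qualification looks deliberate, presumably to look only at properties already materialized on the object rather than going through the Arguments lookup, and the comment should say so, because a later cleanup to an unqualified call would silently change when the property is re-added. The combined test is also hard to audit on one line; naming the deleted check (for example a local bool for deletedArguments && deletedArguments[i]) would make the two conditions from the ChangeLog, "already been added" and "has been deleted", readable separately.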