Modified: trunk/Source/_javascript_Core/ChangeLog (153672 => 153673)
--- trunk/Source/_javascript_Core/ChangeLog 2013-08-02 22:11:07 UTC (rev 153672)
+++ trunk/Source/_javascript_Core/ChangeLog 2013-08-02 22:30:48 UTC (rev 153673)
@@ -1,3 +1,43 @@
+2013-08-02 Gavin Barraclough <barraclo...@apple.com>
+
+ Remove no-arguments constructor to PropertySlot
+ https://bugs.webkit.org/show_bug.cgi?id=119460
+
+ Reviewed by Geoff Garen.
+
+ This constructor was unsafe if getValue is subsequently called,
+ and the property is a getter. Simplest to just remove it.
+
+ * runtime/Arguments.cpp:
+ (JSC::Arguments::defineOwnProperty):
+ * runtime/JSActivation.cpp:
+ (JSC::JSActivation::getOwnPropertyDescriptor):
+ * runtime/JSFunction.cpp:
+ (JSC::JSFunction::getOwnPropertyDescriptor):
+ (JSC::JSFunction::getOwnNonIndexPropertyNames):
+ (JSC::JSFunction::put):
+ (JSC::JSFunction::defineOwnProperty):
+ * runtime/JSGlobalObject.cpp:
+ (JSC::JSGlobalObject::defineOwnProperty):
+ * runtime/JSGlobalObject.h:
+ (JSC::JSGlobalObject::hasOwnPropertyForWrite):
+ * runtime/JSNameScope.cpp:
+ (JSC::JSNameScope::put):
+ * runtime/JSONObject.cpp:
+ (JSC::Stringifier::Holder::appendNextProperty):
+ (JSC::Walker::walk):
+ * runtime/JSObject.cpp:
+ (JSC::JSObject::hasProperty):
+ (JSC::JSObject::hasOwnProperty):
+ (JSC::JSObject::reifyStaticFunctionsForDelete):
+ * runtime/Lookup.h:
+ (JSC::getStaticPropertyDescriptor):
+ (JSC::getStaticFunctionDescriptor):
+ (JSC::getStaticValueDescriptor):
+ * runtime/ObjectConstructor.cpp:
+ (JSC::defineProperties):
+ * runtime/PropertySlot.h:
+
2013-08-02 Mark Hahnenberg <mhahnenb...@apple.com>
DFG validation can cause assertion failures due to dumping
Modified: trunk/Source/_javascript_Core/runtime/Arguments.cpp (153672 => 153673)
--- trunk/Source/_javascript_Core/runtime/Arguments.cpp 2013-08-02 22:11:07 UTC (rev 153672)
+++ trunk/Source/_javascript_Core/runtime/Arguments.cpp 2013-08-02 22:30:48 UTC (rev 153673)
@@ -287,7 +287,7 @@
if (i < thisObject->m_numArguments) {
RELEASE_ASSERT(i < PropertyName::NotAnIndex);
// If the property is not yet present on the object, and is not yet marked as deleted, then add it now.
- PropertySlot slot;
+ PropertySlot slot(thisObject);
if (!thisObject->isDeletedArgument(i) && !JSObject::getOwnPropertySlot(thisObject, exec, propertyName, slot)) {
JSValue value = thisObject->tryGetArgument(i);
ASSERT(value);
Modified: trunk/Source/_javascript_Core/runtime/JSActivation.cpp (153672 => 153673)
--- trunk/Source/_javascript_Core/runtime/JSActivation.cpp 2013-08-02 22:11:07 UTC (rev 153672)
+++ trunk/Source/_javascript_Core/runtime/JSActivation.cpp 2013-08-02 22:30:48 UTC (rev 153673)
@@ -184,7 +184,7 @@
if (propertyName == exec->propertyNames().arguments) {
// Defend against the inspector asking for the arguments object after it has been optimized out.
if (!thisObject->isTornOff()) {
- PropertySlot slot;
+ PropertySlot slot(thisObject);
JSActivation::getOwnPropertySlot(thisObject, exec, propertyName, slot);
descriptor.setDescriptor(slot.getValue(exec, propertyName), DontEnum);
return true;
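Review bot: The result of `JSActivation::getOwnPropertySlot` on the line after the new `PropertySlot slot(thisObject);` is discarded, and `slot.getValue(exec, propertyName)` is then called unconditionally; if that lookup fails the slot is still in its unset state, and what getValue does with an unset slot is not visible in this hunk, so this is the same class of hazard the commit message gives for removing the default constructor. If the preceding `isTornOff()` check is meant to guarantee the lookup succeeds, an `ASSERT` on the return value would document that; otherwise guard the descriptor, e.g. `if (!JSActivation::getOwnPropertySlot(thisObject, exec, propertyName, slot)) return false;` before the getValue call. JSActivation::getOwnPropertyDescriptor starts and ends outside the hunk.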
Modified: trunk/Source/_javascript_Core/runtime/JSFunction.cpp (153672 => 153673)
--- trunk/Source/_javascript_Core/runtime/JSFunction.cpp 2013-08-02 22:11:07 UTC (rev 153672)
+++ trunk/Source/_javascript_Core/runtime/JSFunction.cpp 2013-08-02 22:30:48 UTC (rev 153673)
@@ -308,7 +308,7 @@
return Base::getOwnPropertyDescriptor(thisObject, exec, propertyName, descriptor);
if (propertyName == exec->propertyNames().prototype) {
- PropertySlot slot;
+ PropertySlot slot(thisObject);
thisObject->methodTable()->getOwnPropertySlot(thisObject, exec, propertyName, slot);
return Base::getOwnPropertyDescriptor(thisObject, exec, propertyName, descriptor);
}
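Review bot: The pair `PropertySlot slot(thisObject); thisObject->methodTable()->getOwnPropertySlot(thisObject, exec, propertyName, slot);` is executed only for its side effect, and the same two lines appear again in the three hunks below (getOwnNonIndexPropertyNames, put and defineOwnProperty), each introduced by a "Make sure prototype has been reified" comment that this first site lacks. A small private member that names the intent would keep the four call sites in step if the reification mechanism ever changes, and would let each site shrink to `thisObject->reifyPrototypeIfNeeded(exec);`. All four enclosing functions start and end outside their hunks, so the helper's declaration would go with the other members, not in this file.
```cpp
// Force the "prototype" property to be materialised; the slot itself is discarded.
void JSFunction::reifyPrototypeIfNeeded(ExecState* exec)
{
    PropertySlot slot(this);
    methodTable()->getOwnPropertySlot(this, exec, exec->propertyNames().prototype, slot);
}
// … unchanged: getOwnPropertyDescriptor, with the two-line lookup replaced by …
thisObject->reifyPrototypeIfNeeded(exec);
```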
@@ -359,7 +359,7 @@
JSFunction* thisObject = jsCast<JSFunction*>(object);
if (!thisObject->isHostFunction() && (mode == IncludeDontEnumProperties)) {
// Make sure prototype has been reified.
- PropertySlot slot;
+ PropertySlot slot(thisObject);
thisObject->methodTable()->getOwnPropertySlot(thisObject, exec, exec->propertyNames().prototype, slot);
propertyNames.add(exec->propertyNames().arguments);
@@ -380,7 +380,7 @@
if (propertyName == exec->propertyNames().prototype) {
// Make sure prototype has been reified, such that it can only be overwritten
// following the rules set out in ECMA-262 8.12.9.
- PropertySlot slot;
+ PropertySlot slot(thisObject);
thisObject->methodTable()->getOwnPropertySlot(thisObject, exec, propertyName, slot);
thisObject->m_allocationProfile.clear();
thisObject->m_allocationProfileWatchpoint.notifyWrite();
@@ -427,7 +427,7 @@
if (propertyName == exec->propertyNames().prototype) {
// Make sure prototype has been reified, such that it can only be overwritten
// following the rules set out in ECMA-262 8.12.9.
- PropertySlot slot;
+ PropertySlot slot(thisObject);
thisObject->methodTable()->getOwnPropertySlot(thisObject, exec, propertyName, slot);
thisObject->m_allocationProfile.clear();
thisObject->m_allocationProfileWatchpoint.notifyWrite();
Modified: trunk/Source/_javascript_Core/runtime/JSGlobalObject.cpp (153672 => 153673)
--- trunk/Source/_javascript_Core/runtime/JSGlobalObject.cpp 2013-08-02 22:11:07 UTC (rev 153672)
+++ trunk/Source/_javascript_Core/runtime/JSGlobalObject.cpp 2013-08-02 22:30:48 UTC (rev 153673)
@@ -178,7 +178,7 @@
bool JSGlobalObject::defineOwnProperty(JSObject* object, ExecState* exec, PropertyName propertyName, PropertyDescriptor& descriptor, bool shouldThrow)
{
JSGlobalObject* thisObject = jsCast<JSGlobalObject*>(object);
- PropertySlot slot;
+ PropertySlot slot(thisObject);
// silently ignore attempts to add accessors aliasing vars.
if (descriptor.isAccessorDescriptor() && symbolTableGet(thisObject, propertyName, slot))
return false;
Modified: trunk/Source/_javascript_Core/runtime/JSGlobalObject.h (153672 => 153673)
--- trunk/Source/_javascript_Core/runtime/JSGlobalObject.h 2013-08-02 22:11:07 UTC (rev 153672)
+++ trunk/Source/_javascript_Core/runtime/JSGlobalObject.h 2013-08-02 22:30:48 UTC (rev 153673)
@@ -459,7 +459,7 @@
inline bool JSGlobalObject::hasOwnPropertyForWrite(ExecState* exec, PropertyName propertyName)
{
- PropertySlot slot;
+ PropertySlot slot(this);
if (Base::getOwnPropertySlot(this, exec, propertyName, slot))
return true;
bool slotIsWriteable;
Modified: trunk/Source/_javascript_Core/runtime/JSNameScope.cpp (153672 => 153673)
--- trunk/Source/_javascript_Core/runtime/JSNameScope.cpp 2013-08-02 22:11:07 UTC (rev 153672)
+++ trunk/Source/_javascript_Core/runtime/JSNameScope.cpp 2013-08-02 22:30:48 UTC (rev 153673)
@@ -61,7 +61,7 @@
// (a) is unlikely, and (b) is an error.
// Also with a single entry the symbol table lookup should simply be
// a pointer compare.
- PropertySlot slot;
+ PropertySlot slot(thisObject);
bool isWritable = true;
symbolTableGet(thisObject, propertyName, slot, isWritable);
if (!isWritable) {
Modified: trunk/Source/_javascript_Core/runtime/JSONObject.cpp (153672 => 153673)
--- trunk/Source/_javascript_Core/runtime/JSONObject.cpp 2013-08-02 22:11:07 UTC (rev 153672)
+++ trunk/Source/_javascript_Core/runtime/JSONObject.cpp 2013-08-02 22:30:48 UTC (rev 153673)
@@ -515,11 +515,12 @@
value = asArray(m_object.get())->getIndexQuickly(index);
else {
PropertySlot slot(m_object.get());
- if (!m_object->methodTable()->getOwnPropertySlotByIndex(m_object.get(), exec, index, slot))
- slot.setUndefined();
- if (exec->hadException())
- return false;
- value = slot.getValue(exec, index);
+ if (m_object->methodTable()->getOwnPropertySlotByIndex(m_object.get(), exec, index, slot)) {
+ value = slot.getValue(exec, index);
+ if (exec->hadException())
+ return false;
+ } else
+ value = jsUndefined();
}
// Append the separator string.
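Review bot: The restructured branch drops the `exec->hadException()` check on the path where `getOwnPropertySlotByIndex` returns false: the removed code tested for an exception regardless of the lookup result, while the new `else` branch assigns `jsUndefined()` and continues, so if that lookup can throw for this object (a host or otherwise exotic object — not determinable from the hunk) the stringifier keeps running with an exception pending. The new check after `slot.getValue(exec, index)` is an improvement and should stay; add a check directly after the lookup so both branches are covered. The enclosing appendNextProperty starts and ends outside the hunk.
```cpp
PropertySlot slot(m_object.get());
bool hasProperty = m_object->methodTable()->getOwnPropertySlotByIndex(m_object.get(), exec, index, slot);
if (exec->hadException())
    return false;
value = hasProperty ? slot.getValue(exec, index) : jsUndefined();
if (exec->hadException())
    return false;
// … unchanged: separator append …
```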
@@ -670,7 +671,7 @@
if (isJSArray(array) && array->canGetIndexQuickly(index))
inValue = array->getIndexQuickly(index);
else {
- PropertySlot slot;
+ PropertySlot slot(array);
if (array->methodTable()->getOwnPropertySlotByIndex(array, m_exec, index, slot))
inValue = slot.getValue(m_exec, index);
else
@@ -722,7 +723,7 @@
propertyStack.removeLast();
break;
}
- PropertySlot slot;
+ PropertySlot slot(object);
if (object->methodTable()->getOwnPropertySlot(object, m_exec, properties[index], slot))
inValue = slot.getValue(m_exec, properties[index]);
else
Modified: trunk/Source/_javascript_Core/runtime/JSObject.cpp (153672 => 153673)
--- trunk/Source/_javascript_Core/runtime/JSObject.cpp 2013-08-02 22:11:07 UTC (rev 153672)
+++ trunk/Source/_javascript_Core/runtime/JSObject.cpp 2013-08-02 22:30:48 UTC (rev 153673)
@@ -1203,13 +1203,13 @@
bool JSObject::hasProperty(ExecState* exec, PropertyName propertyName) const
{
- PropertySlot slot;
+ PropertySlot slot(this);
return const_cast<JSObject*>(this)->getPropertySlot(exec, propertyName, slot);
}
bool JSObject::hasProperty(ExecState* exec, unsigned propertyName) const
{
- PropertySlot slot;
+ PropertySlot slot(this);
return const_cast<JSObject*>(this)->getPropertySlot(exec, propertyName, slot);
}
@@ -1248,7 +1248,7 @@
bool JSObject::hasOwnProperty(ExecState* exec, PropertyName propertyName) const
{
- PropertySlot slot;
+ PropertySlot slot(this);
return const_cast<JSObject*>(this)->methodTable()->getOwnPropertySlot(const_cast<JSObject*>(this), exec, propertyName, slot);
}
@@ -1589,7 +1589,7 @@
const HashTable* hashTable = info->propHashTable(globalObject()->globalExec());
if (!hashTable)
continue;
- PropertySlot slot;
+ PropertySlot slot(this);
for (HashTable::ConstIterator iter = hashTable->begin(vm); iter != hashTable->end(vm); ++iter) {
if (iter->attributes() & Function)
setUpStaticFunctionSlot(globalObject()->globalExec(), *iter, this, Identifier(&vm, iter->key()), slot);
Modified: trunk/Source/_javascript_Core/runtime/Lookup.h (153672 => 153673)
--- trunk/Source/_javascript_Core/runtime/Lookup.h 2013-08-02 22:11:07 UTC (rev 153672)
+++ trunk/Source/_javascript_Core/runtime/Lookup.h 2013-08-02 22:30:48 UTC (rev 153673)
@@ -263,7 +263,7 @@
if (!entry) // not found, forward to parent
return ParentImp::getOwnPropertyDescriptor(thisObj, exec, propertyName, descriptor);
- PropertySlot slot;
+ PropertySlot slot(thisObj);
if (entry->attributes() & Function) {
bool present = setUpStaticFunctionSlot(exec, entry, thisObj, propertyName, slot);
if (present)
@@ -309,7 +309,7 @@
if (!entry)
return false;
- PropertySlot slot;
+ PropertySlot slot(thisObj);
bool present = setUpStaticFunctionSlot(exec, entry, thisObj, propertyName, slot);
if (present)
descriptor.setDescriptor(slot.getValue(exec, propertyName), entry->attributes());
@@ -347,7 +347,7 @@
return ParentImp::getOwnPropertyDescriptor(thisObj, exec, propertyName, descriptor);
ASSERT(!(entry->attributes() & Function));
- PropertySlot slot;
+ PropertySlot slot(thisObj);
slot.setCustom(thisObj, entry->propertyGetter());
descriptor.setDescriptor(slot.getValue(exec, propertyName), entry->attributes());
return true;
Modified: trunk/Source/_javascript_Core/runtime/ObjectConstructor.cpp (153672 => 153673)
--- trunk/Source/_javascript_Core/runtime/ObjectConstructor.cpp 2013-08-02 22:11:07 UTC (rev 153672)
+++ trunk/Source/_javascript_Core/runtime/ObjectConstructor.cpp 2013-08-02 22:30:48 UTC (rev 153673)
@@ -315,7 +315,6 @@
Vector<PropertyDescriptor> descriptors;
MarkedArgumentBuffer markBuffer;
for (size_t i = 0; i < numProperties; i++) {
- PropertySlot slot;
JSValue prop = properties->get(exec, propertyNames[i]);
if (exec->hadException())
return jsNull();
Modified: trunk/Source/_javascript_Core/runtime/PropertySlot.h (153672 => 153673)
--- trunk/Source/_javascript_Core/runtime/PropertySlot.h 2013-08-02 22:11:07 UTC (rev 153672)
+++ trunk/Source/_javascript_Core/runtime/PropertySlot.h 2013-08-02 22:30:48 UTC (rev 153673)
@@ -43,12 +43,6 @@
};
public:
- PropertySlot()
- : m_propertyType(TypeUnset)
- , m_offset(invalidOffset)
- {
- }
-
explicit PropertySlot(const JSValue thisValue)
: m_propertyType(TypeUnset)
, m_offset(invalidOffset)