Modified: releases/WebKitGTK/webkit-2.10/LayoutTests/ChangeLog (195193 => 195194)
--- releases/WebKitGTK/webkit-2.10/LayoutTests/ChangeLog 2016-01-18 10:42:17 UTC (rev 195193)
+++ releases/WebKitGTK/webkit-2.10/LayoutTests/ChangeLog 2016-01-18 10:57:12 UTC (rev 195194)
@@ -1,3 +1,14 @@
+2015-12-23 Pranjal Jumde <[email protected]>
+
+ Test to check for stack recursion when indexed propertyNames defined using Object.defineProperty are deleted.
+ https://bugs.webkit.org/show_bug.cgi?id=149179
+ <rdar://problem/22708019>.
+
+ Reviewed by Filip Pizlo.
+
+ * storage/domstorage/localstorage/delete-defineproperty-removal-expected.txt: Added.
+ * storage/domstorage/localstorage/delete-defineproperty-removal.html: Added.
+
2016-01-04 Sergio Villar Senin <[email protected]>
REGRESSION(r194143): Float width incorrectly calculated on Wikipedia
Added: releases/WebKitGTK/webkit-2.10/LayoutTests/storage/domstorage/localstorage/delete-defineproperty-removal-expected.txt (0 => 195194)
--- releases/WebKitGTK/webkit-2.10/LayoutTests/storage/domstorage/localstorage/delete-defineproperty-removal-expected.txt (rev 0)
+++ releases/WebKitGTK/webkit-2.10/LayoutTests/storage/domstorage/localstorage/delete-defineproperty-removal-expected.txt 2016-01-18 10:57:12 UTC (rev 195194)
@@ -0,0 +1,9 @@
+CONSOLE MESSAGE: line 12: constructor,length
+CONSOLE MESSAGE: line 15: 1,constructor,length
+CONSOLE MESSAGE: line 18: 1,constructor,length
+CONSOLE MESSAGE: line 21: 1,2,constructor,length
+CONSOLE MESSAGE: line 24: 1,constructor,length
+CONSOLE MESSAGE: line 27: 1,constructor,length,Test
+CONSOLE MESSAGE: line 30: 1,constructor,length
+CONSOLE MESSAGE: line 33: 1,constructor,length,Test1
+CONSOLE MESSAGE: line 36: 1,constructor,length,Test1
Added: releases/WebKitGTK/webkit-2.10/LayoutTests/storage/domstorage/localstorage/delete-defineproperty-removal.html (0 => 195194)
--- releases/WebKitGTK/webkit-2.10/LayoutTests/storage/domstorage/localstorage/delete-defineproperty-removal.html (rev 0)
+++ releases/WebKitGTK/webkit-2.10/LayoutTests/storage/domstorage/localstorage/delete-defineproperty-removal.html 2016-01-18 10:57:12 UTC (rev 195194)
@@ -0,0 +1,41 @@
+<script>
+function runTest() {
+ if (window.testRunner)
+ testRunner.dumpAsText();
+
+ if (!window.localStorage) {
+ console.log("window.localStorage DOES NOT exist");
+ return;
+ }
+
+ localStorage.clear();
+ console.log(Object.getOwnPropertyNames(localStorage));
+
+ Object.defineProperty(localStorage, "1", {value: "present"});
+ console.log(Object.getOwnPropertyNames(localStorage));
+
+ delete localStorage[1];
+ console.log(Object.getOwnPropertyNames(localStorage));
+
+ Object.defineProperty(localStorage, "2", {value: "present", configurable: true});
+ console.log(Object.getOwnPropertyNames(localStorage));
+
+ delete localStorage[2];
+ console.log(Object.getOwnPropertyNames(localStorage));
+
+ Object.defineProperty(localStorage, "Test", {value: "present", configurable: true});
+ console.log(Object.getOwnPropertyNames(localStorage));
+
+ delete localStorage["Test"];
+ console.log(Object.getOwnPropertyNames(localStorage));
+
+ Object.defineProperty(localStorage, "Test1", {value: "present"});
+ console.log(Object.getOwnPropertyNames(localStorage));
+
+ delete localStorage["Test1"];
+ console.log(Object.getOwnPropertyNames(localStorage));
+
+}
+</script>
+<body _onload_="runTest();">
+</body>
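Review bot: The test file carries no statement of what it guards against, so a reader of the nine `console.log` lines cannot tell that the point is "no stack recursion / crash on delete" rather than the exact property lists; an HTML comment (which does not alter the dumpAsText output) would fix that: `<!-- Regression test for https://bugs.webkit.org/show_bug.cgi?id=149179: deleting indexed own properties defined via Object.defineProperty on localStorage must not recurse between deleteProperty and deletePropertyByIndex. Passes if the test completes and the logged own-property lists match. -->`. It may also be worth saying in that comment that `"1"` and `"Test1"` are defined non-configurable, so their `delete` is expected to be a silent no-op and they remain in the later lists. The body tag reads `_onload_` here; if that is literal in the committed file rather than a Trac rendering of `onload`, `runTest` never fires and the expected output can never be produced — confirm against the repository.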
Modified: releases/WebKitGTK/webkit-2.10/Source/WebCore/ChangeLog (195193 => 195194)
--- releases/WebKitGTK/webkit-2.10/Source/WebCore/ChangeLog 2016-01-18 10:42:17 UTC (rev 195193)
+++ releases/WebKitGTK/webkit-2.10/Source/WebCore/ChangeLog 2016-01-18 10:57:12 UTC (rev 195194)
@@ -1,3 +1,14 @@
+2015-12-23 Pranjal Jumde <[email protected]>
+
+ Avoids stack recursion when indexed propertyNames defined using Object.defineProperty are deleted.
+ https://bugs.webkit.org/show_bug.cgi?id=149179
+ <rdar://problem/22708019>.
+
+ Reviewed by Filip Pizlo.
+
+ * runtime/JSObject.cpp:
+ (JSStorage::deletePropertyByIndex was invoking Base::deleteProperty for indexed propertyNames instead of Base::deletePropertyByIndex leading to a stack recursion)
+
2015-12-20 Michael Catanzaro <[email protected]>
[SOUP] Performs DNS prefetch when a proxy is configured (information leak)
Modified: releases/WebKitGTK/webkit-2.10/Source/WebCore/bindings/js/JSStorageCustom.cpp (195193 => 195194)
--- releases/WebKitGTK/webkit-2.10/Source/WebCore/bindings/js/JSStorageCustom.cpp 2016-01-18 10:42:17 UTC (rev 195193)
+++ releases/WebKitGTK/webkit-2.10/Source/WebCore/bindings/js/JSStorageCustom.cpp 2016-01-18 10:57:12 UTC (rev 195194)
@@ -70,9 +70,11 @@
// Since hasProperty() would end up calling canGetItemsForName() and be fooled, we need to check
// the native property slots manually.
PropertySlot slot(thisObject);
- if (getStaticValueSlot<JSStorage, Base>(exec, *s_info.staticPropHashTable, thisObject, propertyName, slot))
+ if (getStaticValueSlot<JSStorage, Base>(exec, *s_info.staticPropHashTable, thisObject, propertyName, slot)) {
+ if (Optional<uint32_t> index = parseIndex(propertyName))
+ return Base::deletePropertyByIndex(thisObject, exec, index.value());
return Base::deleteProperty(thisObject, exec, propertyName);
-
+ }
JSValue prototype = thisObject->prototype();
if (prototype.isObject() && asObject(prototype)->getPropertySlot(exec, propertyName, slot))
return Base::deleteProperty(thisObject, exec, propertyName);
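Review bot: The prototype branch at the end of the hunk still hands an index-shaped name to `Base::deleteProperty(thisObject, exec, propertyName)`, which per the ChangeLog is the dispatch that re-enters `JSStorage::deletePropertyByIndex` and caused the recursion, so an indexed property defined on `Storage.prototype` (e.g. `Object.defineProperty(Storage.prototype, "5", {value: 1, configurable: true}); delete localStorage[5];`) would presumably still loop through that branch. The new `parseIndex` guard should be applied there too: `if (Optional<uint32_t> index = parseIndex(propertyName)) return Base::deletePropertyByIndex(thisObject, exec, index.value());` ahead of that return, mirroring the static-slot branch above it. The body of `JSStorage::deleteProperty` starts before and continues past this hunk. Separately, the WebCore ChangeLog entry names `runtime/JSObject.cpp`, but the file this diff actually touches is `bindings/js/JSStorageCustom.cpp`.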
@@ -88,6 +90,10 @@
bool JSStorage::deletePropertyByIndex(JSCell* cell, ExecState* exec, unsigned propertyName)
{
+ JSStorage* thisObject = jsCast<JSStorage*>(cell);
+ PropertySlot slot(thisObject);
+ if (getStaticValueSlot<JSStorage, Base>(exec, *s_info.staticPropHashTable, thisObject, Identifier::from(exec, propertyName), slot))
+ return Base::deletePropertyByIndex(thisObject, exec, propertyName);
return deleteProperty(cell, exec, Identifier::from(exec, propertyName));
}