Title: [196051] trunk/Source/JavaScriptCore
- Revision: 196051
- Author: [email protected]
- Date: 2016-02-02 22:34:06 -0800 (Tue, 02 Feb 2016)
Log Message
JSSymbolTableObject::deleteProperty() crashes deleting Symbols
https://bugs.webkit.org/show_bug.cgi?id=153816
Patch by Caitlin Potter <[email protected]> on 2016-02-02
Reviewed by Darin Adler.
Changes JSSymbolTableObject::deleteProperty() to check if its
symbolTable() contains the property's uid() rather than publicName().
This ensures that it will not crash in the case of Symbols.
* runtime/JSSymbolTableObject.cpp:
(JSC::JSSymbolTableObject::deleteProperty):
* tests/es6/Object_static_methods_Object.getOwnPropertyDescriptors.js:
(testGlobalProxy):
* tests/stress/regress-153816.js: Added.
(deleteSymbolFromJSSymbolTableObject):
Diff
Modified: trunk/Source/_javascript_Core/ChangeLog (196050 => 196051)
--- trunk/Source/_javascript_Core/ChangeLog 2016-02-03 06:31:02 UTC (rev 196050)
+++ trunk/Source/_javascript_Core/ChangeLog 2016-02-03 06:34:06 UTC (rev 196051)
@@ -1,3 +1,21 @@
+2016-02-02 Caitlin Potter <[email protected]>
+
+ JSSymbolTableObject::deleteProperty() crashes deleting Symbols
+ https://bugs.webkit.org/show_bug.cgi?id=153816
+
+ Reviewed by Darin Adler.
+
+ Changes JSSymbolTableObject::deleteProperty() to check if its
+ symbolTable() contains the property's uid() rather than publicName().
+ This ensures that it will not crash in the case of Symbols.
+
+ * runtime/JSSymbolTableObject.cpp:
+ (JSC::JSSymbolTableObject::deleteProperty):
+ * tests/es6/Object_static_methods_Object.getOwnPropertyDescriptors.js:
+ (testGlobalProxy):
+ * tests/stress/regress-153816.js: Added.
+ (deleteSymbolFromJSSymbolTableObject):
+
2016-02-02 Benjamin Poulain <[email protected]>
[JSC] Do not copy FP when lowering FramePointer
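Review bot: the entry's last sentence, "This ensures that it will not crash in the case of Symbols", states the outcome but not the cause. Say what publicName() yields for a Symbol-keyed PropertyName and why handing that to symbolTable()->contains() crashes, so that someone auditing other publicName() call sites can tell from the ChangeLog whether they are affected.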
Modified: trunk/Source/_javascript_Core/runtime/JSSymbolTableObject.cpp (196050 => 196051)
--- trunk/Source/_javascript_Core/runtime/JSSymbolTableObject.cpp 2016-02-03 06:31:02 UTC (rev 196050)
+++ trunk/Source/_javascript_Core/runtime/JSSymbolTableObject.cpp 2016-02-03 06:34:06 UTC (rev 196051)
@@ -47,7 +47,7 @@
bool JSSymbolTableObject::deleteProperty(JSCell* cell, ExecState* exec, PropertyName propertyName)
{
JSSymbolTableObject* thisObject = jsCast<JSSymbolTableObject*>(cell);
- if (thisObject->symbolTable()->contains(propertyName.publicName()))
+ if (thisObject->symbolTable()->contains(propertyName.uid()))
return false;
return JSObject::deleteProperty(thisObject, exec, propertyName);
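Review bot: the changed `contains(propertyName.uid())` line has no comment explaining why uid() is required instead of publicName(), so a later cleanup could revert it without noticing the Symbol case. Add a one-line comment saying the lookup must also work for Symbol property names. The hunk touches only deleteProperty(); any other symbol-table lookup in this class that still keys on publicName() should be checked for the same crash, either here or in a follow-up.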
Modified: trunk/Source/_javascript_Core/tests/es6/Object_static_methods_Object.getOwnPropertyDescriptors.js (196050 => 196051)
--- trunk/Source/_javascript_Core/tests/es6/Object_static_methods_Object.getOwnPropertyDescriptors.js 2016-02-03 06:31:02 UTC (rev 196050)
+++ trunk/Source/_javascript_Core/tests/es6/Object_static_methods_Object.getOwnPropertyDescriptors.js 2016-02-03 06:34:06 UTC (rev 196051)
@@ -89,6 +89,5 @@
var result = Object.getOwnPropertyDescriptors(global);
shouldBeDataProperty(result[symbol], 'Symbol(test)', 'global[Symbol(test)]');
- // FIXME: Can't delete Symbol properties from a JSSymbolTableObject.
- // delete global[symbol];
+ delete global[symbol];
})(this);
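Review bot: the re-enabled `delete global[symbol];` is not followed by any assertion, so this test only proves the delete no longer crashes, not that the property was actually removed. Check the result after the delete, for example by asserting that `symbol in global` is false, so a regression that silently returns false from deleteProperty() is caught here too.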
Added: trunk/Source/_javascript_Core/tests/stress/regress-153816.js (0 => 196051)
--- trunk/Source/_javascript_Core/tests/stress/regress-153816.js (rev 0)
+++ trunk/Source/_javascript_Core/tests/stress/regress-153816.js 2016-02-03 06:34:06 UTC (rev 196051)
@@ -0,0 +1,11 @@
+(function deleteSymbolFromJSSymbolTableObject(globalProxy) {
+ var symbolProperty = Symbol("test");
+
+ globalProxy[symbolProperty] = symbolProperty;
+ if (globalProxy[symbolProperty] !== symbolProperty)
+ throw new Error("bad value: " + String(globalProxy[symbolProperty]));
+
+ delete globalProxy[symbolProperty];
+ if (symbolProperty in globalProxy)
+ throw new Error("bad value: " + String(globalProxy[symbolProperty]));
+})(this);
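Review bot: both throws use the same "bad value: " message, and the one after `delete globalProxy[symbolProperty];` fires when the property is still present, which is not a bad value. Give the second check its own message (for example that the Symbol property was not deleted) so a failure identifies which step broke. The return value of the `delete` expression is also discarded; asserting that it is true would cover the deleteProperty() return path directly rather than only through the later `in` check.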