Title: [198080] trunk/Source/_javascript_Core
Revision
198080
Author
[email protected]
Date
2016-03-13 08:46:50 -0700 (Sun, 13 Mar 2016)

Log Message

http://kangax.github.io/compat-table/esnext/ crashes reliably.
https://bugs.webkit.org/show_bug.cgi?id=155404

Reviewed by Yusuke Suzuki.

constructObjectFromPropertyDescriptor() was incorrectly assuming that either
both getter and setter will be set or unset.  It did not consider that only one
of the getter or setter may be set.  This patch fixes that.

* runtime/ObjectConstructor.h:
(JSC::constructObjectFromPropertyDescriptor):
* tests/stress/proxy-with-unbalanced-getter-setter.js: Added.
(assert):
(let.handler.defineProperty):
(i.):
(i.assert):
(i.get assert):
(set assert):

Modified Paths

Added Paths

Diff

Modified: trunk/Source/_javascript_Core/ChangeLog (198079 => 198080)


--- trunk/Source/_javascript_Core/ChangeLog	2016-03-13 14:46:35 UTC (rev 198079)
+++ trunk/Source/_javascript_Core/ChangeLog	2016-03-13 15:46:50 UTC (rev 198080)
@@ -1,3 +1,24 @@
+2016-03-12  Mark Lam  <[email protected]>
+
+        http://kangax.github.io/compat-table/esnext/ crashes reliably.
+        https://bugs.webkit.org/show_bug.cgi?id=155404
+
+        Reviewed by Yusuke Suzuki.
+
+        constructObjectFromPropertyDescriptor() was incorrectly assuming that either
+        both getter and setter will be set or unset.  It did not consider that only one
+        of the getter or setter may be set.  This patch fixes that.
+
+        * runtime/ObjectConstructor.h:
+        (JSC::constructObjectFromPropertyDescriptor):
+        * tests/stress/proxy-with-unbalanced-getter-setter.js: Added.
+        (assert):
+        (let.handler.defineProperty):
+        (i.):
+        (i.assert):
+        (i.get assert):
+        (set assert):
+
 2016-03-12  Brian Burg  <[email protected]>
 
         When generating Objective-C protocol types, getters for objects need to synthesize a new object instance

Modified: trunk/Source/_javascript_Core/runtime/ObjectConstructor.h (198079 => 198080)


--- trunk/Source/_javascript_Core/runtime/ObjectConstructor.h	2016-03-13 14:46:35 UTC (rev 198079)
+++ trunk/Source/_javascript_Core/runtime/ObjectConstructor.h	2016-03-13 15:46:50 UTC (rev 198080)
@@ -104,10 +104,11 @@
         description->putDirect(vm, vm.propertyNames->value, descriptor.value() ? descriptor.value() : jsUndefined(), 0);
         description->putDirect(vm, vm.propertyNames->writable, jsBoolean(descriptor.writable()), 0);
     } else {
-        ASSERT(descriptor.getter());
-        ASSERT(descriptor.setter());
-        description->putDirect(vm, vm.propertyNames->get, descriptor.getter(), 0);
-        description->putDirect(vm, vm.propertyNames->set, descriptor.setter(), 0);
+        ASSERT(descriptor.getter() || descriptor.setter());
+        if (descriptor.getter())
+            description->putDirect(vm, vm.propertyNames->get, descriptor.getter(), 0);
+        if (descriptor.setter())
+            description->putDirect(vm, vm.propertyNames->set, descriptor.setter(), 0);
     }
     
     description->putDirect(vm, vm.propertyNames->enumerable, jsBoolean(descriptor.enumerable()), 0);
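Review bot: The remaining `ASSERT(descriptor.getter() || descriptor.setter())` in the else branch depends on a branch condition that lies outside this hunk, and nothing visible here documents that invariant. ASSERT is compiled out of release builds, which is presumably why the old pair of assertions let an unset getter or setter reach `putDirect` on a path that page script can drive through a Proxy `defineProperty` trap; the new `if` guards are what actually protect release builds. I would add a comment above the assertion such as `// An accessor descriptor may carry only a getter or only a setter; emit just the fields that are present.` It is also worth confirming that a generic descriptor (no value/writable and no get/set) cannot reach this branch, since that would trip the assertion in debug builds only. The function body starts and ends outside the hunk.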

Added: trunk/Source/_javascript_Core/tests/stress/proxy-with-unbalanced-getter-setter.js (0 => 198080)


--- trunk/Source/_javascript_Core/tests/stress/proxy-with-unbalanced-getter-setter.js	                        (rev 0)
+++ trunk/Source/_javascript_Core/tests/stress/proxy-with-unbalanced-getter-setter.js	2016-03-13 15:46:50 UTC (rev 198080)
@@ -0,0 +1,70 @@
+function assert(b) {
+    if (!b)
+        throw new Error("Bad assertion.");
+}
+
+// Setting the getter only.  
+(function () {
+    let target = {};
+    let called = false;
+    let handler = {
+        defineProperty: function(theTarget, propName, descriptor) {
+            called = true;
+            return Reflect.defineProperty(theTarget, propName, descriptor);
+        }
+    };
+
+    let proxy = new Proxy(target, handler);
+    for (let i = 0; i < 500; i++) {
+        let result = Reflect.defineProperty(proxy, "x", {
+            enumerable: true,
+            configurable: true,
+            get: function(){},
+        });
+        assert(result);
+        assert(called);
+        called = false;
+
+        for (let obj of [target, proxy]) {
+            let pDesc = Object.getOwnPropertyDescriptor(obj, "x");
+            assert(typeof pDesc.get === "function");
+            assert(typeof pDesc.set === "undefined");
+            assert(pDesc.get.toString() === (function(){}).toString());
+            assert(pDesc.configurable === true);
+            assert(pDesc.enumerable === true);
+        }
+    }
+})();
+
+// Setting the setter only.  
+(function () {
+    let target = {};
+    let called = false;
+    let handler = {
+        defineProperty: function(theTarget, propName, descriptor) {
+            called = true;
+            return Reflect.defineProperty(theTarget, propName, descriptor);
+        }
+    };
+
+    let proxy = new Proxy(target, handler);
+    for (let i = 0; i < 500; i++) {
+        let result = Reflect.defineProperty(proxy, "x", {
+            enumerable: true,
+            configurable: true,
+            set: function(x){},
+        });
+        assert(result);
+        assert(called);
+        called = false;
+
+        for (let obj of [target, proxy]) {
+            let pDesc = Object.getOwnPropertyDescriptor(obj, "x");
+            assert(typeof pDesc.get === "undefined");
+            assert(typeof pDesc.set === "function");
+            assert(pDesc.set.toString() === (function(x){}).toString());
+            assert(pDesc.configurable === true);
+            assert(pDesc.enumerable === true);
+        }
+    }
+})();
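Review bot: Both loops check only the descriptor read back with `Object.getOwnPropertyDescriptor`, where an absent accessor and an explicitly `undefined` one look the same, so the test does not pin the shape of the `descriptor` object handed to the `defineProperty` trap. That object is presumably the one built by the patched function, so asserting inside the handlers would tie the test directly to the fix: `assert(!("set" in descriptor));` in the getter-only handler and `assert(!("get" in descriptor));` in the setter-only one. A third case that supplies both `get` and `set` would keep the previously working path covered as well.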