JSObject::getOwnNonIndexPropertyNames calculates numCacheableSlots incorrectly (2/2)

https://bugs.webkit.org/show_bug.cgi?id=114235

Reviewed by Filip Pizlo.

If the object doesn't have any properties but the prototype does, we'll assume those prototype properties are
accessible in the base object's backing store, which is bad.

Source/JavaScriptCore:

* runtime/JSObject.cpp:
(JSC::JSObject::getPropertyNames):
(JSC::JSObject::getOwnNonIndexPropertyNames):
* runtime/PropertyNameArray.h:
(JSC::PropertyNameArray::PropertyNameArray):
(JSC::PropertyNameArray::setNumCacheableSlotsForObject):
(JSC::PropertyNameArray::setBaseObject):
(PropertyNameArray):

Change-Id: If61b609438fa1d62364bac556af635413198d8ad
git-svn-id: http://svn.webkit.org/repository/webkit/trunk@148142 268f45cc-cd09-0410-ab3c-d52691b4dbfc
Reviewed-by: Jocelyn Turcotte <jocelyn.turcotte@digia.com>

1 files changed, 2 insertions, 1 deletions

diff --git a/Source/JavaScriptCore/runtime/JSObject.cpp b/Source/JavaScriptCore/runtime/JSObject.cpp
index 290a3ab16..e6f95bdfa 100644
--- a/Source/JavaScriptCore/runtime/JSObject.cpp
+++ b/Source/JavaScriptCore/runtime/JSObject.cpp
@@ -1423,6 +1423,7 @@ bool JSObject::getPropertySpecificValue(ExecState* exec, PropertyName propertyNa
 
 void JSObject::getPropertyNames(JSObject* object, ExecState* exec, PropertyNameArray& propertyNames, EnumerationMode mode)
 {
+    propertyNames.setBaseObject(object);
     object->methodTable()->getOwnPropertyNames(object, exec, propertyNames, mode);
 
     if (object->prototype().isNull())
@@ -1518,7 +1519,7 @@ void JSObject::getOwnNonIndexPropertyNames(JSObject* object, ExecState* exec, Pr
     object->structure()->getPropertyNamesFromStructure(exec->globalData(), propertyNames, mode);
 
     if (canCachePropertiesFromStructure)
-        propertyNames.setNumCacheableSlots(propertyNames.size());
+        propertyNames.setNumCacheableSlotsForObject(object, propertyNames.size());
 }
 
 double JSObject::toNumber(ExecState* exec) const