get_by_pname can become confused when iterating over objects with static properties

https://bugs.webkit.org/show_bug.cgi?id=113831 Reviewed by Geoffrey Garen. get_by_pname doesn't take static properties into account when using a JSPropertyNameIterator to directly access an object's backing store. One way to fix this is to not cache any properties when iterating over objects with static properties. This patch fixes the bug that was originally reported on swisscom.ch. Source/JavaScriptCore: * runtime/JSObject.cpp: (JSC::JSObject::getOwnNonIndexPropertyNames): * runtime/JSPropertyNameIterator.cpp: (JSC::JSPropertyNameIterator::create): * runtime/PropertyNameArray.h: (JSC::PropertyNameArray::PropertyNameArray): (JSC::PropertyNameArray::numCacheableSlots): (JSC::PropertyNameArray::setNumCacheableSlots): (PropertyNameArray): Change-Id: I7ae9c48eea3c5300c4825a10a660b0e2210c8862 git-svn-id: http://svn.webkit.org/repository/webkit/trunk@147570 268f45cc-cd09-0410-ab3c-d52691b4dbfc Reviewed-by: Jocelyn Turcotte <jocelyn.turcotte@digia.com>
author: Mark Hahnenberg <mhahnenberg@apple.com> 2013-06-19 11:43:08 +0200
committer: The Qt Project <gerrit-noreply@qt-project.org> 2013-07-01 16:22:27 +0200
commit: ad2752807b14cf3602367b56494870a4801ba5da (patch)
tree: 11e05d21121e2fae104c32145df5750d8f9da83a /Source/JavaScriptCore/runtime/PropertyNameArray.h
parent: d37f7df3c6153b8984b17ecf0265d5d54b0ab180 (diff)
download: qtwebkit-ad2752807b14cf3602367b56494870a4801ba5da.tar.gz
1 files changed, 6 insertions, 0 deletions
diff --git a/Source/JavaScriptCore/runtime/PropertyNameArray.h b/Source/JavaScriptCore/runtime/PropertyNameArray.h
index 89b1af00b..30f439bb2 100644
--- a/Source/JavaScriptCore/runtime/PropertyNameArray.h
+++ b/Source/JavaScriptCore/runtime/PropertyNameArray.h
@@ -55,12 +55,14 @@ namespace JSC {
         PropertyNameArray(JSGlobalData* globalData)
             : m_data(PropertyNameArrayData::create())
             , m_globalData(globalData)
+            , m_numCacheableSlots(0)
         {
         }
 
         PropertyNameArray(ExecState* exec)
             : m_data(PropertyNameArrayData::create())
             , m_globalData(&exec->globalData())
+            , m_numCacheableSlots(0)
         {
         }
 
@@ -83,12 +85,16 @@ namespace JSC {
         const_iterator begin() const { return m_data->propertyNameVector().begin(); }
         const_iterator end() const { return m_data->propertyNameVector().end(); }
 
+        size_t numCacheableSlots() const { return m_numCacheableSlots; }
+        void setNumCacheableSlots(size_t numCacheableSlots) { m_numCacheableSlots = numCacheableSlots; }
+
     private:
         typedef HashSet<StringImpl*, PtrHash<StringImpl*> > IdentifierSet;
 
         RefPtr<PropertyNameArrayData> m_data;
         IdentifierSet m_set;
         JSGlobalData* m_globalData;
+        size_t m_numCacheableSlots;
     };
 
 } // namespace JSC
author	Mark Hahnenberg <mhahnenberg@apple.com>	2013-06-19 11:43:08 +0200
committer	The Qt Project <gerrit-noreply@qt-project.org>	2013-07-01 16:22:27 +0200
commit	ad2752807b14cf3602367b56494870a4801ba5da (patch)
tree	11e05d21121e2fae104c32145df5750d8f9da83a /Source/JavaScriptCore/runtime/PropertyNameArray.h
parent	d37f7df3c6153b8984b17ecf0265d5d54b0ab180 (diff)
download	qtwebkit-ad2752807b14cf3602367b56494870a4801ba5da.tar.gz