From ad2752807b14cf3602367b56494870a4801ba5da Mon Sep 17 00:00:00 2001
From: Mark Hahnenberg
Date: Wed, 19 Jun 2013 11:43:08 +0200
Subject: get_by_pname can become confused when iterating over objects with static properties
https://bugs.webkit.org/show_bug.cgi?id=113831
Reviewed by Geoffrey Garen.
get_by_pname doesn't take static properties into account when using a JSPropertyNameIterator to directly access an object's backing store. One way to fix this is to not cache any properties when iterating over objects with static properties. This patch fixes the bug that was originally reported on swisscom.ch.
Source/JavaScriptCore:
* runtime/JSObject.cpp:
(JSC::JSObject::getOwnNonIndexPropertyNames):
* runtime/JSPropertyNameIterator.cpp:
(JSC::JSPropertyNameIterator::create):
* runtime/PropertyNameArray.h:
(JSC::PropertyNameArray::PropertyNameArray):
(JSC::PropertyNameArray::numCacheableSlots):
(JSC::PropertyNameArray::setNumCacheableSlots):
(PropertyNameArray):
Change-Id: I7ae9c48eea3c5300c4825a10a660b0e2210c8862
git-svn-id: http://svn.webkit.org/repository/webkit/trunk@147570 268f45cc-cd09-0410-ab3c-d52691b4dbfc
Reviewed-by: Jocelyn Turcotte
---
Source/JavaScriptCore/runtime/PropertyNameArray.h | 6 ++++++
1 file changed, 6 insertions(+)
(limited to 'Source/JavaScriptCore/runtime/PropertyNameArray.h')
diff --git a/Source/JavaScriptCore/runtime/PropertyNameArray.h b/Source/JavaScriptCore/runtime/PropertyNameArray.h
index 89b1af00b..30f439bb2 100644
--- a/Source/JavaScriptCore/runtime/PropertyNameArray.h
+++ b/Source/JavaScriptCore/runtime/PropertyNameArray.h
@@ -55,12 +55,14 @@ namespace JSC { PropertyNameArray(JSGlobalData* globalData) : m_data(PropertyNameArrayData::create()) , m_globalData(globalData) + , m_numCacheableSlots(0) { } PropertyNameArray(ExecState* exec) : m_data(PropertyNameArrayData::create()) , m_globalData(&exec->globalData()) + , m_numCacheableSlots(0) { }
@@ -83,12 +85,16 @@ namespace JSC { const_iterator begin() const { return m_data->propertyNameVector().begin(); } const_iterator end() const { return m_data->propertyNameVector().end(); } + size_t numCacheableSlots() const { return m_numCacheableSlots; } + void setNumCacheableSlots(size_t numCacheableSlots) { m_numCacheableSlots = numCacheableSlots; } + private: typedef HashSet > IdentifierSet; RefPtr m_data; IdentifierSet m_set; JSGlobalData* m_globalData; + size_t m_numCacheableSlots; }; } // namespace JSC
--
cgit v1.2.1
From 86a59036393fb081f094325518205e6c6067b05e Mon Sep 17 00:00:00 2001
From: Mark Hahnenberg
Date: Mon, 1 Jul 2013 15:46:30 +0200
Subject: JSObject::getOwnNonIndexPropertyNames calculates numCacheableSlots incorrectly (2/2)
https://bugs.webkit.org/show_bug.cgi?id=114235
Reviewed by Filip Pizlo.
If the object doesn't have any properties but the prototype does, we'll assume those prototype properties are accessible in the base object's backing store, which is bad.
Source/JavaScriptCore:
* runtime/JSObject.cpp:
(JSC::JSObject::getPropertyNames):
(JSC::JSObject::getOwnNonIndexPropertyNames):
* runtime/PropertyNameArray.h:
(JSC::PropertyNameArray::PropertyNameArray):
(JSC::PropertyNameArray::setNumCacheableSlotsForObject):
(JSC::PropertyNameArray::setBaseObject):
(PropertyNameArray):
Change-Id: If61b609438fa1d62364bac556af635413198d8ad
git-svn-id: http://svn.webkit.org/repository/webkit/trunk@148142 268f45cc-cd09-0410-ab3c-d52691b4dbfc
Reviewed-by: Jocelyn Turcotte
---
Source/JavaScriptCore/runtime/PropertyNameArray.h | 16 +++++++++++++++-
1 file changed, 15 insertions(+), 1 deletion(-)
(limited to 'Source/JavaScriptCore/runtime/PropertyNameArray.h')
diff --git a/Source/JavaScriptCore/runtime/PropertyNameArray.h b/Source/JavaScriptCore/runtime/PropertyNameArray.h
index 30f439bb2..1cdac0049 100644
--- a/Source/JavaScriptCore/runtime/PropertyNameArray.h
+++ b/Source/JavaScriptCore/runtime/PropertyNameArray.h
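Review bot: `setNumCacheableSlots` accepts any `size_t` unchecked, and nothing in the hunk records what the value is allowed to mean; per the commit message this count is what lets get_by_pname read the iterated object's backing store directly, so an over-count is an out-of-bounds slot read rather than a mere cache miss. The invariant belongs next to the member so that every producer of the value sees it: `// Number of leading names that live in the iterated object's OWN storage; get_by_pname indexes that storage with this count, so it must never include inherited or static properties.` The zero initialisers added in the preceding hunk mean an array whose producer never sets the count is fail-safe (nothing is cached), which is worth a sentence in the same comment. The enclosing `class PropertyNameArray` starts before this hunk.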
@@ -56,6 +56,7 @@ namespace JSC { : m_data(PropertyNameArrayData::create()) , m_globalData(globalData) , m_numCacheableSlots(0) + , m_baseObject(0) { }
@@ -63,6 +64,7 @@ namespace JSC { : m_data(PropertyNameArrayData::create()) , m_globalData(&exec->globalData()) , m_numCacheableSlots(0) + , m_baseObject(0) { }
@@ -86,7 +88,18 @@ namespace JSC { const_iterator end() const { return m_data->propertyNameVector().end(); } size_t numCacheableSlots() const { return m_numCacheableSlots; }
- void setNumCacheableSlots(size_t numCacheableSlots) { m_numCacheableSlots = numCacheableSlots; }
+ void setNumCacheableSlotsForObject(JSObject* object, size_t numCacheableSlots)
+ {
+ if (object != m_baseObject)
+ return;
+ m_numCacheableSlots = numCacheableSlots;
+ }
+ void setBaseObject(JSObject* object)
+ {
+ if (m_baseObject)
+ return;
+ m_baseObject = object;
+ }
 private:
 typedef HashSet > IdentifierSet;
@@ -95,6 +108,7 @@ namespace JSC { IdentifierSet m_set; JSGlobalData* m_globalData; size_t m_numCacheableSlots; + JSObject* m_baseObject; }; } // namespace JSC
--
cgit v1.2.1
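Review bot: The two guards in the `@@ -86,7 +88,18` hunk are the whole fix, yet neither says why it silently returns: `setBaseObject` is first-wins, and `setNumCacheableSlotsForObject` drops any count reported for an object other than the one registered first, which is what stops a prototype's slot count from being applied to the base object's storage. Document that on the functions, e.g. `// Only the first object registered (the base of the lookup) may set the cacheable-slot count; counts reported while walking the prototype chain are ignored so get_by_pname never indexes the base object's storage with a prototype's size.` The member added in the `@@ -95,6 +108,7` hunk is a raw `JSObject*` that this header only compares by identity and never dereferences; a comment such as `// Identity only, never dereferenced here; not a GC root.` would keep a later change from starting to use it after the object may have moved or died, since the array's lifetime relative to the object is not visible in this file. The zero initialisers in the `@@ -56` and `@@ -63` hunks keep an unregistered array at a count of 0, which is the safe direction. The enclosing `class PropertyNameArray` begins before these hunks.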