[SCM] WebKit Debian packaging branch, webkit-1.2, updated. upstream/1.1.90-6072-g9a69373

oliver at apple.com oliver at apple.com
Wed Apr 7 23:16:01 UTC 2010 

The following commit has been merged in the webkit-1.2 branch:
commit ba939ce20a2b14570b91fd5d1c08f164b0e08b38
Author: oliver at apple.com <oliver at apple.com@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
Date:   Fri Oct 30 08:13:38 2009 +0000

    Regression: crash enumerating properties of an object with getters or setters
    https://bugs.webkit.org/show_bug.cgi?id=30948
    
    Reviewed by Gavin Barraclough
    
    Add a guard to prevent us trying to cache property enumeration on
    objects with getters or setters.
    
    git-svn-id: http://svn.webkit.org/repository/webkit/trunk@50323 268f45cc-cd09-0410-ab3c-d52691b4dbfc

diff --git a/JavaScriptCore/ChangeLog b/JavaScriptCore/ChangeLog
index 59cc37e..6b98495 100644
--- a/JavaScriptCore/ChangeLog
+++ b/JavaScriptCore/ChangeLog
@@ -1,3 +1,16 @@
+2009-10-30  Oliver Hunt  <oliver at apple.com>
+
+        Reviewed by Gavin Barraclough.
+
+        Regression: crash enumerating properties of an object with getters or setters
+        https://bugs.webkit.org/show_bug.cgi?id=30948
+
+        Add a guard to prevent us trying to cache property enumeration on
+        objects with getters or setters.
+
+        * runtime/JSPropertyNameIterator.cpp:
+        (JSC::JSPropertyNameIterator::create):
+
 2009-10-30  Roland Steiner  <rolandsteiner at chromium.org>
 
         Reviewed by Eric Seidel.
diff --git a/JavaScriptCore/runtime/JSPropertyNameIterator.cpp b/JavaScriptCore/runtime/JSPropertyNameIterator.cpp
index 6fd0344..e20087f 100644
--- a/JavaScriptCore/runtime/JSPropertyNameIterator.cpp
+++ b/JavaScriptCore/runtime/JSPropertyNameIterator.cpp
@@ -45,7 +45,8 @@ JSPropertyNameIterator* JSPropertyNameIterator::create(ExecState* exec, JSObject
     o->getPropertyNames(exec, propertyNames);
     size_t numCacheableSlots = 0;
     if (!o->structure()->hasNonEnumerableProperties() && !o->structure()->hasAnonymousSlots() &&
-        !o->structure()->isUncacheableDictionary() && !o->structure()->typeInfo().overridesGetPropertyNames())
+        !o->structure()->hasGetterSetterProperties() && !o->structure()->isUncacheableDictionary() &&
+        !o->structure()->typeInfo().overridesGetPropertyNames())
         numCacheableSlots = o->structure()->propertyStorageSize();
 
     JSPropertyNameIterator* jsPropertyNameIterator = new (exec) JSPropertyNameIterator(exec, propertyNames.data(), numCacheableSlots);
diff --git a/LayoutTests/ChangeLog b/LayoutTests/ChangeLog
index 3aec027..46f8ed1 100644
--- a/LayoutTests/ChangeLog
+++ b/LayoutTests/ChangeLog
@@ -1,3 +1,16 @@
+2009-10-30  Oliver Hunt  <oliver at apple.com>
+
+        Reviewed by Gavin Barraclough.
+
+        Regression: crash enumerating properties of an object with getters or setters
+        https://bugs.webkit.org/show_bug.cgi?id=30948
+
+        Add test for enumerating getters and setters.
+
+        * fast/js/for-in-cached-expected.txt:
+        * fast/js/script-tests/for-in-cached.js:
+        (forIn5):
+
 2009-10-29  Erik Arvidsson  <arv at chromium.org>
 
         Reviewed by Eric Seidel.
diff --git a/LayoutTests/fast/js/for-in-cached-expected.txt b/LayoutTests/fast/js/for-in-cached-expected.txt
index f722751..baf0e81 100644
--- a/LayoutTests/fast/js/for-in-cached-expected.txt
+++ b/LayoutTests/fast/js/for-in-cached-expected.txt
@@ -10,6 +10,9 @@ PASS forIn3({ y2 : 2, __proto__: null }) is ['x', 'y2']
 PASS forIn3({ __proto__: { __proto__: { y3 : 2 } } }) is ['x', 'y3']
 PASS forIn4(objectWithArrayAsProto) is []
 PASS forIn4(objectWithArrayAsProto) is ['0']
+PASS forIn5({get foo() { return 'called getter'} }) is ['foo', 'called getter']
+PASS forIn5({set foo() { } }) is ['foo', undefined]
+PASS forIn5({get foo() { return 'called getter'}, set foo() { }}) is ['foo', 'called getter']
 PASS successfullyParsed is true
 
 TEST COMPLETE
diff --git a/LayoutTests/fast/js/script-tests/for-in-cached.js b/LayoutTests/fast/js/script-tests/for-in-cached.js
index 258b24d..c86d62c 100644
--- a/LayoutTests/fast/js/script-tests/for-in-cached.js
+++ b/LayoutTests/fast/js/script-tests/for-in-cached.js
@@ -55,4 +55,14 @@ shouldBe("forIn4(objectWithArrayAsProto)", "[]");
 objectWithArrayAsProto.__proto__[0]=1;
 shouldBe("forIn4(objectWithArrayAsProto)", "['0']");
 
+function forIn5(o) {
+    for (var i in o)
+        return [i, o[i]];
+}
+
+shouldBe("forIn5({get foo() { return 'called getter'} })", "['foo', 'called getter']");
+shouldBe("forIn5({set foo() { } })", "['foo', undefined]");
+shouldBe("forIn5({get foo() { return 'called getter'}, set foo() { }})", "['foo', 'called getter']");
+
+
 var successfullyParsed = true;

-- 
WebKit Debian packaging

More information about the Pkg-webkit-commits mailing list