Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
Cherry-pick 265870.535@safari-7616-branch (049d074). https://bugs.web…
…kit.org/show_bug.cgi?id=261287 JSObject::anyObjectInChainMayInterceptIndexedAccesses and JSObject::didBecomePrototype need to account for JSGlobalProxy https://bugs.webkit.org/show_bug.cgi?id=261287 rdar://114860483 Reviewed by Yusuke Suzuki. Since JSObject::anyObjectInChainMayInterceptIndexedAccesses() walks up the [[Prototype]] chain, whenever an indexed property is defined on a JSGlobalObject, we should add MayHaveIndexedAccessors flag to JSGlobalProxy instead. Currently, mayInterceptIndexedAccesses() is never queried on JSGlobalObject instances. This change also fixes mayBePrototype() to be queried from JSGlobalProxy rather than JSGlobalObject, which is correct given setPrototypeDirect() used to call didBecomePrototype() only on the proxy. However, for extra robustness, this we propagate didBecomePrototype() to the global object as well. * JSTests/stress/regress-114860483.js: Added. * Source/JavaScriptCore/runtime/JSObjectInlines.h: (JSC::JSObject::didBecomePrototype): * Source/JavaScriptCore/runtime/JSObject.cpp: (JSC::JSObject::notifyPresenceOfIndexedAccessors): Canonical link: https://commits.webkit.org/265870.535@safari-7616-branch
- Loading branch information