propertyNameEnumerator must check it can still take the fast path after getGenericPropertyNames

https://bugs.webkit.org/show_bug.cgi?id=219957
<rdar://71156284>

Reviewed by Yusuke Suzuki.

We need to check if we still `canAccessPropertiesQuicklyForEnumeration` on
`structureAfterGettingPropertyNames`, since we might call out to a proxy's
`getPrototypeOf` callback through `getGenericPropertyNames`.

* runtime/JSPropertyNameEnumerator.h:
(JSC::propertyNameEnumerator):

Canonical link: https://commits.webkit.org/232741@main
git-svn-id: https://svn.webkit.org/repository/webkit/trunk@271144 268f45cc-cd09-0410-ab3c-d52691b4dbfc
tadeuzagallo committed Jan 5, 2021
1 parent 3453222 commit f4e35a4
Showing 2 changed files with 20 additions and 0 deletions.
15 changes: 15 additions & 0 deletions Source/JavaScriptCore/ChangeLog
@@ -1,3 +1,18 @@
2020-12-16 Tadeu Zagallo <tzagallo@apple.com>

propertyNameEnumerator must check it can still take the fast path after getGenericPropertyNames
https://bugs.webkit.org/show_bug.cgi?id=219957
<rdar://71156284>

Reviewed by Yusuke Suzuki.

We need to check if we still `canAccessPropertiesQuicklyForEnumeration` on
`structureAfterGettingPropertyNames`, since we might call out out to a proxy's
`getPrototypeOf` callback through `getGenericPropertyNames`.

* runtime/JSPropertyNameEnumerator.h:
(JSC::propertyNameEnumerator):

2020-11-17 Tadeu Zagallo <tzagallo@apple.com>

Validate every instruction in AssemblerBuffer
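Review bot: the description in the new 2020-12-16 entry has a doubled word, "call out out to a proxy's", which should read "call out to". The entry lists only runtime/JSPropertyNameEnumerator.h, and the commit changes two files in total, so no regression test accompanies the fix. Adding a test in which a proxy's `getPrototypeOf` callback runs during property enumeration, and noting it in this entry, would keep the check from regressing.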
5 changes: 5 additions & 0 deletions Source/JavaScriptCore/runtime/JSPropertyNameEnumerator.h
Expand Up @@ -141,6 +141,11 @@ inline JSPropertyNameEnumerator* propertyNameEnumerator(JSGlobalObject* globalOb
bool successfullyNormalizedChain = normalizePrototypeChain(globalObject, base, sawPolyProto) != InvalidPrototypeChain;

Structure* structureAfterGettingPropertyNames = base->structure(vm);
if (!structureAfterGettingPropertyNames->canAccessPropertiesQuicklyForEnumeration()) {
indexedLength = 0;
numberStructureProperties = 0;
}

enumerator = JSPropertyNameEnumerator::create(vm, structureAfterGettingPropertyNames, indexedLength, numberStructureProperties, WTFMove(propertyNames));
if (!indexedLength && successfullyNormalizedChain && structureAfterGettingPropertyNames == structure) {
enumerator->setCachedPrototypeChain(vm, structure->prototypeChain(globalObject, base));
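Review bot: the added check on `structureAfterGettingPropertyNames` resets `indexedLength` and `numberStructureProperties` only when the new structure fails `canAccessPropertiesQuicklyForEnumeration()`, but the `structureAfterGettingPropertyNames == structure` comparison further down shows the structure can also have changed to a different one. If the two counts were derived from the earlier `structure` (that code is outside this hunk), please confirm they are still valid for a changed structure that remains fast-enumerable, or reset them whenever the two structures differ. A one-line comment above the `if` saying that `getGenericPropertyNames` can run a proxy's `getPrototypeOf` callback would also explain why the structure is re-read here.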