)]}' { "commit": "edf247c81f20089de52cb2decac360f8a7393c57", "tree": "e6b75b8761214674ca470b294e191a4a724cb4b4", "parents": [ "3364844792ee6e1362c963e2a047c7fec6a2e4d4" ], "author": { "name": "sbarati@apple.com", "email": "sbarati@apple.com@268f45cc-cd09-0410-ab3c-d52691b4dbfc", "time": "Tue Dec 03 07:55:25 2019 +0000" }, "committer": { "name": "sbarati@apple.com", "email": "sbarati@apple.com@268f45cc-cd09-0410-ab3c-d52691b4dbfc", "time": "Tue Dec 03 07:55:25 2019 +0000" }, "message": "PropertySlot should not have Customs have a PropertyOffset of zero\nhttps://bugs.webkit.org/show_bug.cgi?id\u003d204566\n\u003crdar://problem/57466781\u003e\n\nReviewed by Keith Miller.\n\nJSTests:\n\n* stress/cacheable-custom-accessor-should-not-have-property-offset.js: Added.\n\nSource/JavaScriptCore:\n\nWe used to say that PropertyOffset of a cacheable custom was always zero. We\ndid this because we were using \"invalidOffset\" to indicate things aren\u0027t\ncacheable. This patch refactors PropertySlot to not look at PropertyOffset\nfor cacheability, but instead just uses the cacheability bit. With that\nchange, we now say that customs always have the invalid PropertyOffset. This\nfixes a bug where we used to watch for property changes at the offset inside\nan AccessCase. We were doing this for the zero property offset for all\ncustoms. This could trigger a crash inside startWatchingPropertyForReplacements\nbecause the prototype Structure was a dictionary. We allow dictionaries to\nbe property holders of customs as long as the property is a custom and has\nDontDelete property attribute, since DontDelete proves the custom will never\nchange.\n\n* llint/LLIntSlowPaths.cpp:\n(JSC::LLInt::LLINT_SLOW_PATH_DECL):\n* runtime/PropertySlot.h:\n(JSC::PropertySlot::PropertySlot):\n(JSC::PropertySlot::isCacheable const):\n(JSC::PropertySlot::setValue):\n(JSC::PropertySlot::setCustom):\n(JSC::PropertySlot::setCacheableCustom):\n(JSC::PropertySlot::setCustomGetterSetter):\n(JSC::PropertySlot::setGetterSlot):\n(JSC::PropertySlot::setCacheableGetterSlot):\n(JSC::PropertySlot::setUndefined):\n\n\n\ngit-svn-id: http://svn.webkit.org/repository/webkit/trunk@253026 268f45cc-cd09-0410-ab3c-d52691b4dbfc\n", "tree_diff": [ { "type": "modify", "old_id": "6c63af8e10f29396fe9d7f40b7e5a3a68cf26e8a", "old_mode": 33188, "old_path": "JSTests/ChangeLog", "new_id": "068673da4bec891680f6ba939ca508ba1fe53559", "new_mode": 33188, "new_path": "JSTests/ChangeLog" }, { "type": "add", "old_id": "0000000000000000000000000000000000000000", "old_mode": 0, "old_path": "/dev/null", "new_id": "c4cae2e9f180c798b440d733182659f6f35e52f9", "new_mode": 33188, "new_path": "JSTests/stress/cacheable-custom-accessor-should-not-have-property-offset.js" }, { "type": "modify", "old_id": "b65e340cc896ed1091c913469b6bd094dd5f7d01", "old_mode": 33188, "old_path": "Source/JavaScriptCore/ChangeLog", "new_id": "3466f5eb29113c3280f8d66320d10445103b027f", "new_mode": 33188, "new_path": "Source/JavaScriptCore/ChangeLog" }, { "type": "modify", "old_id": "7316e95bd0ab57b9f45884ecdc3bffddc4f6d351", "old_mode": 33188, "old_path": "Source/JavaScriptCore/llint/LLIntSlowPaths.cpp", "new_id": "357a46e8e57897f2785cd339fcbe2bc0c90cedb2", "new_mode": 33188, "new_path": "Source/JavaScriptCore/llint/LLIntSlowPaths.cpp" }, { "type": "modify", "old_id": "b21de3e79423bedccb53f738e40fae9477218639", "old_mode": 33188, "old_path": "Source/JavaScriptCore/runtime/PropertySlot.h", "new_id": "f776c62a052e3a212fac228db96eeec14cc2904f", "new_mode": 33188, "new_path": "Source/JavaScriptCore/runtime/PropertySlot.h" } ] }