Changeset 154630 in webkit for trunk/Source/JavaScriptCore


Timestamp: Aug 26, 2013, 1:01:55 PM (12 years ago)
Author: [email protected]
Message:

Object.defineProperty should be able to create a PropertyDescriptor where m_attributes == 0
https://bugs.webkit.org/show_bug.cgi?id=120314

Reviewed by Darin Adler.

Currently with the way that defineProperty works, we leave a stray low bit set in
PropertyDescriptor::m_attributes in the following code:

var o = {};
Object.defineProperty(o, 100, {writable:true, enumerable:true, configurable:true, value:"foo"});

This is due to the fact that the lowest non-zero attribute (ReadOnly) is represented as 1 << 1
instead of 1 << 0. We then calculate the default attributes as (DontDelete << 1) - 1, which is 0xF,
but only the top three bits mean anything. Even in the case above, the top three bits are set
to 0 but the bottom bit remains set, which causes us to think m_attributes is non-zero.

Since some of these attributes and their corresponding values are exposed in the JavaScriptCore
framework's public C API, it's safer to just change how we calculate the default value, which is
where the weirdness was originating from in the first place.

  • runtime/PropertyDescriptor.cpp:

Location: trunk/Source/JavaScriptCore
Files: 2 edited

  • trunk/Source/JavaScriptCore/ChangeLog

    r154629 r154630  
     12013-08-26  Mark Hahnenberg  <[email protected]>
     2
     3        Object.defineProperty should be able to create a PropertyDescriptor where m_attributes == 0
     4        https://bugs.webkit.org/show_bug.cgi?id=120314
     5
     6        Reviewed by Darin Adler.
     7
     8        Currently with the way that defineProperty works, we leave a stray low bit set in
     9        PropertyDescriptor::m_attributes in the following code:
     10
     11        var o = {};
     12        Object.defineProperty(o, 100, {writable:true, enumerable:true, configurable:true, value:"foo"});
     13       
     14        This is due to the fact that the lowest non-zero attribute (ReadOnly) is represented as 1 << 1
     15        instead of 1 << 0. We then calculate the default attributes as (DontDelete << 1) - 1, which is 0xF,
     16        but only the top three bits mean anything. Even in the case above, the top three bits are set
     17        to 0 but the bottom bit remains set, which causes us to think m_attributes is non-zero.
     18
     19        Since some of these attributes and their corresponding values are exposed in the JavaScriptCore
     20        framework's public C API, it's safer to just change how we calculate the default value, which is
     21        where the weirdness was originating from in the first place.
     22
     23        * runtime/PropertyDescriptor.cpp:
     24
    1252013-08-24  Sam Weinig  <[email protected]>
    226
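
Review bot: The entry ends with `* runtime/PropertyDescriptor.cpp:` and nothing after the colon, and it names no test for the `Object.defineProperty(o, 100, {writable:true, enumerable:true, configurable:true, value:"foo"})` case it describes. A one-line per-file note saying that defaultAttributes is now built from the named flags, plus a regression test for that call, would make the fix checkable. The changeset lists only two edited files, so no test accompanies it.
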
  • trunk/Source/JavaScriptCore/runtime/PropertyDescriptor.cpp

    r142810 r154630  
    3434
    3535namespace JSC {
    36 unsigned PropertyDescriptor::defaultAttributes = (DontDelete << 1) - 1;
     36unsigned PropertyDescriptor::defaultAttributes = DontDelete | DontEnum | ReadOnly;
    3737
    3838bool PropertyDescriptor::writable() const
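
Review bot: The new initializer on line 36 lists the three flags by hand, whereas the old `(DontDelete << 1) - 1` covered every bit below DontDelete automatically, so an attribute bit added later will be missing from the default unless someone remembers to update this line. A comment or compile-time check stating that DontDelete, DontEnum and ReadOnly are the complete set tracked by m_attributes would keep the mask from going stale. defaultAttributes is also defined here as a plain `unsigned` with no `const`; if the declaration in the header allows it, making it const would keep the mask behind writable/enumerable/configurable decisions from being changed at run time.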