Changeset 196490 in webkit for trunk/Source/JavaScriptCore/runtime/SparseArrayValueMap.cpp

Timestamp:

Feb 12, 2016, 11:50:49 AM (10 years ago)

Author:

[email protected]

Message:

Fast path in JSObject::defineOwnIndexedProperty() forgets to check for the posibility of a descriptor that doesn't have a value
​https://bugs.webkit.org/show_bug.cgi?id=154175
rdar://problem/24291497

Reviewed by Geoffrey Garen.

• runtime/JSObject.cpp:

(JSC::JSObject::defineOwnIndexedProperty): Fix the bug.

• runtime/SparseArrayValueMap.cpp:

(JSC::SparseArrayValueMap::putEntry): Catch the bug sooner in debug.
(JSC::SparseArrayValueMap::putDirect):

• tests/stress/sparse-define-empty-descriptor.js: Added. This used to crash in release.

File:

• trunk/Source/JavaScriptCore/runtime/SparseArrayValueMap.cpp (modified) (3 diffs)

trunk/Source/JavaScriptCore/runtime/SparseArrayValueMap.cpp

@@ -1 +1 @@
 /*
- * Copyright (C) 2011, 2012 Apple Inc. All rights reserved.
+ * Copyright (C) 2011, 2012, 2016 Apple Inc. All rights reserved.
  *
  * Redistribution and use in source and binary forms, with or without
@@ -91 +91 @@
 void SparseArrayValueMap::putEntry(ExecState* exec, JSObject* array, unsigned i, JSValue value, bool shouldThrow)
 {
+    ASSERT(value);
+    
     AddResult result = add(array, i);
     SparseArrayEntry& entry = result.iterator->value;
@@ -109 +111 @@
 bool SparseArrayValueMap::putDirect(ExecState* exec, JSObject* array, unsigned i, JSValue value, unsigned attributes, PutDirectIndexMode mode)
 {
+    ASSERT(value);
+    
     AddResult result = add(array, i);
     SparseArrayEntry& entry = result.iterator->value;