Changeset 31431 in webkit for trunk/JavaScriptCore/kjs/nodes.cpp


Timestamp:
Mar 29, 2008, 12:25:34 AM (17 years ago)
Author:
[email protected]
Message:

Bug 17924: Crash in KJS::ConstDeclNode::evaluate with |with| and |const|
<http://bugs.webkit.org/show_bug.cgi?id=17924>
<rdar://problem/5806933>

Reviewed by Geoff.

It turns out this is trivially avoidable if we just match Firefox's
semantics and ensure that an assignment in a const declaration always
writes to the variable object.

File:
1 edited

  • trunk/JavaScriptCore/kjs/nodes.cpp

    r31119 r31431  
    38373837    ASSERT(iter != end);
    38383838
    3839     PropertySlot slot;
    38403839    JSObject* base;
    38413840
    38423841    do {
    38433842        base = *iter;
    3844         if (base->getPropertySlot(exec, m_ident, slot))
     3843        if (base->isVariableObject())
    38453844            break;
    38463845        ++iter;
    38473846    } while (iter != end);
    38483847
    3849     ASSERT(base->isActivationObject() || base->isGlobalObject());
     3848    ASSERT(base && base->isVariableObject());
    38503849
    38513850    static_cast<JSVariableObject*>(base)->initializeVariable(exec, m_ident, val, ReadOnly);
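
Review bot: In the new ASSERT after the loop (r31431 line 3848), the `base &&` half cannot catch anything, because `base->isVariableObject()` has already dereferenced `base` inside the loop. The more important case is the loop reaching `end` without finding a variable object: the ASSERT is then the only guard before `static_cast<JSVariableObject*>(base)`, and in a build where assertions are compiled out the cast would proceed on an object of the wrong type. If the scope chain is guaranteed to contain a variable object, state that invariant in a comment above the loop; otherwise add an explicit check that bails out before the cast. A one-line comment that the loop deliberately skips |with| scope objects, so the const initializer always lands on the variable object, would also record the intent given in the commit message.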