PropertyCondition::isValidValueForAttributes() should also consider deleted values.
author mark.lam@apple.com <mark.lam@apple.com@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
Sat, 23 Jun 2018 00:45:06 +0000 (00:45 +0000)
committer mark.lam@apple.com <mark.lam@apple.com@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
Sat, 23 Jun 2018 00:45:06 +0000 (00:45 +0000)
https://bugs.webkit.org/show_bug.cgi?id=186943
<rdar://problem/41370337>

Reviewed by Saam Barati.

JSTests:

* stress/regress-186943.js: Added.

Source/JavaScriptCore:

PropertyCondition::isValidValueForAttributes() should check if the passed in value
is a deleted one before it does a jsDynamicCast on it.

* bytecode/PropertyCondition.cpp:
(JSC::PropertyCondition::isValidValueForAttributes):
* runtime/JSCJSValueInlines.h:
- removed an unnecessary #if.

git-svn-id: https://svn.webkit.org/repository/webkit/trunk@233114 268f45cc-cd09-0410-ab3c-d52691b4dbfc

JSTests/ChangeLog
JSTests/stress/regress-186943.js [new file with mode: 0644]
Source/JavaScriptCore/ChangeLog
Source/JavaScriptCore/bytecode/PropertyCondition.cpp
Source/JavaScriptCore/runtime/JSCJSValueInlines.h

index 2197c3c..e3f4da7 100644 (file)
@@ -1,3 +1,13 @@
+2018-06-22  Mark Lam  <mark.lam@apple.com>
+
+        PropertyCondition::isValidValueForAttributes() should also consider deleted values.
+        https://bugs.webkit.org/show_bug.cgi?id=186943
+        <rdar://problem/41370337>
+
+        Reviewed by Saam Barati.
+
+        * stress/regress-186943.js: Added.
+
 2018-06-22  Keith Miller  <keith_miller@apple.com>
 
         performProxyCall should toThis the value passed to its handler
diff --git a/JSTests/stress/regress-186943.js b/JSTests/stress/regress-186943.js
new file mode 100644 (file)
index 0000000..353841d
--- /dev/null
@@ -0,0 +1,5 @@
+// This test should not crash.
+x = Reflect;
+delete this.Reflect;
+
+for (var i = 0; i < 10000; ++i) { }
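Review bot: the empty `for (var i = 0; i < 10000; ++i) { }` loop on the last line of the new test is undocumented; the only comment in the file is "This test should not crash.", so nothing says what the loop is there to exercise after `delete this.Reflect`, and a later cleanup could drop it as dead code and silently defeat the regression test. Add a one-line comment above the loop stating what it is expected to trigger (the code path named in the bug, PropertyCondition::isValidValueForAttributes, being reached with the deleted Reflect binding), and keep the `x = Reflect;` capture commented as well, since it is the only thing that keeps a reference to the deleted value alive.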
index f143143..aad4308 100644 (file)
@@ -1,3 +1,19 @@
+2018-06-22  Mark Lam  <mark.lam@apple.com>
+
+        PropertyCondition::isValidValueForAttributes() should also consider deleted values.
+        https://bugs.webkit.org/show_bug.cgi?id=186943
+        <rdar://problem/41370337>
+
+        Reviewed by Saam Barati.
+
+        PropertyCondition::isValidValueForAttributes() should check if the passed in value
+        is a deleted one before it does a jsDynamicCast on it.
+
+        * bytecode/PropertyCondition.cpp:
+        (JSC::PropertyCondition::isValidValueForAttributes):
+        * runtime/JSCJSValueInlines.h:
+        - removed an unnecessary #if.
+
 2018-06-22  Keith Miller  <keith_miller@apple.com>
 
         performProxyCall should toThis the value passed to its handler
index 51d61c2..4203a16 100644 (file)
@@ -377,6 +377,8 @@ void PropertyCondition::validateReferences(const TrackedReferences& tracked) con
 
 bool PropertyCondition::isValidValueForAttributes(VM& vm, JSValue value, unsigned attributes)
 {
+    if (!value)
+        return false;
     bool attributesClaimAccessor = !!(attributes & PropertyAttribute::Accessor);
     bool valueClaimsAccessor = !!jsDynamicCast<GetterSetter*>(vm, value);
     return attributesClaimAccessor == valueClaimsAccessor;
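Review bot: the new early return `if (!value) return false;` has no comment tying it to the "deleted values" case that the commit title and ChangeLog describe; on its own it reads as a generic null check, and the reason it must precede `jsDynamicCast<GetterSetter*>(vm, value)` (the cast is what the ChangeLog says crashes on a deleted value) is not visible in the function. Suggest a comment such as `// A deleted property slot holds an empty JSValue; it matches no attributes and must not be cast.` so that the intent of returning false (treat the condition as not valid, rather than as a data property) is preserved if the function is reworked later.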
index 4ba9d50..dcba382 100644 (file)
@@ -344,13 +344,11 @@ inline JSValue::JSValue(int i)
     u.asBits.payload = i;
 }
 
-#if USE(JSVALUE32_64)
 inline JSValue::JSValue(int32_t tag, int32_t payload)
 {
     u.asBits.tag = tag;
     u.asBits.payload = payload;
 }
-#endif
 
 inline bool JSValue::isNumber() const
 {