From: fpizlo@apple.com Date: Wed, 4 May 2016 05:01:08 +0000 (+0000) Subject: REGRESSION(r200383): Setting lazily initialized properties across frame boundaries... X-Git-Url: http://git.webkit.org/?p=WebKit-https.git;a=commitdiff_plain;h=72f16e4c8609294d0820bbdd2741281aedafdc1d REGRESSION(r200383): Setting lazily initialized properties across frame boundaries crashes https://bugs.webkit.org/show_bug.cgi?id=157333 Reviewed by Benjamin Poulain. Source/JavaScriptCore: I forgot to add logic for lazy properties in putEntry(). It turns out that it's easy to add. * runtime/Lookup.h: (JSC::putEntry): * runtime/PropertySlot.h: LayoutTests: This is JoePeck's original test case. It used to crash and now it doesn't crash anymore. * js/dom/cross-window-put-math-expected.txt: Added. * js/dom/cross-window-put-math.html: Added. git-svn-id: https://svn.webkit.org/repository/webkit/trunk@200406 268f45cc-cd09-0410-ab3c-d52691b4dbfc --- diff --git a/LayoutTests/ChangeLog b/LayoutTests/ChangeLog index f3cf28a..741e8ee 100644 --- a/LayoutTests/ChangeLog +++ b/LayoutTests/ChangeLog @@ -1,3 +1,15 @@ +2016-05-03 Filip Pizlo + + REGRESSION(r200383): Setting lazily initialized properties across frame boundaries crashes + https://bugs.webkit.org/show_bug.cgi?id=157333 + + Reviewed by Benjamin Poulain. + + This is JoePeck's original test case. It used to crash and now it doesn't crash anymore. + + * js/dom/cross-window-put-math-expected.txt: Added. + * js/dom/cross-window-put-math.html: Added. + 2016-05-03 Yusuke Suzuki Improve Symbol() to string coercion error message diff --git a/LayoutTests/js/dom/cross-window-put-math-expected.txt b/LayoutTests/js/dom/cross-window-put-math-expected.txt new file mode 100644 index 0000000..b0b92d8 --- /dev/null +++ b/LayoutTests/js/dom/cross-window-put-math-expected.txt 
@@ -0,0 +1,9 @@ + +Test storing to a lazy global property. + +On success, you will see a series of "PASS" messages, followed by "TEST COMPLETE". + +PASS successfullyParsed is true + +TEST COMPLETE + diff --git a/LayoutTests/js/dom/cross-window-put-math.html b/LayoutTests/js/dom/cross-window-put-math.html new file mode 100644 index 0000000..a35a6b73 --- /dev/null +++ b/LayoutTests/js/dom/cross-window-put-math.html @@ -0,0 +1,16 @@ + + + + + + + +
+
+ + + + diff --git a/Source/JavaScriptCore/ChangeLog b/Source/JavaScriptCore/ChangeLog index e9c4591..d3121a3 100644 --- a/Source/JavaScriptCore/ChangeLog +++ b/Source/JavaScriptCore/ChangeLog @@ -1,5 +1,19 @@ 2016-05-03 Filip Pizlo + REGRESSION(r200383): Setting lazily initialized properties across frame boundaries crashes + https://bugs.webkit.org/show_bug.cgi?id=157333 + + Reviewed by Benjamin Poulain. + + I forgot to add logic for lazy properties in putEntry(). It turns out that it's easy to + add. + + * runtime/Lookup.h: + (JSC::putEntry): + * runtime/PropertySlot.h: + +2016-05-03 Filip Pizlo + References from code to Structures should be stronger than weak https://bugs.webkit.org/show_bug.cgi?id=157324 diff --git a/Source/JavaScriptCore/runtime/Lookup.h b/Source/JavaScriptCore/runtime/Lookup.h index c7d4ced..af78abe 100644 --- a/Source/JavaScriptCore/runtime/Lookup.h +++ b/Source/JavaScriptCore/runtime/Lookup.h @@ -293,9 +293,10 @@ inline bool getStaticValueSlot(ExecState* exec, const HashTable& table, ThisImp* // 'slot.thisValue()' is the object the put was originally performed on (in the case of a proxy, the proxy itself). inline bool putEntry(ExecState* exec, const HashTableValue* entry, JSObject* base, JSObject* thisValue, PropertyName propertyName, JSValue value, PutPropertySlot& slot) { - if (entry->attributes() & BuiltinOrFunction) { + if (entry->attributes() & BuiltinOrFunctionOrLazyProperty) { if (!(entry->attributes() & ReadOnly)) { - // If this is a function put it as an override property. + // If this is a function or lazy property put then we just do the put because + // logically the object already had the property, so this is just a replace. if (JSObject* thisObject = jsDynamicCast(thisValue)) thisObject->putDirect(exec->vm(), propertyName, value); return true; diff --git a/Source/JavaScriptCore/runtime/PropertySlot.h b/Source/JavaScriptCore/runtime/PropertySlot.h index 74e7d8c..15403cd 100644 --- a/Source/JavaScriptCore/runtime/PropertySlot.h 
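Review bot: The lazy-property put now admitted by the widened `BuiltinOrFunctionOrLazyProperty` check stores the value through `thisObject->putDirect(exec->vm(), propertyName, value)` with no attribute argument, so none of the static entry's attribute bits (for example a DontEnum on the lazy entries) reach the stored property; if putDirect falls back to its default attributes here, a replaced lazy property ends up as a plain data property with different attributes than the same property would have once it had been reified, which is worth confirming against the intended semantics before relying on this path. The guarded cast on the following line (`jsDynamicCast(thisValue)`, template argument lost in this rendering) also makes putEntry return true without storing anything when thisValue is not a JSObject; that behaviour is pre-existing for function entries but now covers lazy properties as well, and a one-line comment such as `// Non-object receivers get no override property; report the put as handled.` would make the silent success deliberate rather than accidental. putEntry's body continues past the end of this hunk.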
+++ b/Source/JavaScriptCore/runtime/PropertySlot.h
@@ -50,6 +50,7 @@ enum Attribute {
 ClassStructure = 1 << 12, // property is a lazy class structure - only used by static hashtables
 PropertyCallback = 1 << 13, // property that is a lazy property callback - only used by static hashtables
 BuiltinOrFunction = Builtin | Function, // helper only used by static hashtables
+BuiltinOrFunctionOrLazyProperty = Builtin | Function | CellProperty | ClassStructure | PropertyCallback, // helper only used by static hashtables
 BuiltinOrFunctionOrAccessorOrLazyProperty = Builtin | Function | Accessor | CellProperty | ClassStructure | PropertyCallback, // helper only used by static hashtables
 BuiltinOrFunctionOrAccessorOrLazyPropertyOrConstant = Builtin | Function | Accessor | CellProperty | ClassStructure | PropertyCallback | ConstantInteger // helper only used by static hashtables
 };
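Review bot: `BuiltinOrFunctionOrLazyProperty` repeats the member list that `BuiltinOrFunctionOrAccessorOrLazyProperty` and `BuiltinOrFunctionOrAccessorOrLazyPropertyOrConstant` already spell out, so the three helper masks can silently drift apart the next time a lazy-property kind is added and one of them is forgotten. Defining the wider masks in terms of the narrower one keeps them in lockstep: `BuiltinOrFunctionOrAccessorOrLazyProperty = BuiltinOrFunctionOrLazyProperty | Accessor, // helper only used by static hashtables` and `BuiltinOrFunctionOrAccessorOrLazyPropertyOrConstant = BuiltinOrFunctionOrAccessorOrLazyProperty | ConstantInteger // helper only used by static hashtables`. The enum's closing brace is inside the hunk, but `enum Attribute {` and the individual flags these masks combine are declared above it, outside the visible lines.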