WebKit Bugzilla
Attachment 369178 Details for
Bug 197631
: [JSC] Strict, Sloppy and Arrow functions should have different classInfo
Home
|
New
|
Browse
|
Search
|
[?]
|
Reports
|
Requests
|
Help
|
New Account
|
Log In
Remember
[x]
|
Forgot Password
Login:
[x]
[patch]
Patch
patch197631 (text/plain), 2.54 KB, created by
Robin Morisset
on 2019-05-06 15:21:36 PDT
(
hide
)
Description:
Patch
Filename:
MIME Type:
Creator:
Robin Morisset
Created:
2019-05-06 15:21:36 PDT
Size:
2.54 KB
patch
obsolete
>Index: JSTests/ChangeLog >=================================================================== >--- JSTests/ChangeLog (revision 244979) >+++ JSTests/ChangeLog (working copy) >@@ -1,3 +1,13 @@ >+2019-05-06 Robin Morisset <rmorisset@apple.com> >+ >+ Don't cache HasOwnProperty on 'arguments' >+ https://bugs.webkit.org/show_bug.cgi?id=197631 >+ >+ Reviewed by NOBODY (OOPS!). >+ >+ * stress/has-own-property-arguments.js: Added. >+ (A): >+ > 2019-05-06 Yusuke Suzuki <ysuzuki@apple.com> > > TemplateObject passed to template literal tags are not always identical for the same source location. >Index: JSTests/stress/has-own-property-arguments.js >=================================================================== >--- JSTests/stress/has-own-property-arguments.js (nonexistent) >+++ JSTests/stress/has-own-property-arguments.js (working copy) >@@ -0,0 +1,3 @@ >+class A extends Function {} >+new A("'use strict';").hasOwnProperty('arguments'); >+new A().hasOwnProperty('arguments'); >Index: Source/JavaScriptCore/ChangeLog >=================================================================== >--- Source/JavaScriptCore/ChangeLog (revision 244979) >+++ Source/JavaScriptCore/ChangeLog (working copy) >@@ -1,3 +1,15 @@ >+2019-05-06 Robin Morisset <rmorisset@apple.com> >+ >+ Don't cache HasOwnProperty on 'arguments' >+ https://bugs.webkit.org/show_bug.cgi?id=197631 >+ >+ Reviewed by NOBODY (OOPS!). >+ >+ 'arguments' behave differently in sloppy and strict mode. So if we cache HasOwnProperty('arguments') in strict mode, then try to call it again in sloppy mode (or vice-versa) the result will be wrong. >+ >+ * runtime/HasOwnPropertyCache.h: >+ (JSC::HasOwnPropertyCache::tryAdd): >+ > 2019-05-06 Yusuke Suzuki <ysuzuki@apple.com> > > TemplateObject passed to template literal tags are not always identical for the same source location. >Index: Source/JavaScriptCore/runtime/HasOwnPropertyCache.h >=================================================================== >--- Source/JavaScriptCore/runtime/HasOwnPropertyCache.h (revision 244918) >+++ Source/JavaScriptCore/runtime/HasOwnPropertyCache.h (working copy) >@@ -89,6 +89,10 @@ > > if (object->type() == PureForwardingProxyType || object->type() == ImpureProxyType) > return; >+ >+ // We don't cache accesses to arguments, because it depends on whether we are in strict or sloppy mode. >+ if (propName == "arguments") >+ return; > > Structure* structure = object->structure(vm); > if (!structure->typeInfo().prohibitsPropertyCaching()
<b>You cannot view the attachment while viewing its details because your browser does not support IFRAMEs. <a href="attachment.cgi?id=369178">View the attachment on a separate page</a>.</b>
View Attachment As Diff
View Attachment As Raw
Actions:
View
|
Formatted Diff
|
Diff
Attachments on
bug 197631
:
369178
|
372671
|
372672