-
mhahnenberg@apple.com authored
https://bugs.webkit.org/show_bug.cgi?id=114235 Reviewed by Filip Pizlo. If the object doesn't have any properties but the prototype does, we'll assume those prototype properties are accessible in the base object's backing store, which is bad. Source/JavaScriptCore: * runtime/JSObject.cpp: (JSC::JSObject::getPropertyNames): (JSC::JSObject::getOwnNonIndexPropertyNames): * runtime/PropertyNameArray.h: (JSC::PropertyNameArray::PropertyNameArray): (JSC::PropertyNameArray::setNumCacheableSlotsForObject): (JSC::PropertyNameArray::setBaseObject): (PropertyNameArray): LayoutTests: * fast/js/get-by-pname-only-prototype-properties-expected.txt: Added. * fast/js/get-by-pname-only-prototype-properties.html: Added. * fast/js/script-tests/get-by-pname-only-prototype-properties.js: Added. (foo): git-svn-id: http://svn.webkit.org/repository/webkit/trunk@148142 268f45cc-cd09-0410-ab3c-d52691b4dbfc
05cc4d0d
