Commit a14090f7 authored by barraclough@apple.com's avatar barraclough@apple.com

https://bugs.webkit.org/show_bug.cgi?id=76141

defineSetter/defineGetter may fail to update Accessor attribute

Reviewed by Oliver Hunt.

* runtime/JSObject.cpp:
(JSC::JSObject::defineGetter):
(JSC::JSObject::initializeGetterSetterProperty):
(JSC::JSObject::defineSetter):
* runtime/Structure.cpp:
(JSC::Structure::attributeChangeTransition):
* runtime/Structure.h:



git-svn-id: http://svn.webkit.org/repository/webkit/trunk@104871 268f45cc-cd09-0410-ab3c-d52691b4dbfc
parent a68f6b5a
2012-01-12 Gavin Barraclough <barraclough@apple.com>
https://bugs.webkit.org/show_bug.cgi?id=76141
defineSetter/defineGetter may fail to update Accessor attribute
Reviewed by Oliver Hunt.
* runtime/JSObject.cpp:
(JSC::JSObject::defineGetter):
(JSC::JSObject::initializeGetterSetterProperty):
(JSC::JSObject::defineSetter):
* runtime/Structure.cpp:
(JSC::Structure::attributeChangeTransition):
* runtime/Structure.h:
2012-01-12 David Levin <levin@chromium.org>
[chromium] Fix DC leak in WebScreenInfoFactory.
......@@ -366,10 +366,8 @@ void JSObject::defineGetter(JSObject* thisObject, ExecState* exec, const Identif
// putDirect will change our Structure if we add a new property. For
// getters and setters, though, we also need to change our Structure
// if we override an existing non-getter or non-setter.
if (slot.type() != PutPropertySlot::NewProperty) {
if (!thisObject->structure()->isDictionary())
thisObject->setStructure(exec->globalData(), Structure::getterSetterTransition(globalData, thisObject->structure()));
}
if (slot.type() != PutPropertySlot::NewProperty)
thisObject->setStructure(exec->globalData(), Structure::attributeChangeTransition(globalData, thisObject->structure(), propertyName, attributes | Accessor));
thisObject->structure()->setHasGetterSetterProperties(true);
getterSetter->setGetter(globalData, getterFunction);
......@@ -388,10 +386,8 @@ void JSObject::initializeGetterSetterProperty(ExecState* exec, const Identifier&
// putDirect will change our Structure if we add a new property. For
// getters and setters, though, we also need to change our Structure
// if we override an existing non-getter or non-setter.
if (slot.type() != PutPropertySlot::NewProperty) {
if (!structure()->isDictionary())
setStructure(exec->globalData(), Structure::getterSetterTransition(globalData, structure()));
}
if (slot.type() != PutPropertySlot::NewProperty)
setStructure(exec->globalData(), Structure::attributeChangeTransition(globalData, structure(), propertyName, attributes));
structure()->setHasGetterSetterProperties(true);
}
......@@ -417,10 +413,8 @@ void JSObject::defineSetter(JSObject* thisObject, ExecState* exec, const Identif
// putDirect will change our Structure if we add a new property. For
// getters and setters, though, we also need to change our Structure
// if we override an existing non-getter or non-setter.
if (slot.type() != PutPropertySlot::NewProperty) {
if (!thisObject->structure()->isDictionary())
thisObject->setStructure(exec->globalData(), Structure::getterSetterTransition(exec->globalData(), thisObject->structure()));
}
if (slot.type() != PutPropertySlot::NewProperty)
thisObject->setStructure(exec->globalData(), Structure::attributeChangeTransition(exec->globalData(), thisObject->structure(), propertyName, attributes | Accessor));
thisObject->structure()->setHasGetterSetterProperties(true);
getterSetter->setSetter(exec->globalData(), setterFunction);
......
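Review bot: initializeGetterSetterProperty passes `attributes` to attributeChangeTransition unchanged, while defineGetter and defineSetter pass `attributes | Accessor`. If a caller ever supplied attributes without the Accessor bit, the property table entry would be rewritten without it while the slot holds a GetterSetter, which is the stale-attribute state this commit sets out to fix. The callers are outside the hunk, so this may already be guaranteed. If it is, state the contract next to the call, for example `ASSERT(attributes & Accessor);` before the transition or the comment `// attributes already includes Accessor (set by the caller)`. All three functions start and end outside their hunks.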
......@@ -401,17 +401,26 @@ Structure* Structure::despecifyFunctionTransition(JSGlobalData& globalData, Stru
return transition;
}
Structure* Structure::getterSetterTransition(JSGlobalData& globalData, Structure* structure)
Structure* Structure::attributeChangeTransition(JSGlobalData& globalData, Structure* structure, const Identifier& propertyName, unsigned attributes)
{
Structure* transition = create(globalData, structure);
if (!structure->isUncacheableDictionary()) {
Structure* transition = create(globalData, structure);
// Don't set m_offset, as one can not transition to this.
// Don't set m_offset, as one can not transition to this.
structure->materializePropertyMapIfNecessary(globalData);
transition->m_propertyTable = structure->copyPropertyTableForPinning(globalData, transition);
transition->pin();
structure->materializePropertyMapIfNecessary(globalData);
transition->m_propertyTable = structure->copyPropertyTableForPinning(globalData, transition);
transition->pin();
structure = transition;
}
return transition;
ASSERT(structure->m_propertyTable);
PropertyMapEntry* entry = structure->m_propertyTable->find(propertyName.impl()).first;
ASSERT(entry);
entry->attributes = attributes;
return structure;
}
Structure* Structure::toDictionaryTransition(JSGlobalData& globalData, Structure* structure, DictionaryKind kind)
......
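Review bot: In attributeChangeTransition, `ASSERT(entry)` is the only guard before `entry->attributes = attributes;`, and if ASSERT compiles out in release builds (the usual WebKit behaviour, not shown here), a propertyName missing from the table becomes a write through a null pointer. The visible callers only reach this when `slot.type() != PutPropertySlot::NewProperty`, which suggests the entry exists, but that precondition is not written down anywhere in the function. The uncacheable-dictionary path also skips `materializePropertyMapIfNecessary`, so `ASSERT(structure->m_propertyTable)` is the only check that the table is present there. I would add a comment above the function such as `// propertyName must already be present in structure's property table.` and consider a check that survives release builds for the null-entry case. The retained comment `// Don't set m_offset, as one can not transition to this.` could also say why the copy is pinned, since the entry is now mutated in place on the returned structure.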
......@@ -89,7 +89,7 @@ namespace JSC {
static Structure* removePropertyTransition(JSGlobalData&, Structure*, const Identifier& propertyName, size_t& offset);
static Structure* changePrototypeTransition(JSGlobalData&, Structure*, JSValue prototype);
static Structure* despecifyFunctionTransition(JSGlobalData&, Structure*, const Identifier&);
static Structure* getterSetterTransition(JSGlobalData&, Structure*);
static Structure* attributeChangeTransition(JSGlobalData&, Structure*, const Identifier& propertyName, unsigned attributes);
static Structure* toCacheableDictionaryTransition(JSGlobalData&, Structure*);
static Structure* toUncacheableDictionaryTransition(JSGlobalData&, Structure*);
static Structure* sealTransition(JSGlobalData&, Structure*);
......