diff options
| author | Frederik Gladhorn <frederik.gladhorn@digia.com> | 2013-03-27 14:30:38 +0100 |
|---|---|---|
| committer | Frederik Gladhorn <frederik.gladhorn@digia.com> | 2013-03-27 14:30:38 +0100 |
| commit | 37f074e127ba1df465b79664fd4d487fad91a2ce (patch) | |
| tree | 5819feae97bbc1684fc70d867b843bd04ac8f411 /Source/JavaScriptCore/runtime | |
| parent | 99783e2c7e917224da401ddbd33354c131b3a377 (diff) | |
| parent | 909c9942ce927c3dac5f850d9bc110a66a72d397 (diff) | |
| download | qtwebkit-37f074e127ba1df465b79664fd4d487fad91a2ce.tar.gz | |
Merge remote-tracking branch 'origin/stable' into dev
Change-Id: I7f624a8e4ba9491c3ec635ffcb66a16c69bf8188
Diffstat (limited to 'Source/JavaScriptCore/runtime')
| -rw-r--r-- | Source/JavaScriptCore/runtime/JSTypeInfo.h | 3 | ||||
| -rw-r--r-- | Source/JavaScriptCore/runtime/Operations.h | 9 |
2 files changed, 8 insertions, 4 deletions
diff --git a/Source/JavaScriptCore/runtime/JSTypeInfo.h b/Source/JavaScriptCore/runtime/JSTypeInfo.h index 6f63260fe..97fc64c1c 100644 --- a/Source/JavaScriptCore/runtime/JSTypeInfo.h +++ b/Source/JavaScriptCore/runtime/JSTypeInfo.h @@ -46,6 +46,7 @@ namespace JSC { static const unsigned OverridesVisitChildren = 1 << 7; static const unsigned OverridesGetPropertyNames = 1 << 8; static const unsigned ProhibitsPropertyCaching = 1 << 9; + static const unsigned HasImpureGetOwnPropertySlot = 1 << 10; class TypeInfo { public: @@ -54,7 +55,6 @@ namespace JSC { , m_flags(flags & 0xff) , m_flags2(flags >> 8) { - ASSERT(flags <= 0x3ff); ASSERT(static_cast<int>(type) <= 0xff); ASSERT(type >= CompoundType || !(flags & OverridesVisitChildren)); // No object that doesn't ImplementsHasInstance should override it! @@ -80,6 +80,7 @@ namespace JSC { bool overridesVisitChildren() const { return isSetOnFlags1(OverridesVisitChildren); } bool overridesGetPropertyNames() const { return isSetOnFlags2(OverridesGetPropertyNames); } bool prohibitsPropertyCaching() const { return isSetOnFlags2(ProhibitsPropertyCaching); } + bool hasImpureGetOwnPropertySlot() const { return isSetOnFlags2(HasImpureGetOwnPropertySlot); } static ptrdiff_t flagsOffset() { diff --git a/Source/JavaScriptCore/runtime/Operations.h b/Source/JavaScriptCore/runtime/Operations.h index 7301bf6ec..8e0a0a393 100644 --- a/Source/JavaScriptCore/runtime/Operations.h +++ b/Source/JavaScriptCore/runtime/Operations.h @@ -302,15 +302,18 @@ namespace JSC { #define InvalidPrototypeChain (std::numeric_limits<size_t>::max()) - inline size_t normalizePrototypeChain(CallFrame* callFrame, JSValue base, JSValue slotBase, const Identifier& propertyName, PropertyOffset& slotOffset) + inline size_t normalizePrototypeChainForChainAccess(CallFrame* callFrame, JSValue base, JSValue slotBase, const Identifier& propertyName, PropertyOffset& slotOffset) { JSCell* cell = base.asCell(); size_t count = 0; - + while (slotBase != cell) { if (cell->isProxy()) return InvalidPrototypeChain; + if (cell->structure()->typeInfo().hasImpureGetOwnPropertySlot()) + return InvalidPrototypeChain; + JSValue v = cell->structure()->prototypeForLookup(callFrame); // If we didn't find slotBase in base's prototype chain, then base @@ -328,7 +331,7 @@ namespace JSC { if (slotBase == cell) slotOffset = cell->structure()->get(callFrame->globalData(), propertyName); } - + ++count; } |