<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.1//EN"
"http://www.w3.org/TR/xhtml11/DTD/xhtml11.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head><meta http-equiv="content-type" content="text/html; charset=utf-8" />
<title>[197071] releases/WebKitGTK/webkit-2.12</title>
</head>
<body>
<style type="text/css"><!--
#msg dl.meta { border: 1px #006 solid; background: #369; padding: 6px; color: #fff; }
#msg dl.meta dt { float: left; width: 6em; font-weight: bold; }
#msg dt:after { content:':';}
#msg dl, #msg dt, #msg ul, #msg li, #header, #footer, #logmsg { font-family: verdana,arial,helvetica,sans-serif; font-size: 10pt; }
#msg dl a { font-weight: bold}
#msg dl a:link { color:#fc3; }
#msg dl a:active { color:#ff0; }
#msg dl a:visited { color:#cc6; }
h3 { font-family: verdana,arial,helvetica,sans-serif; font-size: 10pt; font-weight: bold; }
#msg pre { overflow: auto; background: #ffc; border: 1px #fa0 solid; padding: 6px; }
#logmsg { background: #ffc; border: 1px #fa0 solid; padding: 1em 1em 0 1em; }
#logmsg p, #logmsg pre, #logmsg blockquote { margin: 0 0 1em 0; }
#logmsg p, #logmsg li, #logmsg dt, #logmsg dd { line-height: 14pt; }
#logmsg h1, #logmsg h2, #logmsg h3, #logmsg h4, #logmsg h5, #logmsg h6 { margin: .5em 0; }
#logmsg h1:first-child, #logmsg h2:first-child, #logmsg h3:first-child, #logmsg h4:first-child, #logmsg h5:first-child, #logmsg h6:first-child { margin-top: 0; }
#logmsg ul, #logmsg ol { padding: 0; list-style-position: inside; margin: 0 0 0 1em; }
#logmsg ul { text-indent: -1em; padding-left: 1em; }#logmsg ol { text-indent: -1.5em; padding-left: 1.5em; }
#logmsg > ul, #logmsg > ol { margin: 0 0 1em 0; }
#logmsg pre { background: #eee; padding: 1em; }
#logmsg blockquote { border: 1px solid #fa0; border-left-width: 10px; padding: 1em 1em 0 1em; background: white;}
#logmsg dl { margin: 0; }
#logmsg dt { font-weight: bold; }
#logmsg dd { margin: 0; padding: 0 0 0.5em 0; }
#logmsg dd:before { content:'\00bb';}
#logmsg table { border-spacing: 0px; border-collapse: collapse; border-top: 4px solid #fa0; border-bottom: 1px solid #fa0; background: #fff; }
#logmsg table th { text-align: left; font-weight: normal; padding: 0.2em 0.5em; border-top: 1px dotted #fa0; }
#logmsg table td { text-align: right; border-top: 1px dotted #fa0; padding: 0.2em 0.5em; }
#logmsg table thead th { text-align: center; border-bottom: 1px solid #fa0; }
#logmsg table th.Corner { text-align: left; }
#logmsg hr { border: none 0; border-top: 2px dashed #fa0; height: 1px; }
#header, #footer { color: #fff; background: #636; border: 1px #300 solid; padding: 6px; }
#patch { width: 100%; }
#patch h4 {font-family: verdana,arial,helvetica,sans-serif;font-size:10pt;padding:8px;background:#369;color:#fff;margin:0;}
#patch .propset h4, #patch .binary h4 {margin:0;}
#patch pre {padding:0;line-height:1.2em;margin:0;}
#patch .diff {width:100%;background:#eee;padding: 0 0 10px 0;overflow:auto;}
#patch .propset .diff, #patch .binary .diff {padding:10px 0;}
#patch span {display:block;padding:0 10px;}
#patch .modfile, #patch .addfile, #patch .delfile, #patch .propset, #patch .binary, #patch .copfile {border:1px solid #ccc;margin:10px 0;}
#patch ins {background:#dfd;text-decoration:none;display:block;padding:0 10px;}
#patch del {background:#fdd;text-decoration:none;display:block;padding:0 10px;}
#patch .lines, .info {color:#888;background:#fff;}
--></style>
<div id="msg">
<dl class="meta">
<dt>Revision</dt> <dd><a href="http://trac.webkit.org/projects/webkit/changeset/197071">197071</a></dd>
<dt>Author</dt> <dd>carlosgc@webkit.org</dd>
<dt>Date</dt> <dd>2016-02-25 01:40:22 -0800 (Thu, 25 Feb 2016)</dd>
</dl>
<h3>Log Message</h3>
<pre>Merge <a href="http://trac.webkit.org/projects/webkit/changeset/196849">r196849</a> - JSObject::getPropertySlot - index-as-propertyname, override on prototype, & shadow
https://bugs.webkit.org/show_bug.cgi?id=154416
Reviewed by Geoff Garen.
Source/JavaScriptCore:
Here's the bug. Suppose you call JSObject::getOwnProperty and -
- PropertyName contains an index,
- An object on the prototype chain overrides getOwnPropertySlot, and has that index property,
- The base of the access (or another object on the prototype chain) shadows that property.
JSObject::getPropertySlot is written assuming the common case is that propertyName is not an
index, and as such walks up the prototype chain looking for non-index properties before it
tries calling parseIndex.
At the point we reach an object on the prototype chain overriding getOwnPropertySlot (which
would potentially return the property) we may have already skipped over non-overriding
objects that contain the property in index storage.
* runtime/JSObject.h:
(JSC::JSObject::getOwnNonIndexPropertySlot):
- renamed from inlineGetOwnPropertySlot to better describe behaviour;
added ASSERT guarding that this method never returns index properties -
if it ever does, this is unsafe for getPropertySlot.
(JSC::JSObject::getOwnPropertySlot):
- inlineGetOwnPropertySlot -> getOwnNonIndexPropertySlot.
(JSC::JSObject::getPropertySlot):
- In case of object overriding getOwnPropertySlot check if propertyName is an index.
(JSC::JSObject::getNonIndexPropertySlot):
- called by getPropertySlot if we encounter an object that overrides getOwnPropertySlot,
in order to avoid repeated calls to parseIndex.
(JSC::JSObject::inlineGetOwnPropertySlot): Deleted.
- this was renamed to getOwnNonIndexPropertySlot.
(JSC::JSObject::fastGetOwnPropertySlot): Deleted.
- this was folded back in to getPropertySlot.
Source/WebCore:
* testing/Internals.cpp:
(WebCore::Internals::isReadableStreamDisturbed):
- fastGetOwnPropertySlot -> getOwnPropertySlot
(internal method removed; test shouldn't really have been using this anyway)
LayoutTests:
* js/index-property-shadows-overriden-get-own-property-slot-expected.txt: Added.
* js/index-property-shadows-overriden-get-own-property-slot.html: Added.
* js/script-tests/index-property-shadows-overriden-get-own-property-slot.js: Added.
(test):
- added test case.</pre>
<h3>Modified Paths</h3>
<ul>
<li><a href="#releasesWebKitGTKwebkit212LayoutTestsChangeLog">releases/WebKitGTK/webkit-2.12/LayoutTests/ChangeLog</a></li>
<li><a href="#releasesWebKitGTKwebkit212SourceJavaScriptCoreChangeLog">releases/WebKitGTK/webkit-2.12/Source/JavaScriptCore/ChangeLog</a></li>
<li><a href="#releasesWebKitGTKwebkit212SourceJavaScriptCoreruntimeJSObjecth">releases/WebKitGTK/webkit-2.12/Source/JavaScriptCore/runtime/JSObject.h</a></li>
<li><a href="#releasesWebKitGTKwebkit212SourceWebCoreChangeLog">releases/WebKitGTK/webkit-2.12/Source/WebCore/ChangeLog</a></li>
<li><a href="#releasesWebKitGTKwebkit212SourceWebCoretestingInternalscpp">releases/WebKitGTK/webkit-2.12/Source/WebCore/testing/Internals.cpp</a></li>
</ul>
<h3>Added Paths</h3>
<ul>
<li><a href="#releasesWebKitGTKwebkit212LayoutTestsjsindexpropertyshadowsoverridengetownpropertyslotexpectedtxt">releases/WebKitGTK/webkit-2.12/LayoutTests/js/index-property-shadows-overriden-get-own-property-slot-expected.txt</a></li>
<li><a href="#releasesWebKitGTKwebkit212LayoutTestsjsindexpropertyshadowsoverridengetownpropertyslothtml">releases/WebKitGTK/webkit-2.12/LayoutTests/js/index-property-shadows-overriden-get-own-property-slot.html</a></li>
<li><a href="#releasesWebKitGTKwebkit212LayoutTestsjsscripttestsindexpropertyshadowsoverridengetownpropertyslotjs">releases/WebKitGTK/webkit-2.12/LayoutTests/js/script-tests/index-property-shadows-overriden-get-own-property-slot.js</a></li>
</ul>
</div>
<div id="patch">
<h3>Diff</h3>
<a id="releasesWebKitGTKwebkit212LayoutTestsChangeLog"></a>
<div class="modfile"><h4>Modified: releases/WebKitGTK/webkit-2.12/LayoutTests/ChangeLog (197070 => 197071)</h4>
<pre class="diff"><span>
<span class="info">--- releases/WebKitGTK/webkit-2.12/LayoutTests/ChangeLog 2016-02-25 09:16:07 UTC (rev 197070)
+++ releases/WebKitGTK/webkit-2.12/LayoutTests/ChangeLog 2016-02-25 09:40:22 UTC (rev 197071)
</span><span class="lines">@@ -1,3 +1,16 @@
</span><ins>+2016-02-18 Gavin Barraclough <barraclough@apple.com>
+
+ JSObject::getPropertySlot - index-as-propertyname, override on prototype, & shadow
+ https://bugs.webkit.org/show_bug.cgi?id=154416
+
+ Reviewed by Geoff Garen.
+
+ * js/index-property-shadows-overriden-get-own-property-slot-expected.txt: Added.
+ * js/index-property-shadows-overriden-get-own-property-slot.html: Added.
+ * js/script-tests/index-property-shadows-overriden-get-own-property-slot.js: Added.
+ (test):
+ - added test case.
+
</ins><span class="cx"> 2016-02-18 Andy Estes <aestes@apple.com>
</span><span class="cx">
</span><span class="cx"> Revert to dispatching the popstate event synchronously
</span></span></pre></div>
<a id="releasesWebKitGTKwebkit212LayoutTestsjsindexpropertyshadowsoverridengetownpropertyslotexpectedtxt"></a>
<div class="addfile"><h4>Added: releases/WebKitGTK/webkit-2.12/LayoutTests/js/index-property-shadows-overriden-get-own-property-slot-expected.txt (0 => 197071)</h4>
<pre class="diff"><span>
<span class="info">--- releases/WebKitGTK/webkit-2.12/LayoutTests/js/index-property-shadows-overriden-get-own-property-slot-expected.txt (rev 0)
+++ releases/WebKitGTK/webkit-2.12/LayoutTests/js/index-property-shadows-overriden-get-own-property-slot-expected.txt 2016-02-25 09:40:22 UTC (rev 197071)
</span><span class="lines">@@ -0,0 +1,10 @@
</span><ins>+If an object has an indexed property shadowing a property of the same name on the prototype, the correct shadowing property should be returned - even if teh property from the prototype comes from an overriden implementation of getOwPropertySlot.
+
+On success, you will see a series of "PASS" messages, followed by "TEST COMPLETE".
+
+
+PASS test("0") is "success"
+PASS successfullyParsed is true
+
+TEST COMPLETE
+
</ins></span></pre></div>
<a id="releasesWebKitGTKwebkit212LayoutTestsjsindexpropertyshadowsoverridengetownpropertyslothtml"></a>
<div class="addfile"><h4>Added: releases/WebKitGTK/webkit-2.12/LayoutTests/js/index-property-shadows-overriden-get-own-property-slot.html (0 => 197071)</h4>
<pre class="diff"><span>
<span class="info">--- releases/WebKitGTK/webkit-2.12/LayoutTests/js/index-property-shadows-overriden-get-own-property-slot.html (rev 0)
+++ releases/WebKitGTK/webkit-2.12/LayoutTests/js/index-property-shadows-overriden-get-own-property-slot.html 2016-02-25 09:40:22 UTC (rev 197071)
</span><span class="lines">@@ -0,0 +1,10 @@
</span><ins>+<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML//EN">
+<html>
+<head>
+<script src="../resources/js-test-pre.js"></script>
+</head>
+<body>
+<script src="script-tests/index-property-shadows-overriden-get-own-property-slot.js"></script>
+<script src="../resources/js-test-post.js"></script>
+</body>
+</html>
</ins></span></pre></div>
<a id="releasesWebKitGTKwebkit212LayoutTestsjsscripttestsindexpropertyshadowsoverridengetownpropertyslotjs"></a>
<div class="addfile"><h4>Added: releases/WebKitGTK/webkit-2.12/LayoutTests/js/script-tests/index-property-shadows-overriden-get-own-property-slot.js (0 => 197071)</h4>
<pre class="diff"><span>
<span class="info">--- releases/WebKitGTK/webkit-2.12/LayoutTests/js/script-tests/index-property-shadows-overriden-get-own-property-slot.js (rev 0)
+++ releases/WebKitGTK/webkit-2.12/LayoutTests/js/script-tests/index-property-shadows-overriden-get-own-property-slot.js 2016-02-25 09:40:22 UTC (rev 197071)
</span><span class="lines">@@ -0,0 +1,13 @@
</span><ins>+description(
+'If an object has an indexed property shadowing a property of the same name on the prototype, the correct shadowing property should be returned - even if teh property from the prototype comes from an overriden implementation of getOwPropertySlot.'
+);
+
+function test(x) {
+ var testObject = {
+ __proto__: new String("X"),
+ "0": "success"
+ };
+ return testObject[x];
+}
+
+shouldBe('test("0")', '"success"');
</ins></span></pre></div>
<a id="releasesWebKitGTKwebkit212SourceJavaScriptCoreChangeLog"></a>
<div class="modfile"><h4>Modified: releases/WebKitGTK/webkit-2.12/Source/JavaScriptCore/ChangeLog (197070 => 197071)</h4>
<pre class="diff"><span>
<span class="info">--- releases/WebKitGTK/webkit-2.12/Source/JavaScriptCore/ChangeLog 2016-02-25 09:16:07 UTC (rev 197070)
+++ releases/WebKitGTK/webkit-2.12/Source/JavaScriptCore/ChangeLog 2016-02-25 09:40:22 UTC (rev 197071)
</span><span class="lines">@@ -1,3 +1,40 @@
</span><ins>+2016-02-18 Gavin Barraclough <barraclough@apple.com>
+
+ JSObject::getPropertySlot - index-as-propertyname, override on prototype, & shadow
+ https://bugs.webkit.org/show_bug.cgi?id=154416
+
+ Reviewed by Geoff Garen.
+
+ Here's the bug. Suppose you call JSObject::getOwnProperty and -
+ - PropertyName contains an index,
+ - An object on the prototype chain overrides getOwnPropertySlot, and has that index property,
+ - The base of the access (or another object on the prototype chain) shadows that property.
+
+ JSObject::getPropertySlot is written assuming the common case is that propertyName is not an
+ index, and as such walks up the prototype chain looking for non-index properties before it
+ tries calling parseIndex.
+
+ At the point we reach an object on the prototype chain overriding getOwnPropertySlot (which
+ would potentially return the property) we may have already skipped over non-overriding
+ objects that contain the property in index storage.
+
+ * runtime/JSObject.h:
+ (JSC::JSObject::getOwnNonIndexPropertySlot):
+ - renamed from inlineGetOwnPropertySlot to better describe behaviour;
+ added ASSERT guarding that this method never returns index properties -
+ if it ever does, this is unsafe for getPropertySlot.
+ (JSC::JSObject::getOwnPropertySlot):
+ - inlineGetOwnPropertySlot -> getOwnNonIndexPropertySlot.
+ (JSC::JSObject::getPropertySlot):
+ - In case of object overriding getOwnPropertySlot check if propertyName is an index.
+ (JSC::JSObject::getNonIndexPropertySlot):
+ - called by getPropertySlot if we encounter an object that overrides getOwnPropertySlot,
+ in order to avoid repeated calls to parseIndex.
+ (JSC::JSObject::inlineGetOwnPropertySlot): Deleted.
+ - this was renamed to getOwnNonIndexPropertySlot.
+ (JSC::JSObject::fastGetOwnPropertySlot): Deleted.
+ - this was folded back in to getPropertySlot.
+
</ins><span class="cx"> 2016-02-19 Joseph Pecoraro <pecoraro@apple.com>
</span><span class="cx">
</span><span class="cx"> Add isJSString(JSCell*) variant to avoid Cell->JSValue->Cell conversion
</span></span></pre></div>
<a id="releasesWebKitGTKwebkit212SourceJavaScriptCoreruntimeJSObjecth"></a>
<div class="modfile"><h4>Modified: releases/WebKitGTK/webkit-2.12/Source/JavaScriptCore/runtime/JSObject.h (197070 => 197071)</h4>
<pre class="diff"><span>
<span class="info">--- releases/WebKitGTK/webkit-2.12/Source/JavaScriptCore/runtime/JSObject.h 2016-02-25 09:16:07 UTC (rev 197070)
+++ releases/WebKitGTK/webkit-2.12/Source/JavaScriptCore/runtime/JSObject.h 2016-02-25 09:40:22 UTC (rev 197071)
</span><span class="lines">@@ -113,7 +113,6 @@
</span><span class="cx"> JSValue get(ExecState*, PropertyName) const;
</span><span class="cx"> JSValue get(ExecState*, unsigned propertyName) const;
</span><span class="cx">
</span><del>- bool fastGetOwnPropertySlot(ExecState*, VM&, Structure&, PropertyName, PropertySlot&);
</del><span class="cx"> bool getPropertySlot(ExecState*, PropertyName, PropertySlot&);
</span><span class="cx"> bool getPropertySlot(ExecState*, unsigned propertyName, PropertySlot&);
</span><span class="cx">
</span><span class="lines">@@ -859,7 +858,8 @@
</span><span class="cx">
</span><span class="cx"> JS_EXPORT_PRIVATE NEVER_INLINE void putInlineSlow(ExecState*, PropertyName, JSValue, PutPropertySlot&);
</span><span class="cx">
</span><del>- bool inlineGetOwnPropertySlot(VM&, Structure&, PropertyName, PropertySlot&);
</del><ins>+ bool getNonIndexPropertySlot(ExecState*, PropertyName, PropertySlot&);
+ bool getOwnNonIndexPropertySlot(VM&, Structure&, PropertyName, PropertySlot&);
</ins><span class="cx"> JS_EXPORT_PRIVATE void fillGetterPropertySlot(PropertySlot&, JSValue, unsigned, PropertyOffset);
</span><span class="cx"> void fillCustomGetterPropertySlot(PropertySlot&, JSValue, unsigned, Structure&);
</span><span class="cx">
</span><span class="lines">@@ -1094,13 +1094,18 @@
</span><span class="cx"> return structure()->storedPrototype();
</span><span class="cx"> }
</span><span class="cx">
</span><del>-ALWAYS_INLINE bool JSObject::inlineGetOwnPropertySlot(VM& vm, Structure& structure, PropertyName propertyName, PropertySlot& slot)
</del><ins>+// It is safe to call this method with a PropertyName that is actually an index,
+// but if so will always return false (doesn't search index storage).
+ALWAYS_INLINE bool JSObject::getOwnNonIndexPropertySlot(VM& vm, Structure& structure, PropertyName propertyName, PropertySlot& slot)
</ins><span class="cx"> {
</span><span class="cx"> unsigned attributes;
</span><span class="cx"> PropertyOffset offset = structure.get(vm, propertyName, attributes);
</span><span class="cx"> if (!isValidOffset(offset))
</span><span class="cx"> return false;
</span><span class="cx">
</span><ins>+ // getPropertySlot relies on this method never returning index properties!
+ ASSERT(!parseIndex(propertyName));
+
</ins><span class="cx"> JSValue value = getDirect(offset);
</span><span class="cx"> if (value.isCell()) {
</span><span class="cx"> ASSERT(value);
</span><span class="lines">@@ -1138,20 +1143,13 @@
</span><span class="cx"> {
</span><span class="cx"> VM& vm = exec->vm();
</span><span class="cx"> Structure& structure = *object->structure(vm);
</span><del>- if (object->inlineGetOwnPropertySlot(vm, structure, propertyName, slot))
</del><ins>+ if (object->getOwnNonIndexPropertySlot(vm, structure, propertyName, slot))
</ins><span class="cx"> return true;
</span><span class="cx"> if (Optional<uint32_t> index = parseIndex(propertyName))
</span><span class="cx"> return getOwnPropertySlotByIndex(object, exec, index.value(), slot);
</span><span class="cx"> return false;
</span><span class="cx"> }
</span><span class="cx">
</span><del>-ALWAYS_INLINE bool JSObject::fastGetOwnPropertySlot(ExecState* exec, VM& vm, Structure& structure, PropertyName propertyName, PropertySlot& slot)
-{
- if (LIKELY(!TypeInfo::overridesGetOwnPropertySlot(inlineTypeFlags())))
- return inlineGetOwnPropertySlot(vm, structure, propertyName, slot);
- return structure.classInfo()->methodTable.getOwnPropertySlot(this, exec, propertyName, slot);
-}
-
</del><span class="cx"> // It may seem crazy to inline a function this large but it makes a big difference
</span><span class="cx"> // since this is function very hot in variable lookup
</span><span class="cx"> ALWAYS_INLINE bool JSObject::getPropertySlot(ExecState* exec, PropertyName propertyName, PropertySlot& slot)
</span><span class="lines">@@ -1160,8 +1158,19 @@
</span><span class="cx"> auto& structureIDTable = vm.heap.structureIDTable();
</span><span class="cx"> JSObject* object = this;
</span><span class="cx"> while (true) {
</span><ins>+ if (UNLIKELY(TypeInfo::overridesGetOwnPropertySlot(object->inlineTypeFlags()))) {
+ // If propertyName is an index then we may have missed it (as this loop is using
+ // getOwnNonIndexPropertySlot), so we cannot safely call the overridden getOwnPropertySlot
+ // (lest we return a property from a prototype that is shadowed). Check now for an index,
+ // if so we need to start afresh from this object.
+ if (Optional<uint32_t> index = parseIndex(propertyName))
+ return getPropertySlot(exec, index.value(), slot);
+ // Safe to continue searching from current position; call getNonIndexPropertySlot to avoid
+ // parsing the int again.
+ return object->getNonIndexPropertySlot(exec, propertyName, slot);
+ }
</ins><span class="cx"> Structure& structure = *structureIDTable.get(object->structureID());
</span><del>- if (object->fastGetOwnPropertySlot(exec, vm, structure, propertyName, slot))
</del><ins>+ if (object->getOwnNonIndexPropertySlot(vm, structure, propertyName, slot))
</ins><span class="cx"> return true;
</span><span class="cx"> JSValue prototype = structure.storedPrototype();
</span><span class="cx"> if (!prototype.isObject())
</span><span class="lines">@@ -1190,6 +1199,28 @@
</span><span class="cx"> }
</span><span class="cx"> }
</span><span class="cx">
</span><ins>+ALWAYS_INLINE bool JSObject::getNonIndexPropertySlot(ExecState* exec, PropertyName propertyName, PropertySlot& slot)
+{
+ // This method only supports non-index PropertyNames.
+ ASSERT(!parseIndex(propertyName));
+
+ VM& vm = exec->vm();
+ auto& structureIDTable = vm.heap.structureIDTable();
+ JSObject* object = this;
+ while (true) {
+ Structure& structure = *structureIDTable.get(object->structureID());
+ if (LIKELY(!TypeInfo::overridesGetOwnPropertySlot(object->inlineTypeFlags()))) {
+ if (object->getOwnNonIndexPropertySlot(vm, structure, propertyName, slot))
+ return true;
+ } else if (structure.classInfo()->methodTable.getOwnPropertySlot(object, exec, propertyName, slot))
+ return true;
+ JSValue prototype = structure.storedPrototype();
+ if (!prototype.isObject())
+ return false;
+ object = asObject(prototype);
+ }
+}
+
</ins><span class="cx"> inline JSValue JSObject::get(ExecState* exec, PropertyName propertyName) const
</span><span class="cx"> {
</span><span class="cx"> PropertySlot slot(this, PropertySlot::InternalMethodType::Get);
</span></span></pre></div>
<a id="releasesWebKitGTKwebkit212SourceWebCoreChangeLog"></a>
<div class="modfile"><h4>Modified: releases/WebKitGTK/webkit-2.12/Source/WebCore/ChangeLog (197070 => 197071)</h4>
<pre class="diff"><span>
<span class="info">--- releases/WebKitGTK/webkit-2.12/Source/WebCore/ChangeLog 2016-02-25 09:16:07 UTC (rev 197070)
+++ releases/WebKitGTK/webkit-2.12/Source/WebCore/ChangeLog 2016-02-25 09:40:22 UTC (rev 197071)
</span><span class="lines">@@ -1,3 +1,15 @@
</span><ins>+2016-02-18 Gavin Barraclough <barraclough@apple.com>
+
+ JSObject::getPropertySlot - index-as-propertyname, override on prototype, & shadow
+ https://bugs.webkit.org/show_bug.cgi?id=154416
+
+ Reviewed by Geoff Garen.
+
+ * testing/Internals.cpp:
+ (WebCore::Internals::isReadableStreamDisturbed):
+ - fastGetOwnPropertySlot -> getOwnPropertySlot
+ (internal method removed; test shouldn't really have been using this anyway)
+
</ins><span class="cx"> 2016-02-19 Zalan Bujtas <zalan@apple.com>
</span><span class="cx">
</span><span class="cx"> Blocked plug-in placeholder is sometimes not shown.
</span></span></pre></div>
<a id="releasesWebKitGTKwebkit212SourceWebCoretestingInternalscpp"></a>
<div class="modfile"><h4>Modified: releases/WebKitGTK/webkit-2.12/Source/WebCore/testing/Internals.cpp (197070 => 197071)</h4>
<pre class="diff"><span>
<span class="info">--- releases/WebKitGTK/webkit-2.12/Source/WebCore/testing/Internals.cpp 2016-02-25 09:16:07 UTC (rev 197070)
+++ releases/WebKitGTK/webkit-2.12/Source/WebCore/testing/Internals.cpp 2016-02-25 09:40:22 UTC (rev 197071)
</span><span class="lines">@@ -3460,7 +3460,7 @@
</span><span class="cx"> const Identifier& privateName = clientData->builtinFunctions().readableStreamInternalsBuiltins().isReadableStreamDisturbedPrivateName();
</span><span class="cx"> JSValue value;
</span><span class="cx"> PropertySlot propertySlot(value, PropertySlot::InternalMethodType::Get);
</span><del>- globalObject->fastGetOwnPropertySlot(&state, state.vm(), *globalObject->structure(), privateName, propertySlot);
</del><ins>+ globalObject->methodTable()->getOwnPropertySlot(globalObject, &state, privateName, propertySlot);
</ins><span class="cx"> value = propertySlot.getValue(&state, privateName);
</span><span class="cx"> ASSERT(value.isFunction());
</span><span class="cx">
</span></span></pre>
</div>
</div>
</body>
</html>