[webkit-reviews] review granted: [Bug 61758] Freezing a function and its prototype causes browser to crash. : [Attachment 95527] Patch

bugzilla-daemon at webkit.org
Wed Jun 1 11:05:10 PDT 2011


Geoffrey Garen <ggaren at apple.com> has granted Oliver Hunt <oliver at apple.com>'s
request for review:
Bug 61758: Freezing a function and its prototype causes browser to crash.
https://bugs.webkit.org/show_bug.cgi?id=61758

Attachment 95527: Patch
https://bugs.webkit.org/attachment.cgi?id=95527&action=review

------- Additional Comments from Geoffrey Garen <ggaren at apple.com>
View in context: https://bugs.webkit.org/attachment.cgi?id=95527&action=review

r=me

> Source/JavaScriptCore/runtime/JSFunction.cpp:193
> +    createPrototypeProperty(globalData, scope()->globalObject.get(), this);
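Review bot: the added call at JSFunction.cpp:193 carries no comment explaining why the "prototype" property has to be created eagerly at this point; a one-line note that the lazily-instantiated prototype can no longer be added once extensions are prevented (the crash in bug 61758) would make the intent clear to the next reader, and it would also help to state, or assert, that createPrototypeProperty tolerates being reached when the property already exists.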

It's kind of a shame that "no new properties" actually means "create a lot of
properties right now, and none later". In the future, I think it would be nice
to still allow host objects to lazily instantiate their properties, even though
we forbid user extension of the object.

> Source/JavaScriptCore/runtime/JSObject.cpp:520
> +    if (isExtensible())
> +	   preventExtensions(globalData);
>      setStructure(globalData, Structure::sealTransition(globalData,
m_structure.get()));
>  }
>  
>  void JSObject::freeze(JSGlobalData& globalData)
>  {
> +    if (isExtensible())
> +	   preventExtensions(globalData);
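Review bot: guarding only on isExtensible() in seal and freeze leaves the rest of each function running on objects that are already sealed or frozen; the context shows seal still calls setStructure with a fresh sealTransition afterwards, so a repeated seal or freeze performs a redundant structure transition. An early return on isSealed() in seal and isFrozen() in freeze would cover both cases and make the isExtensible() check unnecessary. Also, the `preventExtensions(globalData);` lines are indented with a tab while the surrounding code uses spaces.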

Instead of checking isExtensible() (which preventExtensions already does for
us), I think we should check isSealed() and isFrozen() in each function,
respectively, and skip the whole operation if it's been done already.
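As an added check that is not part of the patch or of this review, the script below exercises from JavaScript the observable behaviour the hunks above must preserve: freezing a function before its lazily created "prototype" property has been touched, freezing the prototype, and repeating the operation without error. The function name freezeFunctionAndPrototype is my own.

```javascript
// Added example (not WebKit code): checks ES5 freeze/seal semantics on a
// function object whose "prototype" property the engine creates lazily.
function freezeFunctionAndPrototype() {
  "use strict"; // in strict mode, writes to a non-extensible object throw
  function f() {}

  // Freeze before reading f.prototype: the engine has to materialise the
  // lazily created "prototype" property before it forbids extensions.
  Object.freeze(f);
  const hasPrototype = Object.prototype.hasOwnProperty.call(f, "prototype");
  Object.freeze(f.prototype);

  // Freezing or sealing again must be a harmless no-op.
  Object.freeze(f);
  Object.seal(f);

  let added = true;
  try { f.extra = 1; } catch (e) { added = false; }
  let protoAdded = true;
  try { f.prototype.extra = 1; } catch (e) { protoAdded = false; }

  return {
    hasPrototype,
    functionFrozen: Object.isFrozen(f),
    functionSealed: Object.isSealed(f),
    prototypeFrozen: Object.isFrozen(f.prototype),
    extensible: Object.isExtensible(f),
    added,
    protoAdded,
    lengthWritable: Object.getOwnPropertyDescriptor(f, "length").writable,
    prototypeWritable: Object.getOwnPropertyDescriptor(f, "prototype").writable,
  };
}
```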
