authorMark Hahnenberg <mhahnenberg@apple.com>2013-07-01 15:46:30 +0200
committerThe Qt Project <gerrit-noreply@qt-project.org>2013-07-01 16:22:37 +0200
commit86a59036393fb081f094325518205e6c6067b05e (patch)
tree4e6babf2f14af13dc4e67592d5c3e6f32e5a5e80
parent55e3e0bb1d8b1487df36219869ef5bd302b8640c (diff)
downloadqtwebkit-86a59036393fb081f094325518205e6c6067b05e.tar.gz
JSObject::getOwnNonIndexPropertyNames calculates numCacheableSlots incorrectly (2/2)
https://bugs.webkit.org/show_bug.cgi?id=114235 Reviewed by Filip Pizlo. If the object doesn't have any properties but the prototype does, we'll assume those prototype properties are accessible in the base object's backing store, which is bad. Source/JavaScriptCore: * runtime/JSObject.cpp: (JSC::JSObject::getPropertyNames): (JSC::JSObject::getOwnNonIndexPropertyNames): * runtime/PropertyNameArray.h: (JSC::PropertyNameArray::PropertyNameArray): (JSC::PropertyNameArray::setNumCacheableSlotsForObject): (JSC::PropertyNameArray::setBaseObject): (PropertyNameArray): Change-Id: If61b609438fa1d62364bac556af635413198d8ad git-svn-id: http://svn.webkit.org/repository/webkit/trunk@148142 268f45cc-cd09-0410-ab3c-d52691b4dbfc Reviewed-by: Jocelyn Turcotte <jocelyn.turcotte@digia.com>
-rw-r--r--Source/JavaScriptCore/runtime/JSObject.cpp3
-rw-r--r--Source/JavaScriptCore/runtime/PropertyNameArray.h16
2 files changed, 17 insertions, 2 deletions
diff --git a/Source/JavaScriptCore/runtime/JSObject.cpp b/Source/JavaScriptCore/runtime/JSObject.cpp
index 290a3ab16..e6f95bdfa 100644
--- a/Source/JavaScriptCore/runtime/JSObject.cpp
+++ b/Source/JavaScriptCore/runtime/JSObject.cpp
@@ -1423,6 +1423,7 @@ bool JSObject::getPropertySpecificValue(ExecState* exec, PropertyName propertyNa
void JSObject::getPropertyNames(JSObject* object, ExecState* exec, PropertyNameArray& propertyNames, EnumerationMode mode)
{
+ propertyNames.setBaseObject(object);
object->methodTable()->getOwnPropertyNames(object, exec, propertyNames, mode);
if (object->prototype().isNull())
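Review bot: The added `propertyNames.setBaseObject(object);` is the only place in this diff that records a base object, so a PropertyNameArray that reaches getOwnNonIndexPropertyNames through some other entry point keeps the constructor's null m_baseObject and its cacheable-slot count silently stays at zero. That fail-safe direction is the right one (nothing is reported as cacheable that might actually live in a prototype's backing store), but it is invisible at the call sites. A one-line comment here would make the contract explicit: `// Only the first object handed to this PropertyNameArray may report cacheable slots; prototype objects visited later are rejected by setNumCacheableSlotsForObject.` getPropertyNames continues past the end of the hunk, so whether the prototype walk re-enters this function and relies on setBaseObject being first-wins cannot be confirmed from here.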
@@ -1518,7 +1519,7 @@ void JSObject::getOwnNonIndexPropertyNames(JSObject* object, ExecState* exec, Pr
object->structure()->getPropertyNamesFromStructure(exec->globalData(), propertyNames, mode);
if (canCachePropertiesFromStructure)
- propertyNames.setNumCacheableSlots(propertyNames.size());
+ propertyNames.setNumCacheableSlotsForObject(object, propertyNames.size());
}
double JSObject::toNumber(ExecState* exec) const
diff --git a/Source/JavaScriptCore/runtime/PropertyNameArray.h b/Source/JavaScriptCore/runtime/PropertyNameArray.h
index 30f439bb2..1cdac0049 100644
--- a/Source/JavaScriptCore/runtime/PropertyNameArray.h
+++ b/Source/JavaScriptCore/runtime/PropertyNameArray.h
@@ -56,6 +56,7 @@ namespace JSC {
: m_data(PropertyNameArrayData::create())
, m_globalData(globalData)
, m_numCacheableSlots(0)
+ , m_baseObject(0)
{
}
@@ -63,6 +64,7 @@ namespace JSC {
: m_data(PropertyNameArrayData::create())
, m_globalData(&exec->globalData())
, m_numCacheableSlots(0)
+ , m_baseObject(0)
{
}
@@ -86,7 +88,18 @@ namespace JSC {
const_iterator end() const { return m_data->propertyNameVector().end(); }
size_t numCacheableSlots() const { return m_numCacheableSlots; }
- void setNumCacheableSlots(size_t numCacheableSlots) { m_numCacheableSlots = numCacheableSlots; }
+ void setNumCacheableSlotsForObject(JSObject* object, size_t numCacheableSlots)
+ {
+ if (object != m_baseObject)
+ return;
+ m_numCacheableSlots = numCacheableSlots;
+ }
+ void setBaseObject(JSObject* object)
+ {
+ if (m_baseObject)
+ return;
+ m_baseObject = object;
+ }
private:
typedef HashSet<StringImpl*, PtrHash<StringImpl*> > IdentifierSet;
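Review bot: `setNumCacheableSlotsForObject` drops a mismatched update with no signal and `setBaseObject` ignores every call after the first, yet neither method says why, so a reader who later sees numCacheableSlots stuck at zero has nothing to trace it back to these guards. A comment above setNumCacheableSlotsForObject would carry the reasoning from the commit message: `// Slots are cacheable only for the base object; names gathered from a prototype live in that prototype's backing store, not in the base object's.` Above setBaseObject, `// First caller wins, so a nested walk over the prototype chain cannot re-point the base object.` conveys the intent, though that nested-walk rationale is inferred from the first-wins shape rather than shown in this hunk. It is also worth stating beside the new m_baseObject member added in the last hunk that the pointer is held only for identity comparison and, within this file, is never dereferenced, since a raw JSObject* member otherwise raises the question of whether the collector must visit it.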
@@ -95,6 +108,7 @@ namespace JSC {
IdentifierSet m_set;
JSGlobalData* m_globalData;
size_t m_numCacheableSlots;
+ JSObject* m_baseObject;
};
} // namespace JSC