haikuwebkit/LayoutTests/js/index-property-shadows-over...

If an object has an indexed property shadowing a property of the same name on the prototype, the correct shadowing property should be returned - even if teh property from the prototype comes from an overriden implementation of getOwPropertySlot.

On success, you will see a series of "PASS" messages, followed by "TEST COMPLETE".


PASS test("0") is "success"
PASS successfullyParsed is true

TEST COMPLETE
JSObject::getPropertySlot - index-as-propertyname, override on prototype, & shadow https://bugs.webkit.org/show_bug.cgi?id=154416 Reviewed by Geoff Garen. Source/JavaScriptCore: Here's the bug. Suppose you call JSObject::getOwnProperty and - - PropertyName contains an index, - An object on the prototype chain overrides getOwnPropertySlot, and has that index property, - The base of the access (or another object on the prototype chain) shadows that property. JSObject::getPropertySlot is written assuming the common case is that propertyName is not an index, and as such walks up the prototype chain looking for non-index properties before it tries calling parseIndex. At the point we reach an object on the prototype chain overriding getOwnPropertySlot (which would potentially return the property) we may have already skipped over non-overriding objects that contain the property in index storage. * runtime/JSObject.h: (JSC::JSObject::getOwnNonIndexPropertySlot): - renamed from inlineGetOwnPropertySlot to better describe behaviour; added ASSERT guarding that this method never returns index properties - if it ever does, this is unsafe for getPropertySlot. (JSC::JSObject::getOwnPropertySlot): - inlineGetOwnPropertySlot -> getOwnNonIndexPropertySlot. (JSC::JSObject::getPropertySlot): - In case of object overriding getOwnPropertySlot check if propertyName is an index. (JSC::JSObject::getNonIndexPropertySlot): - called by getPropertySlot if we encounter an object that overrides getOwnPropertySlot, in order to avoid repeated calls to parseIndex. (JSC::JSObject::inlineGetOwnPropertySlot): Deleted. - this was renamed to getOwnNonIndexPropertySlot. (JSC::JSObject::fastGetOwnPropertySlot): Deleted. - this was folded back in to getPropertySlot. Source/WebCore: * testing/Internals.cpp: (WebCore::Internals::isReadableStreamDisturbed): - fastGetOwnPropertySlot -> getOwnPropertySlot (internal method removed; test shouldn't really have been using this anyway) LayoutTests: * js/index-property-shadows-overriden-get-own-property-slot-expected.txt: Added. * js/index-property-shadows-overriden-get-own-property-slot.html: Added. * js/script-tests/index-property-shadows-overriden-get-own-property-slot.js: Added. (test): - added test case. Canonical link: https://commits.webkit.org/172591@main git-svn-id: https://svn.webkit.org/repository/webkit/trunk@196849 268f45cc-cd09-0410-ab3c-d52691b4dbfc 2016-02-20 01:51:48 +00:00			`If an object has an indexed property shadowing a property of the same name on the prototype, the correct shadowing property should be returned - even if teh property from the prototype comes from an overriden implementation of getOwPropertySlot.`

			`On success, you will see a series of "PASS" messages, followed by "TEST COMPLETE".`


			`PASS test("0") is "success"`
			`PASS successfullyParsed is true`

			`TEST COMPLETE`