From 36516a4c47325bf2f5ea45f40412559fd72b02d6 Mon Sep 17 00:00:00 2001
From: Ali Mohammad Pur
Date: Fri, 1 Oct 2021 08:03:39 +0330
Subject: [PATCH] LibJS: Take a pointer in get_or_prune_cached_prototype_transition()

Prototypes can be set to null, and while the previous version also kinda allowed null (by not reading through the null reference), it was making UBSAN very sad.
---
 Userland/Libraries/LibJS/Runtime/Shape.cpp | 6 +++---
 Userland/Libraries/LibJS/Runtime/Shape.h | 2 +-
 2 files changed, 4 insertions(+), 4 deletions(-)

diff --git a/Userland/Libraries/LibJS/Runtime/Shape.cpp b/Userland/Libraries/LibJS/Runtime/Shape.cpp
index 16c345609c..a8f41db40f 100644
--- a/Userland/Libraries/LibJS/Runtime/Shape.cpp
+++ b/Userland/Libraries/LibJS/Runtime/Shape.cpp
@@ -36,9 +36,9 @@ Shape* Shape::get_or_prune_cached_forward_transition(TransitionKey const& key)
     return it->value;
 }
 
-Shape* Shape::get_or_prune_cached_prototype_transition(Object& prototype)
+Shape* Shape::get_or_prune_cached_prototype_transition(Object* prototype)
 {
-    auto it = m_prototype_transitions.find(&prototype);
+    auto it = m_prototype_transitions.find(prototype);
     if (it == m_prototype_transitions.end())
         return nullptr;
     if (!it->value) {
@@ -71,7 +71,7 @@ Shape* Shape::create_configure_transition(const StringOrSymbol& property_name, P
 
 Shape* Shape::create_prototype_transition(Object* new_prototype)
 {
-    if (auto* existing_shape = get_or_prune_cached_prototype_transition(*new_prototype))
+    if (auto* existing_shape = get_or_prune_cached_prototype_transition(new_prototype))
         return existing_shape;
     auto* new_shape = heap().allocate_without_global_object(*this, new_prototype);
     m_prototype_transitions.set(new_prototype, new_shape);
diff --git a/Userland/Libraries/LibJS/Runtime/Shape.h b/Userland/Libraries/LibJS/Runtime/Shape.h
index a7b8f4bca5..89d29394f9 100644
--- a/Userland/Libraries/LibJS/Runtime/Shape.h
+++ b/Userland/Libraries/LibJS/Runtime/Shape.h
@@ -91,7 +91,7 @@ private:
     virtual void did_become_zombie() override;
     Shape* get_or_prune_cached_forward_transition(TransitionKey const&);
-    Shape* get_or_prune_cached_prototype_transition(Object& prototype);
+    Shape* get_or_prune_cached_prototype_transition(Object* prototype);
     void ensure_property_table() const;
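Review bot: The new declaration `Shape* get_or_prune_cached_prototype_transition(Object* prototype);` now accepts a null pointer, which the commit message says is an intended input, but nothing at the declaration records that, so a later reader could reintroduce the `*new_prototype` dereference that the Shape.cpp hunk for create_prototype_transition removes. A one-line comment on the declaration would pin the contract: `// prototype may be null; a null prototype is looked up (and cached by create_prototype_transition) under a nullptr key.` The same note applies to the definition in the first Shape.cpp hunk. Whether the pruning branch (`if (!it->value) {`, whose body lies outside that hunk) behaves correctly for the nullptr key cannot be judged from this diff and is worth confirming.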