Changeset 207226 in webkit
- Timestamp:
- Oct 12, 2016 11:27:50 AM (8 years ago)
- Location:
- trunk
- Files:
- 1 added
- 3 edited
trunk/JSTests/ChangeLog
r207178 r207226 1 2016-10-12 Mark Lam <mark.lam@apple.com> 2 3 Array.prototype.slice should not modify frozen objects. 4 https://bugs.webkit.org/show_bug.cgi?id=163338 5 6 Reviewed by Filip Pizlo. 7 8 * stress/array-slice-on-frozen-object.js: Added. 9 1 10 2016-10-11 Mark Lam <mark.lam@apple.com> 2 11 -
trunk/Source/JavaScriptCore/ChangeLog
r207222 r207226 1 2016-10-12 Mark Lam <mark.lam@apple.com> 2 3 Array.prototype.slice should not modify frozen objects. 4 https://bugs.webkit.org/show_bug.cgi?id=163338 5 6 Reviewed by Filip Pizlo. 7 8 1. The ES6 spec for Array.prototype.slice 9 (https://tc39.github.io/ecma262/#sec-array.prototype.slice) states that it uses 10 the CreateDataPropertyOrThrow() 11 (https://tc39.github.io/ecma262/#sec-createdatapropertyorthrow) to add items to 12 the result array. The spec for CreateDataPropertyOrThrow states: 13 14 "This abstract operation creates a property whose attributes are set to the 15 same defaults used for properties created by the ECMAScript language assignment 16 operator. Normally, the property will not already exist. If it does exist and 17 is not configurable or if O is not extensible, [[DefineOwnProperty]] will 18 return false causing this operation to throw a TypeError exception." 19 20 2. Array.prototype.slice also uses a Set function 21 (https://tc39.github.io/ecma262/#sec-set-o-p-v-throw) to set the "length" 22 property and passes true for the Throw argument. Ultimately, it ends up 23 calling the OrdinarySet function 24 (https://tc39.github.io/ecma262/#sec-ordinaryset) that will fail if the 25 property is not writable. This failure should result in a TypeError being 26 thrown in Set. 27 28 Since the properties of frozen objects are not extensible, not configurable, 29 and not writeable, Array.prototype.slice should fail to write to the result 30 array if it is frozen. 31 32 If the source array being sliced has 1 or more elements, (1) will take effect 33 when we try to set the element in the non-writeable result obj. 34 If the source array being sliced has 0 elements, we will not set any elements and 35 (1) will not trigger. Subsequently, (2) will take effect when we will try to 36 set the length of the result obj. 
37 38 * runtime/ArrayPrototype.cpp: 39 (JSC::putLength): 40 (JSC::setLength): 41 (JSC::arrayProtoFuncSlice): 42 (JSC::arrayProtoFuncSplice): 43 1 44 2016-10-12 Filip Pizlo <fpizlo@apple.com> 2 45 -
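Review bot: the rationale in this ChangeLog entry covers only Array.prototype.slice, yet the file list names JSC::arrayProtoFuncSplice and the code diff also changes the setLength calls in splice (adding RETURN_IF_EXCEPTION and scope.release() around them). A sentence stating that splice shares setLength and therefore inherits the new TypeError path for a non-writable length, and whether a frozen-object test for splice is also wanted alongside stress/array-slice-on-frozen-object.js, would make the entry match the change.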
trunk/Source/JavaScriptCore/runtime/ArrayPrototype.cpp
r207178 r207226 164 164 } 165 165 166 static ALWAYS_INLINE voidputLength(ExecState* exec, VM& vm, JSObject* obj, JSValue value)166 static ALWAYS_INLINE bool putLength(ExecState* exec, VM& vm, JSObject* obj, JSValue value) 167 167 { 168 168 PutPropertySlot slot(obj); 169 obj->methodTable()->put(obj, exec, vm.propertyNames->length, value, slot);169 return obj->methodTable()->put(obj, exec, vm.propertyNames->length, value, slot); 170 170 } 171 171 172 172 static ALWAYS_INLINE void setLength(ExecState* exec, VM& vm, JSObject* obj, unsigned value) 173 173 { 174 if (isJSArray(obj)) 175 jsCast<JSArray*>(obj)->setLength(exec, value); 176 putLength(exec, vm, obj, jsNumber(value)); 174 auto scope = DECLARE_THROW_SCOPE(vm); 175 static const bool throwException = true; 176 if (isJSArray(obj)) { 177 jsCast<JSArray*>(obj)->setLength(exec, value, throwException); 178 RETURN_IF_EXCEPTION(scope, void()); 179 } 180 bool success = putLength(exec, vm, obj, jsNumber(value)); 181 RETURN_IF_EXCEPTION(scope, void()); 182 if (UNLIKELY(!success)) 183 throwTypeError(exec, scope, ASCIILiteral(ReadonlyPropertyWriteError)); 177 184 } 178 185 … … 875 882 RETURN_IF_EXCEPTION(scope, encodedJSValue()); 876 883 if (v) 877 result->putDirectIndex(exec, n, v); 878 } 884 result->putDirectIndex(exec, n, v, 0, PutDirectIndexShouldThrow); 885 } 886 scope.release(); 879 887 setLength(exec, vm, result, n); 880 888 return JSValue::encode(result); … … 908 916 909 917 setLength(exec, vm, result, 0); 918 RETURN_IF_EXCEPTION(scope, encodedJSValue()); 919 scope.release(); 910 920 setLength(exec, vm, thisObj, length); 911 921 return JSValue::encode(result); … … 973 983 } 974 984 985 scope.release(); 975 986 setLength(exec, vm, thisObj, length - deleteCount + additionalArgs); 976 987 return JSValue::encode(result);
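Review bot: in the arrayProtoFuncSlice hunk, `result->putDirectIndex(exec, n, v, 0, PutDirectIndexShouldThrow)` can now throw for a frozen result, but there is no RETURN_IF_EXCEPTION between that call and the closing `}` of the loop body; the pending exception is only picked up by the RETURN_IF_EXCEPTION at the top of the next iteration, and for the last element not until setLength runs with the scope already released. Adding `RETURN_IF_EXCEPTION(scope, encodedJSValue());` directly after the putDirectIndex call makes the loop exit on the first rejected write and avoids further reads with an exception pending. Minor, in the setLength hunk: `static const bool throwException = true;` exists only to name the argument, so a `constexpr bool` (or a comment on the literal) would do the same without a static.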