Changeset 185904 in webkit


Timestamp:
Jun 24, 2015, 1:14:14 AM (10 years ago)
Author:
Darin Adler
Message:

2015-06-24 Darin Adler <Darin Adler>

Fix Array.concat with RuntimeArray (regression from my last patch)

  • runtime/ArrayPrototype.cpp: (JSC::arrayProtoFuncConcat): Use getLength instead of JSArray::length.
  • runtime/JSArray.cpp: (JSC::JSArray::defineOwnProperty): Added comment about use of JSArray::length here that is incorrect (in a really non-obvious way). (JSC::JSArray::fillArgList): Ditto. (JSC::JSArray::copyToArguments): Ditto.
  • runtime/JSArray.h: Added a comment explaining that it is not always safe to use JSArray::length.
Location:
trunk/Source/JavaScriptCore
Files:
4 edited

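--- a/trunk/Source/JavaScriptCore/ChangeLog
+++ b/trunk/Source/JavaScriptCore/ChangeLog
@@ -1,2 +1,18 @@
+2015-06-24  Darin Adler  <darin@apple.com>
+
+        Fix Array.concat with RuntimeArray (regression from my last patch)
+
+        * runtime/ArrayPrototype.cpp:
+        (JSC::arrayProtoFuncConcat): Use getLength instead of JSArray::length.
+
+        * runtime/JSArray.cpp:
+        (JSC::JSArray::defineOwnProperty): Added comment about use of
+        JSArray::length here that is incorrect (in a really non-obvious way).
+        (JSC::JSArray::fillArgList): Ditto.
+        (JSC::JSArray::copyToArguments): Ditto.
+
+        * runtime/JSArray.h: Added a comment explaining that it is not always
+        safe to use JSArray::length.
+
 2015-06-23  Mark Lam  <mark.lam@apple.com>
 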
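--- a/trunk/Source/JavaScriptCore/runtime/ArrayPrototype.cpp
+++ b/trunk/Source/JavaScriptCore/runtime/ArrayPrototype.cpp
@@ -202,5 +202,5 @@
     if (isJSArray(thisObj)) {
         JSArray* array = asArray(thisObj);
-        if (array->length() == length && asArray(thisObj)->shiftCount<shiftCountMode>(exec, header, count))
+        if (array->length() == length && array->shiftCount<shiftCountMode>(exec, header, count))
             return;
     }
@@ -291,5 +291,5 @@
     ASSERT(isJSArray(thisValue));
     JSArray* thisArray = asArray(thisValue);
-    
+
     unsigned length = thisArray->length();
 
@@ -415,7 +415,10 @@
 
     for (unsigned i = 0; ; ++i) {
-        if (JSArray* currentArray = jsDynamicCast<JSArray*>(curArg))
-            finalArraySize += currentArray->length();
-        else
+        if (JSArray* currentArray = jsDynamicCast<JSArray*>(curArg)) {
+            // Can't use JSArray::length here because this might be a RuntimeArray!
+            finalArraySize += getLength(exec, currentArray);
+            if (exec->hadException())
+                return JSValue::encode(jsUndefined());
+        } else
             ++finalArraySize;
         if (i == argCount)
@@ -435,5 +438,6 @@
     for (unsigned i = 0; ; ++i) {
         if (JSArray* currentArray = jsDynamicCast<JSArray*>(curArg)) {
-            unsigned length = currentArray->length();
+            // Can't use JSArray::length here because this might be a RuntimeArray!
+            unsigned length = getLength(exec, currentArray);
             if (exec->hadException())
                 return JSValue::encode(jsUndefined());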
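Review bot: The accumulation `finalArraySize += getLength(exec, currentArray);` at new line 419 (and the `++finalArraySize` at 423) sums `unsigned` lengths with no wrap check, so several arguments whose lengths together exceed UINT_MAX silently produce a too-small `finalArraySize` while the second pass at new line 441 still iterates each array's full length; arrayProtoFuncConcat starts and ends outside the hunk, so how `finalArraySize` sizes the result is not visible here. Reading the length into a local and guarding the add, `unsigned arrayLength = getLength(exec, currentArray); if (exec->hadException()) return JSValue::encode(jsUndefined()); if (finalArraySize > UINT_MAX - arrayLength) return JSValue::encode(throwOutOfMemoryError(exec));`, closes that gap. Separately, `getLength` on a non-plain array presumably can run observable code, so the value seen in the first pass may differ from the one fetched again at new line 441; the copy loop should be bounded by the size computed in the first pass rather than trusting the second lookup.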
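--- a/trunk/Source/JavaScriptCore/runtime/JSArray.cpp
+++ b/trunk/Source/JavaScriptCore/runtime/JSArray.cpp
@@ -112,4 +112,5 @@
 
         // Based on SameValue check in 8.12.9, this is always okay.
+        // FIXME: Nothing prevents this from being called on a RuntimeArray, and the length function will always return 0 in that case.
         if (newLen == array->length()) {
             if (descriptor.writablePresent())
@@ -161,4 +162,5 @@
         // b. Reject if index >= oldLen and oldLenDesc.[[Writable]] is false.
         uint32_t index = optionalIndex.value();
+        // FIXME: Nothing prevents this from being called on a RuntimeArray, and the length function will always return 0 in that case.
         if (index >= array->length() && !array->isLengthWritable())
             return reject(exec, throwException, "Attempting to define numeric property on array with non-writable length property.");
@@ -1091,5 +1093,6 @@
         args.append(v.get());
     }
-    
+
+    // FIXME: What prevents this from being called with a RuntimeArray? The length function will always return 0 in that case.
     for (; i < length(); ++i)
         args.append(get(exec, i));
@@ -1102,5 +1105,8 @@
     unsigned vectorEnd;
     length += offset; // We like to think of the length as being our length, rather than the output length.
+
+    // FIXME: What prevents this from being called with a RuntimeArray? The length function will always return 0 in that case.
     ASSERT(length == this->length());
+
     switch (indexingType()) {
     case ArrayClass: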
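Review bot: The FIXME added before new line 165 records a defect without addressing it: if a RuntimeArray reaches defineOwnProperty, `array->length()` yields 0 (as the JSArray.h comment in this same changeset states), so `index >= array->length()` holds for every index and the definition is rejected whenever the length is non-writable; the `newLen == array->length()` test at new line 115 has the same problem, and the `ASSERT(length == this->length())` at new line 1109 is debug-only, so in release the mismatch passes silently. Unless the call sites are known to exclude RuntimeArray, these should follow the `getLength(exec, …)` plus `exec->hadException()` pattern the ArrayPrototype.cpp side of this changeset adopts (if that helper is local to ArrayPrototype.cpp it would need to be shared), or at least assert the concrete class. The enclosing functions all begin and end outside these hunks. The two "What prevents this…" comments read as open questions; stating the precondition is clearer: `// FIXME: This assumes a plain JSArray; JSArray::length() returns 0 for a RuntimeArray.`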
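--- a/trunk/Source/JavaScriptCore/runtime/JSArray.h
+++ b/trunk/Source/JavaScriptCore/runtime/JSArray.h
@@ -67,7 +67,9 @@
 
     DECLARE_EXPORT_INFO;
-    
+
+    // OK if we know this is a JSArray, but not if it could be an object of a derived class; for RuntimeArray this always returns 0.
     unsigned length() const { return getArrayLength(); }
-    // OK to use on new arrays, but not if it might be a RegExpMatchArray.
+
+    // OK to use on new arrays, but not if it might be a RegExpMatchArray or RuntimeArray.
     JS_EXPORT_PRIVATE bool setLength(ExecState*, unsigned, bool throwException = false);
 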
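Review bot: The new comment on `length()` at new line 70 says when the call is unsafe but not what to call instead, which is what a reader who lands here needs; the enclosing class declaration is outside the hunk. Suggest extending it to name the alternative this changeset itself switches to in ArrayPrototype.cpp: `// OK if we know this is a JSArray, but not if it could be an object of a derived class; for RuntimeArray this always returns 0. If the object might be a subclass, use getLength(exec, object) and check exec->hadException() afterwards.` The `setLength` comment at new line 73 has the same gap.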