Changeset 109866 in webkit

Timestamp:

Mar 5, 2012 11:23:21 PM (12 years ago)

Author:

barraclough@apple.com

Message:

putByIndex should throw in strict mode
​https://bugs.webkit.org/show_bug.cgi?id=80335

Reviewed by Filip Pizlo.

Make the MethodTable PutByIndex trap take a boolean 'shouldThrow' parameter.

Source/JavaScriptCore:

This is a largely mechanical change, simply adding an extra parameter to a number
of functions. Some call sites need perform additional exception checks, and
operationPutByValBeyondArrayBounds needs to know whether it is strict or not.

This patch doesn't fix a missing throw from some cases of shift/unshift (this is
an existing bug), I'll follow up with a third patch to handle that.

• API/JSObjectRef.cpp:

(JSObjectSetPropertyAtIndex):

• JSCTypedArrayStubs.h:

(JSC):

• dfg/DFGOperations.cpp:

(JSC::DFG::putByVal):

• dfg/DFGOperations.h:
• dfg/DFGSpeculativeJIT32_64.cpp:

(JSC::DFG::SpeculativeJIT::compile):

• dfg/DFGSpeculativeJIT64.cpp:

(JSC::DFG::SpeculativeJIT::compile):

• interpreter/Interpreter.cpp:

(JSC::Interpreter::privateExecute):

• jit/JITStubs.cpp:

(JSC::DEFINE_STUB_FUNCTION):

• jsc.cpp:

(GlobalObject::finishCreation):

• llint/LLIntSlowPaths.cpp:

(JSC::LLInt::LLINT_SLOW_PATH_DECL):

• runtime/Arguments.cpp:

(JSC::Arguments::putByIndex):

• runtime/Arguments.h:

(Arguments):

• runtime/ArrayPrototype.cpp:

(JSC::arrayProtoFuncPush):
(JSC::arrayProtoFuncReverse):
(JSC::arrayProtoFuncShift):
(JSC::arrayProtoFuncSort):
(JSC::arrayProtoFuncSplice):
(JSC::arrayProtoFuncUnShift):

• runtime/ClassInfo.h:

(MethodTable):

• runtime/JSArray.cpp:

(JSC::SparseArrayValueMap::put):
(JSC::JSArray::put):
(JSC::JSArray::putByIndex):
(JSC::JSArray::putByIndexBeyondVectorLength):
(JSC::JSArray::push):
(JSC::JSArray::shiftCount):
(JSC::JSArray::unshiftCount):

• runtime/JSArray.h:

(SparseArrayValueMap):
(JSArray):

• runtime/JSByteArray.cpp:

(JSC::JSByteArray::putByIndex):

• runtime/JSByteArray.h:

(JSByteArray):

• runtime/JSCell.cpp:

(JSC::JSCell::putByIndex):

• runtime/JSCell.h:

(JSCell):

• runtime/JSNotAnObject.cpp:

(JSC::JSNotAnObject::putByIndex):

• runtime/JSNotAnObject.h:

(JSNotAnObject):

• runtime/JSONObject.cpp:

(JSC::Walker::walk):

• runtime/JSObject.cpp:

(JSC::JSObject::putByIndex):

• runtime/JSObject.h:

(JSC::JSValue::putByIndex):

• runtime/RegExpConstructor.cpp:

(JSC::RegExpMatchesArray::fillArrayInstance):

• runtime/RegExpMatchesArray.h:

(JSC::RegExpMatchesArray::putByIndex):

• runtime/StringPrototype.cpp:

(JSC::stringProtoFuncSplit):

Source/WebCore:

• bindings/js/SerializedScriptValue.cpp:

(WebCore::CloneDeserializer::putProperty):

• bindings/objc/WebScriptObject.mm:

(-[WebScriptObject setWebScriptValueAtIndex:value:]):

• bindings/scripts/CodeGeneratorJS.pm:

(GenerateHeader):
(GenerateImplementation):

• bridge/NP_jsobject.cpp:

(_NPN_SetProperty):

• bridge/jni/jni_jsobject.mm:

(JavaJSObject::setSlot):

• bridge/runtime_array.cpp:

(JSC::RuntimeArray::putByIndex):

• bridge/runtime_array.h:

(RuntimeArray):

Source/WebKit/mac:

• Plugins/Hosted/NetscapePluginInstanceProxy.mm:

(WebKit::NetscapePluginInstanceProxy::setProperty):

Source/WebKit2:

• WebProcess/Plugins/Netscape/NPJSObject.cpp:

(WebKit::NPJSObject::setProperty):

LayoutTests:

• fast/js/Object-defineProperty-expected.txt:
• fast/js/mozilla/strict/15.4.4.12-expected.txt:
• fast/js/mozilla/strict/15.4.4.13-expected.txt:
• fast/js/mozilla/strict/15.4.4.8-expected.txt:
• fast/js/mozilla/strict/15.4.4.9-expected.txt:
• fast/js/mozilla/strict/15.5.5.2-expected.txt:
• fast/js/mozilla/strict/8.12.5-expected.txt:
• fast/js/preventExtensions-expected.txt:
• fast/js/primitive-property-access-edge-cases-expected.txt:
  • Checking in passing test results.
• fast/js/script-tests/Object-defineProperty.js:
  • Added test cases for putting to numeric properties where property is read-only, length is read-only, or property is accessor with missing set function.
• fast/js/script-tests/preventExtensions.js:
  • Added test case, putting numeric property to non-extensible array.
• fast/js/script-tests/primitive-property-access-edge-cases.js:
  • Enabled test cases for putting numeric properties to primitive strings.

Location:

trunk

Files:

• LayoutTests/ChangeLog (modified) (1 diff)
• LayoutTests/fast/js/Object-defineProperty-expected.txt (modified) (1 diff)
• LayoutTests/fast/js/mozilla/strict/15.4.4.12-expected.txt (modified) (1 diff)
• LayoutTests/fast/js/mozilla/strict/15.4.4.13-expected.txt (modified) (1 diff)
• LayoutTests/fast/js/mozilla/strict/15.4.4.8-expected.txt (modified) (1 diff)
• LayoutTests/fast/js/mozilla/strict/15.4.4.9-expected.txt (modified) (1 diff)
• LayoutTests/fast/js/mozilla/strict/15.5.5.2-expected.txt (modified) (1 diff)
• LayoutTests/fast/js/mozilla/strict/8.12.5-expected.txt (modified) (2 diffs)
• LayoutTests/fast/js/preventExtensions-expected.txt (modified) (1 diff)
• LayoutTests/fast/js/primitive-property-access-edge-cases-expected.txt (modified) (2 diffs)
• LayoutTests/fast/js/script-tests/Object-defineProperty.js (modified) (1 diff)
• LayoutTests/fast/js/script-tests/preventExtensions.js (modified) (1 diff)
• LayoutTests/fast/js/script-tests/primitive-property-access-edge-cases.js (modified) (2 diffs)
• Source/JavaScriptCore/API/JSObjectRef.cpp (modified) (1 diff)
• Source/JavaScriptCore/ChangeLog (modified) (1 diff)
• Source/JavaScriptCore/JSCTypedArrayStubs.h (modified) (1 diff)
• Source/JavaScriptCore/dfg/DFGOperations.cpp (modified) (3 diffs)
• Source/JavaScriptCore/dfg/DFGOperations.h (modified) (1 diff)
• Source/JavaScriptCore/dfg/DFGSpeculativeJIT32_64.cpp (modified) (1 diff)
• Source/JavaScriptCore/dfg/DFGSpeculativeJIT64.cpp (modified) (1 diff)
• Source/JavaScriptCore/interpreter/Interpreter.cpp (modified) (1 diff)
• Source/JavaScriptCore/jit/JITStubs.cpp (modified) (1 diff)
• Source/JavaScriptCore/jsc.cpp (modified) (1 diff)
• Source/JavaScriptCore/llint/LLIntSlowPaths.cpp (modified) (1 diff)
• Source/JavaScriptCore/runtime/Arguments.cpp (modified) (2 diffs)
• Source/JavaScriptCore/runtime/Arguments.h (modified) (1 diff)
• Source/JavaScriptCore/runtime/ArrayPrototype.cpp (modified) (8 diffs)
• Source/JavaScriptCore/runtime/ClassInfo.h (modified) (1 diff)
• Source/JavaScriptCore/runtime/JSArray.cpp (modified) (14 diffs)
• Source/JavaScriptCore/runtime/JSArray.h (modified) (3 diffs)
• Source/JavaScriptCore/runtime/JSByteArray.cpp (modified) (1 diff)
• Source/JavaScriptCore/runtime/JSByteArray.h (modified) (1 diff)
• Source/JavaScriptCore/runtime/JSCell.cpp (modified) (1 diff)
• Source/JavaScriptCore/runtime/JSCell.h (modified) (1 diff)
• Source/JavaScriptCore/runtime/JSNotAnObject.cpp (modified) (1 diff)
• Source/JavaScriptCore/runtime/JSNotAnObject.h (modified) (1 diff)
• Source/JavaScriptCore/runtime/JSONObject.cpp (modified) (1 diff)
• Source/JavaScriptCore/runtime/JSObject.cpp (modified) (1 diff)
• Source/JavaScriptCore/runtime/JSObject.h (modified) (2 diffs)
• Source/JavaScriptCore/runtime/RegExpConstructor.cpp (modified) (1 diff)
• Source/JavaScriptCore/runtime/RegExpMatchesArray.h (modified) (1 diff)
• Source/JavaScriptCore/runtime/StringPrototype.cpp (modified) (9 diffs)
• Source/WebCore/ChangeLog (modified) (1 diff)
• Source/WebCore/bindings/js/SerializedScriptValue.cpp (modified) (1 diff)
• Source/WebCore/bindings/objc/WebScriptObject.mm (modified) (1 diff)
• Source/WebCore/bindings/scripts/CodeGeneratorJS.pm (modified) (2 diffs)
• Source/WebCore/bindings/scripts/test/JS/JSFloat64Array.cpp (modified) (1 diff)
• Source/WebCore/bindings/scripts/test/JS/JSFloat64Array.h (modified) (1 diff)
• Source/WebCore/bridge/NP_jsobject.cpp (modified) (1 diff)
• Source/WebCore/bridge/jni/jni_jsobject.mm (modified) (1 diff)
• Source/WebCore/bridge/runtime_array.cpp (modified) (1 diff)
• Source/WebCore/bridge/runtime_array.h (modified) (1 diff)
• Source/WebKit/mac/ChangeLog (modified) (1 diff)
• Source/WebKit/mac/Plugins/Hosted/NetscapePluginInstanceProxy.mm (modified) (1 diff)
• Source/WebKit2/ChangeLog (modified) (1 diff)
• Source/WebKit2/WebProcess/Plugins/Netscape/NPJSObject.cpp (modified) (1 diff)

trunk/LayoutTests/ChangeLog

@@ +1 @@
+2012-03-05  Gavin Barraclough  <barraclough@apple.com>
+
+        putByIndex should throw in strict mode
+        https://bugs.webkit.org/show_bug.cgi?id=80335
+
+        Reviewed by Filip Pizlo.
+
+        Make the MethodTable PutByIndex trap take a boolean 'shouldThrow' parameter.
+
+        * fast/js/Object-defineProperty-expected.txt:
+        * fast/js/mozilla/strict/15.4.4.12-expected.txt:
+        * fast/js/mozilla/strict/15.4.4.13-expected.txt:
+        * fast/js/mozilla/strict/15.4.4.8-expected.txt:
+        * fast/js/mozilla/strict/15.4.4.9-expected.txt:
+        * fast/js/mozilla/strict/15.5.5.2-expected.txt:
+        * fast/js/mozilla/strict/8.12.5-expected.txt:
+        * fast/js/preventExtensions-expected.txt:
+        * fast/js/primitive-property-access-edge-cases-expected.txt:
+            - Checking in passing test results.
+        * fast/js/script-tests/Object-defineProperty.js:
+            - Added test cases for putting to numeric properties where property is read-only,
+              length is read-only, or property is accessor with missing set function.
+        * fast/js/script-tests/preventExtensions.js:
+            - Added test case, putting numeric property to non-extensible array.
+        * fast/js/script-tests/primitive-property-access-edge-cases.js:
+            - Enabled test cases for putting numeric properties to primitive strings.
+
 2012-03-05  Adrienne Walker  <enne@google.com>
 

trunk/LayoutTests/fast/js/Object-defineProperty-expected.txt

@@ -120 +120 @@
 PASS Object.getOwnPropertyDescriptor(Object.defineProperty(Object.defineProperty({}, 'foo', {get: function() { return false; }, configurable: true}), 'foo', {value:false, writable: false}), 'foo').writable is false
 PASS Object.getOwnPropertyDescriptor(Object.defineProperty(Object.defineProperty({}, 'foo', {get: function() { return false; }, configurable: true}), 'foo', {value:false, writable: true}), 'foo').writable is true
+PASS var a = Object.defineProperty([], 'length', {writable: false}); a[0] = 42; 0 in a; is false
+PASS 'use strict'; var a = Object.defineProperty([], 'length', {writable: false}); a[0] = 42; 0 in a; threw exception TypeError: Attempted to assign to readonly property..
+PASS var a = Object.defineProperty([42], '0', {writable: false}); a[0] = false; a[0]; is 42
+PASS 'use strict'; var a = Object.defineProperty([42], '0', {writable: false}); a[0] = false; a[0]; threw exception TypeError: Attempted to assign to readonly property..
+PASS var a = Object.defineProperty([], '0', {set: undefined}); a[0] = 42; a[0]; is undefined.
+PASS 'use strict'; var a = Object.defineProperty([], '0', {set: undefined}); a[0] = 42; a[0]; threw exception TypeError: Attempted to assign to readonly property..
 PASS successfullyParsed is true
 

trunk/LayoutTests/fast/js/mozilla/strict/15.4.4.12-expected.txt

@@ -2 +2 @@
 FAIL var a = arr(); [a.splice(0, 1), a] should throw an instance of TypeError
 PASS true === true
-FAIL 'use strict'; var o = obj(); [Array.prototype.splice.call(o, 0, 1), o] should throw an instance of TypeError
-FAIL var o = obj(); [Array.prototype.splice.call(o, 0, 1), o] should throw an instance of TypeError
+PASS 'use strict'; var o = obj(); [Array.prototype.splice.call(o, 0, 1), o] threw exception of type TypeError.
+PASS var o = obj(); [Array.prototype.splice.call(o, 0, 1), o] threw exception of type TypeError.
 PASS true === true
 FAIL 'use strict'; var a = agap(); [a.splice(0, 1), a] should throw an instance of TypeError

trunk/LayoutTests/fast/js/mozilla/strict/15.4.4.13-expected.txt

@@ -2 +2 @@
 FAIL var a = arr(); [a.unshift(40, 50), a] should throw an instance of TypeError
 PASS true === true
-FAIL 'use strict'; var o = obj(); [Array.prototype.unshift.call(o, 40, 50), o] should throw an instance of TypeError
-FAIL var o = obj(); [Array.prototype.unshift.call(o, 40, 50), o] should throw an instance of TypeError
+PASS 'use strict'; var o = obj(); [Array.prototype.unshift.call(o, 40, 50), o] threw exception of type TypeError.
+PASS var o = obj(); [Array.prototype.unshift.call(o, 40, 50), o] threw exception of type TypeError.
 PASS true === true
 FAIL 'use strict'; var a = agap(); [a.unshift(9), a] should throw an instance of TypeError

trunk/LayoutTests/fast/js/mozilla/strict/15.4.4.8-expected.txt

@@ -1 @@
-FAIL 'use strict'; var a = arr(); a.reverse() should throw an instance of TypeError
-FAIL var a = arr(); a.reverse() should throw an instance of TypeError
+PASS 'use strict'; var a = arr(); a.reverse() threw exception of type TypeError.
+PASS var a = arr(); a.reverse() threw exception of type TypeError.
 PASS true === true
-FAIL 'use strict'; var o = obj(); Array.prototype.reverse.call(o) should throw an instance of TypeError
-FAIL var o = obj(); Array.prototype.reverse.call(o) should throw an instance of TypeError
+PASS 'use strict'; var o = obj(); Array.prototype.reverse.call(o) threw exception of type TypeError.
+PASS var o = obj(); Array.prototype.reverse.call(o) threw exception of type TypeError.
 PASS true === true
 FAIL 'use strict'; var a = agap(); a.reverse() should throw an instance of TypeError

trunk/LayoutTests/fast/js/mozilla/strict/15.4.4.9-expected.txt

@@ -2 +2 @@
 FAIL var a = arr(); [a.shift(), a] should throw an instance of TypeError
 PASS true === true
-FAIL 'use strict'; var o = obj(); [Array.prototype.shift.call(o), o] should throw an instance of TypeError
-FAIL var o = obj(); [Array.prototype.shift.call(o), o] should throw an instance of TypeError
+PASS 'use strict'; var o = obj(); [Array.prototype.shift.call(o), o] threw exception of type TypeError.
+PASS var o = obj(); [Array.prototype.shift.call(o), o] threw exception of type TypeError.
 PASS true === true
 FAIL 'use strict'; var a = agap(); [a.shift(), a] should throw an instance of TypeError

trunk/LayoutTests/fast/js/mozilla/strict/15.5.5.2-expected.txt

@@ -1 @@
-FAIL 'use strict'; "foo"[0] = 1 should throw an instance of TypeError
+PASS 'use strict'; "foo"[0] = 1 threw exception of type TypeError.
 PASS "foo"[0] = 1 is 1
 PASS true === true

trunk/LayoutTests/fast/js/mozilla/strict/8.12.5-expected.txt

@@ -26 +26 @@
 PASS var a = arr(); a[0] = 2; a[0] is 2
 PASS true === true
-FAIL 'use strict'; var a = arr(); a[1] = 2; a[1] should throw an instance of TypeError
+PASS 'use strict'; var a = arr(); a[1] = 2; a[1] threw exception of type TypeError.
 PASS var a = arr(); a[1] = 2; a[1] is 1
 PASS true === true
@@ -32 +32 @@
 PASS var a = arr(); a[2] = 2; a[2] is 2
 PASS true === true
-FAIL 'use strict'; var a = arr(); a[3] = 2; a[3] should throw an instance of TypeError
+PASS 'use strict'; var a = arr(); a[3] = 2; a[3] threw exception of type TypeError.
 PASS var a = arr(); a[3] = 2; a[3] is 1
 PASS true === true
-FAIL 'use strict'; arr()[1]++ should throw an instance of TypeError
+PASS 'use strict'; arr()[1]++ threw exception of type TypeError.
 PASS arr()[1]++ is 1
 PASS true === true
-FAIL 'use strict'; ++arr()[1] should throw an instance of TypeError
+PASS 'use strict'; ++arr()[1] threw exception of type TypeError.
 PASS ++arr()[1] is 2
 PASS true === true
-FAIL 'use strict'; arr()[1]-- should throw an instance of TypeError
+PASS 'use strict'; arr()[1]-- threw exception of type TypeError.
 PASS arr()[1]-- is 1
 PASS true === true
-FAIL 'use strict'; --arr()[1] should throw an instance of TypeError
+PASS 'use strict'; --arr()[1] threw exception of type TypeError.
 PASS --arr()[1] is 0
 PASS true === true

trunk/LayoutTests/fast/js/preventExtensions-expected.txt

@@ -17 +17 @@
 PASS var arr = Object.preventExtensions([]); arr[0] = 42; arr[0] is undefined.
 PASS var arr = Object.preventExtensions([]); arr[0] = 42; arr.length is 0
+PASS "use strict"; var arr = Object.preventExtensions([]); arr[0] = 42; arr[0] threw exception TypeError: Attempted to assign to readonly property..
 PASS obj.foo is 1
 PASS array[0] is 0

trunk/LayoutTests/fast/js/primitive-property-access-edge-cases-expected.txt

@@ -38 +38 @@
 PASS checkNumericGetStrict(true, Boolean) is true
 PASS checkNumericSetStrict(1, Number) is true
+PASS checkNumericSetStrict('hello', String) is true
 PASS checkNumericSetStrict(true, Boolean) is true
 PASS checkNumericRead(1, Number) is true
@@ -49 +50 @@
 PASS checkNumericReadStrict(true, Boolean) is true
 PASS checkNumericWriteStrict(1, Number) threw exception TypeError: Attempted to assign to readonly property..
+PASS checkNumericWriteStrict('hello', String) threw exception TypeError: Attempted to assign to readonly property..
 PASS checkNumericWriteStrict(true, Boolean) threw exception TypeError: Attempted to assign to readonly property..
 PASS didNotCrash is true

trunk/LayoutTests/fast/js/script-tests/Object-defineProperty.js

@@ -172 +172 @@
 shouldBeFalse("Object.getOwnPropertyDescriptor(Object.defineProperty(Object.defineProperty({}, 'foo', {get: function() { return false; }, configurable: true}), 'foo', {value:false, writable: false}), 'foo').writable");
 shouldBeTrue("Object.getOwnPropertyDescriptor(Object.defineProperty(Object.defineProperty({}, 'foo', {get: function() { return false; }, configurable: true}), 'foo', {value:false, writable: true}), 'foo').writable");
+
+// If array length is read-only, [[Put]] should fail.
+shouldBeFalse("var a = Object.defineProperty([], 'length', {writable: false}); a[0] = 42; 0 in a;");
+shouldThrow("'use strict'; var a = Object.defineProperty([], 'length', {writable: false}); a[0] = 42; 0 in a;");
+
+// If array property is read-only, [[Put]] should fail.
+shouldBe("var a = Object.defineProperty([42], '0', {writable: false}); a[0] = false; a[0];", '42');
+shouldThrow("'use strict'; var a = Object.defineProperty([42], '0', {writable: false}); a[0] = false; a[0];");
+
+// If array property is an undefined setter, [[Put]] should fail.
+shouldBeUndefined("var a = Object.defineProperty([], '0', {set: undefined}); a[0] = 42; a[0];");
+shouldThrow("'use strict'; var a = Object.defineProperty([], '0', {set: undefined}); a[0] = 42; a[0];");

trunk/LayoutTests/fast/js/script-tests/preventExtensions.js

@@ -79 +79 @@
 shouldBeUndefined('var arr = Object.preventExtensions([]); arr[0] = 42; arr[0]');
 shouldBe('var arr = Object.preventExtensions([]); arr[0] = 42; arr.length', '0');
+// In strict mode, this throws.
+shouldThrow('"use strict"; var arr = Object.preventExtensions([]); arr[0] = 42; arr[0]');
 
 // A read-only property on the prototype should prevent a [[Put]] .

trunk/LayoutTests/fast/js/script-tests/primitive-property-access-edge-cases.js

@@ -173 +173 @@
 shouldBeTrue("checkNumericGetStrict(true, Boolean)");
 shouldBeTrue("checkNumericSetStrict(1, Number)");
-//shouldBeTrue("checkNumericSetStrict('hello', String)"); // FIXME: https://bugs.webkit.org/show_bug.cgi?id=80335
+shouldBeTrue("checkNumericSetStrict('hello', String)");
 shouldBeTrue("checkNumericSetStrict(true, Boolean)");
 
@@ -210 +210 @@
 shouldBeTrue("checkNumericReadStrict(true, Boolean)");
 shouldThrow("checkNumericWriteStrict(1, Number)");
-//shouldThrow("checkNumericWriteStrict('hello', String)"); // FIXME: https://bugs.webkit.org/show_bug.cgi?id=80335
+shouldThrow("checkNumericWriteStrict('hello', String)");
 shouldThrow("checkNumericWriteStrict(true, Boolean)");
 

trunk/Source/JavaScriptCore/API/JSObjectRef.cpp

@@ -313 +313 @@
     JSValue jsValue = toJS(exec, value);
     
-    jsObject->methodTable()->putByIndex(jsObject, exec, propertyIndex, jsValue);
+    jsObject->methodTable()->putByIndex(jsObject, exec, propertyIndex, jsValue, false);
     if (exec->hadException()) {
         if (exception)

trunk/Source/JavaScriptCore/ChangeLog

@@ +1 @@
+2012-03-05  Gavin Barraclough  <barraclough@apple.com>
+
+        putByIndex should throw in strict mode
+        https://bugs.webkit.org/show_bug.cgi?id=80335
+
+        Reviewed by Filip Pizlo.
+
+        Make the MethodTable PutByIndex trap take a boolean 'shouldThrow' parameter.
+
+        This is a largely mechanical change, simply adding an extra parameter to a number
+        of functions. Some call sites need perform additional exception checks, and
+        operationPutByValBeyondArrayBounds needs to know whether it is strict or not.
+
+        This patch doesn't fix a missing throw from some cases of shift/unshift (this is
+        an existing bug), I'll follow up with a third patch to handle that.
+
+        * API/JSObjectRef.cpp:
+        (JSObjectSetPropertyAtIndex):
+        * JSCTypedArrayStubs.h:
+        (JSC):
+        * dfg/DFGOperations.cpp:
+        (JSC::DFG::putByVal):
+        * dfg/DFGOperations.h:
+        * dfg/DFGSpeculativeJIT32_64.cpp:
+        (JSC::DFG::SpeculativeJIT::compile):
+        * dfg/DFGSpeculativeJIT64.cpp:
+        (JSC::DFG::SpeculativeJIT::compile):
+        * interpreter/Interpreter.cpp:
+        (JSC::Interpreter::privateExecute):
+        * jit/JITStubs.cpp:
+        (JSC::DEFINE_STUB_FUNCTION):
+        * jsc.cpp:
+        (GlobalObject::finishCreation):
+        * llint/LLIntSlowPaths.cpp:
+        (JSC::LLInt::LLINT_SLOW_PATH_DECL):
+        * runtime/Arguments.cpp:
+        (JSC::Arguments::putByIndex):
+        * runtime/Arguments.h:
+        (Arguments):
+        * runtime/ArrayPrototype.cpp:
+        (JSC::arrayProtoFuncPush):
+        (JSC::arrayProtoFuncReverse):
+        (JSC::arrayProtoFuncShift):
+        (JSC::arrayProtoFuncSort):
+        (JSC::arrayProtoFuncSplice):
+        (JSC::arrayProtoFuncUnShift):
+        * runtime/ClassInfo.h:
+        (MethodTable):
+        * runtime/JSArray.cpp:
+        (JSC::SparseArrayValueMap::put):
+        (JSC::JSArray::put):
+        (JSC::JSArray::putByIndex):
+        (JSC::JSArray::putByIndexBeyondVectorLength):
+        (JSC::JSArray::push):
+        (JSC::JSArray::shiftCount):
+        (JSC::JSArray::unshiftCount):
+        * runtime/JSArray.h:
+        (SparseArrayValueMap):
+        (JSArray):
+        * runtime/JSByteArray.cpp:
+        (JSC::JSByteArray::putByIndex):
+        * runtime/JSByteArray.h:
+        (JSByteArray):
+        * runtime/JSCell.cpp:
+        (JSC::JSCell::putByIndex):
+        * runtime/JSCell.h:
+        (JSCell):
+        * runtime/JSNotAnObject.cpp:
+        (JSC::JSNotAnObject::putByIndex):
+        * runtime/JSNotAnObject.h:
+        (JSNotAnObject):
+        * runtime/JSONObject.cpp:
+        (JSC::Walker::walk):
+        * runtime/JSObject.cpp:
+        (JSC::JSObject::putByIndex):
+        * runtime/JSObject.h:
+        (JSC::JSValue::putByIndex):
+        * runtime/RegExpConstructor.cpp:
+        (JSC::RegExpMatchesArray::fillArrayInstance):
+        * runtime/RegExpMatchesArray.h:
+        (JSC::RegExpMatchesArray::putByIndex):
+        * runtime/StringPrototype.cpp:
+        (JSC::stringProtoFuncSplit):
+
 2012-03-05  Yuqiang Xian  <yuqiang.xian@intel.com>
 

trunk/Source/JavaScriptCore/JSCTypedArrayStubs.h

@@ -152 +152 @@
 }\
 \
-void JS##name##Array::putByIndex(JSCell* cell, ExecState* exec, unsigned propertyName, JSValue value)\
+void JS##name##Array::putByIndex(JSCell* cell, ExecState* exec, unsigned propertyName, JSValue value, bool)\
 {\
     JS##name##Array* thisObject = jsCast<JS##name##Array*>(cell);\

trunk/Source/JavaScriptCore/dfg/DFGOperations.cpp

@@ -159 +159 @@
         }
 
-        JSArray::putByIndex(array, exec, index, value);
+        JSArray::putByIndex(array, exec, index, value, strict);
         return;
     }
@@ -475 +475 @@
 }
 
-void DFG_OPERATION operationPutByValBeyondArrayBounds(ExecState* exec, JSArray* array, int32_t index, EncodedJSValue encodedValue)
+void DFG_OPERATION operationPutByValBeyondArrayBoundsStrict(ExecState* exec, JSArray* array, int32_t index, EncodedJSValue encodedValue)
 {
     JSGlobalData* globalData = &exec->globalData();
@@ -482 +482 @@
     // We should only get here if index is outside the existing vector.
     ASSERT(!array->canSetIndex(index));
-    JSArray::putByIndex(array, exec, index, JSValue::decode(encodedValue));
+    JSArray::putByIndex(array, exec, index, JSValue::decode(encodedValue), true);
+}
+
+void DFG_OPERATION operationPutByValBeyondArrayBoundsNonStrict(ExecState* exec, JSArray* array, int32_t index, EncodedJSValue encodedValue)
+{
+    JSGlobalData* globalData = &exec->globalData();
+    NativeCallFrameTracer tracer(globalData, exec);
+    
+    // We should only get here if index is outside the existing vector.
+    ASSERT(!array->canSetIndex(index));
+    JSArray::putByIndex(array, exec, index, JSValue::decode(encodedValue), false);
 }
 

trunk/Source/JavaScriptCore/dfg/DFGOperations.h

@@ -120 +120 @@
 void DFG_OPERATION operationPutByValCellStrict(ExecState*, JSCell*, EncodedJSValue encodedProperty, EncodedJSValue encodedValue);
 void DFG_OPERATION operationPutByValCellNonStrict(ExecState*, JSCell*, EncodedJSValue encodedProperty, EncodedJSValue encodedValue);
-void DFG_OPERATION operationPutByValBeyondArrayBounds(ExecState*, JSArray*, int32_t index, EncodedJSValue encodedValue);
+void DFG_OPERATION operationPutByValBeyondArrayBoundsStrict(ExecState*, JSArray*, int32_t index, EncodedJSValue encodedValue);
+void DFG_OPERATION operationPutByValBeyondArrayBoundsNonStrict(ExecState*, JSArray*, int32_t index, EncodedJSValue encodedValue);
 EncodedJSValue DFG_OPERATION operationArrayPush(ExecState*, EncodedJSValue encodedValue, JSArray*);
 EncodedJSValue DFG_OPERATION operationArrayPop(ExecState*, JSArray*);

trunk/Source/JavaScriptCore/dfg/DFGSpeculativeJIT32_64.cpp

@@ -2380 +2380 @@
         // Code to handle put beyond array bounds.
         silentSpillAllRegisters(scratchReg);
-        callOperation(operationPutByValBeyondArrayBounds, baseReg, propertyReg, valueTagReg, valuePayloadReg);
+        callOperation(m_jit.codeBlock()->isStrictMode() ? operationPutByValBeyondArrayBoundsStrict : operationPutByValBeyondArrayBoundsNonStrict, baseReg, propertyReg, valueTagReg, valuePayloadReg);
         silentFillAllRegisters(scratchReg);
         JITCompiler::Jump wasBeyondArrayBounds = m_jit.jump();

trunk/Source/JavaScriptCore/dfg/DFGSpeculativeJIT64.cpp

@@ -2426 +2426 @@
         // Code to handle put beyond array bounds.
         silentSpillAllRegisters(scratchReg);
-        callOperation(operationPutByValBeyondArrayBounds, baseReg, propertyReg, valueReg);
+        callOperation(m_jit.codeBlock()->isStrictMode() ? operationPutByValBeyondArrayBoundsStrict : operationPutByValBeyondArrayBoundsNonStrict, baseReg, propertyReg, valueReg);
         silentFillAllRegisters(scratchReg);
         JITCompiler::Jump wasBeyondArrayBounds = m_jit.jump();

trunk/Source/JavaScriptCore/interpreter/Interpreter.cpp

@@ -3778 +3778 @@
                     jsArray->setIndex(*globalData, i, callFrame->r(value).jsValue());
                 else
-                    jsArray->JSArray::putByIndex(jsArray, callFrame, i, callFrame->r(value).jsValue());
+                    jsArray->JSArray::putByIndex(jsArray, callFrame, i, callFrame->r(value).jsValue(), codeBlock->isStrictMode());
             } else if (isJSByteArray(baseValue) && asByteArray(baseValue)->canAccessIndex(i)) {
                 JSByteArray* jsByteArray = asByteArray(baseValue);

trunk/Source/JavaScriptCore/jit/JITStubs.cpp

@@ -2554 +2554 @@
                 jsArray->setIndex(*globalData, i, value);
             else
-                JSArray::putByIndex(jsArray, callFrame, i, value);
+                JSArray::putByIndex(jsArray, callFrame, i, value, callFrame->codeBlock()->isStrictMode());
         } else if (isJSByteArray(baseValue) && asByteArray(baseValue)->canAccessIndex(i)) {
             JSByteArray* jsByteArray = asByteArray(baseValue);

trunk/Source/JavaScriptCore/jsc.cpp

@@ -207 +207 @@
 #endif
 
-        JSObject* array = constructEmptyArray(globalExec());
+        JSArray* array = constructEmptyArray(globalExec());
         for (size_t i = 0; i < arguments.size(); ++i)
-            array->methodTable()->putByIndex(array, globalExec(), i, jsString(globalExec(), arguments[i]));
+            array->putDirectIndex(globalExec(), i, jsString(globalExec(), arguments[i]), false);
         putDirect(globalData, Identifier(globalExec(), "arguments"), array);
     }

trunk/Source/JavaScriptCore/llint/LLIntSlowPaths.cpp

@@ -1045 +1045 @@
                 jsArray->setIndex(globalData, i, value);
             else
-                JSArray::putByIndex(jsArray, exec, i, value);
+                JSArray::putByIndex(jsArray, exec, i, value, exec->codeBlock()->isStrictMode());
             LLINT_END();
         }

trunk/Source/JavaScriptCore/runtime/Arguments.cpp

@@ -197 +197 @@
 }
 
-void Arguments::putByIndex(JSCell* cell, ExecState* exec, unsigned i, JSValue value)
+void Arguments::putByIndex(JSCell* cell, ExecState* exec, unsigned i, JSValue value, bool shouldThrow)
 {
     Arguments* thisObject = jsCast<Arguments*>(cell);
@@ -205 +205 @@
     }
 
-    PutPropertySlot slot;
+    PutPropertySlot slot(shouldThrow);
     JSObject::put(thisObject, exec, Identifier(exec, UString::number(i)), value, slot);
 }

trunk/Source/JavaScriptCore/runtime/Arguments.h

@@ -115 +115 @@
         static void getOwnPropertyNames(JSObject*, ExecState*, PropertyNameArray&, EnumerationMode);
         static void put(JSCell*, ExecState*, const Identifier& propertyName, JSValue, PutPropertySlot&);
-        static void putByIndex(JSCell*, ExecState*, unsigned propertyName, JSValue);
+        static void putByIndex(JSCell*, ExecState*, unsigned propertyName, JSValue, bool shouldThrow);
         static bool deleteProperty(JSCell*, ExecState*, const Identifier& propertyName);
         static bool deletePropertyByIndex(JSCell*, ExecState*, unsigned propertyName);

trunk/Source/JavaScriptCore/runtime/ArrayPrototype.cpp

@@ -427 +427 @@
         // Check for integer overflow; where safe we can do a fast put by index.
         if (length + n >= length)
-            thisObj->methodTable()->putByIndex(thisObj, exec, length + n, exec->argument(n));
+            thisObj->methodTable()->putByIndex(thisObj, exec, length + n, exec->argument(n), true);
         else {
             PutPropertySlot slot;
@@ -433 +433 @@
             thisObj->methodTable()->put(thisObj, exec, propertyName, exec->argument(n), slot);
         }
+        if (exec->hadException())
+            return JSValue::encode(jsUndefined());
     }
     JSValue newLength(static_cast<int64_t>(length) + static_cast<int64_t>(exec->argumentCount()));
@@ -457 +459 @@
 
         if (obj2)
-            thisObj->methodTable()->putByIndex(thisObj, exec, k, obj2);
+            thisObj->methodTable()->putByIndex(thisObj, exec, k, obj2, true);
         else
             thisObj->methodTable()->deletePropertyByIndex(thisObj, exec, k);
+        if (exec->hadException())
+            return JSValue::encode(jsUndefined());
 
         if (obj)
-            thisObj->methodTable()->putByIndex(thisObj, exec, lk1, obj);
+            thisObj->methodTable()->putByIndex(thisObj, exec, lk1, obj, true);
         else
             thisObj->methodTable()->deletePropertyByIndex(thisObj, exec, lk1);
+        if (exec->hadException())
+            return JSValue::encode(jsUndefined());
     }
     return JSValue::encode(thisObj);
@@ -490 +496 @@
                     return JSValue::encode(jsUndefined());
                 if (obj)
-                    thisObj->methodTable()->putByIndex(thisObj, exec, k - 1, obj);
+                    thisObj->methodTable()->putByIndex(thisObj, exec, k - 1, obj, true);
                 else
                     thisObj->methodTable()->deletePropertyByIndex(thisObj, exec, k - 1);
+                if (exec->hadException())
+                    return JSValue::encode(jsUndefined());
             }
             thisObj->methodTable()->deletePropertyByIndex(thisObj, exec, length - 1);
@@ -581 +589 @@
         // Swap themin and i
         if (themin > i) {
-            thisObj->methodTable()->putByIndex(thisObj, exec, i, minObj);
-            thisObj->methodTable()->putByIndex(thisObj, exec, themin, iObj);
+            thisObj->methodTable()->putByIndex(thisObj, exec, i, minObj, true);
+            if (exec->hadException())
+                return JSValue::encode(jsUndefined());
+            thisObj->methodTable()->putByIndex(thisObj, exec, themin, iObj, true);
+            if (exec->hadException())
+                return JSValue::encode(jsUndefined());
         }
     }
@@ -638 +650 @@
                         return JSValue::encode(jsUndefined());
                     if (v)
-                        thisObj->methodTable()->putByIndex(thisObj, exec, k + additionalArgs, v);
+                        thisObj->methodTable()->putByIndex(thisObj, exec, k + additionalArgs, v, true);
                     else
                         thisObj->methodTable()->deletePropertyByIndex(thisObj, exec, k + additionalArgs);
+                    if (exec->hadException())
+                        return JSValue::encode(jsUndefined());
                 }
                 for (unsigned k = length; k > length - deleteCount + additionalArgs; --k)
@@ -654 +668 @@
                         return JSValue::encode(jsUndefined());
                     if (obj)
-                        thisObj->methodTable()->putByIndex(thisObj, exec, k + additionalArgs - 1, obj);
+                        thisObj->methodTable()->putByIndex(thisObj, exec, k + additionalArgs - 1, obj, true);
                     else
                         thisObj->methodTable()->deletePropertyByIndex(thisObj, exec, k + additionalArgs - 1);
+                    if (exec->hadException())
+                        return JSValue::encode(jsUndefined());
                 }
             }
         }
     }
-    for (unsigned k = 0; k < additionalArgs; ++k)
-        thisObj->methodTable()->putByIndex(thisObj, exec, k + begin, exec->argument(k + 2));
+    for (unsigned k = 0; k < additionalArgs; ++k) {
+        thisObj->methodTable()->putByIndex(thisObj, exec, k + begin, exec->argument(k + 2), true);
+        if (exec->hadException())
+            return JSValue::encode(jsUndefined());
+    }
 
     putProperty(exec, thisObj, exec->propertyNames().length, jsNumber(length - deleteCount + additionalArgs));
@@ -687 +706 @@
                     return JSValue::encode(jsUndefined());
                 if (v)
-                    thisObj->methodTable()->putByIndex(thisObj, exec, k + nrArgs - 1, v);
+                    thisObj->methodTable()->putByIndex(thisObj, exec, k + nrArgs - 1, v, true);
                 else
                     thisObj->methodTable()->deletePropertyByIndex(thisObj, exec, k + nrArgs - 1);
+                if (exec->hadException())
+                    return JSValue::encode(jsUndefined());
             }
         }
     }
-    for (unsigned k = 0; k < nrArgs; ++k)
-        thisObj->methodTable()->putByIndex(thisObj, exec, k, exec->argument(k));
+    for (unsigned k = 0; k < nrArgs; ++k) {
+        thisObj->methodTable()->putByIndex(thisObj, exec, k, exec->argument(k), true);
+        if (exec->hadException())
+            return JSValue::encode(jsUndefined());
+    }
     JSValue result = jsNumber(length + nrArgs);
     putProperty(exec, thisObj, exec->propertyNames().length, result);

trunk/Source/JavaScriptCore/runtime/ClassInfo.h

@@ -49 +49 @@
         PutFunctionPtr put;
 
-        typedef void (*PutByIndexFunctionPtr)(JSCell*, ExecState*, unsigned propertyName, JSValue);
+        typedef void (*PutByIndexFunctionPtr)(JSCell*, ExecState*, unsigned propertyName, JSValue, bool shouldThrow);
         PutByIndexFunctionPtr putByIndex;
 

trunk/Source/JavaScriptCore/runtime/JSArray.cpp

@@ -208 +208 @@
 }
 
-inline void SparseArrayValueMap::put(ExecState* exec, JSArray* array, unsigned i, JSValue value)
+inline void SparseArrayValueMap::put(ExecState* exec, JSArray* array, unsigned i, JSValue value, bool shouldThrow)
 {
     std::pair<SparseArrayValueMap::iterator, bool> result = add(array, i);
@@ -218 +218 @@
     if (result.second && !array->isExtensible()) {
         remove(result.first);
-        // FIXME: should throw in strict mode.
+        if (shouldThrow)
+            throwTypeError(exec, StrictModeReadonlyPropertyWriteError);
         return;
     }
@@ -224 +225 @@
     if (!(entry.attributes & Accessor)) {
         if (entry.attributes & ReadOnly) {
-            // FIXME: should throw if being called from strict mode.
-            // throwTypeError(exec, StrictModeReadonlyPropertyWriteError);
+            if (shouldThrow)
+                throwTypeError(exec, StrictModeReadonlyPropertyWriteError);
             return;
         }
@@ -238 +239 @@
     
     if (!setter) {
-        // FIXME: should throw if being called from strict mode.
-        // throwTypeError(exec, "setting a property that has only a getter");
+        if (shouldThrow)
+            throwTypeError(exec, StrictModeReadonlyPropertyWriteError);
         return;
     }
@@ -726 +727 @@
     unsigned i = propertyName.toArrayIndex(isArrayIndex);
     if (isArrayIndex) {
-        putByIndex(thisObject, exec, i, value);
+        putByIndex(thisObject, exec, i, value, slot.isStrictMode());
         return;
     }
@@ -743 +744 @@
 }
 
-void JSArray::putByIndex(JSCell* cell, ExecState* exec, unsigned i, JSValue value)
+void JSArray::putByIndex(JSCell* cell, ExecState* exec, unsigned i, JSValue value, bool shouldThrow)
 {
     JSArray* thisObject = jsCast<JSArray*>(cell);
@@ -770 +771 @@
     // Handle 2^32-1 - this is not an array index (see ES5.1 15.4), and is treated as a regular property.
     if (UNLIKELY(i > MAX_ARRAY_INDEX)) {
-        PutPropertySlot slot;
+        PutPropertySlot slot(shouldThrow);
         thisObject->methodTable()->put(thisObject, exec, Identifier::from(exec, i), value, slot);
         return;
@@ -776 +777 @@
 
     // For all other cases, call putByIndexBeyondVectorLength.
-    thisObject->putByIndexBeyondVectorLength(exec, i, value);
+    thisObject->putByIndexBeyondVectorLength(exec, i, value, shouldThrow);
     thisObject->checkConsistency();
 }
 
-void JSArray::putByIndexBeyondVectorLength(ExecState* exec, unsigned i, JSValue value)
+void JSArray::putByIndexBeyondVectorLength(ExecState* exec, unsigned i, JSValue value, bool shouldThrow)
 {
     JSGlobalData& globalData = exec->globalData();
@@ -811 +812 @@
         allocateSparseMap(exec->globalData());
         map = m_sparseValueMap;
-        map->put(exec, this, i, value);
+        map->put(exec, this, i, value, shouldThrow);
         return;
     }
@@ -820 +821 @@
         // Prohibit growing the array if length is not writable.
         if (map->lengthIsReadOnly() || !isExtensible()) {
-            // FIXME: should throw in strict mode.
+            if (shouldThrow)
+                throwTypeError(exec, StrictModeReadonlyPropertyWriteError);
             return;
         }
@@ -831 +833 @@
     unsigned numValuesInArray = storage->m_numValuesInVector + map->size();
     if (map->sparseMode() || !isDenseEnoughForVector(length, numValuesInArray) || !increaseVectorLength(exec->globalData(), length)) {
-        map->put(exec, this, i, value);
+        map->put(exec, this, i, value, shouldThrow);
         return;
     }
@@ -1296 +1298 @@
     // Pushing to an array of length 2^32-1 stores the property, but throws a range error.
     if (UNLIKELY(storage->m_length == 0xFFFFFFFFu)) {
-        methodTable()->putByIndex(this, exec, storage->m_length, value);
+        methodTable()->putByIndex(this, exec, storage->m_length, value, true);
         // Per ES5.1 15.4.4.7 step 6 & 15.4.5.1 step 3.d.
-        throwError(exec, createRangeError(exec, "Invalid array length"));
+        if (!exec->hadException())
+            throwError(exec, createRangeError(exec, "Invalid array length"));
         return;
     }
 
     // Handled the same as putIndex.
-    putByIndexBeyondVectorLength(exec, storage->m_length, value);
+    putByIndexBeyondVectorLength(exec, storage->m_length, value, true);
     checkConsistency();
 }
@@ -1328 +1331 @@
                 JSValue p = prototype();
                 if ((!p.isNull()) && (asObject(p)->getPropertySlot(exec, i, slot)))
-                    methodTable()->putByIndex(this, exec, i, slot.getValue(exec, i));
+                    methodTable()->putByIndex(this, exec, i, slot.getValue(exec, i), false); // FIXME https://bugs.webkit.org/show_bug.cgi?id=80335
             }
         }
@@ -1373 +1376 @@
                 JSValue p = prototype();
                 if ((!p.isNull()) && (asObject(p)->getPropertySlot(exec, i, slot)))
-                    methodTable()->putByIndex(this, exec, i, slot.getValue(exec, i));
+                    methodTable()->putByIndex(this, exec, i, slot.getValue(exec, i), false); // FIXME https://bugs.webkit.org/show_bug.cgi?id=80335
             }
         }

trunk/Source/JavaScriptCore/runtime/JSArray.h

@@ -86 +86 @@
 
         // These methods may mutate the contents of the map
-        void put(ExecState*, JSArray*, unsigned, JSValue);
+        void put(ExecState*, JSArray*, unsigned, JSValue, bool shouldThrow);
         bool putDirect(ExecState*, JSArray*, unsigned, JSValue, bool shouldThrow);
         std::pair<iterator, bool> add(JSArray*, unsigned);
@@ -161 +161 @@
         JS_EXPORT_PRIVATE static bool getOwnPropertySlotByIndex(JSCell*, ExecState*, unsigned propertyName, PropertySlot&);
         static bool getOwnPropertyDescriptor(JSObject*, ExecState*, const Identifier&, PropertyDescriptor&);
-        static void putByIndex(JSCell*, ExecState*, unsigned propertyName, JSValue);
+        static void putByIndex(JSCell*, ExecState*, unsigned propertyName, JSValue, bool shouldThrow);
         // This is similar to the JSObject::putDirect* methods:
         //  - the prototype chain is not consulted
@@ -296 +296 @@
 
         bool getOwnPropertySlotSlowCase(ExecState*, unsigned propertyName, PropertySlot&);
-        void putByIndexBeyondVectorLength(ExecState*, unsigned propertyName, JSValue);
-        bool putDirectIndexBeyondVectorLength(ExecState*, unsigned propertyName, JSValue, bool shouldThrow);
+        void putByIndexBeyondVectorLength(ExecState*, unsigned propertyName, JSValue, bool shouldThrow);
+        JS_EXPORT_PRIVATE bool putDirectIndexBeyondVectorLength(ExecState*, unsigned propertyName, JSValue, bool shouldThrow);
 
         unsigned getNewVectorLength(unsigned desiredLength);

trunk/Source/JavaScriptCore/runtime/JSByteArray.cpp

@@ -103 +103 @@
 }
 
-void JSByteArray::putByIndex(JSCell* cell, ExecState* exec, unsigned propertyName, JSValue value)
+void JSByteArray::putByIndex(JSCell* cell, ExecState* exec, unsigned propertyName, JSValue value, bool)
 {
     jsCast<JSByteArray*>(cell)->setIndex(exec, propertyName, value);

trunk/Source/JavaScriptCore/runtime/JSByteArray.h

@@ -93 +93 @@
         JS_EXPORT_PRIVATE static bool getOwnPropertyDescriptor(JSObject*, ExecState*, const Identifier&, PropertyDescriptor&);
         JS_EXPORT_PRIVATE static void put(JSC::JSCell*, JSC::ExecState*, const JSC::Identifier& propertyName, JSC::JSValue, JSC::PutPropertySlot&);
-        JS_EXPORT_PRIVATE static void putByIndex(JSC::JSCell*, JSC::ExecState*, unsigned propertyName, JSC::JSValue);
+        JS_EXPORT_PRIVATE static void putByIndex(JSC::JSCell*, JSC::ExecState*, unsigned propertyName, JSC::JSValue, bool shouldThrow);
 
         JS_EXPORT_PRIVATE static void getOwnPropertyNames(JSC::JSObject*, JSC::ExecState*, JSC::PropertyNameArray&, EnumerationMode);

trunk/Source/JavaScriptCore/runtime/JSCell.cpp

@@ -106 +106 @@
 }
 
-void JSCell::putByIndex(JSCell* cell, ExecState* exec, unsigned identifier, JSValue value)
-{
-    JSObject* thisObject = cell->toObject(exec, exec->lexicalGlobalObject());
-    thisObject->methodTable()->putByIndex(thisObject, exec, identifier, value);
+void JSCell::putByIndex(JSCell* cell, ExecState* exec, unsigned identifier, JSValue value, bool shouldThrow)
+{
+    if (cell->isString()) {
+        PutPropertySlot slot(shouldThrow);
+        JSValue(cell).putToPrimitive(exec, Identifier::from(exec, identifier), value, slot);
+        return;
+    }
+    JSObject* thisObject = cell->toObject(exec, exec->lexicalGlobalObject());
+    thisObject->methodTable()->putByIndex(thisObject, exec, identifier, value, shouldThrow);
 }
 

trunk/Source/JavaScriptCore/runtime/JSCell.h

@@ -108 +108 @@
         const MethodTable* methodTable() const;
         static void put(JSCell*, ExecState*, const Identifier& propertyName, JSValue, PutPropertySlot&);
-        static void putByIndex(JSCell*, ExecState*, unsigned propertyName, JSValue);
+        static void putByIndex(JSCell*, ExecState*, unsigned propertyName, JSValue, bool shouldThrow);
         
         static bool deleteProperty(JSCell*, ExecState*, const Identifier& propertyName);

trunk/Source/JavaScriptCore/runtime/JSNotAnObject.cpp

@@ -71 +71 @@
 }
 
-void JSNotAnObject::putByIndex(JSCell*, ExecState* exec, unsigned, JSValue)
+void JSNotAnObject::putByIndex(JSCell*, ExecState* exec, unsigned, JSValue, bool)
 {
     ASSERT_UNUSED(exec, exec->hadException());

trunk/Source/JavaScriptCore/runtime/JSNotAnObject.h

@@ -74 +74 @@
 
         static void put(JSCell*, ExecState*, const Identifier& propertyName, JSValue, PutPropertySlot&);
-        static void putByIndex(JSCell*, ExecState*, unsigned propertyName, JSValue);
+        static void putByIndex(JSCell*, ExecState*, unsigned propertyName, JSValue, bool shouldThrow);
 
         static bool deleteProperty(JSCell*, ExecState*, const Identifier& propertyName);

trunk/Source/JavaScriptCore/runtime/JSONObject.cpp

@@ -705 +705 @@
                 if (filteredValue.isUndefined())
                     array->methodTable()->deletePropertyByIndex(array, m_exec, indexStack.last());
-                else {
-                    if (isJSArray(array) && array->canSetIndex(indexStack.last()))
-                        array->setIndex(m_exec->globalData(), indexStack.last(), filteredValue);
-                    else
-                        array->methodTable()->putByIndex(array, m_exec, indexStack.last(), filteredValue);
-                }
+                else
+                    array->putDirectIndex(m_exec, indexStack.last(), filteredValue, false);
                 if (m_exec->hadException())
                     return jsNull();

trunk/Source/JavaScriptCore/runtime/JSObject.cpp

@@ -186 +186 @@
 }
 
-void JSObject::putByIndex(JSCell* cell, ExecState* exec, unsigned propertyName, JSValue value)
-{
-    PutPropertySlot slot;
+void JSObject::putByIndex(JSCell* cell, ExecState* exec, unsigned propertyName, JSValue value, bool shouldThrow)
+{
+    PutPropertySlot slot(shouldThrow);
     JSObject* thisObject = jsCast<JSObject*>(cell);
     thisObject->methodTable()->put(thisObject, exec, Identifier::from(exec, propertyName), value, slot);

trunk/Source/JavaScriptCore/runtime/JSObject.h

@@ -110 +110 @@
 
         JS_EXPORT_PRIVATE static void put(JSCell*, ExecState*, const Identifier& propertyName, JSValue, PutPropertySlot&);
-        JS_EXPORT_PRIVATE static void putByIndex(JSCell*, ExecState*, unsigned propertyName, JSValue);
+        JS_EXPORT_PRIVATE static void putByIndex(JSCell*, ExecState*, unsigned propertyName, JSValue, bool shouldThrow);
 
         // putDirect is effectively an unchecked vesion of 'defineOwnProperty':
@@ -848 +848 @@
         return;
     }
-    asCell()->methodTable()->putByIndex(asCell(), exec, propertyName, value);
+    asCell()->methodTable()->putByIndex(asCell(), exec, propertyName, value, shouldThrow);
 }
 

trunk/Source/JavaScriptCore/runtime/RegExpConstructor.cpp

@@ -154 +154 @@
         int start = m_regExpResult.ovector[2 * i];
         if (start >= 0)
-            JSArray::putByIndex(this, exec, i, jsSubstring(exec, m_regExpResult.input, start, m_regExpResult.ovector[2 * i + 1] - start));
+            putDirectIndex(exec, i, jsSubstring(exec, m_regExpResult.input, start, m_regExpResult.ovector[2 * i + 1] - start), false);
         else
-            JSArray::putByIndex(this, exec, i, jsUndefined());
+            putDirectIndex(exec, i, jsUndefined(), false);
     }
 

trunk/Source/JavaScriptCore/runtime/RegExpMatchesArray.h

@@ -83 +83 @@
         }
         
-        static void putByIndex(JSCell* cell, ExecState* exec, unsigned propertyName, JSValue v)
+        static void putByIndex(JSCell* cell, ExecState* exec, unsigned propertyName, JSValue v, bool shouldThrow)
         {
             RegExpMatchesArray* thisObject = jsCast<RegExpMatchesArray*>(cell);
             if (!thisObject->m_didFillArrayInstance)
                 thisObject->fillArrayInstance(exec);
-            JSArray::putByIndex(thisObject, exec, propertyName, v);
+            JSArray::putByIndex(thisObject, exec, propertyName, v, shouldThrow);
         }
 

trunk/Source/JavaScriptCore/runtime/StringPrototype.cpp

@@ -949 +949 @@
             // a. Call the [[DefineOwnProperty]] internal method of A with arguments "0",
             //    Property Descriptor {[[Value]]: S, [[Writable]]: true, [[Enumerable]]: true, [[Configurable]]: true}, and false.
-            result->methodTable()->putByIndex(result, exec, 0, jsStringWithReuse(exec, thisValue, input));
+            result->putDirectIndex(exec, 0, jsStringWithReuse(exec, thisValue, input), false);
             // b. Return A.
             return JSValue::encode(result);
@@ -962 +962 @@
             // d. Return A.
             if (reg->match(*globalData, input, 0) < 0)
-                result->methodTable()->putByIndex(result, exec, 0, jsStringWithReuse(exec, thisValue, input));
+                result->putDirectIndex(exec, 0, jsStringWithReuse(exec, thisValue, input), false);
             return JSValue::encode(result);
         }
@@ -993 +993 @@
             // 2. Call the [[DefineOwnProperty]] internal method of A with arguments ToString(lengthA),
             //    Property Descriptor {[[Value]]: T, [[Writable]]: true, [[Enumerable]]: true, [[Configurable]]: true}, and false.
-            result->methodTable()->putByIndex(result, exec, resultLength, jsSubstring(exec, input, position, matchPosition - position));
+            result->putDirectIndex(exec, resultLength, jsSubstring(exec, input, position, matchPosition - position), false);
             // 3. Increment lengthA by 1.
             // 4. If lengthA == lim, return A.
@@ -1012 +1012 @@
                 //   true, [[Enumerable]]: true, [[Configurable]]: true}, and false.
                 int sub = ovector[i * 2];
-                result->methodTable()->putByIndex(result, exec, resultLength, sub < 0 ? jsUndefined() : jsSubstring(exec, input, sub, ovector[i * 2 + 1] - sub));
+                result->putDirectIndex(exec, resultLength, sub < 0 ? jsUndefined() : jsSubstring(exec, input, sub, ovector[i * 2 + 1] - sub), false);
                 // c Increment lengthA by 1.
                 // d If lengthA == lim, return A.
@@ -1031 +1031 @@
             // a.  Call the [[DefineOwnProperty]] internal method of A with arguments "0",
             //     Property Descriptor {[[Value]]: S, [[Writable]]: true, [[Enumerable]]: true, [[Configurable]]: true}, and false.
-            result->methodTable()->putByIndex(result, exec, 0, jsStringWithReuse(exec, thisValue, input));
+            result->putDirectIndex(exec, 0, jsStringWithReuse(exec, thisValue, input), false);
             // b.  Return A.
             return JSValue::encode(result);
@@ -1044 +1044 @@
             // d. Return A.
             if (!separator.isEmpty())
-                result->methodTable()->putByIndex(result, exec, 0, jsStringWithReuse(exec, thisValue, input));
+                result->putDirectIndex(exec, 0, jsStringWithReuse(exec, thisValue, input), false);
             return JSValue::encode(result);
         }
@@ -1055 +1055 @@
 
             do {
-                result->methodTable()->putByIndex(result, exec, position, jsSingleCharacterSubstring(exec, input, position));
+                result->putDirectIndex(exec, position, jsSingleCharacterSubstring(exec, input, position), false);
             } while (++position < limit);
 
@@ -1072 +1072 @@
             // 2. Call the [[DefineOwnProperty]] internal method of A with arguments ToString(lengthA),
             //    Property Descriptor {[[Value]]: T, [[Writable]]: true, [[Enumerable]]: true, [[Configurable]]: true}, and false.
-            result->methodTable()->putByIndex(result, exec, resultLength, jsSubstring(exec, input, position, matchPosition - position));
+            result->putDirectIndex(exec, resultLength, jsSubstring(exec, input, position, matchPosition - position), false);
             // 3. Increment lengthA by 1.
             // 4. If lengthA == lim, return A.
@@ -1088 +1088 @@
     // 15. Call the [[DefineOwnProperty]] internal method of A with arguments ToString(lengthA), Property Descriptor
     //     {[[Value]]: T, [[Writable]]: true, [[Enumerable]]: true, [[Configurable]]: true}, and false.
-    result->methodTable()->putByIndex(result, exec, resultLength++, jsSubstring(exec, input, position, input.length() - position));
+    result->putDirectIndex(exec, resultLength++, jsSubstring(exec, input, position, input.length() - position), false);
 
     // 16. Return A.

trunk/Source/WebCore/ChangeLog

@@ +1 @@
+2012-03-05  Gavin Barraclough  <barraclough@apple.com>
+
+        putByIndex should throw in strict mode
+        https://bugs.webkit.org/show_bug.cgi?id=80335
+
+        Reviewed by Filip Pizlo.
+
+        Make the MethodTable PutByIndex trap take a boolean 'shouldThrow' parameter.
+
+        * bindings/js/SerializedScriptValue.cpp:
+        (WebCore::CloneDeserializer::putProperty):
+        * bindings/objc/WebScriptObject.mm:
+        (-[WebScriptObject setWebScriptValueAtIndex:value:]):
+        * bindings/scripts/CodeGeneratorJS.pm:
+        (GenerateHeader):
+        (GenerateImplementation):
+        * bridge/NP_jsobject.cpp:
+        (_NPN_SetProperty):
+        * bridge/jni/jni_jsobject.mm:
+        (JavaJSObject::setSlot):
+        * bridge/runtime_array.cpp:
+        (JSC::RuntimeArray::putByIndex):
+        * bridge/runtime_array.h:
+        (RuntimeArray):
+
 2012-03-05  Shinya Kawanaka  <shinyak@chromium.org>
 

trunk/Source/WebCore/bindings/js/SerializedScriptValue.cpp

@@ -1233 +1233 @@
     void putProperty(JSArray* array, unsigned index, JSValue value)
     {
-        if (array->canSetIndex(index))
-            array->setIndex(m_exec->globalData(), index, value);
-        else
-            array->methodTable()->putByIndex(array, m_exec, index, value);
+        array->putDirectIndex(m_exec, index, value, false);
     }
 

trunk/Source/WebCore/bindings/objc/WebScriptObject.mm

@@ -487 +487 @@
 
     JSLock lock(SilenceAssertionsOnly);
-    [self _imp]->methodTable()->putByIndex([self _imp], exec, index, convertObjcValueToValue(exec, &value, ObjcObjectType, [self _rootObject]));
+    [self _imp]->methodTable()->putByIndex([self _imp], exec, index, convertObjcValueToValue(exec, &value, ObjcObjectType, [self _rootObject]), false);
 
     if (exec->hadException()) {

trunk/Source/WebCore/bindings/scripts/CodeGeneratorJS.pm

@@ -777 +777 @@
     if ($hasSetter) {
         push(@headerContent, "    static void put(JSC::JSCell*, JSC::ExecState*, const JSC::Identifier& propertyName, JSC::JSValue, JSC::PutPropertySlot&);\n");
-        push(@headerContent, "    static void putByIndex(JSC::JSCell*, JSC::ExecState*, unsigned propertyName, JSC::JSValue);\n") if $dataNode->extendedAttributes->{"CustomIndexedSetter"};
+        push(@headerContent, "    static void putByIndex(JSC::JSCell*, JSC::ExecState*, unsigned propertyName, JSC::JSValue, bool shouldThrow);\n") if $dataNode->extendedAttributes->{"CustomIndexedSetter"};
         push(@headerContent, "    bool putDelegate(JSC::ExecState*, const JSC::Identifier&, JSC::JSValue, JSC::PutPropertySlot&);\n") if $dataNode->extendedAttributes->{"CustomNamedSetter"};
     }
@@ -1856 +1856 @@
 
             if ($dataNode->extendedAttributes->{"CustomIndexedSetter"}) {
-                push(@implContent, "void ${className}::putByIndex(JSCell* cell, ExecState* exec, unsigned propertyName, JSValue value)\n");
+                push(@implContent, "void ${className}::putByIndex(JSCell* cell, ExecState* exec, unsigned propertyName, JSValue value, bool)\n");
                 push(@implContent, "{\n");
                 push(@implContent, "    ${className}* thisObject = jsCast<${className}*>(cell);\n");

trunk/Source/WebCore/bindings/scripts/test/JS/JSFloat64Array.cpp

@@ -201 +201 @@
 }
 
-void JSFloat64Array::putByIndex(JSCell* cell, ExecState* exec, unsigned propertyName, JSValue value)
+void JSFloat64Array::putByIndex(JSCell* cell, ExecState* exec, unsigned propertyName, JSValue value, bool)
 {
     JSFloat64Array* thisObject = jsCast<JSFloat64Array*>(cell);

trunk/Source/WebCore/bindings/scripts/test/JS/JSFloat64Array.h

@@ -44 +44 @@
     static bool getOwnPropertySlotByIndex(JSC::JSCell*, JSC::ExecState*, unsigned propertyName, JSC::PropertySlot&);
     static void put(JSC::JSCell*, JSC::ExecState*, const JSC::Identifier& propertyName, JSC::JSValue, JSC::PutPropertySlot&);
-    static void putByIndex(JSC::JSCell*, JSC::ExecState*, unsigned propertyName, JSC::JSValue);
+    static void putByIndex(JSC::JSCell*, JSC::ExecState*, unsigned propertyName, JSC::JSValue, bool shouldThrow);
     static const JSC::ClassInfo s_info;
 

trunk/Source/WebCore/bridge/NP_jsobject.cpp

@@ -340 +340 @@
             obj->imp->methodTable()->put(obj->imp, exec, identifierFromNPIdentifier(exec, i->string()), convertNPVariantToValue(exec, variant, rootObject), slot);
         } else
-            obj->imp->methodTable()->putByIndex(obj->imp, exec, i->number(), convertNPVariantToValue(exec, variant, rootObject));
+            obj->imp->methodTable()->putByIndex(obj->imp, exec, i->number(), convertNPVariantToValue(exec, variant, rootObject), false);
         exec->clearException();
         return true;

trunk/Source/WebCore/bridge/jni/jni_jsobject.mm

@@ -394 +394 @@
     ExecState* exec = rootObject->globalObject()->globalExec();
     JSLock lock(SilenceAssertionsOnly);
-    _imp->methodTable()->putByIndex(_imp, exec, (unsigned)index, convertJObjectToValue(exec, value));
+    _imp->methodTable()->putByIndex(_imp, exec, (unsigned)index, convertJObjectToValue(exec, value), false);
 }
 

trunk/Source/WebCore/bridge/runtime_array.cpp

@@ -158 +158 @@
 }
 
-void RuntimeArray::putByIndex(JSCell* cell, ExecState* exec, unsigned index, JSValue value)
+void RuntimeArray::putByIndex(JSCell* cell, ExecState* exec, unsigned index, JSValue value, bool)
 {
     RuntimeArray* thisObject = jsCast<RuntimeArray*>(cell);

trunk/Source/WebCore/bridge/runtime_array.h

@@ -56 +56 @@
     static bool getOwnPropertyDescriptor(JSObject*, ExecState*, const Identifier&, PropertyDescriptor&);
     static void put(JSCell*, ExecState*, const Identifier& propertyName, JSValue, PutPropertySlot&);
-    static void putByIndex(JSCell*, ExecState*, unsigned propertyName, JSValue);
+    static void putByIndex(JSCell*, ExecState*, unsigned propertyName, JSValue, bool shouldThrow);
     
     static bool deleteProperty(JSCell*, ExecState*, const Identifier &propertyName);

trunk/Source/WebKit/mac/ChangeLog

@@ +1 @@
+2012-03-05  Gavin Barraclough  <barraclough@apple.com>
+
+        putByIndex should throw in strict mode
+        https://bugs.webkit.org/show_bug.cgi?id=80335
+
+        Reviewed by Filip Pizlo.
+
+        Make the MethodTable PutByIndex trap take a boolean 'shouldThrow' parameter.
+
+        * Plugins/Hosted/NetscapePluginInstanceProxy.mm:
+        (WebKit::NetscapePluginInstanceProxy::setProperty):
+
 2012-03-05  Joseph Pecoraro  <pecoraro@apple.com>
 

trunk/Source/WebKit/mac/Plugins/Hosted/NetscapePluginInstanceProxy.mm

@@ -1086 +1086 @@
     
     JSValue value = demarshalValue(exec, valueData, valueLength);
-    object->methodTable()->putByIndex(object, exec, propertyName, value);
+    object->methodTable()->putByIndex(object, exec, propertyName, value, false);
     
     exec->clearException();

trunk/Source/WebKit2/ChangeLog

@@ +1 @@
+2012-03-05  Gavin Barraclough  <barraclough@apple.com>
+
+        putByIndex should throw in strict mode
+        https://bugs.webkit.org/show_bug.cgi?id=80335
+
+        Reviewed by Filip Pizlo.
+
+        Make the MethodTable PutByIndex trap take a boolean 'shouldThrow' parameter.
+
+        * WebProcess/Plugins/Netscape/NPJSObject.cpp:
+        (WebKit::NPJSObject::setProperty):
+
 2012-03-05  Joseph Pecoraro  <pecoraro@apple.com>
 

trunk/Source/WebKit2/WebProcess/Plugins/Netscape/NPJSObject.cpp

@@ -191 +191 @@
         m_jsObject->methodTable()->put(m_jsObject.get(), exec, identifierFromIdentifierRep(exec, identifierRep), jsValue, slot);
     } else
-        m_jsObject->methodTable()->putByIndex(m_jsObject.get(), exec, identifierRep->number(), jsValue);
+        m_jsObject->methodTable()->putByIndex(m_jsObject.get(), exec, identifierRep->number(), jsValue, false);
     exec->clearException();