• fpizlo@apple.com's avatar
    JSArray::putByIndex asserts with readonly property on prototype · 44e841ff
    fpizlo@apple.com authored
    https://bugs.webkit.org/show_bug.cgi?id=97435
    <rdar://problem/12357084>
    
    Reviewed by Geoffrey Garen.
    
    Source/JavaScriptCore: 
    
    Boy, there were some problems:
            
    - putDirectIndex() should know that it can set the index quickly even if it's a hole and we're
      in SlowPut mode, since that's the whole point of PutDirect.
            
    - We should have a fast path for putByIndex().
            
    - The LiteralParser should not use push(), since that may throw if we're having a bad time.
    
    * interpreter/Interpreter.cpp:
    (JSC::eval):
    * runtime/JSObject.h:
    (JSC::JSObject::putByIndexInline):
    (JSObject):
    (JSC::JSObject::putDirectIndex):
    * runtime/LiteralParser.cpp:
    (JSC::::parse):
    
    LayoutTests: 
    
    * fast/js/concat-while-having-a-bad-time.html: Added.
    * fast/js/concat-while-having-a-bad-time-expected.txt: Added.
    * fast/js/jsc-test-list:
    * fast/js/script-tests/concat-while-having-a-bad-time.js: Added.
    
    
    
    git-svn-id: http://svn.webkit.org/repository/webkit/trunk@129432 268f45cc-cd09-0410-ab3c-d52691b4dbfc
    44e841ff
ChangeLog 4.19 MB