    Proxies should set InterceptsGetOwnPropertySlotByIndexEvenWhenLengthIsNotZero · d5e0b705
    fpizlo@apple.com authored
    https://bugs.webkit.org/show_bug.cgi?id=105379
    
    Reviewed by Gavin Barraclough.
    
    Source/JavaScriptCore: 
    
    Forgetting to set this flag led to the DFG trying to ensure array storage on a proxy. I've
    now hardened the code with a release assertion as well as fixing the bug. A release assertion
    is appropriate here since this is slow-path code.
    
    * runtime/JSObject.cpp:
    (JSC::JSObject::enterDictionaryIndexingMode):
    (JSC::JSObject::ensureInt32Slow):
    (JSC::JSObject::ensureDoubleSlow):
    (JSC::JSObject::ensureContiguousSlow):
    (JSC::JSObject::ensureArrayStorageSlowNoCheck):
    (JSC::JSObject::ensureArrayStorageSlow):
    (JSC):
    (JSC::JSObject::putByIndexBeyondVectorLengthWithoutAttributes):
    * runtime/JSObject.h:
    (JSObject):
    * runtime/JSProxy.h:
    (JSProxy):
    
    LayoutTests: 
    
    * fast/js/dfg-ensure-non-array-array-storage-on-window-expected.txt: Added.
    * fast/js/dfg-ensure-non-array-array-storage-on-window.html: Added.
    * fast/js/script-tests/dfg-ensure-non-array-array-storage-on-window.js: Added.
    (foo):
    (bar):
    (.shouldBe):
    
    
    
    git-svn-id: http://svn.webkit.org/repository/webkit/trunk@138107 268f45cc-cd09-0410-ab3c-d52691b4dbfc