Commit 44e841ff authored by fpizlo@apple.com's avatar fpizlo@apple.com

JSArray::putByIndex asserts with readonly property on prototype

https://bugs.webkit.org/show_bug.cgi?id=97435
<rdar://problem/12357084>

Reviewed by Geoffrey Garen.

Source/JavaScriptCore: 

Boy, there were some problems:
        
- putDirectIndex() should know that it can set the index quickly even if it's a hole and we're
  in SlowPut mode, since that's the whole point of PutDirect.
        
- We should have a fast path for putByIndex().
        
- The LiteralParser should not use push(), since that may throw if we're having a bad time.

* interpreter/Interpreter.cpp:
(JSC::eval):
* runtime/JSObject.h:
(JSC::JSObject::putByIndexInline):
(JSObject):
(JSC::JSObject::putDirectIndex):
* runtime/LiteralParser.cpp:
(JSC::::parse):

LayoutTests: 

* fast/js/concat-while-having-a-bad-time.html: Added.
* fast/js/concat-while-having-a-bad-time-expected.txt: Added.
* fast/js/jsc-test-list:
* fast/js/script-tests/concat-while-having-a-bad-time.js: Added.



git-svn-id: http://svn.webkit.org/repository/webkit/trunk@129432 268f45cc-cd09-0410-ab3c-d52691b4dbfc
parent fdc2e809
2012-09-24 Filip Pizlo <fpizlo@apple.com>
JSArray::putByIndex asserts with readonly property on prototype
https://bugs.webkit.org/show_bug.cgi?id=97435
<rdar://problem/12357084>
Reviewed by Geoffrey Garen.
* fast/js/concat-while-having-a-bad-time.html: Added.
* fast/js/concat-while-having-a-bad-time-expected.txt: Added.
* fast/js/jsc-test-list:
* fast/js/script-tests/concat-while-having-a-bad-time.js: Added.
2012-09-24 Roger Fong <roger_fong@apple.com>
 
Unreviewed. Skip flaky http/tests/security/cookies/xmlhttprequest.html test on Windows.
Tests the behavior of Array.prototype.concat while the array is having a bad time due to one of the elements we are concatenating.
On success, you will see a series of "PASS" messages, followed by "TEST COMPLETE".
PASS [42].concat() is [42]
PASS successfullyParsed is true
TEST COMPLETE
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML//EN">
<html>
<head>
<script src="resources/js-test-pre.js"></script>
</head>
<body>
<script src="script-tests/concat-while-having-a-bad-time.js"></script>
<script src="resources/js-test-post.js"></script>
</body>
</html>
......@@ -46,6 +46,7 @@ fast/js/comparefn-sort-stability
fast/js/comparison-operators-greater
fast/js/comparison-operators-less
fast/js/comparison-operators
fast/js/concat-while-having-a-bad-time
fast/js/const-without-initializer
fast/js/constant-count
fast/js/constant-encoding
......
description(
"Tests the behavior of Array.prototype.concat while the array is having a bad time due to one of the elements we are concatenating."
);
Object.defineProperty(Array.prototype, 0, { writable: false });
shouldBe("[42].concat()", "[42]");
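Review bot: `Object.defineProperty(Array.prototype, 0, { writable: false })` creates index 0 on Array.prototype as non-writable and, because the other attributes default to false, non-configurable as well, so it cannot be deleted afterwards and the page stays in the "bad time" state for everything that runs after this line; that is fine for a single-case file but deserves a comment so nobody appends further assertions expecting a clean prototype. It would also help if the description named which code paths `[42].concat()` is meant to reach (the commit touches putByIndex, putDirectIndex and the LiteralParser), so a future regression can be attributed to the right fix.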
2012-09-24 Filip Pizlo <fpizlo@apple.com>
JSArray::putByIndex asserts with readonly property on prototype
https://bugs.webkit.org/show_bug.cgi?id=97435
<rdar://problem/12357084>
Reviewed by Geoffrey Garen.
Boy, there were some problems:
- putDirectIndex() should know that it can set the index quickly even if it's a hole and we're
in SlowPut mode, since that's the whole point of PutDirect.
- We should have a fast path for putByIndex().
- The LiteralParser should not use push(), since that may throw if we're having a bad time.
* interpreter/Interpreter.cpp:
(JSC::eval):
* runtime/JSObject.h:
(JSC::JSObject::putByIndexInline):
(JSObject):
(JSC::JSObject::putDirectIndex):
* runtime/LiteralParser.cpp:
(JSC::::parse):
2012-09-24 Mark Lam <mark.lam@apple.com>
 
Added a missing "if VALUE_PROFILER" around an access to ArrayProfile record.
......
......@@ -166,6 +166,9 @@ JSValue eval(CallFrame* callFrame)
return parsedObject;
}
}
// If the literal parser bailed, it should not have thrown exceptions.
ASSERT(!callFrame->globalData().exception);
JSValue exceptionValue;
eval = callerCodeBlock->evalCodeCache().getSlow(callFrame, callerCodeBlock->ownerExecutable(), callerCodeBlock->isStrictMode(), programSource, callerScopeChain, exceptionValue);
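Review bot: the new `ASSERT(!callFrame->globalData().exception)` only documents the invariant in debug builds; in release builds a pending exception left behind by the literal parser would fall straight through into `getSlow` unnoticed. That is acceptable because the LiteralParser change in this same commit removes the throwing call, but the comment should say where the invariant comes from (the parser now stores array elements with putDirectIndex, which neither consults the prototype chain nor throws), otherwise the assertion reads as an arbitrary check.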
......
......@@ -172,6 +172,15 @@ namespace JSC {
JS_EXPORT_PRIVATE static void put(JSCell*, ExecState*, PropertyName, JSValue, PutPropertySlot&);
JS_EXPORT_PRIVATE static void putByIndex(JSCell*, ExecState*, unsigned propertyName, JSValue, bool shouldThrow);
void putByIndexInline(ExecState* exec, unsigned propertyName, JSValue value, bool shouldThrow)
{
if (canSetIndexQuickly(propertyName)) {
setIndexQuickly(exec->globalData(), propertyName, value);
return;
}
methodTable()->putByIndex(this, exec, propertyName, value, shouldThrow);
}
// This is similar to the putDirect* methods:
// - the prototype chain is not consulted
// - accessors are not called.
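Review bot: `putByIndexInline` short-circuits `methodTable()->putByIndex` whenever `canSetIndexQuickly(propertyName)` holds, so its correctness depends on `canSetIndexQuickly` returning false in SlowPut mode (the case where a prototype carries a read-only indexed property that the virtual putByIndex must honour); that body is not in this diff, so please confirm it. The comment on the new method should also state that subclasses overriding putByIndex through the method table are bypassed by this inline path whenever the quick-set precondition holds.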
......@@ -179,7 +188,7 @@ namespace JSC {
// This method creates a property with attributes writable, enumerable and configurable all set to true.
bool putDirectIndex(ExecState* exec, unsigned propertyName, JSValue value, unsigned attributes, PutDirectIndexMode mode)
{
if (!attributes && canSetIndexQuickly(propertyName)) {
if (!attributes && canSetIndexQuicklyForPutDirect(propertyName)) {
setIndexQuickly(exec->globalData(), propertyName, value);
return true;
}
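Review bot: the fast path still requires `!attributes`, which matches the comment above it (the quick store cannot record attributes, so only the default writable/enumerable/configurable case may take it); it also ignores `mode`, which is fine only because the quick store cannot fail, and a one-line comment saying so would spare the next reader the check. The rename on this line is the entire fix for the first bullet of the commit message, so its rationale (PutDirect does not consult the prototype chain, hence SlowPut mode is irrelevant here) belongs in a comment beside it rather than only in the ChangeLog.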
......@@ -235,6 +244,19 @@ namespace JSC {
}
}
bool canSetIndexQuicklyForPutDirect(unsigned i)
{
switch (structure()->indexingType()) {
case ALL_BLANK_INDEXING_TYPES:
return false;
case ALL_ARRAY_STORAGE_INDEXING_TYPES:
return i < m_butterfly->arrayStorage()->vectorLength();
default:
ASSERT_NOT_REACHED();
return false;
}
}
void setIndexQuickly(JSGlobalData& globalData, unsigned i, JSValue v)
{
switch (structure()->indexingType()) {
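Review bot: `canSetIndexQuicklyForPutDirect` answers true for any `i < vectorLength()` on array-storage objects, including holes and indices at or beyond the current length, so it relies on `setIndexQuickly` to extend `length` and maintain the stored-value count for array storage; that dependency should be stated in a comment, since the non-PutDirect `canSetIndexQuickly` presumably has stricter conditions and the two are easy to confuse. The `default: ASSERT_NOT_REACHED()` arm also means any indexing type added later must be covered here as well as in the sibling switches, which is intended but worth the same note wherever those carry it.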
......
......@@ -570,7 +570,8 @@ JSValue LiteralParser<CharType>::parse(ParserState initialState)
goto startParseExpression;
}
case DoParseArrayEndExpression: {
asArray(objectStack.last())->push(m_exec, lastValue);
JSArray* array = asArray(objectStack.last());
array->putDirectIndex(m_exec, array->length(), lastValue);
if (m_lexer.currentToken().type == TokComma)
goto doParseArrayStartExpression;
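Review bot: the return value of `putDirectIndex` is discarded here, whereas `push` reported failure by throwing; the five-argument form shown earlier in the JSObject.h diff returns bool, so if the three-argument overload used here can return false, a failed store would leave a hole in the array and parsing would continue silently. Either assert on the result or document that this overload cannot fail for a freshly created literal array. That three-argument overload is not in this diff, so please also confirm it passes `attributes == 0`, since only that value takes the new `canSetIndexQuicklyForPutDirect` fast path in putDirectIndex.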
......