Commit 544a81b8 authored by barraclough@apple.com's avatar barraclough@apple.com
Browse files

Regression: put beyond vector length prefers prototype setters to sparse properties

https://bugs.webkit.org/show_bug.cgi?id=97593

Reviewed by Geoff Garen & Filip Pizlo.

Source/JavaScriptCore: 

* runtime/JSObject.cpp:
(JSC::JSObject::putByIndexBeyondVectorLength):
    - Check for self properties in the sparse map - if present, don't examine the protochain.

LayoutTests: 

* fast/js/script-tests/array-defineOwnProperty.js:
(Object.defineProperty):
(set Object.defineProperty):
    - Added test case.



git-svn-id: http://svn.webkit.org/repository/webkit/trunk@129548 268f45cc-cd09-0410-ab3c-d52691b4dbfc
parent bdb7347c
2012-09-25 Gavin Barraclough <barraclough@apple.com>
Regression: put beyond vector length prefers prototype setters to sparse properties
https://bugs.webkit.org/show_bug.cgi?id=97593
Reviewed by Geoff Garen & Filip Pizlo.
* fast/js/script-tests/array-defineOwnProperty.js:
(Object.defineProperty):
(set Object.defineProperty):
- Added test case.
2012-09-25 David Grogan <dgrogan@chromium.org> 2012-09-25 David Grogan <dgrogan@chromium.org>
   
Unreviewed. Change some more svn:eol-style properties from native to LF. Unreviewed. Change some more svn:eol-style properties from native to LF.
...@@ -36,6 +36,8 @@ PASS Object.defineProperty(Object.defineProperty([], '0', { value: false }), '0' ...@@ -36,6 +36,8 @@ PASS Object.defineProperty(Object.defineProperty([], '0', { value: false }), '0'
PASS Object.defineProperty(Object.defineProperty([], '0', { value: Math }), '0', { value: Object })[0] threw exception TypeError: Attempting to change value of a readonly property.. PASS Object.defineProperty(Object.defineProperty([], '0', { value: Math }), '0', { value: Object })[0] threw exception TypeError: Attempting to change value of a readonly property..
PASS Object.defineProperty(Object.defineProperty([], '0', { value: null }), '0', { value: undefined })[0] threw exception TypeError: Attempting to change value of a readonly property.. PASS Object.defineProperty(Object.defineProperty([], '0', { value: null }), '0', { value: undefined })[0] threw exception TypeError: Attempting to change value of a readonly property..
PASS Object.defineProperty(Object.defineProperty([], '0', { value: undefined }), '0', { value: null })[0] threw exception TypeError: Attempting to change value of a readonly property.. PASS Object.defineProperty(Object.defineProperty([], '0', { value: undefined }), '0', { value: null })[0] threw exception TypeError: Attempting to change value of a readonly property..
PASS arrObj[0] = 42; arrObj.set; is true
PASS arrObj[1] = true; arrObj[1]; is true
PASS successfullyParsed is true PASS successfullyParsed is true
TEST COMPLETE TEST COMPLETE
......
...@@ -50,4 +50,11 @@ shouldThrow("Object.defineProperty(Object.defineProperty([], '0', { value: Math ...@@ -50,4 +50,11 @@ shouldThrow("Object.defineProperty(Object.defineProperty([], '0', { value: Math
shouldThrow("Object.defineProperty(Object.defineProperty([], '0', { value: null }), '0', { value: undefined })[0]"); shouldThrow("Object.defineProperty(Object.defineProperty([], '0', { value: null }), '0', { value: undefined })[0]");
shouldThrow("Object.defineProperty(Object.defineProperty([], '0', { value: undefined }), '0', { value: null })[0]"); shouldThrow("Object.defineProperty(Object.defineProperty([], '0', { value: undefined }), '0', { value: null })[0]");
Object.defineProperty(Array.prototype, "0", { set: function () { throw false; } });
Object.defineProperty(Array.prototype, "1", { set: function () { throw false; } });
var arrObj = [ , false ];
Object.defineProperty(arrObj, "0", { set: function (x) { this.set = x === 42; } });
shouldBeTrue("arrObj[0] = 42; arrObj.set;");
shouldBeTrue("arrObj[1] = true; arrObj[1];");
successfullyParsed = true; successfullyParsed = true;
2012-09-25 Gavin Barraclough <barraclough@apple.com>
Regression: put beyond vector length prefers prototype setters to sparse properties
https://bugs.webkit.org/show_bug.cgi?id=97593
Reviewed by Geoff Garen & Filip Pizlo.
* runtime/JSObject.cpp:
(JSC::JSObject::putByIndexBeyondVectorLength):
- Check for self properties in the sparse map - if present, don't examine the protochain.
2012-09-24 Gavin Barraclough <barraclough@apple.com> 2012-09-24 Gavin Barraclough <barraclough@apple.com>
   
https://bugs.webkit.org/show_bug.cgi?id=97530 https://bugs.webkit.org/show_bug.cgi?id=97530
......
...@@ -1350,10 +1350,13 @@ void JSObject::putByIndexBeyondVectorLength(ExecState* exec, unsigned i, JSValue ...@@ -1350,10 +1350,13 @@ void JSObject::putByIndexBeyondVectorLength(ExecState* exec, unsigned i, JSValue
} }
case NonArrayWithSlowPutArrayStorage: case NonArrayWithSlowPutArrayStorage:
case ArrayWithSlowPutArrayStorage: case ArrayWithSlowPutArrayStorage: {
if (attemptToInterceptPutByIndexOnHole(exec, i, value, shouldThrow)) // No own property present in the vector, but there might be in the sparse map!
SparseArrayValueMap* map = arrayStorage()->m_sparseMap.get();
if (!(map && map->contains(i)) && attemptToInterceptPutByIndexOnHole(exec, i, value, shouldThrow))
return; return;
// Otherwise, fall though. // Otherwise, fall though.
}
case NonArrayWithArrayStorage: case NonArrayWithArrayStorage:
case ArrayWithArrayStorage: case ArrayWithArrayStorage:
......
Markdown is supported
0% or .
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment