Commit bc9e3d16 authored by barraclough@apple.com's avatar barraclough@apple.com

Object.defineProperty([], 'length', {}) should not make length read-only

https://bugs.webkit.org/show_bug.cgi?id=76097

Reviewed by Oliver Hunt.

Source/JavaScriptCore: 

* runtime/JSArray.cpp:
(JSC::JSArray::defineOwnProperty):
    - We should be checking writablePresent().

LayoutTests: 

* fast/js/array-defineOwnProperty-expected.txt:
* fast/js/script-tests/array-defineOwnProperty.js:
    - Added test.



git-svn-id: http://svn.webkit.org/repository/webkit/trunk@104777 268f45cc-cd09-0410-ab3c-d52691b4dbfc
parent f6091281
2012-01-11 Gavin Barraclough <barraclough@apple.com>
Object.defineProperty([], 'length', {}) should not make length read-only
https://bugs.webkit.org/show_bug.cgi?id=76097
Reviewed by Oliver Hunt.
* fast/js/array-defineOwnProperty-expected.txt:
* fast/js/script-tests/array-defineOwnProperty.js:
- Added test.
2012-01-11 Adam Barth <abarth@webkit.org>
iframe sandbox doesn't block autofocus (IETC automatic-feature-block-autofocus-form-control)
......@@ -7,6 +7,7 @@ PASS Object.defineProperty([], 'x', { get:function(){return true;} }).x is true
PASS Object.defineProperty([], 'length', { value: 1 }).length is 1
PASS var a = Object.defineProperty([], 'length', { writable: false }); a[1] = 1; a.length is 0
PASS var a = Object.defineProperty([], 'length', { writable: false }); a.length = 1; a.length is 0
PASS var a = Object.defineProperty([], 'length', {}); a.length = 1; a.length is 1
PASS Object.defineProperty([], 'length', { get:function(){return true;} }) threw exception TypeError: Attempting to change access mechanism for an unconfigurable property..
PASS Object.defineProperty([], 'length', { enumerable: true }) threw exception TypeError: Attempting to change enumerable attribute of unconfigurable property..
PASS Object.defineProperty([], 'length', { configurable: true }) threw exception TypeError: Attempting to change configurable attribute of unconfigurable property..
......
......@@ -7,6 +7,8 @@ shouldBeTrue("Object.defineProperty([], 'x', { get:function(){return true;} }).x
shouldBe("Object.defineProperty([], 'length', { value: 1 }).length", '1');
shouldBe("var a = Object.defineProperty([], 'length', { writable: false }); a[1] = 1; a.length", '0');
shouldBe("var a = Object.defineProperty([], 'length', { writable: false }); a.length = 1; a.length", '0');
// If writable is not specified, it should not change.
shouldBe("var a = Object.defineProperty([], 'length', {}); a.length = 1; a.length", '1');
// The length property can be replaced with an accessor, or made either enumerable or configurable.
shouldThrow("Object.defineProperty([], 'length', { get:function(){return true;} })");
......
2012-01-11 Gavin Barraclough <barraclough@apple.com>
Object.defineProperty([], 'length', {}) should not make length read-only
https://bugs.webkit.org/show_bug.cgi?id=76097
Reviewed by Oliver Hunt.
* runtime/JSArray.cpp:
(JSC::JSArray::defineOwnProperty):
- We should be checking writablePresent().
2012-01-11 Filip Pizlo <fpizlo@apple.com>
Code duplication for invoking the JIT and DFG should be reduced
......@@ -531,10 +531,10 @@ bool JSArray::defineOwnProperty(JSObject* object, ExecState* exec, const Identif
if (propertyName == exec->propertyNames().length) {
// All paths through length definition call the default [[DefineOwnProperty]], hence:
// from ES5.1 8.12.9 7.a.
if (descriptor.configurable())
if (descriptor.configurablePresent() && descriptor.configurable())
return reject(exec, throwException, "Attempting to change configurable attribute of unconfigurable property.");
// from ES5.1 8.12.9 7.b.
if (descriptor.enumerable())
if (descriptor.enumerablePresent() && descriptor.enumerable())
return reject(exec, throwException, "Attempting to change enumerable attribute of unconfigurable property.");
// a. If the [[Value]] field of Desc is absent, then
......@@ -542,11 +542,12 @@ bool JSArray::defineOwnProperty(JSObject* object, ExecState* exec, const Identif
if (descriptor.isAccessorDescriptor())
return reject(exec, throwException, "Attempting to change access mechanism for an unconfigurable property.");
// from ES5.1 8.12.9 10.a.
if (!array->isLengthWritable() && descriptor.writable())
if (!array->isLengthWritable() && descriptor.writablePresent() && descriptor.writable())
return reject(exec, throwException, "Attempting to change writable attribute of unconfigurable property.");
// This descriptor is either just making length read-only, or changing nothing!
if (!descriptor.value()) {
array->setLengthWritable(exec, descriptor.writable());
if (descriptor.writablePresent())
array->setLengthWritable(exec, descriptor.writable());
return true;
}
......@@ -561,7 +562,8 @@ bool JSArray::defineOwnProperty(JSObject* object, ExecState* exec, const Identif
// Based on SameValue check in 8.12.9, this is always okay.
if (newLen == array->length()) {
array->setLengthWritable(exec, descriptor.writable());
if (descriptor.writablePresent())
array->setLengthWritable(exec, descriptor.writable());
return true;
}
......@@ -588,13 +590,17 @@ bool JSArray::defineOwnProperty(JSObject* object, ExecState* exec, const Identif
// 2. If newWritable is false, set newLenDesc.[[Writable] to false.
// 3. Call the default [[DefineOwnProperty]] internal method (8.12.9) on A passing "length", newLenDesc, and false as arguments.
// 4. Reject.
array->setLengthWritable(exec, descriptor.writable());
if (descriptor.writablePresent())
array->setLengthWritable(exec, descriptor.writable());
return false;
}
// m. If newWritable is false, then
// i. Call the default [[DefineOwnProperty]] internal method (8.12.9) on A passing "length", Property Descriptor{[[Writable]]: false}, and false as arguments. This call will always return true.
array->setLengthWritable(exec, descriptor.writable());
// i. Call the default [[DefineOwnProperty]] internal method (8.12.9) on A passing "length",
// Property Descriptor{[[Writable]]: false}, and false as arguments. This call will always
// return true.
if (descriptor.writablePresent())
array->setLengthWritable(exec, descriptor.writable());
// n. Return true.
return true;
}
......
Markdown is supported
0%
or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment