[v8-dev] Fix ArrayLengthSetter to not throw on non-extensible receivers. (issue 411983003 by verwaest@chromium.org)

Wed, 23 Jul 2014 13:23:40 -0700 

Reviewers: Igor Sheludko,

Message:
PTAL

Description:
Fix ArrayLengthSetter to not throw on non-extensible receivers.

BUG=v8:3460

Please review this at https://codereview.chromium.org/411983003/

SVN Base: https://v8.googlecode.com/svn/branches/bleeding_edge

Affected files (+11, -5 lines):
  M src/accessors.cc
  A + test/mjsunit/regress/regress-mask-array-length.js


Index: src/accessors.cc
diff --git a/src/accessors.cc b/src/accessors.cc
index cc7c22e223b52bce6a06c7dfc4a6c8001c5a7e63..702343778ae756a2a92f5ce19363f9d13581f242 100644 
--- a/src/accessors.cc
+++ b/src/accessors.cc
@@ -174,13 +174,16 @@ void Accessors::ArrayLengthSetter(
     const v8::PropertyCallbackInfo<void>& info) {
   i::Isolate* isolate = reinterpret_cast<i::Isolate*>(info.GetIsolate());
   HandleScope scope(isolate);
-  Handle<JSObject> object = Handle<JSObject>::cast(
-      Utils::OpenHandle(*info.This()));
+  Handle<JSObject> object = Utils::OpenHandle(*info.This());
   Handle<Object> value = Utils::OpenHandle(*val);
   // This means one of the object's prototypes is a JSArray and the
   // object does not have a 'length' property.  Calling SetProperty
   // causes an infinite loop.
   if (!object->IsJSArray()) {
+    // This behaves sloppy since we lost the actual strict-mode.
+ // TODO(verwaest): Fix by making ExecutableAccessorInfo behave like data 
+    // properties.
+    if (!object->map()->is_extensible()) return;
MaybeHandle<Object> maybe_result = JSObject::SetOwnPropertyIgnoreAttributes( 
         object, isolate->factory()->length_string(), value, NONE);
     maybe_result.Check();
Index: test/mjsunit/regress/regress-mask-array-length.js
diff --git a/test/mjsunit/regress/regress-349870.js b/test/mjsunit/regress/regress-mask-array-length.js 
similarity index 65%
copy from test/mjsunit/regress/regress-349870.js
copy to test/mjsunit/regress/regress-mask-array-length.js
index 72df05524bf1ccbcc8e4201512238e6f99e3fdea..bd87e7c5db10d92da62d131ed8b8d50e2f8e5a78 100644 
--- a/test/mjsunit/regress/regress-349870.js
+++ b/test/mjsunit/regress/regress-mask-array-length.js
@@ -2,6 +2,9 @@
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.

-var r = /x/;
-Object.freeze(r);
-r.compile("x");
+var a = [];
+var o = {
+  __proto__: a
+};
+Object.preventExtensions(o);
+o.length = 'abc';


--
--
v8-dev mailing list
v8-dev@googlegroups.com
http://groups.google.com/group/v8-dev
--- You received this message because you are subscribed to the Google Groups "v8-dev" group. 
To unsubscribe from this group and stop receiving emails from it, send an email 
to v8-dev+unsubscr...@googlegroups.com.
For more options, visit https://groups.google.com/d/optout.

Reply via email to