Revision: 3900
Author: [email protected]
Date: Thu Feb 18 05:13:21 2010
Log: Added access check to SetNormalizedProperty which is used from runtime DefineOrRedefineDataProperty.

Review URL: http://codereview.chromium.org/647010
http://code.google.com/p/v8/source/detail?r=3900

Modified:
 /branches/bleeding_edge/src/objects.cc
 /branches/bleeding_edge/src/runtime.cc

=======================================
--- /branches/bleeding_edge/src/objects.cc      Thu Feb 18 05:01:58 2010
+++ /branches/bleeding_edge/src/objects.cc      Thu Feb 18 05:13:21 2010
@@ -2000,10 +2000,12 @@
   if (!result->IsLoaded()) {
     return SetLazyProperty(result, name, value, attributes);
   }
+  PropertyDetails details = PropertyDetails(attributes, NORMAL);
+
   // Check of IsReadOnly removed from here in clone.
   switch (result->type()) {
     case NORMAL:
-      return SetNormalizedProperty(result, value);
+      return SetNormalizedProperty(name, value, details);
     case FIELD:
       return FastPropertyAtPut(result->GetFieldIndex(), value);
     case MAP_TRANSITION:
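Review bot: In the `case NORMAL:` branch the property is now rewritten with `details` built from the caller's `attributes`, so this path can change an existing property's attributes, while the `FIELD` branch just below still drops `attributes` and only stores the value. That asymmetry deserves a comment above the `PropertyDetails details` line, for example `// Only the NORMAL case applies |attributes|; callers that need new attributes must normalize the object first.` The access check named in the log is not visible in this hunk, and the enclosing function starts and ends outside it, so the check presumably sits earlier in the function. Since the read-only check is noted as removed here, that access check is the only gate on this path; a regression test that redefines a property on an access-checked object from a context without access would pin it.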
=======================================
--- /branches/bleeding_edge/src/runtime.cc      Thu Feb 18 01:07:03 2010
+++ /branches/bleeding_edge/src/runtime.cc      Thu Feb 18 05:13:21 2010
@@ -2926,12 +2926,14 @@
   // correctly in the case where a property is a field and is reset with
   // new attributes.
   if (result.IsProperty() && attr != result.GetAttributes()) {
-    PropertyDetails details = PropertyDetails(attr, NORMAL);
     // New attributes - normalize to avoid writing to instance descriptor
-    js_object->NormalizeProperties(KEEP_INOBJECT_PROPERTIES, 0);
-    return js_object->SetNormalizedProperty(*name, *obj_value, details);
-  }
-
+    js_object->NormalizeProperties(CLEAR_INOBJECT_PROPERTIES, 0);
+    // Use IgnoreAttributes version since a readonly property may be
+    // overridden and SetProperty does not allow this.
+    return js_object->IgnoreAttributesAndSetLocalProperty(*name,
+                                                          *obj_value,
+                                                          attr);
+  }
   return Runtime::SetObjectProperty(js_object, name, obj_value, attr);
 }
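Review bot: The new `js_object->NormalizeProperties(CLEAR_INOBJECT_PROPERTIES, 0);` line still discards the call's result, so if normalization can fail (for example on allocation failure) execution continues into `IgnoreAttributesAndSetLocalProperty` on an object that was never normalized, where a field-backed property would get the new value but not the new attributes. If the call returns a failure object, as allocation paths in this codebase appear to, propagate it with `Object* ok = js_object->NormalizeProperties(CLEAR_INOBJECT_PROPERTIES, 0);` followed by `if (ok->IsFailure()) return ok;`. The switch from `KEEP_INOBJECT_PROPERTIES` to `CLEAR_INOBJECT_PROPERTIES` is not explained by the log or by the comment above it, so a one-line comment giving the reason is worth adding. The function begins outside the hunk.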
