Reviewers: Yang,

Description:
Fix Array.prototype.join evaluation order.

[email protected]
BUG=v8:2263
TEST=mjsunit/regress/regress-2263


Please review this at https://codereview.chromium.org/11280025/

SVN Base: https://v8.googlecode.com/svn/branches/bleeding_edge

Affected files:
  M src/array.js
  A + test/mjsunit/regress/regress-2263.js


Index: src/array.js
diff --git a/src/array.js b/src/array.js
index 37053ce67e5fe8762d580f303c880acd3db513b0..47f796d2b11e3a768b123fb369500cbd946937b8 100644
--- a/src/array.js
+++ b/src/array.js
@@ -413,6 +413,7 @@ function ArrayJoin(separator) {
                         ["Array.prototype.join"]);
   }

+  var length = TO_UINT32(this.length);
   if (IS_UNDEFINED(separator)) {
     separator = ',';
   } else if (!IS_STRING(separator)) {
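Review bot: The added `var length = TO_UINT32(this.length);` has no comment saying why it must sit above the separator handling, so a later cleanup could move it back next to the `Join` call and reintroduce the ordering bug. I would put `// Read length before converting separator: both may call user code and the order is observable (ES5 15.4.4.5).` directly above it. ArrayJoin's body starts before this hunk and continues past it.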
@@ -422,7 +423,7 @@ function ArrayJoin(separator) {
   var result = %_FastAsciiArrayJoin(this, separator);
   if (!IS_UNDEFINED(result)) return result;

-  return Join(this, TO_UINT32(this.length), separator, ConvertToString);
+  return Join(this, length, separator, ConvertToString);
 }
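Review bot: `length` is now captured before the separator is converted, and that conversion (not visible between the two hunks, presumably a ToString on a non-string separator) can run a user-supplied `toString` that shrinks or otherwise modifies `this`, so `Join(this, length, ...)` may receive a length larger than the receiver's current one. Join's body is not shown here; it is worth confirming that it reads elements through ordinary checked property loads and never assumes `length` still matches the backing store, because a stale length combined with unchecked element access is a common cause of out-of-bounds reads in builtins. A regression case in which `sep.toString` truncates the array and the result is still a well-formed string would pin this down. ArrayJoin begins outside the hunk.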


Index: test/mjsunit/regress/regress-2263.js
diff --git a/test/mjsunit/regress/regress-110509.js b/test/mjsunit/regress/regress-2263.js
similarity index 88%
copy from test/mjsunit/regress/regress-110509.js
copy to test/mjsunit/regress/regress-2263.js
index 132bd233bee32f6c84061049224ea43901dae06a..9a9db58773b18af75e686f8d11b607de867fde53 100644
--- a/test/mjsunit/regress/regress-110509.js
+++ b/test/mjsunit/regress/regress-2263.js
@@ -25,17 +25,6 @@
 // (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
 // OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.

-// Flags: --allow-natives-syntax
-
-// Verify that LRandom preserves rsi correctly.
-
-function foo() {
-  Math.random();
-  new Function("");
-}
-
-foo();
-foo();
-foo();
-%OptimizeFunctionOnNextCall(foo);
-foo();
+var obj = { length: { valueOf: function(){ throw { type: "length" }}}};
+var sep = { toString: function(){ throw { type: "toString" }}};
+assertThrows("Array.prototype.join.call(obj, sep)", undefined, "length");
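Review bot: The new test has no comment explaining what it guards (the old "Verify that LRandom preserves rsi" line was dropped and nothing replaced it), and it only covers the path where the length conversion throws. I would add a leading line such as `// Array.prototype.join must convert length before the separator.` above `var obj`. A second case in which both `valueOf` and `toString` succeed and append to a shared log, with the order asserted, would also catch a regression that involves no exception; a third where `sep.toString` mutates the receiver would cover the length that is now cached across that call.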

