On 2013/02/25 14:43:40, rossberg wrote:
On 2013/02/25 14:29:08, Michael Starzinger wrote:
> The removal of the HandleScope itself looks good.
>
> https://codereview.chromium.org/12328064/diff/1/src/objects.cc
> File src/objects.cc (left):
>
> https://codereview.chromium.org/12328064/diff/1/src/objects.cc#oldcode3373
> src/objects.cc:3373: // Handle [] on String objects.
> On 2013/02/25 10:46:25, rossberg wrote:
> > I'm not sure removing this is correct. This function is also called by
> > GetPropertyAttributeWithReceiver, and on that path, I don't think strings would
> > be handled otherwise.
>
> I agree with this comment. I think this can be triggered by checking "'0' in o"
> where o has an interceptor and its prototype is a string. But that is just
> speculation.

You cannot actually have a string as a prototype. I think the example in
question would be:
"0" in ""

It is true that a string primitive cannot be used as a prototype, but a string
value wrapper can be. And there is a call-path that leads to this site through
the post-interceptor lookup on the prototype chain. So the following should
reproduce the issue ...

var s = new String('foobar');
var o = { __proto__:s };
print('0' in o);

... if "o" also has an interceptor. But then again, I am still speculating here,
and I am too lazy to write a cctest to prove my point. :)
https://codereview.chromium.org/12328064/