Diff
Modified: trunk/LayoutTests/ChangeLog (129431 => 129432)
--- trunk/LayoutTests/ChangeLog 2012-09-25 00:12:22 UTC (rev 129431)
+++ trunk/LayoutTests/ChangeLog 2012-09-25 00:20:13 UTC (rev 129432)
@@ -1,3 +1,16 @@
+2012-09-24 Filip Pizlo <[email protected]>
+
+ JSArray::putByIndex asserts with readonly property on prototype
+ https://bugs.webkit.org/show_bug.cgi?id=97435
+ <rdar://problem/12357084>
+
+ Reviewed by Geoffrey Garen.
+
+ * fast/js/concat-while-having-a-bad-time.html: Added.
+ * fast/js/concat-while-having-a-bad-time-expected.txt: Added.
+ * fast/js/jsc-test-list:
+ * fast/js/script-tests/concat-while-having-a-bad-time.js: Added.
+
2012-09-24 Roger Fong <[email protected]>
Unreviewed. Skip flaky http/tests/security/cookies/xmlhttprequest.html test on Windows.
Added: trunk/LayoutTests/fast/js/concat-while-having-a-bad-time-expected.txt (0 => 129432)
--- trunk/LayoutTests/fast/js/concat-while-having-a-bad-time-expected.txt (rev 0)
+++ trunk/LayoutTests/fast/js/concat-while-having-a-bad-time-expected.txt 2012-09-25 00:20:13 UTC (rev 129432)
@@ -0,0 +1,10 @@
+Tests the behavior of Array.prototype.concat while the array is having a bad time due to one of the elements we are concatenating.
+
+On success, you will see a series of "PASS" messages, followed by "TEST COMPLETE".
+
+
+PASS [42].concat() is [42]
+PASS successfullyParsed is true
+
+TEST COMPLETE
+
Added: trunk/LayoutTests/fast/js/concat-while-having-a-bad-time.html (0 => 129432)
--- trunk/LayoutTests/fast/js/concat-while-having-a-bad-time.html (rev 0)
+++ trunk/LayoutTests/fast/js/concat-while-having-a-bad-time.html 2012-09-25 00:20:13 UTC (rev 129432)
@@ -0,0 +1,10 @@
+<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML//EN">
+<html>
+<head>
+<script src=""
+</head>
+<body>
+<script src=""
+<script src=""
+</body>
+</html>
Modified: trunk/LayoutTests/fast/js/jsc-test-list (129431 => 129432)
--- trunk/LayoutTests/fast/js/jsc-test-list 2012-09-25 00:12:22 UTC (rev 129431)
+++ trunk/LayoutTests/fast/js/jsc-test-list 2012-09-25 00:20:13 UTC (rev 129432)
@@ -46,6 +46,7 @@
fast/js/comparison-operators-greater
fast/js/comparison-operators-less
fast/js/comparison-operators
+fast/js/concat-while-having-a-bad-time
fast/js/const-without-initializer
fast/js/constant-count
fast/js/constant-encoding
Added: trunk/LayoutTests/fast/js/script-tests/concat-while-having-a-bad-time.js (0 => 129432)
--- trunk/LayoutTests/fast/js/script-tests/concat-while-having-a-bad-time.js (rev 0)
+++ trunk/LayoutTests/fast/js/script-tests/concat-while-having-a-bad-time.js 2012-09-25 00:20:13 UTC (rev 129432)
@@ -0,0 +1,8 @@
+description(
+"Tests the behavior of Array.prototype.concat while the array is having a bad time due to one of the elements we are concatenating."
+);
+
+Object.defineProperty(Array.prototype, 0, { writable: false });
+shouldBe("[42].concat()", "[42]");
+
+
Modified: trunk/Source/_javascript_Core/ChangeLog (129431 => 129432)
--- trunk/Source/_javascript_Core/ChangeLog 2012-09-25 00:12:22 UTC (rev 129431)
+++ trunk/Source/_javascript_Core/ChangeLog 2012-09-25 00:20:13 UTC (rev 129432)
@@ -1,3 +1,29 @@
+2012-09-24 Filip Pizlo <[email protected]>
+
+ JSArray::putByIndex asserts with readonly property on prototype
+ https://bugs.webkit.org/show_bug.cgi?id=97435
+ <rdar://problem/12357084>
+
+ Reviewed by Geoffrey Garen.
+
+ Boy, there were some problems:
+
+ - putDirectIndex() should know that it can set the index quickly even if it's a hole and we're
+ in SlowPut mode, since that's the whole point of PutDirect.
+
+ - We should have a fast path for putByIndex().
+
+ - The LiteralParser should not use push(), since that may throw if we're having a bad time.
+
+ * interpreter/Interpreter.cpp:
+ (JSC::eval):
+ * runtime/JSObject.h:
+ (JSC::JSObject::putByIndexInline):
+ (JSObject):
+ (JSC::JSObject::putDirectIndex):
+ * runtime/LiteralParser.cpp:
+ (JSC::::parse):
+
2012-09-24 Mark Lam <[email protected]>
Added a missing "if VALUE_PROFILER" around an access to ArrayProfile record.
Modified: trunk/Source/_javascript_Core/interpreter/Interpreter.cpp (129431 => 129432)
--- trunk/Source/_javascript_Core/interpreter/Interpreter.cpp 2012-09-25 00:12:22 UTC (rev 129431)
+++ trunk/Source/_javascript_Core/interpreter/Interpreter.cpp 2012-09-25 00:20:13 UTC (rev 129432)
@@ -166,6 +166,9 @@
return parsedObject;
}
}
+
+ // If the literal parser bailed, it should not have thrown exceptions.
+ ASSERT(!callFrame->globalData().exception);
JSValue exceptionValue;
eval = callerCodeBlock->evalCodeCache().getSlow(callFrame, callerCodeBlock->ownerExecutable(), callerCodeBlock->isStrictMode(), programSource, callerScopeChain, exceptionValue);
Modified: trunk/Source/_javascript_Core/runtime/JSObject.h (129431 => 129432)
--- trunk/Source/_javascript_Core/runtime/JSObject.h 2012-09-25 00:12:22 UTC (rev 129431)
+++ trunk/Source/_javascript_Core/runtime/JSObject.h 2012-09-25 00:20:13 UTC (rev 129432)
@@ -172,6 +172,15 @@
JS_EXPORT_PRIVATE static void put(JSCell*, ExecState*, PropertyName, JSValue, PutPropertySlot&);
JS_EXPORT_PRIVATE static void putByIndex(JSCell*, ExecState*, unsigned propertyName, JSValue, bool shouldThrow);
+ void putByIndexInline(ExecState* exec, unsigned propertyName, JSValue value, bool shouldThrow)
+ {
+ if (canSetIndexQuickly(propertyName)) {
+ setIndexQuickly(exec->globalData(), propertyName, value);
+ return;
+ }
+ methodTable()->putByIndex(this, exec, propertyName, value, shouldThrow);
+ }
+
// This is similar to the putDirect* methods:
// - the prototype chain is not consulted
// - accessors are not called.
@@ -179,7 +188,7 @@
// This method creates a property with attributes writable, enumerable and configurable all set to true.
bool putDirectIndex(ExecState* exec, unsigned propertyName, JSValue value, unsigned attributes, PutDirectIndexMode mode)
{
- if (!attributes && canSetIndexQuickly(propertyName)) {
+ if (!attributes && canSetIndexQuicklyForPutDirect(propertyName)) {
setIndexQuickly(exec->globalData(), propertyName, value);
return true;
}
@@ -235,6 +244,19 @@
}
}
+ bool canSetIndexQuicklyForPutDirect(unsigned i)
+ {
+ switch (structure()->indexingType()) {
+ case ALL_BLANK_INDEXING_TYPES:
+ return false;
+ case ALL_ARRAY_STORAGE_INDEXING_TYPES:
+ return i < m_butterfly->arrayStorage()->vectorLength();
+ default:
+ ASSERT_NOT_REACHED();
+ return false;
+ }
+ }
+
void setIndexQuickly(JSGlobalData& globalData, unsigned i, JSValue v)
{
switch (structure()->indexingType()) {
Modified: trunk/Source/_javascript_Core/runtime/LiteralParser.cpp (129431 => 129432)
--- trunk/Source/_javascript_Core/runtime/LiteralParser.cpp 2012-09-25 00:12:22 UTC (rev 129431)
+++ trunk/Source/_javascript_Core/runtime/LiteralParser.cpp 2012-09-25 00:20:13 UTC (rev 129432)
@@ -570,7 +570,8 @@
goto startParseExpression;
}
case DoParseArrayEndExpression: {
- asArray(objectStack.last())->push(m_exec, lastValue);
+ JSArray* array = asArray(objectStack.last());
+ array->putDirectIndex(m_exec, array->length(), lastValue);
if (m_lexer.currentToken().type == TokComma)
goto doParseArrayStartExpression;
