[v8-dev] [v8 commit] r1072 - in branches/bleeding_edge: src test/mjsunit/bugs test/mjsunit/regress

Wed, 14 Jan 2009 04:28:12 -0800 

Author: [email protected]
Date: Wed Jan 14 04:13:26 2009
New Revision: 1072

Added:
    branches/bleeding_edge/test/mjsunit/regress/regress-186.js
       - copied, changed from r1069,  
/branches/bleeding_edge/test/mjsunit/bugs/bug-186.js
Removed:
    branches/bleeding_edge/test/mjsunit/bugs/bug-186.js
Modified:
    branches/bleeding_edge/src/bootstrapper.cc
    branches/bleeding_edge/src/objects-debug.cc
    branches/bleeding_edge/src/objects-inl.h
    branches/bleeding_edge/src/objects.cc
    branches/bleeding_edge/src/objects.h

Log:
Fix issue 186:

     http://code.google.com/p/v8/issues/detail?id=186

Create a new instance type for context extension objects.  Use it to
not use the __proto__ accessor for context extension objects.
Review URL: http://codereview.chromium.org/18044

Modified: branches/bleeding_edge/src/bootstrapper.cc
==============================================================================
--- branches/bleeding_edge/src/bootstrapper.cc  (original)
+++ branches/bleeding_edge/src/bootstrapper.cc  Wed Jan 14 04:13:26 2009
@@ -794,8 +794,11 @@
      // Create a function for the context extension objects.
      Handle<Code> code = Handle<Code>(Builtins::builtin(Builtins::Illegal));
      Handle<JSFunction> context_extension_fun =
-        Factory::NewFunction(Factory::empty_symbol(), JS_OBJECT_TYPE,
-                             JSObject::kHeaderSize, code, true);
+        Factory::NewFunction(Factory::empty_symbol(),
+                             JS_CONTEXT_EXTENSION_OBJECT_TYPE,
+                             JSObject::kHeaderSize,
+                             code,
+                             true);

      Handle<String> name = Factory::LookupAsciiSymbol("context_extension");
      context_extension_fun->shared()->set_instance_class_name(*name);

Modified: branches/bleeding_edge/src/objects-debug.cc
==============================================================================
--- branches/bleeding_edge/src/objects-debug.cc (original)
+++ branches/bleeding_edge/src/objects-debug.cc Wed Jan 14 04:13:26 2009
@@ -117,6 +117,7 @@
        PrintF("filler");
        break;
      case JS_OBJECT_TYPE:  // fall through
+    case JS_CONTEXT_EXTENSION_OBJECT_TYPE:
      case JS_ARRAY_TYPE:
      case JS_REGEXP_TYPE:
        JSObject::cast(this)->JSObjectPrint();
@@ -193,6 +194,7 @@
        Oddball::cast(this)->OddballVerify();
        break;
      case JS_OBJECT_TYPE:
+    case JS_CONTEXT_EXTENSION_OBJECT_TYPE:
        JSObject::cast(this)->JSObjectVerify();
        break;
      case JS_VALUE_TYPE:
@@ -382,6 +384,7 @@
      case BYTE_ARRAY_TYPE: return "BYTE_ARRAY";
      case FILLER_TYPE: return "FILLER";
      case JS_OBJECT_TYPE: return "JS_OBJECT";
+    case JS_CONTEXT_EXTENSION_OBJECT_TYPE:  
return "JS_CONTEXT_EXTENSION_OBJECT";
      case ODDBALL_TYPE: return "ODDBALL";
      case SHARED_FUNCTION_INFO_TYPE: return "SHARED_FUNCTION_INFO";
      case JS_FUNCTION_TYPE: return "JS_FUNCTION";

Modified: branches/bleeding_edge/src/objects-inl.h
==============================================================================
--- branches/bleeding_edge/src/objects-inl.h    (original)
+++ branches/bleeding_edge/src/objects-inl.h    Wed Jan 14 04:13:26 2009
@@ -328,6 +328,13 @@
  }


+bool Object::IsJSContextExtensionObject() {
+  return IsHeapObject()
+    && (HeapObject::cast(this)->map()->instance_type() ==
+        JS_CONTEXT_EXTENSION_OBJECT_TYPE);
+}
+
+
  bool Object::IsMap() {
    return Object::IsHeapObject()
      && HeapObject::cast(this)->map()->instance_type() == MAP_TYPE;
@@ -1018,6 +1025,7 @@
      case JS_REGEXP_TYPE:
        return JSValue::kSize;
      case JS_OBJECT_TYPE:
+    case JS_CONTEXT_EXTENSION_OBJECT_TYPE:
        return JSObject::kHeaderSize;
      default:
        UNREACHABLE();

Modified: branches/bleeding_edge/src/objects.cc
==============================================================================
--- branches/bleeding_edge/src/objects.cc       (original)
+++ branches/bleeding_edge/src/objects.cc       Wed Jan 14 04:13:26 2009
@@ -940,6 +940,7 @@
        reinterpret_cast<FixedArray*>(this)->FixedArrayIterateBody(v);
        break;
      case JS_OBJECT_TYPE:
+    case JS_CONTEXT_EXTENSION_OBJECT_TYPE:
      case JS_VALUE_TYPE:
      case JS_ARRAY_TYPE:
      case JS_REGEXP_TYPE:
@@ -2360,7 +2361,7 @@
    }

    // Check __proto__ before interceptor.
-  if (name->Equals(Heap::Proto_symbol())) {
+  if (name->Equals(Heap::Proto_symbol()) && !IsJSContextExtensionObject())  
{
      result->ConstantResult(this);
      return;
    }

Modified: branches/bleeding_edge/src/objects.h
==============================================================================
--- branches/bleeding_edge/src/objects.h        (original)
+++ branches/bleeding_edge/src/objects.h        Wed Jan 14 04:13:26 2009
@@ -278,6 +278,7 @@
                                                  \
    V(JS_VALUE_TYPE)                              \
    V(JS_OBJECT_TYPE)                             \
+  V(JS_CONTEXT_EXTENSION_OBJECT_TYPE)           \
    V(JS_GLOBAL_OBJECT_TYPE)                      \
    V(JS_BUILTINS_OBJECT_TYPE)                    \
    V(JS_GLOBAL_PROXY_TYPE)                       \
@@ -535,6 +536,7 @@

    JS_VALUE_TYPE,
    JS_OBJECT_TYPE,
+  JS_CONTEXT_EXTENSION_OBJECT_TYPE,
    JS_GLOBAL_OBJECT_TYPE,
    JS_BUILTINS_OBJECT_TYPE,
    JS_GLOBAL_PROXY_TYPE,
@@ -622,6 +624,7 @@
    inline bool IsOutOfMemoryFailure();
    inline bool IsException();
    inline bool IsJSObject();
+  inline bool IsJSContextExtensionObject();
    inline bool IsMap();
    inline bool IsFixedArray();
    inline bool IsDescriptorArray();

Copied: branches/bleeding_edge/test/mjsunit/regress/regress-186.js (from  
r1069, /branches/bleeding_edge/test/mjsunit/bugs/bug-186.js)
==============================================================================
--- /branches/bleeding_edge/test/mjsunit/bugs/bug-186.js        (original)
+++ branches/bleeding_edge/test/mjsunit/regress/regress-186.js  Wed Jan 14  
04:13:26 2009
@@ -33,12 +33,27 @@
  var o = {};
  o.__defineSetter__("x", function() { setterCalled = true; });

+function runTest(test) {
+  setterCalled = false;
+  test();
+}
+
  function testLocal() {
    // Add property called __proto__ to the extension object.
    eval("var __proto__ = o");
    // Check that the extension object's prototype did not change.
    eval("var x = 27");
    assertFalse(setterCalled, "prototype of extension object changed");
+  assertEquals(o, eval("__proto__"));
+}
+
+function testConstLocal() {
+  // Add const property called __proto__ to the extension object.
+  eval("const __proto__ = o");
+  // Check that the extension object's prototype did not change.
+  eval("var x = 27");
+  assertFalse(setterCalled, "prototype of extension object changed");
+  assertEquals(o, eval("__proto__"));
  }

  function testGlobal() {
@@ -48,8 +63,10 @@
    eval("x = 27");
    assertTrue(setterCalled, "prototype of global object did not change");
    setterCalled = false;
+  assertEquals(o, eval("__proto__"));
  }

-testLocal();
-testGlobal();
+runTest(testLocal);
+runTest(testConstLocal);
+runTest(testGlobal);


--~--~---------~--~----~------------~-------~--~----~
v8-dev mailing list
[email protected]
http://groups.google.com/group/v8-dev
-~----------~----~----~----~------~----~------~--~---

Reply via email to