[v8-dev] [v8] r22576 committed - Fix ArrayLengthSetter to not throw on non-extensible receivers....

Wed, 23 Jul 2014 13:28:37 -0700 

Revision: 22576
Author:   [email protected]
Date:     Wed Jul 23 20:27:32 2014 UTC
Log:      Fix ArrayLengthSetter to not throw on non-extensible receivers.

BUG=v8:3460
LOG=n
[email protected]

Review URL: https://codereview.chromium.org/411983003
http://code.google.com/p/v8/source/detail?r=22576

Added:
 /branches/bleeding_edge/test/mjsunit/regress/regress-mask-array-length.js
Modified:
 /branches/bleeding_edge/src/accessors.cc

=======================================
--- /dev/null
+++ /branches/bleeding_edge/test/mjsunit/regress/regress-mask-array-length.js Wed Jul 23 20:27:32 2014 UTC 
@@ -0,0 +1,10 @@
+// Copyright 2014 the V8 project authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+var a = [];
+var o = {
+  __proto__: a
+};
+Object.preventExtensions(o);
+o.length = 'abc';
=======================================
--- /branches/bleeding_edge/src/accessors.cc    Wed Jul 23 20:11:33 2014 UTC
+++ /branches/bleeding_edge/src/accessors.cc    Wed Jul 23 20:27:32 2014 UTC
@@ -174,13 +174,16 @@
     const v8::PropertyCallbackInfo<void>& info) {
   i::Isolate* isolate = reinterpret_cast<i::Isolate*>(info.GetIsolate());
   HandleScope scope(isolate);
-  Handle<JSObject> object = Handle<JSObject>::cast(
-      Utils::OpenHandle(*info.This()));
+  Handle<JSObject> object = Utils::OpenHandle(*info.This());
   Handle<Object> value = Utils::OpenHandle(*val);
   // This means one of the object's prototypes is a JSArray and the
   // object does not have a 'length' property.  Calling SetProperty
   // causes an infinite loop.
   if (!object->IsJSArray()) {
+    // This behaves sloppy since we lost the actual strict-mode.
+ // TODO(verwaest): Fix by making ExecutableAccessorInfo behave like data 
+    // properties.
+    if (!object->map()->is_extensible()) return;
MaybeHandle<Object> maybe_result = JSObject::SetOwnPropertyIgnoreAttributes( 
         object, isolate->factory()->length_string(), value, NONE);
     maybe_result.Check();

--
--
v8-dev mailing list
[email protected]
http://groups.google.com/group/v8-dev
--- You received this message because you are subscribed to the Google Groups "v8-dev" group. 
To unsubscribe from this group and stop receiving emails from it, send an email 
to [email protected].
For more options, visit https://groups.google.com/d/optout.

Reply via email to