Reviewers: arv,

Description:
Use SetOwnElement when creating splice records in array length setter

This avoids touching the Array prototype, which may have been tampered with.

BUG=chromium:443982
LOG=n

Please review this at https://codereview.chromium.org/820503005/

Base URL: https://chromium.googlesource.com/v8/v8.git@master

Affected files (+24, -2 lines):
  M src/objects.cc
  A test/mjsunit/es7/regress/regress-443982.js


Index: src/objects.cc
diff --git a/src/objects.cc b/src/objects.cc
index 9d17f1f8bd4e6f9275c00b106dee86174b2edae1..24fdf477a8e6683f49a58789bd1866895b25f146 100644
--- a/src/objects.cc
+++ b/src/objects.cc
@@ -11807,8 +11807,8 @@ MaybeHandle<Object> JSArray::SetElementsLength(
       // Skip deletions where the property was an accessor, leaving holes
       // in the array of old values.
       if (old_values[i]->IsTheHole()) continue;
-      JSObject::SetElement(
- deleted, indices[i] - index, old_values[i], NONE, SLOPPY).Assert();
+      JSObject::SetOwnElement(deleted, indices[i] - index, old_values[i],
+                              SLOPPY).Assert();
     }

     SetProperty(deleted, isolate->factory()->length_string(),
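Review bot: The reason for preferring SetOwnElement over SetElement is not recorded at the call site, so a future cleanup could reintroduce the prototype lookup this change removes; a comment on the new call would preserve it, e.g. `// SetOwnElement, not SetElement: going through the prototype chain would invoke any accessor a script has installed on Array.prototype for this index (which may throw) inside an operation whose result is .Assert()ed.` The construction of `deleted` and the rest of JSArray::SetElementsLength lie outside the hunk, so whether `deleted` is guaranteed to be a fresh array with no own elements of its own cannot be confirmed from here. The dropped `NONE` argument presumably reflects SetOwnElement's signature rather than an intended change to the attributes of the copied elements; worth stating in the comment if so.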
Index: test/mjsunit/es7/regress/regress-443982.js
diff --git a/test/mjsunit/es7/regress/regress-443982.js b/test/mjsunit/es7/regress/regress-443982.js
new file mode 100644
index 0000000000000000000000000000000000000000..5a2e9cd6db7c2ab897db296b94e6eb1c14fe7fb8
--- /dev/null
+++ b/test/mjsunit/es7/regress/regress-443982.js
@@ -0,0 +1,22 @@
+// Copyright 2014 the V8 project authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+var records;
+function observer(r) {
+  records = r;
+}
+
+Object.defineProperty(Array.prototype, '0', {
+  get: function() { return 0; },
+  set: function() { throw "boom!"; }
+});
+arr = [1, 2];
+Array.observe(arr, observer);
+arr.length = 0;
+assertEquals(0, arr.length);
+
+Object.deliverChangeRecords(observer);
+assertEquals(1, records.length);
+assertEquals('splice', records[0].type);
+assertArrayEquals([1, 2], records[0].removed);
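Review bot: `arr = [1, 2];` assigns an undeclared identifier and so creates an implicit global, unlike `var records` a few lines above; `var arr = [1, 2];` keeps the test consistent and avoids relying on sloppy-mode globals. The test only guards against the tampered setter indirectly, through the `throw "boom!"` making `arr.length = 0` fail if the prototype accessor were invoked; a short header comment such as `// Regression test: creating splice records must not invoke accessors installed on Array.prototype.` would make the intent explicit for readers who do not follow the bug link.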

