Reviewers: adamk,

Message:
PTAL

Description:
Fix evaluation order of Object.prototype.hasOwnProperty

We need to do the ToName before the ToObject.

BUG=v8:4229
LOG=N
R=adamk

Please review this at https://codereview.chromium.org/1211663002/

Base URL: https://chromium.googlesource.com/v8/v8.git@master

Affected files (+16, -13 lines):
  M src/v8natives.js
  A + test/mjsunit/has-own-property-evaluation-order.js


Index: src/v8natives.js
diff --git a/src/v8natives.js b/src/v8natives.js
index b002be3461852c65df3962e01354134d75b35f12..f556c397399332cff46f594dd010492fdacf614d 100644
--- a/src/v8natives.js
+++ b/src/v8natives.js
@@ -174,15 +174,18 @@ function ObjectValueOf() {


 // ECMA-262 - 15.2.4.5
-function ObjectHasOwnProperty(V) {
-  if (%_IsJSProxy(this)) {
+function ObjectHasOwnProperty(value) {
+  var name = $toName(value);
+  var object = TO_OBJECT_INLINE(this);
+
+  if (%_IsJSProxy(object)) {
     // TODO(rossberg): adjust once there is a story for symbols vs proxies.
-    if (IS_SYMBOL(V)) return false;
+    if (IS_SYMBOL(value)) return false;

-    var handler = %GetHandler(this);
- return CallTrap1(handler, "hasOwn", ProxyDerivedHasOwnTrap, $toName(V));
+    var handler = %GetHandler(object);
+    return CallTrap1(handler, "hasOwn", ProxyDerivedHasOwnTrap, name);
   }
-  return %HasOwnProperty(TO_OBJECT_INLINE(this), $toName(V));
+  return %HasOwnProperty(object, name);
 }
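Review bot: The ordering this function now depends on is not stated in the new code, so a later cleanup could fold `$toName(value)` back into the call sites and silently restore the old order. A comment above the two hoisted `var` lines would pin it, for example `// ToName(value) must run before ToObject(this): a throwing toString/valueOf has to win over the TypeError for a null or undefined receiver.` Hoisting also means no user-supplied conversion code runs between `TO_OBJECT_INLINE(this)` and `%HasOwnProperty`, which is a property worth preserving in natives that call back into script. In the proxy branch, `IS_SYMBOL(value)` could test `name` instead, so every check after the conversion uses the converted key; the two are presumably equivalent because ToName leaves a symbol unchanged.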


Index: test/mjsunit/has-own-property-evaluation-order.js
diff --git a/test/mjsunit/compiler/regress-447567.js b/test/mjsunit/has-own-property-evaluation-order.js
similarity index 58%
copy from test/mjsunit/compiler/regress-447567.js
copy to test/mjsunit/has-own-property-evaluation-order.js
index c348debee25fe3b3a909e163998b85088d605902..ae0218039602f2f030c8458abdead393ce5026aa 100644
--- a/test/mjsunit/compiler/regress-447567.js
+++ b/test/mjsunit/has-own-property-evaluation-order.js
@@ -2,12 +2,12 @@
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.

-assertThrows(function() {
-  [0].every(function(){ Object.seal((new Int8Array())); });
-})
+function MyError() {}

 assertThrows(function() {
-  "use strict";
-  const v = 42;
-  v += 1;
-});
+  Object.prototype.hasOwnProperty.call(null, {
+    toString() {
+      throw new MyError();
+    }
+  });
+}, MyError);
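Review bot: The test pins the order only for a `null` receiver on the non-proxy path; the `undefined` receiver and the proxy branch, which the patch also rewrote, are not exercised. Repeating the assertion with `Object.prototype.hasOwnProperty.call(undefined, key)` would cover the other receiver that ToObject rejects. A key whose `valueOf` throws after `toString` returns a non-primitive would, as far as I can tell, exercise the same conversion through its fallback path. A one-line comment above the `assertThrows`, such as `// ToName(key) must throw before ToObject(null) does.`, would tell a reader why `MyError` rather than `TypeError` is expected.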

