Reviewers: Igor Sheludko,
Message:
ptal
Description:
Fix keyed stores to strings convertible to indices
BUG=chromium:509545
LOG=n
Please review this at https://codereview.chromium.org/1232823002/
Base URL: https://chromium.googlesource.com/v8/v8.git@master
Affected files (+14, -19 lines):
M src/ic/ic.cc
M test/mjsunit/harmony/proxies.js
M test/mjsunit/primitive-keyed-access.js
Index: src/ic/ic.cc
diff --git a/src/ic/ic.cc b/src/ic/ic.cc
index
4006f296a10b5503e708c0151866aba8d8756a7b..7d572ee4819263c6368c0e83c458aa6d072c7e46
100644
--- a/src/ic/ic.cc
+++ b/src/ic/ic.cc
@@ -1545,22 +1545,6 @@ MaybeHandle<Object> StoreIC::Store(Handle<Object>
object, Handle<Name> name,
return TypeError(MessageTemplate::kNonObjectPropertyStore, object,
name);
}
- // Check if the given name is an array index.
- uint32_t index;
- if (name->AsArrayIndex(&index)) {
- // Ignore other stores where the receiver is not a JSObject.
- // TODO(1475): Must check prototype chains of object wrappers.
- if (!object->IsJSObject()) return value;
- Handle<JSObject> receiver = Handle<JSObject>::cast(object);
-
- Handle<Object> result;
- ASSIGN_RETURN_ON_EXCEPTION(
- isolate(), result,
- Object::SetElement(isolate(), receiver, index, value,
language_mode()),
- Object);
- return value;
- }
-
// Observed objects are always modified through the runtime.
if (object->IsHeapObject() &&
Handle<HeapObject>::cast(object)->map()->is_observed()) {
@@ -2116,7 +2100,10 @@ MaybeHandle<Object>
KeyedStoreIC::Store(Handle<Object> object,
Handle<Object> store_handle;
Handle<Code> stub = megamorphic_stub();
- if (key->IsInternalizedString() || key->IsSymbol()) {
+ uint32_t index;
+ if ((key->IsInternalizedString() &&
+ !String::cast(*key)->AsArrayIndex(&index)) ||
+ key->IsSymbol()) {
ASSIGN_RETURN_ON_EXCEPTION(
isolate(), store_handle,
StoreIC::Store(object, Handle<Name>::cast(key), value,
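Review bot: The new condition in KeyedStoreIC::Store declares `uint32_t index;` purely as a scratch out-parameter for `AsArrayIndex`, and nothing in the visible lines reads it afterwards, so the intent of the check is not obvious. A comment above the `if` would help, for example `// Index-like string keys must not be routed to StoreIC::Store, which no longer handles array indices.` Since this commit also deletes the index handling from StoreIC::Store, this predicate appears to be the only thing keeping such keys off the named-store path. The commit also drops `DCHECK(!object->IsAccessCheckNeeded())` further down in this function, so it is worth confirming that a test covers an access-checked receiver with an index-like string key. The function body starts and ends outside the hunk.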
@@ -2156,8 +2143,6 @@ MaybeHandle<Object>
KeyedStoreIC::Store(Handle<Object> object,
}
if (use_ic) {
- DCHECK(!object->IsAccessCheckNeeded());
-
if (object->IsJSObject()) {
Handle<JSObject> receiver = Handle<JSObject>::cast(object);
bool key_is_smi_like = !Object::ToSmi(isolate(), key).is_null();
Index: test/mjsunit/harmony/proxies.js
diff --git a/test/mjsunit/harmony/proxies.js
b/test/mjsunit/harmony/proxies.js
index
585574eb43a82b784a0f6402faab96e369af87a6..f1d37b445a9fc866375f1f9ccba9426c6f0e3b57
100644
--- a/test/mjsunit/harmony/proxies.js
+++ b/test/mjsunit/harmony/proxies.js
@@ -382,6 +382,10 @@ function TestSet2(create, handler) {
assertEquals(46, (function(n) { return p[n] = 46 })(99))
assertEquals("99", key)
assertEquals(46, val)
+
+ assertEquals(47, p["0"] = 47)
+ assertEquals("0", key)
+ assertEquals(47, val)
}
TestSet({
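Review bot: The added assertions store through the literal `p["0"]` only, while the lines just above use a wrapper with a variable key, `(function(n) { return p[n] = 46 })(99)`. Whether a literal index-like string reaches the keyed store IC the same way as a string held in a variable is not visible from this hunk. A second case such as `assertEquals(48, (function(n) { return p[n] = 48 })("0"))`, followed by the same `key`/`val` checks, would pin the variable-key path too. TestSet2 begins outside the hunk, so how `key` and `val` are populated is assumed from the surrounding assertions.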
Index: test/mjsunit/primitive-keyed-access.js
diff --git a/test/mjsunit/primitive-keyed-access.js
b/test/mjsunit/primitive-keyed-access.js
index
16bb6a07cad53fcf8ca835685f5b5f0a93fe1902..c83975a8d30d560655cea66fe2384f32e46977e6
100644
--- a/test/mjsunit/primitive-keyed-access.js
+++ b/test/mjsunit/primitive-keyed-access.js
@@ -41,3 +41,9 @@ assertThrows(function() {
var sym = Symbol('66');
sym[62] = 0;
});
+
+assertThrows(function() {
+ "use strict";
+ var o = "bla";
+ o["0"] = 1;
+});
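Review bot: The new `assertThrows` passes no expected error type, so it succeeds on any exception, including one unrelated to the strict-mode store on a string primitive. Closing the call with `}, TypeError);` would tie the test to the behaviour this fix is meant to restore. The neighbouring cases in this file also omit the type, so this is a tightening rather than an inconsistency. A comment such as `// Strict-mode store to an index-like string key on a primitive must throw.` would also record why the key is `"0"` rather than `0`.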