Reviewers: rossberg, rafaelw,
Description:
Don't pass the hole to SetElement when creating Array.observe change records
Also added comments to remind us why we were using the hole here in the
first
place (it's used for the case where Object.observe, rather than
Array.observe,
has been called on Array that's undergoing truncation).
BUG=356589
Please review this at https://codereview.chromium.org/213823002/
SVN Base: https://v8.googlecode.com/svn/branches/bleeding_edge
Affected files (+12, -2 lines):
M src/objects.cc
A + test/mjsunit/regress/regress-356589.js
Index: src/objects.cc
diff --git a/src/objects.cc b/src/objects.cc
index
c764b33e6793ee169d0866318e19483a888e4b08..55e3b810979d1fad9ad53b0035eb496f553d7562
100644
--- a/src/objects.cc
+++ b/src/objects.cc
@@ -11407,6 +11407,9 @@ Handle<Object>
JSArray::SetElementsLength(Handle<JSArray> array,
BeginPerformSplice(array);
for (int i = 0; i < indices.length(); ++i) {
+ // For deletions where the property was an accessor, old_values[i]
+ // will be the hole, which instructs EnqueueChangeRecord to elide
+ // the "oldValue" property.
JSObject::EnqueueChangeRecord(
array, "delete", isolate->factory()->Uint32ToString(indices[i]),
old_values[i]);
@@ -11423,6 +11426,9 @@ Handle<Object>
JSArray::SetElementsLength(Handle<JSArray> array,
Handle<JSArray> deleted = isolate->factory()->NewJSArray(0);
if (delete_count > 0) {
for (int i = indices.length() - 1; i >= 0; i--) {
+ // Skip deletions where the property was an accessor, leaving holes
+ // in the array of old values.
+ if (old_values[i]->IsTheHole()) continue;
JSObject::SetElement(deleted, indices[i] - index, old_values[i],
NONE,
SLOPPY);
}
Index: test/mjsunit/regress/regress-356589.js
diff --git a/test/mjsunit/regress/regress-3220.js
b/test/mjsunit/regress/regress-356589.js
similarity index 86%
copy from test/mjsunit/regress/regress-3220.js
copy to test/mjsunit/regress/regress-356589.js
index
6f8e8c8f0eedd2cd5e00cb00d9e9fee1899a27c6..f93c5456407e6f1a433aa2c63d84f0749489a19b
100644
--- a/test/mjsunit/regress/regress-3220.js
+++ b/test/mjsunit/regress/regress-356589.js
@@ -25,6 +25,10 @@
// (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
// OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
-// Flags: --use-strict
+// This test passes if it does not crash in debug mode
-String(new Date());
+arr = ['a', 'b', 'c', 'd'];
+Object.defineProperty(arr.__proto__, '0', { get: function(){} });
+Object.defineProperty(arr, '2', {get: function(){} });
+Object.observe(arr, function() {});
+arr.length = 2;
--
--
v8-dev mailing list
[email protected]
http://groups.google.com/group/v8-dev
---
You received this message because you are subscribed to the Google Groups "v8-dev" group.
To unsubscribe from this group and stop receiving emails from it, send an email
to [email protected].
For more options, visit https://groups.google.com/d/optout.
