Reviewers: Toon Verwaest, adamk,
Message:
Follow up CL from https://codereview.chromium.org/258793005/
Description:
Array Iterator next should check for own property
Since we are using private symbols for the internal slots we need to
check for a local property.
BUG=None
LOG=Y
Please review this at https://codereview.chromium.org/268363011/
SVN Base: http://v8.googlecode.com/svn/branches/bleeding_edge
Affected files (+24, -5 lines):
M src/array-iterator.js
M test/mjsunit/harmony/array-iterator.js
Index: src/array-iterator.js
diff --git a/src/array-iterator.js b/src/array-iterator.js
index
10116b1d10b502c2079ce5e320db21b06ef60858..e8205e59a50b8604a504d68594e8c0b7e3777576
100644
--- a/src/array-iterator.js
+++ b/src/array-iterator.js
@@ -55,12 +55,17 @@ function CreateIteratorResultObject(value, done) {
// 15.4.5.2.2 ArrayIterator.prototype.next( )
function ArrayIteratorNext() {
var iterator = ToObject(this);
- var array = GET_PRIVATE(iterator, arrayIteratorObjectSymbol);
- if (!array) {
+
+ if (!%HasLocalProperty(iterator, arrayIteratorObjectSymbol)) {
throw MakeTypeError('incompatible_method_receiver',
['Array Iterator.prototype.next']);
}
+ var array = GET_PRIVATE(iterator, arrayIteratorObjectSymbol);
+ if (IS_UNDEFINED(array)) {
+ return CreateIteratorResultObject(UNDEFINED, true);
+ }
+
var index = GET_PRIVATE(iterator, arrayIteratorNextIndexSymbol);
var itemKind = GET_PRIVATE(iterator, arrayIterationKindSymbol);
var length = TO_UINT32(array.length);
@@ -68,17 +73,19 @@ function ArrayIteratorNext() {
// "sparse" is never used.
if (index >= length) {
- SET_PRIVATE(iterator, arrayIteratorNextIndexSymbol, INFINITY);
+ SET_PRIVATE(iterator, arrayIteratorObjectSymbol, UNDEFINED);
return CreateIteratorResultObject(UNDEFINED, true);
}
SET_PRIVATE(iterator, arrayIteratorNextIndexSymbol, index + 1);
- if (itemKind == ITERATOR_KIND_VALUES)
+ if (itemKind == ITERATOR_KIND_VALUES) {
return CreateIteratorResultObject(array[index], false);
+ }
- if (itemKind == ITERATOR_KIND_ENTRIES)
+ if (itemKind == ITERATOR_KIND_ENTRIES) {
return CreateIteratorResultObject([index, array[index]], false);
+ }
return CreateIteratorResultObject(index, false);
}
Index: test/mjsunit/harmony/array-iterator.js
diff --git a/test/mjsunit/harmony/array-iterator.js
b/test/mjsunit/harmony/array-iterator.js
index
6a402e739394a67e8fdba3ad15d35dc55a628721..04d41c1f29bff5e7be3d78c33d79f44d7d063c26
100644
--- a/test/mjsunit/harmony/array-iterator.js
+++ b/test/mjsunit/harmony/array-iterator.js
@@ -193,3 +193,15 @@ function TestForArrayEntries() {
}
}
TestForArrayEntries();
+
+
+function TestNonOwnSlots() {
+ var array = [0];
+ var iterator = array.values();
+ var object = {__proto__: iterator};
+
+ assertThrows(function() {
+ object.next();
+ }, TypeError);
+}
+TestNonOwnSlots();
--
--
v8-dev mailing list
[email protected]
http://groups.google.com/group/v8-dev
---
You received this message because you are subscribed to the Google Groups "v8-dev" group.
To unsubscribe from this group and stop receiving emails from it, send an email
to [email protected].
For more options, visit https://groups.google.com/d/optout.
