Modified: trunk/Source/_javascript_Core/ChangeLog (129457 => 129458)
--- trunk/Source/_javascript_Core/ChangeLog 2012-09-25 05:27:33 UTC (rev 129457)
+++ trunk/Source/_javascript_Core/ChangeLog 2012-09-25 06:12:11 UTC (rev 129458)
@@ -1,3 +1,18 @@
+2012-09-24 Gavin Barraclough <[email protected]>
+
+ Bug in numeric accessors on global environment
+ https://bugs.webkit.org/show_bug.cgi?id=97526
+
+ Reviewed by Geoff Garen.
+
+ I've hit this assert in test262 in browser, but haven't yet worked out how to repro in a test case :-/
+ The sparsemap is failing to map back from the global object to the window shell.
+ A test case would need to resolve a numeric property name against the global environment.
+
+ (JSC::SparseArrayEntry::get):
+ (JSC::SparseArrayEntry::put):
+ - Add missing toThisObject calls.
+
2012-09-24 Filip Pizlo <[email protected]>
SerializedScriptValue isn't aware of indexed storage, but should be
Modified: trunk/Source/_javascript_Core/runtime/SparseArrayValueMap.cpp (129457 => 129458)
--- trunk/Source/_javascript_Core/runtime/SparseArrayValueMap.cpp 2012-09-25 05:27:33 UTC (rev 129457)
+++ trunk/Source/_javascript_Core/runtime/SparseArrayValueMap.cpp 2012-09-25 06:12:11 UTC (rev 129458)
@@ -159,7 +159,7 @@
CallData callData;
CallType callType = getter->methodTable()->getCallData(getter, callData);
- return call(exec, getter, callType, callData, array, exec->emptyList());
+ return call(exec, getter, callType, callData, array->methodTable()->toThisObject(array, exec), exec->emptyList());
}
void SparseArrayEntry::put(ExecState* exec, JSValue thisValue, SparseArrayValueMap* map, JSValue value, bool shouldThrow)
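Review bot: The new receiver expression on the `call(...)` line in SparseArrayEntry::get has neither a comment nor a regression test, so nothing records why `array` must pass through `toThisObject` before it reaches script. The ChangeLog attributes the bug to the global object not being mapped back to the window shell. If that holds, a script-defined getter would receive the bare global object rather than the shell that is meant to mediate access, so the invariant should be stated at the call site, e.g. `// Accessors must see the window shell, never the bare global object.` The same applies to the setter call in the `@@ -189,6 +189,8 @@` hunk, and a layout test that resolves a numeric property name against the global environment, as the ChangeLog describes, would guard both paths. The body of get starts outside this hunk.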
@@ -189,6 +189,8 @@
CallType callType = setter->methodTable()->getCallData(setter, callData);
MarkedArgumentBuffer args;
args.append(value);
+ if (thisValue.isObject())
+ thisValue = asObject(thisValue)->methodTable()->toThisObject(asObject(thisValue), exec);
call(exec, setter, callType, callData, thisValue, args);
}
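Review bot: The added conversion in SparseArrayEntry::put evaluates `asObject(thisValue)` twice and overwrites the `thisValue` parameter in place. A local reads more clearly: `JSObject* thisObject = asObject(thisValue);` followed by `thisValue = thisObject->methodTable()->toThisObject(thisObject, exec);`. The `isObject()` guard passes a non-object `thisValue` to the setter unconverted, which is presumably intended for primitive receivers but deserves a one-line comment saying so. Also, get passes `array` as the receiver while put passes `thisValue`; if the two can differ, it is worth confirming that the getter is meant to see the storage owner. The body of put starts outside this hunk.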