Skip to site navigation (Press enter)

[webkit-changes] [129461] trunk

barraclough Mon, 24 Sep 2012 23:47:32 -0700

Title: [129461] trunk

Revision: 129461
Author: [email protected]
Date: 2012-09-24 23:48:35 -0700 (Mon, 24 Sep 2012)

Log Message

https://bugs.webkit.org/show_bug.cgi?id=97530
Regression, freeze applied to numeric properties of non-array objects


Reviewed by Filip Pizlo.

Object.freeze has a fast implementation in JSObject, but this hasn't been updated to take into account numeric properties in butterflies.
For now, just fall back to the generic implementation if the object has numeric properties.

Source/_javascript_Core: 

* runtime/ObjectConstructor.cpp:
(JSC::objectConstructorFreeze):
    - fallback if the object has a non-zero indexed property vector length.

LayoutTests: 

* fast/js/preventExtensions-expected.txt:
* fast/js/script-tests/preventExtensions.js:
    - Added a test case for freezing an object with a numeric property.

Modified Paths

trunk/LayoutTests/ChangeLog
trunk/LayoutTests/fast/js/preventExtensions-expected.txt
trunk/LayoutTests/fast/js/script-tests/preventExtensions.js
trunk/Source/_javascript_Core/ChangeLog
trunk/Source/_javascript_Core/runtime/ObjectConstructor.cpp

Diff

Modified: trunk/LayoutTests/ChangeLog (129460 => 129461)


--- trunk/LayoutTests/ChangeLog	2012-09-25 06:32:23 UTC (rev 129460)
+++ trunk/LayoutTests/ChangeLog	2012-09-25 06:48:35 UTC (rev 129461)
@@ -1,3 +1,17 @@
+2012-09-24  Gavin Barraclough  <[email protected]>
+
+        https://bugs.webkit.org/show_bug.cgi?id=97530
+        Regression, freeze applied to numeric properties of non-array objects
+
+        Reviewed by Filip Pizlo.
+
+        Object.freeze has a fast implementation in JSObject, but this hasn't been updated to take into account numeric properties in butterflies.
+        For now, just fall back to the generic implementation if the object has numeric properties.
+
+        * fast/js/preventExtensions-expected.txt:
+        * fast/js/script-tests/preventExtensions.js:
+            - Added a test case for freezing an object with a numeric property.
+
 2012-09-24  Zan Dobersek  <[email protected]>
 
         Unreviewed GTK gardening.

Modified: trunk/LayoutTests/fast/js/preventExtensions-expected.txt (129460 => 129461)


--- trunk/LayoutTests/fast/js/preventExtensions-expected.txt	2012-09-25 06:32:23 UTC (rev 129460)
+++ trunk/LayoutTests/fast/js/preventExtensions-expected.txt	2012-09-25 06:48:35 UTC (rev 129461)
@@ -35,6 +35,8 @@
 PASS preventExtensionsFreezeIsFrozen(function foo(){ "use strict"; }) is true
 PASS preventExtensionsFreezeIsFrozen([0,1,2]) is true
 PASS preventExtensionsFreezeIsFrozen((function(){ return arguments; })(0,1,2)) is true
+PASS Object.getOwnPropertyDescriptor(freeze({0:0}), 0).configurable is false
+PASS Object.getOwnPropertyDescriptor(freeze({10000001:0}), 10000001).configurable is false
 PASS successfullyParsed is true
 
 TEST COMPLETE

Modified: trunk/LayoutTests/fast/js/script-tests/preventExtensions.js (129460 => 129461)


--- trunk/LayoutTests/fast/js/script-tests/preventExtensions.js	2012-09-25 06:32:23 UTC (rev 129460)
+++ trunk/LayoutTests/fast/js/script-tests/preventExtensions.js	2012-09-25 06:48:35 UTC (rev 129461)
@@ -130,3 +130,5 @@
 shouldBeTrue('preventExtensionsFreezeIsFrozen([0,1,2])')
 shouldBeTrue('preventExtensionsFreezeIsFrozen((function(){ return arguments; })(0,1,2))')
 
+shouldBeFalse('Object.getOwnPropertyDescriptor(freeze({0:0}), 0).configurable');
+shouldBeFalse('Object.getOwnPropertyDescriptor(freeze({10000001:0}), 10000001).configurable');

Modified: trunk/Source/_javascript_Core/ChangeLog (129460 => 129461)


--- trunk/Source/_javascript_Core/ChangeLog	2012-09-25 06:32:23 UTC (rev 129460)
+++ trunk/Source/_javascript_Core/ChangeLog	2012-09-25 06:48:35 UTC (rev 129461)
@@ -1,5 +1,19 @@
 2012-09-24  Gavin Barraclough  <[email protected]>
 
+        https://bugs.webkit.org/show_bug.cgi?id=97530
+        Regression, freeze applied to numeric properties of non-array objects
+
+        Reviewed by Filip Pizlo.
+
+        Object.freeze has a fast implementation in JSObject, but this hasn't been updated to take into account numeric properties in butterflies.
+        For now, just fall back to the generic implementation if the object has numeric properties.
+
+        * runtime/ObjectConstructor.cpp:
+        (JSC::objectConstructorFreeze):
+            - fallback if the object has a non-zero indexed property vector length.
+
+2012-09-24  Gavin Barraclough  <[email protected]>
+
         Bug in numeric accessors on global environment
         https://bugs.webkit.org/show_bug.cgi?id=97526

Modified: trunk/Source/_javascript_Core/runtime/ObjectConstructor.cpp (129460 => 129461)


--- trunk/Source/_javascript_Core/runtime/ObjectConstructor.cpp	2012-09-25 06:32:23 UTC (rev 129460)
+++ trunk/Source/_javascript_Core/runtime/ObjectConstructor.cpp	2012-09-25 06:48:35 UTC (rev 129461)
@@ -404,7 +404,7 @@
         return throwVMError(exec, createTypeError(exec, ASCIILiteral("Object.freeze can only be called on Objects.")));
     JSObject* object = asObject(obj);
 
-    if (isJSFinalObject(object)) {
+    if (isJSFinalObject(object) && !hasIndexedProperties(object->structure()->indexingType())) {
         object->freeze(exec->globalData());
         return JSValue::encode(obj);
     }

_______________________________________________
webkit-changes mailing list
[email protected]
http://lists.webkit.org/mailman/listinfo/webkit-changes