
Side by Side Diff: src/accessors.cc

Issue 7206038: Correctly handle non-array receivers in Array length setter. (Closed) Base URL: https://v8.googlecode.com/svn/branches/bleeding_edge
Patch Set: Created 9 years, 6 months ago
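--- a/src/accessors.cc
+++ b/src/accessors.cc
@@ -1,10 +1,10 @@
 // Copyright 2011 the V8 project authors. All rights reserved.
 // Redistribution and use in source and binary forms, with or without
 // modification, are permitted provided that the following conditions are
 // met:
 //
 // * Redistributions of source code must retain the above copyright
 // notice, this list of conditions and the following disclaimer.
 // * Redistributions in binary form must reproduce the above
 // copyright notice, this list of conditions and the following
 // disclaimer in the documentation and/or other materials provided
@@ -95,49 +95,46 @@
 has_initial_map());
 Map* number_map = Isolate::Current()->context()->global_context()->
 number_function()->initial_map();
 if (wrapper->map() == number_map) return wrapper->value();
 return value;
 }
 
 
 MaybeObject* Accessors::ArraySetLength(JSObject* object, Object* value, void*) {
 Isolate* isolate = object->GetIsolate();
+
+// This means one of the object's prototypes is a JSArray and the
+// object does not have a 'length' property. Calling SetProperty
+// causes an infinite loop.
+if (!object->IsJSArray()) {
+return object->SetLocalPropertyIgnoreAttributes(
+isolate->heap()->length_symbol(), value, NONE);
+}
+
 value = FlattenNumber(value);
 
 // Need to call methods that may trigger GC.
 HandleScope scope(isolate);
 
 // Protect raw pointers.
 Handle<JSObject> object_handle(object, isolate);
 Handle<Object> value_handle(value, isolate);
 
 bool has_exception;
 Handle<Object> uint32_v = Execution::ToUint32(value_handle, &has_exception);
 if (has_exception) return Failure::Exception();
 Handle<Object> number_v = Execution::ToNumber(value_handle, &has_exception);
 if (has_exception) return Failure::Exception();
 
-// Restore raw pointers,
-object = *object_handle;
-value = *value_handle;
-
 if (uint32_v->Number() == number_v->Number()) {
-if (object->IsJSArray()) {
-return JSArray::cast(object)->SetElementsLength(*uint32_v);
-} else {
-// This means one of the object's prototypes is a JSArray and
-// the object does not have a 'length' property.
-// Calling SetProperty causes an infinite loop.
-return object->SetLocalPropertyIgnoreAttributes(
-isolate->heap()->length_symbol(), value, NONE);
-}
+return Handle<JSArray>::cast(object_handle)->SetElementsLength(*uint32_v);
 }
 return isolate->Throw(
 *isolate->factory()->NewRangeError("invalid_array_length",
 HandleVector<Object>(NULL, 0)));
 }
 
 
 const AccessorDescriptor Accessors::ArrayLength = {
 ArrayGetLength,
 ArraySetLength,
@@ -758,10 +755,10 @@
 }
 
 
 const AccessorDescriptor Accessors::ObjectPrototype = {
 ObjectGetPrototype,
 ObjectSetPrototype,
 0
 };
 
 } } // namespace v8::internal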
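Review bot: The new early return for non-JSArray receivers (new lines 109-112) quietly changes what gets stored compared with the branch it replaces — the raw `value` is written before FlattenNumber, and the ToUint32/ToNumber range check that used to throw RangeError for such receivers is skipped entirely — yet the carried-over comment only explains the infinite-loop hazard. Both changes look intentional (a plain object inheriting from an array gets an ordinary data property, so an unwrapped Number wrapper and a non-uint32 value are presumably the spec-correct outcome), but nothing in the hunk records that, and a later reader may "fix" it back. I would extend the comment to, roughly, `// Store the value as an ordinary data property: no FlattenNumber and no uint32 range check, since only a real JSArray's length is constrained, and the ToUint32/ToNumber calls below can run user code (valueOf) and trigger GC.` That also documents why the check must sit above the HandleScope and the conversions rather than after them as before. ArraySetLength is shown in full, but FlattenNumber and the surrounding file begin outside the hunk.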
