src/accessors.cc - Issue 7206038: Correctly handle non-array receivers in Array length setter.

Keyboard Shortcuts

	File
u :	up to issue
j / k :	jump to file after / before current file
J / K :	jump to next file with a comment after / before current file
	Side-by-side diff
i :	toggle intra-line diffs
e :	expand all comments
c :	collapse all comments
s :	toggle showing all comments
n / p :	next / previous diff chunk or comment
N / P :	next / previous comment
<Up> / <Down> :	next / previous line

	Issue
u :	up to list of issues
j / k :	jump to patch after / before current patch
o / <Enter> :	open current patch in side-by-side view
i :	open current patch in unified diff view

	Issue List
j / k :	jump to issue after / before current issue
o / <Enter> :	open current issue

Unified Diff: src/accessors.cc

Issue 7206038: Correctly handle non-array receivers in Array length setter. (Closed) Base URL: https://v8.googlecode.com/svn/branches/bleeding_edge

Patch Set: Created 9 years, 6 months ago

Use n/p to move between diff chunks; N/P to move between comments. Draft comments are only viewable by you.

Jump to:

View side-by-side diff with in-line comments

Download patch

Index: src/accessors.cc

diff --git a/src/accessors.cc b/src/accessors.cc

index d8df05e2a5964f963a1376fb85dc7445331bfa28..806c679f4bc82ef016777fb8c329ca2637489a49 100644

--- a/src/accessors.cc

+++ b/src/accessors.cc

@@ -102,6 +102,15 @@ Object* Accessors::FlattenNumber(Object* value) {

MaybeObject* Accessors::ArraySetLength(JSObject* object, Object* value, void*) {

Isolate* isolate = object->GetIsolate();

+ // This means one of the object's prototypes is a JSArray and the

+ // object does not have a 'length' property. Calling SetProperty

+ // causes an infinite loop.

+ if (!object->IsJSArray()) {

+ return object->SetLocalPropertyIgnoreAttributes(

+ isolate->heap()->length_symbol(), value, NONE);

+ }

value = FlattenNumber(value);

// Need to call methods that may trigger GC.

@@ -117,20 +126,8 @@ MaybeObject* Accessors::ArraySetLength(JSObject* object, Object* value, void*) {

Handle<Object> number_v = Execution::ToNumber(value_handle, &has_exception);

if (has_exception) return Failure::Exception();

- // Restore raw pointers,

- object = *object_handle;

- value = *value_handle;

if (uint32_v->Number() == number_v->Number()) {

- if (object->IsJSArray()) {

- return JSArray::cast(object)->SetElementsLength(*uint32_v);

- } else {

- // This means one of the object's prototypes is a JSArray and

- // the object does not have a 'length' property.

- // Calling SetProperty causes an infinite loop.

- return object->SetLocalPropertyIgnoreAttributes(

- isolate->heap()->length_symbol(), value, NONE);

- }

+ return Handle<JSArray>::cast(object_handle)->SetElementsLength(*uint32_v);

}

return isolate->Throw(

*isolate->factory()->NewRangeError("invalid_array_length",

« no previous file with comments | « no previous file | test/mjsunit/regress/regress-1491.js » ('j') | test/mjsunit/regress/regress-1491.js » ('J')