Unified Diff: src/runtime/runtime-array.cc

Issue 1270403002: Fix Array.prototype.concat for arguments object with getter. (Closed) Base URL: https://chromium.googlesource.com/v8/v8.git@master
Index: src/runtime/runtime-array.cc
diff --git a/src/runtime/runtime-array.cc b/src/runtime/runtime-array.cc
index b5655db611a5ce34161d45990718872fa7f02916..4f8bc05cb6e43d9e36506bab216fc991a702992c 100644
--- a/src/runtime/runtime-array.cc
+++ b/src/runtime/runtime-array.cc
@@ -362,7 +362,8 @@ static int compareUInt32(const uint32_t* ap, const uint32_t* bp) {
}
-static void CollectElementIndices(Handle<JSObject> object, uint32_t range,
+// Return false on exception.
+static bool CollectElementIndices(Handle<JSObject> object, uint32_t range,
List<uint32_t>* indices) {
Isolate* isolate = object->GetIsolate();
ElementsKind kind = object->GetElementsKind();
@@ -432,14 +433,20 @@ static void CollectElementIndices(Handle<JSObject> object, uint32_t range,
for (uint32_t i = 0; i < length; i++) {
indices->Add(i);
}
- if (length == range) return; // All indices accounted for already.
+ if (length == range) return true; // All indices accounted for already.
break;
}
case FAST_SLOPPY_ARGUMENTS_ELEMENTS:
case SLOW_SLOPPY_ARGUMENTS_ELEMENTS: {
- MaybeHandle<Object> length_obj =
- Object::GetProperty(object, isolate->factory()->length_string());
- double length_num = length_obj.ToHandleChecked()->Number();
+ Handle<Object> length_obj;
+ // See ES6 22.1.3.1 step 7-a-ii
adamk 2015/08/05 18:05:53 I think you mean 7-d-ii?
+ ASSIGN_RETURN_ON_EXCEPTION_VALUE(
+ isolate, length_obj,
+ Object::GetProperty(object, isolate->factory()->length_string()),
+ false);
+ ASSIGN_RETURN_ON_EXCEPTION_VALUE(
+ isolate, length_obj, Execution::ToLength(isolate, length_obj), false);
+ double length_num = length_obj->Number();
uint32_t length = static_cast<uint32_t>(DoubleToInt32(length_num));
ElementsAccessor* accessor = object->GetElementsAccessor();
for (uint32_t i = 0; i < length; i++) {
@@ -455,10 +462,11 @@ static void CollectElementIndices(Handle<JSObject> object, uint32_t range,
if (!iter.IsAtEnd()) {
// The prototype will usually have no inherited element indices,
// but we have to check.
- CollectElementIndices(
+ return CollectElementIndices(
Handle<JSObject>::cast(PrototypeIterator::GetCurrent(iter)), range,
indices);
}
+ return true;
}
@@ -589,7 +597,7 @@ static bool IterateElements(Isolate* isolate, Handle<JSObject> receiver,
List<uint32_t> indices(dict->Capacity() / 2);
// Collect all indices in the object and the prototypes less
// than length. This might introduce duplicates in the indices list.
- CollectElementIndices(receiver, length, &indices);
+ if (!CollectElementIndices(receiver, length, &indices)) return false;
indices.Sort(&compareUInt32);
int j = 0;
int n = indices.length();
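Review bot: In the SLOPPY_ARGUMENTS case, the value produced by the new Execution::ToLength call can be as large as 2^53-1, yet the following line still narrows it with DoubleToInt32, which (like ES ToInt32) wraps modulo 2^32, so a length getter returning 2^32+k is silently read as k and one returning 2^32-1 yields a ~4-billion-iteration loop over the accessor. IterateElements only wants indices below `range` (per the comment above the call site), so clamping before the narrowing keeps the count meaningful and cheap, e.g. `double length_num = length_obj->Number(); if (length_num > range) length_num = range;`. The loop over `length` and the rest of this case continue outside the hunk, so a later bound may already cover this; if so, a one-line comment at the cast saying why the wrap is harmless would help the next reader.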
