src/objects.cc - Issue 2090773006: Fix toString() behavior on proxy objects.

Keyboard Shortcuts

	File
u :	up to issue
j / k :	jump to file after / before current file
J / K :	jump to next file with a comment after / before current file
	Side-by-side diff
i :	toggle intra-line diffs
e :	expand all comments
c :	collapse all comments
s :	toggle showing all comments
n / p :	next / previous diff chunk or comment
N / P :	next / previous comment
<Up> / <Down> :	next / previous line

	Issue
u :	up to list of issues
j / k :	jump to patch after / before current patch
o / <Enter> :	open current patch in side-by-side view
i :	open current patch in unified diff view

	Issue List
j / k :	jump to issue after / before current issue
o / <Enter> :	open current issue

Unified Diff: src/objects.cc

Issue 2090773006: Fix toString() behavior on proxy objects. (Closed) Base URL: https://chromium.googlesource.com/v8/v8.git@SimplifyIsError

Patch Set: Rebase Created 4 years, 6 months ago

Use n/p to move between diff chunks; N/P to move between comments. Draft comments are only viewable by you.

Jump to:

View side-by-side diff with in-line comments

Download patch

Index: src/objects.cc

diff --git a/src/objects.cc b/src/objects.cc

index 0b1d8982ba33bbbd0ce93d9f8272be3e377a9d07..d14a5b19ccb613bc5aa747588241ef1e217f877b 100644

--- a/src/objects.cc

+++ b/src/objects.cc

@@ -15602,6 +15602,15 @@ MaybeHandle<String> Object::ObjectProtoToString(Isolate* isolate,

Handle<JSReceiver> receiver =

Object::ToObject(isolate, object).ToHandleChecked();

+ // For proxies, we must check IsArray() before get(toStringTag) to comply

+ // with the specification

+ Maybe<bool> is_array = Nothing<bool>();

+ InstanceType instance_type = receiver->map()->instance_type();

+ if (instance_type == JS_PROXY_TYPE) {

+ is_array = Object::IsArray(receiver);

+ MAYBE_RETURN(is_array, MaybeHandle<String>());

+ }

Handle<String> tag;

Handle<Object> to_string_tag;

ASSIGN_RETURN_ON_EXCEPTION(

@@ -15612,8 +15621,6 @@ MaybeHandle<String> Object::ObjectProtoToString(Isolate* isolate,

if (to_string_tag->IsString()) {

tag = Handle<String>::cast(to_string_tag);

} else {

- InstanceType instance_type = receiver->map()->instance_type();

switch (instance_type) {

case JS_API_OBJECT_TYPE:

case JS_SPECIAL_API_OBJECT_TYPE:

@@ -15632,14 +15639,7 @@ MaybeHandle<String> Object::ObjectProtoToString(Isolate* isolate,

return isolate->factory()->date_to_string();

case JS_REGEXP_TYPE:

return isolate->factory()->regexp_to_string();

- // TODO(franzih): According to the specification, isArray() must be run

- // before get(@@toStringTag). On proxies, isArray() and get() can throw

- // if the proxy has been revoked, so we change observable behavior

- // by not obeying the correct order.

case JS_PROXY_TYPE: {

- Maybe<bool> is_array = Object::IsArray(receiver);

- MAYBE_RETURN(is_array, MaybeHandle<String>());

if (is_array.FromJust()) {

return isolate->factory()->array_to_string();

}

@@ -15668,7 +15668,6 @@ MaybeHandle<String> Object::ObjectProtoToString(Isolate* isolate,

}

default:

return isolate->factory()->object_to_string();

- break;

}

« no previous file with comments | « no previous file | test/mjsunit/es6/object-tostring.js » ('j') | no next file with comments »