| Index: src/builtins.cc |
| diff --git a/src/builtins.cc b/src/builtins.cc |
| index d0c1a446a8beb9e80e5ddce6fab385d74468363c..89552abaef7fbdf34097743f5324f1de2ddbb609 100644 |
| --- a/src/builtins.cc |
| +++ b/src/builtins.cc |
| @@ -382,15 +382,19 @@ BUILTIN(ArrayPush) { |
| } |
| Handle<JSArray> array = Handle<JSArray>::cast(receiver); |
| + int len = Smi::cast(array->length())->value(); |
| + int to_add = args.length() - 1; |
| + if (to_add > 0 && JSArray::ChangeOfReadOnlyLength(array, len + to_add)) { |
|
mvstanton
2014/05/09 12:56:09
The name of this function is odd, how about JSArra
|
| + RETURN_FAILURE_ON_EXCEPTION( |
| + isolate, |
| + JSArray::ReadOnlyLengthError(array)); |
| + } |
| ASSERT(!array->map()->is_observed()); |
| ElementsKind kind = array->GetElementsKind(); |
| if (IsFastSmiOrObjectElementsKind(kind)) { |
| Handle<FixedArray> elms = Handle<FixedArray>::cast(elms_obj); |
| - |
| - int len = Smi::cast(array->length())->value(); |
| - int to_add = args.length() - 1; |
| if (to_add == 0) { |
| return Smi::FromInt(len); |
| } |
| @@ -429,10 +433,7 @@ BUILTIN(ArrayPush) { |
| array->set_length(Smi::FromInt(new_length)); |
| return Smi::FromInt(new_length); |
| } else { |
| - int len = Smi::cast(array->length())->value(); |
| int elms_len = elms_obj->length(); |
| - |
| - int to_add = args.length() - 1; |
| if (to_add == 0) { |
| return Smi::FromInt(len); |
| } |
| @@ -587,6 +588,12 @@ BUILTIN(ArrayUnshift) { |
| // we should never hit this case. |
| ASSERT(to_add <= (Smi::kMaxValue - len)); |
| + if (to_add > 0 && JSArray::ChangeOfReadOnlyLength(array, len + to_add)) { |
| + RETURN_FAILURE_ON_EXCEPTION( |
| + isolate, |
| + JSArray::ReadOnlyLengthError(array)); |
| + } |
| + |
| JSObject::EnsureCanContainElements(array, &args, 1, to_add, |
| DONT_ALLOW_DOUBLE_ELEMENTS); |
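Review bot: In ArrayPush the new guard evaluates `len + to_add` with nothing visible in the hunk bounding the sum, whereas the ArrayUnshift hunk places the same check directly after `ASSERT(to_add <= (Smi::kMaxValue - len));`. Repeating that assertion ahead of the new `if` in ArrayPush would keep the two builtins consistent and record that the signed addition cannot overflow. ASSERT is a debug-only check, so release builds depend on whatever bounds the array length elsewhere. Both new blocks also rely on `JSArray::ReadOnlyLengthError` always leaving an exception pending, because otherwise control falls through to the element writes and `set_length` on an array whose length is read-only. Its definition is not on this page, so a comment such as `// ReadOnlyLengthError always throws; the fast path below never runs for a read-only length.` would make that invariant explicit. Both builtins start and end outside these hunks.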