
Unified Diff: src/builtins.cc

Issue 279773002: Fix Array.prototype.push and Array.prototype.unshift for read-only length. (Closed) Base URL: https://v8.googlecode.com/svn/branches/bleeding_edge
Patch Set: Rename ChangeOfReadOnlyLength and fix getting length from array. Created 6 years, 7 months ago
Index: src/builtins.cc
diff --git a/src/builtins.cc b/src/builtins.cc
index d0c1a446a8beb9e80e5ddce6fab385d74468363c..cbbb447951303b488fd157b5cf4199c1bb7bfc11 100644
--- a/src/builtins.cc
+++ b/src/builtins.cc
@@ -382,15 +382,19 @@ BUILTIN(ArrayPush) {
}
Handle<JSArray> array = Handle<JSArray>::cast(receiver);
+ int len = Smi::cast(array->length())->value();
+ int to_add = args.length() - 1;
+ if (to_add > 0 && JSArray::WouldChangeReadOnlyLength(array, len + to_add)) {
+ RETURN_FAILURE_ON_EXCEPTION(
+ isolate,
+ JSArray::ReadOnlyLengthError(array));
Michael Starzinger 2014/05/14 08:30:48 As discussed offline: Instead of handling this cor
ulan 2014/05/15 11:15:54 Replaced RETURN_FAILURE_ON_EXCEPTION(..) with call
+ }
ASSERT(!array->map()->is_observed());
ElementsKind kind = array->GetElementsKind();
if (IsFastSmiOrObjectElementsKind(kind)) {
Handle<FixedArray> elms = Handle<FixedArray>::cast(elms_obj);
-
- int len = Smi::cast(array->length())->value();
- int to_add = args.length() - 1;
if (to_add == 0) {
return Smi::FromInt(len);
}
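Review bot: the new check at the top of ArrayPush evaluates len + to_add with no bound on the sum visible in this hunk, while ArrayUnshift asserts to_add <= (Smi::kMaxValue - len) before the same expression. Suggest adding the equivalent ASSERT ahead of the WouldChangeReadOnlyLength call here, or a one-line comment stating why the sum cannot exceed the Smi range at this point.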
@@ -429,10 +433,7 @@ BUILTIN(ArrayPush) {
array->set_length(Smi::FromInt(new_length));
return Smi::FromInt(new_length);
} else {
- int len = Smi::cast(array->length())->value();
int elms_len = elms_obj->length();
-
- int to_add = args.length() - 1;
if (to_add == 0) {
return Smi::FromInt(len);
}
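Review bot: in this else branch the early return `if (to_add == 0) return Smi::FromInt(len);` is now identical to the one in the fast Smi/object branch, since both read the hoisted len and to_add. Suggest hoisting it into a single check placed right after the read-only length test, leaving each branch with only its own logic (elms_len here).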
@@ -587,6 +588,12 @@ BUILTIN(ArrayUnshift) {
// we should never hit this case.
ASSERT(to_add <= (Smi::kMaxValue - len));
+ if (to_add > 0 && JSArray::WouldChangeReadOnlyLength(array, len + to_add)) {
+ RETURN_FAILURE_ON_EXCEPTION(
+ isolate,
+ JSArray::ReadOnlyLengthError(array));
Michael Starzinger 2014/05/14 08:30:48 Likewise.
+ }
+
JSObject::EnsureCanContainElements(array, &args, 1, to_add,
DONT_ALLOW_DOUBLE_ELEMENTS);
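Review bot: the read-only length block added after the ASSERT in ArrayUnshift is a verbatim copy of the one added to ArrayPush. Suggest a small shared helper taking array and len + to_add so the two builtins cannot drift apart, with a short comment that the to_add > 0 guard keeps a call with no elements to add from throwing on an array whose length is read-only.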