src/objects.cc - Issue 279773002: Fix Array.prototype.push and Array.prototype.unshift for read-only length.

Keyboard Shortcuts

	File
u :	up to issue
j / k :	jump to file after / before current file
J / K :	jump to next file with a comment after / before current file
	Side-by-side diff
i :	toggle intra-line diffs
e :	expand all comments
c :	collapse all comments
s :	toggle showing all comments
n / p :	next / previous diff chunk or comment
N / P :	next / previous comment
<Up> / <Down> :	next / previous line

	Issue
u :	up to list of issues
j / k :	jump to patch after / before current patch
o / <Enter> :	open current patch in side-by-side view
i :	open current patch in unified diff view

	Issue List
j / k :	jump to issue after / before current issue
o / <Enter> :	open current issue

Unified Diff: src/objects.cc

Issue 279773002: Fix Array.prototype.push and Array.prototype.unshift for read-only length. (Closed) Base URL: https://v8.googlecode.com/svn/branches/bleeding_edge

Patch Set: Whitespace Created 6 years, 7 months ago

Use n/p to move between diff chunks; N/P to move between comments. Draft comments are only viewable by you.

Jump to:

View side-by-side diff with in-line comments

Download patch

Index: src/objects.cc

diff --git a/src/objects.cc b/src/objects.cc

index b7928af19361db20e754f564a6dfe7f02c1dc49f..a20c286ef4287fbdd5f8a74579d3d7f6b75ca311 100644

--- a/src/objects.cc

+++ b/src/objects.cc

@@ -13239,6 +13239,14 @@ MaybeHandle<Object> JSObject::SetElementWithoutInterceptor(

CheckArrayAbuse(object, "elements write", index, true);

}

+ if (object->IsJSArray() && JSArray::WouldChangeReadOnlyLength(

+ Handle<JSArray>::cast(object), index)) {

+ if (strict_mode == SLOPPY) {

+ return value;

+ } else {

+ return JSArray::ReadOnlyLengthError(Handle<JSArray>::cast(object));

+ }

switch (object->GetElementsKind()) {

case FAST_SMI_ELEMENTS:

case FAST_ELEMENTS:

@@ -13524,6 +13532,41 @@ void JSArray::JSArrayUpdateLengthFromIndex(Handle<JSArray> array,

}

+bool JSArray::IsReadOnlyLengthDescriptor(Handle<Map> jsarray_map) {

+ Isolate* isolate = jsarray_map->GetIsolate();

+ ASSERT(!jsarray_map->is_dictionary_map());

+ LookupResult lookup(isolate);

+ Handle<Name> length_string = isolate->factory()->length_string();

+ jsarray_map->LookupDescriptor(NULL, *length_string, &lookup);

+ return lookup.IsReadOnly();

+bool JSArray::WouldChangeReadOnlyLength(Handle<JSArray> array,

+ uint32_t index) {

+ uint32_t length = 0;

+ CHECK(array->length()->ToArrayIndex(&length));

+ if (length <= index) {

+ Isolate* isolate = array->GetIsolate();

+ LookupResult lookup(isolate);

+ Handle<Name> length_string = isolate->factory()->length_string();

+ array->LocalLookupRealNamedProperty(length_string, &lookup);

+ return lookup.IsReadOnly();

+ }

+ return false;

+MaybeHandle<Object> JSArray::ReadOnlyLengthError(Handle<JSArray> array) {

+ Isolate* isolate = array->GetIsolate();

+ Handle<Name> length = isolate->factory()->length_string();

+ Handle<Object> args[2] = { length, array };

+ Handle<Object> error = isolate->factory()->NewTypeError(

+ "strict_read_only_property", HandleVector(args, ARRAY_SIZE(args)));

+ return isolate->Throw<Object>(error);

MaybeHandle<Object> JSObject::GetElementWithInterceptor(

Handle<JSObject> object,

Handle<Object> receiver,

« no previous file with comments | « src/objects.h ('k') | test/mjsunit/array-push-unshift-read-only-length.js » ('j') | no next file with comments »