WebKit Bugzilla
Attachment 341147 Details for Bug 185927: Define length on CoW array should properly convert to writable
[patch] Patch: bug-185927-20180523165909.patch (text/plain), 3.30 KB, created by Keith Miller on 2018-05-23 16:59:09 PDT
>Subversion Revision: 232134 >diff --git a/Source/JavaScriptCore/ChangeLog b/Source/JavaScriptCore/ChangeLog >index 217fdeba41a6862304a864f52518729a268d2c50..1244abdf5528400d6ce01ee2bdcf0e95011b35c2 100644 >--- a/Source/JavaScriptCore/ChangeLog >+++ b/Source/JavaScriptCore/ChangeLog >@@ -1,3 +1,13 @@ >+2018-05-23 Keith Miller <keith_miller@apple.com> >+ >+ Define length on CoW array should properly convert to writable >+ https://bugs.webkit.org/show_bug.cgi?id=185927 >+ >+ Reviewed by NOBODY (OOPS!). >+ >+ * runtime/JSArray.cpp: >+ (JSC::JSArray::setLength): >+ > 2018-05-23 Keith Miller <keith_miller@apple.com> > > InPlaceAbstractState should filter variables at the tail from a GetLocal by their flush format >diff --git a/Source/JavaScriptCore/runtime/JSArray.cpp b/Source/JavaScriptCore/runtime/JSArray.cpp >index ba1819f30a6095934d9add0adbb222244d01887b..a52ceca13ea2efd8c76c5b8d67b342b3eeff0243 100644 >--- a/Source/JavaScriptCore/runtime/JSArray.cpp >+++ b/Source/JavaScriptCore/runtime/JSArray.cpp >@@ -568,7 +568,7 @@ bool JSArray::setLength(ExecState* exec, unsigned newLength, bool throwException > auto scope = DECLARE_THROW_SCOPE(vm); > > Butterfly* butterfly = this->butterfly(); >- switch (indexingType()) { >+ switch (indexingMode()) { > case ArrayClass: > if (!newLength) > return true; >@@ -581,6 +581,15 @@ bool JSArray::setLength(ExecState* exec, unsigned newLength, bool throwException > createInitialUndecided(vm, newLength); > return true; > >+ case CopyOnWriteArrayWithInt32: >+ case CopyOnWriteArrayWithDouble: >+ case CopyOnWriteArrayWithContiguous: >+ if (newLength == butterfly->publicLength()) >+ return true; >+ convertFromCopyOnWrite(vm); >+ butterfly = this->butterfly(); >+ FALLTHROUGH; >+ > case ArrayWithUndecided: > case ArrayWithInt32: > case ArrayWithDouble: >diff --git a/JSTests/ChangeLog b/JSTests/ChangeLog >index 784e3df9ba54b7ec62069fc173774dd7ddd1ccb4..ac5fc8c098fae7c9098bcfb59ad39e0b42380fb0 100644 >--- a/JSTests/ChangeLog 
>+++ b/JSTests/ChangeLog >@@ -1,3 +1,13 @@ >+2018-05-23 Keith Miller <keith_miller@apple.com> >+ >+ Define length on CoW array should properly convert to writable >+ https://bugs.webkit.org/show_bug.cgi?id=185927 >+ >+ Reviewed by NOBODY (OOPS!). >+ >+ * stress/cow-define-length-as-value.js: Added. >+ (test): >+ > 2018-05-23 Michael Saboff <msaboff@apple.com> > > Date.parse() doesn't properly handle input outside of ES Spec limits >diff --git a/JSTests/stress/cow-define-length-as-value.js b/JSTests/stress/cow-define-length-as-value.js >new file mode 100644 >index 0000000000000000000000000000000000000000..0de9fcd86db8541eaf8e5bb21eee50aca9a79cdb >--- /dev/null >+++ b/JSTests/stress/cow-define-length-as-value.js >@@ -0,0 +1,19 @@ >+function test(create) { >+ // Set length to be smaller. >+ Object.defineProperty(create(), "length", { value: 1 }); >+ >+ // Set length to be bigger. >+ Object.defineProperty(create(), "length", { value: 4 }); >+ >+ // Set length to be the same size >+ Object.defineProperty(create(), "length", { value: 3 }); >+} >+ >+// Test Int32. >+test(() => [1, 2]); >+// Test double >+test(() => [1.123, 2.50934]); >+// Test contiguous via NaN >+test(() => [NaN, 2.50934]); >+// Test contiguous via string >+test(() => ["test", "42"]);
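Review bot: the Source/JavaScriptCore/ChangeLog entry lists `(JSC::JSArray::setLength):` with nothing after it. Add a sentence there recording that the switch now uses indexingMode() instead of indexingType() and that the three CopyOnWrite cases call convertFromCopyOnWrite(vm) before falling through, so the reason for the change travels with the commit.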
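Review bot: in the new CopyOnWrite cases of JSArray::setLength, the line `butterfly = this->butterfly();` that follows `convertFromCopyOnWrite(vm);` would benefit from a one-line comment. The local was read before the switch, and the re-read only makes sense if the conversion installs a different butterfly; stating that keeps the line from being removed later as redundant.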
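Review bot: in JSTests/stress/cow-define-length-as-value.js, the step commented "Set length to be the same size" passes `{ value: 3 }`, but every literal handed to test() has two elements, so it is a second grow case and the new early return `if (newLength == butterfly->publicLength())` is never reached. Use `{ value: 2 }` there, or switch the literals to three elements so that 1, 4 and 3 match their comments. The test also checks nothing after each Object.defineProperty call; asserting the resulting length and the surviving elements would catch a wrong result and not only a crash.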
Flags: ysuzuki: review+