Bug 97530 - Regression, freeze applied to numeric properties of non-array objects
Summary: Regression, freeze applied to numeric properties of non-array objects
Status: RESOLVED FIXED
Alias: None
Product: WebKit
Classification: Unclassified
Component: JavaScriptCore (show other bugs)
Version: 528+ (Nightly build)
Hardware: Unspecified Unspecified
: P2 Normal
Assignee: Gavin Barraclough
URL:
Keywords:
Depends on:
Blocks:
 
Reported: 2012-09-24 23:28 PDT by Gavin Barraclough
Modified: 2012-09-25 00:05 PDT (History)
0 users

See Also:

Attachments
Fix (3.87 KB, patch)
2012-09-24 23:32 PDT, Gavin Barraclough 		fpizlo: review-
Details | Formatted Diff | Diff
v2 (4.08 KB, patch)
2012-09-24 23:42 PDT, Gavin Barraclough 		fpizlo: review+
Details | Formatted Diff | Diff
Show Obsolete (1) View All Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.
Description Gavin Barraclough 2012-09-24 23:28:41 PDT 
Object.freeze has a fast implementation in JSObject, but this hasn't been updated to take into account numeric properties in butterflies.
For now, just fall back to the generic implementation if the object has numeric properties.
Comment 1 Gavin Barraclough 2012-09-24 23:32:29 PDT 
Created attachment 165530 [details]
Fix
Comment 2 Filip Pizlo 2012-09-24 23:38:06 PDT 
Comment on attachment 165530 [details]
Fix

View in context: https://bugs.webkit.org/attachment.cgi?id=165530&action=review

> Source/JavaScriptCore/runtime/ObjectConstructor.cpp:407
> +    if (isJSFinalObject(object) && !object->getVectorLength()) {

What if the object has gone into sparse mode?  Then vector length will be zero even though there are indexed properties.

I think what you wanted is:

hasIndexedProperties(object->structure()->indexingType())
Comment 3 Gavin Barraclough 2012-09-24 23:42:26 PDT 
Created attachment 165533 [details]
v2

You're right – added a 2nd test case that covers this.
Comment 4 Gavin Barraclough 2012-09-25 00:05:22 PDT 
Fixed in r129461