WebKit Bugzilla
Attachment 373339 Details for
Bug 199365
: Frozen Arrays length assignment should throw in strict mode
Home
|
New
|
Browse
|
Search
|
[?]
|
Reports
|
Requests
|
Help
|
New Account
|
Log In
Remember
[x]
|
Forgot Password
Login:
[x]
[patch]
Patch
bug-199365-20190702104709.patch (text/plain), 2.80 KB, created by
Keith Miller
on 2019-07-02 10:47:10 PDT
(
hide
)
Description:
Patch
Filename:
MIME Type:
Creator:
Keith Miller
Created:
2019-07-02 10:47:10 PDT
Size:
2.80 KB
patch
obsolete
>Subversion Revision: 247055 >diff --git a/Source/JavaScriptCore/ChangeLog b/Source/JavaScriptCore/ChangeLog >index 2cefb78e862b86f4a6105841693deeb8c35f4608..60cdaf65df4ad804bdacb3b9fb91f4816312dfd8 100644 >--- a/Source/JavaScriptCore/ChangeLog >+++ b/Source/JavaScriptCore/ChangeLog >@@ -1,3 +1,13 @@ >+2019-07-02 Keith Miller <keith_miller@apple.com> >+ >+ Frozen Arrays length assignment should throw in strict mode >+ https://bugs.webkit.org/show_bug.cgi?id=199365 >+ >+ Reviewed by NOBODY (OOPS!). >+ >+ * runtime/JSArray.cpp: >+ (JSC::JSArray::put): >+ > 2019-07-02 Paulo Matos <pmatos@linki.tools> > > Fix typo in if/else block and remove dead assignment >diff --git a/Source/JavaScriptCore/runtime/JSArray.cpp b/Source/JavaScriptCore/runtime/JSArray.cpp >index 547c1b59a95ab016a140514b6b8547d2b21cf77b..429749bec7ee2d5cfae9a889aa4402cb4928d42a 100644 >--- a/Source/JavaScriptCore/runtime/JSArray.cpp >+++ b/Source/JavaScriptCore/runtime/JSArray.cpp >@@ -286,8 +286,12 @@ bool JSArray::put(JSCell* cell, ExecState* exec, PropertyName propertyName, JSVa > thisObject->ensureWritable(vm); > > if (propertyName == vm.propertyNames->length) { >- if (!thisObject->isLengthWritable()) >+ if (!thisObject->isLengthWritable()) { >+ if (slot.isStrictMode()) >+ throwTypeError(exec, scope, "Array length is not writable"_s); > return false; >+ } >+ > unsigned newLength = value.toUInt32(exec); > RETURN_IF_EXCEPTION(scope, false); > double valueAsNumber = value.toNumber(exec); >diff --git a/JSTests/ChangeLog b/JSTests/ChangeLog >index 60e854a2a4ab936504fead763c806bff1111860c..ec2f6aa0c370685412137debe106eefcd8c86bcc 100644 >--- a/JSTests/ChangeLog >+++ b/JSTests/ChangeLog >@@ -1,3 +1,13 @@ >+2019-07-02 Keith Miller <keith_miller@apple.com> >+ >+ Frozen Arrays length assignment should throw in strict mode >+ https://bugs.webkit.org/show_bug.cgi?id=199365 >+ >+ Reviewed by NOBODY (OOPS!). >+ >+ * stress/frozen-array-length-should-throw-strict.js: Added. >+ (test): >+ > 2019-07-01 Justin Michaud <justin_michaud@apple.com> > > [Wasm-References] Disable references by default >diff --git a/JSTests/stress/frozen-array-length-should-throw-strict.js b/JSTests/stress/frozen-array-length-should-throw-strict.js >new file mode 100644 >index 0000000000000000000000000000000000000000..e6dfd326bb99c15f8d398b30409130de72ff9dfe >--- /dev/null >+++ b/JSTests/stress/frozen-array-length-should-throw-strict.js >@@ -0,0 +1,17 @@ >+const a = Object.freeze(['a']); >+ >+function test(a) { >+ "use strict"; >+ >+ try { >+ a.length = 2; >+ } catch (e) { >+ if (e instanceof TypeError) >+ return; >+ } >+ throw new Error("didn't throw the right exception"); >+} >+noInline(test); >+ >+for (let i = 0; i < 10000; i++) >+ test(a);
<b>You cannot view the attachment while viewing its details because your browser does not support IFRAMEs. <a href="attachment.cgi?id=373339">View the attachment on a separate page</a>.</b>
View Attachment As Diff
View Attachment As Raw
Actions:
View
|
Formatted Diff
|
Diff
Attachments on
bug 199365
: 373339