[webkit-changes] [129548] trunk

[barraclough]

Title: [129548] trunk

Revision

129548

Author

barraclo...@apple.com

Date

2012-09-25 13:18:06 -0700 (Tue, 25 Sep 2012)

Log Message

Regression: put beyond vector length prefers prototype setters to sparse properties
https://bugs.webkit.org/show_bug.cgi?id=97593

Reviewed by Geoff Garen & Filip Pizlo.

Source/_javascript_Core: 

* runtime/JSObject.cpp:
(JSC::JSObject::putByIndexBeyondVectorLength):
    - Check for self properties in the sparse map - if present, don't examine the protochain.

LayoutTests: 

* fast/js/script-tests/array-defineOwnProperty.js:
(Object.defineProperty):
(set Object.defineProperty):
    - Added test case.

Modified Paths

• trunk/LayoutTests/ChangeLog
• trunk/LayoutTests/fast/js/array-defineOwnProperty-expected.txt
• trunk/LayoutTests/fast/js/script-tests/array-defineOwnProperty.js
• trunk/Source/_javascript_Core/ChangeLog
• trunk/Source/_javascript_Core/runtime/JSObject.cpp

Diff

Modified: trunk/LayoutTests/ChangeLog (129547 => 129548)

--- trunk/LayoutTests/ChangeLog	2012-09-25 20:16:11 UTC (rev 129547)
+++ trunk/LayoutTests/ChangeLog	2012-09-25 20:18:06 UTC (rev 129548)
@@ -1,3 +1,15 @@
+2012-09-25  Gavin Barraclough  <barraclo...@apple.com>
+
+        Regression: put beyond vector length prefers prototype setters to sparse properties
+        https://bugs.webkit.org/show_bug.cgi?id=97593
+
+        Reviewed by Geoff Garen & Filip Pizlo.
+
+        * fast/js/script-tests/array-defineOwnProperty.js:
+        (Object.defineProperty):
+        (set Object.defineProperty):
+            - Added test case.
+
 2012-09-25  David Grogan  <dgro...@chromium.org>
 
         Unreviewed. Change some more svn:eol-style properties from native to LF.

Modified: trunk/LayoutTests/fast/js/array-defineOwnProperty-expected.txt (129547 => 129548)

--- trunk/LayoutTests/fast/js/array-defineOwnProperty-expected.txt	2012-09-25 20:16:11 UTC (rev 129547)
+++ trunk/LayoutTests/fast/js/array-defineOwnProperty-expected.txt	2012-09-25 20:18:06 UTC (rev 129548)
@@ -36,6 +36,8 @@
 PASS Object.defineProperty(Object.defineProperty([], '0', { value: Math }), '0', { value: Object })[0] threw exception TypeError: Attempting to change value of a readonly property..
 PASS Object.defineProperty(Object.defineProperty([], '0', { value: null }), '0', { value: undefined })[0] threw exception TypeError: Attempting to change value of a readonly property..
 PASS Object.defineProperty(Object.defineProperty([], '0', { value: undefined }), '0', { value: null })[0] threw exception TypeError: Attempting to change value of a readonly property..
+PASS arrObj[0] = 42; arrObj.set; is true
+PASS arrObj[1] = true; arrObj[1]; is true
 PASS successfullyParsed is true
 
 TEST COMPLETE

Modified: trunk/LayoutTests/fast/js/script-tests/array-defineOwnProperty.js (129547 => 129548)

--- trunk/LayoutTests/fast/js/script-tests/array-defineOwnProperty.js	2012-09-25 20:16:11 UTC (rev 129547)
+++ trunk/LayoutTests/fast/js/script-tests/array-defineOwnProperty.js	2012-09-25 20:18:06 UTC (rev 129548)
@@ -50,4 +50,11 @@
 shouldThrow("Object.defineProperty(Object.defineProperty([], '0', { value: null }), '0', { value: undefined })[0]");
 shouldThrow("Object.defineProperty(Object.defineProperty([], '0', { value: undefined }), '0', { value: null })[0]");
 
+Object.defineProperty(Array.prototype, "0", { set: function () { throw false; } });
+Object.defineProperty(Array.prototype, "1", { set: function () { throw false; } });
+var arrObj = [ , false ];
+Object.defineProperty(arrObj, "0", { set: function (x) { this.set = x === 42; } });
+shouldBeTrue("arrObj[0] = 42; arrObj.set;");
+shouldBeTrue("arrObj[1] = true; arrObj[1];");
+
 successfullyParsed = true;

Modified: trunk/Source/_javascript_Core/ChangeLog (129547 => 129548)

--- trunk/Source/_javascript_Core/ChangeLog	2012-09-25 20:16:11 UTC (rev 129547)
+++ trunk/Source/_javascript_Core/ChangeLog	2012-09-25 20:18:06 UTC (rev 129548)
@@ -1,3 +1,14 @@
+2012-09-25  Gavin Barraclough  <barraclo...@apple.com>
+
+        Regression: put beyond vector length prefers prototype setters to sparse properties
+        https://bugs.webkit.org/show_bug.cgi?id=97593
+
+        Reviewed by Geoff Garen & Filip Pizlo.
+
+        * runtime/JSObject.cpp:
+        (JSC::JSObject::putByIndexBeyondVectorLength):
+            - Check for self properties in the sparse map - if present, don't examine the protochain.
+
 2012-09-24  Gavin Barraclough  <barraclo...@apple.com>
 
         https://bugs.webkit.org/show_bug.cgi?id=97530

Modified: trunk/Source/_javascript_Core/runtime/JSObject.cpp (129547 => 129548)

--- trunk/Source/_javascript_Core/runtime/JSObject.cpp	2012-09-25 20:16:11 UTC (rev 129547)
+++ trunk/Source/_javascript_Core/runtime/JSObject.cpp	2012-09-25 20:18:06 UTC (rev 129548)
@@ -1350,10 +1350,13 @@
     }
         
     case NonArrayWithSlowPutArrayStorage:
-    case ArrayWithSlowPutArrayStorage:
-        if (attemptToInterceptPutByIndexOnHole(exec, i, value, shouldThrow))
+    case ArrayWithSlowPutArrayStorage: {
+        // No own property present in the vector, but there might be in the sparse map!
+        SparseArrayValueMap* map = arrayStorage()->m_sparseMap.get();
+        if (!(map && map->contains(i)) && attemptToInterceptPutByIndexOnHole(exec, i, value, shouldThrow))
             return;
         // Otherwise, fall though.
+    }
 
     case NonArrayWithArrayStorage:
     case ArrayWithArrayStorage:

_______________________________________________
webkit-changes mailing list
webkit-changes@lists.webkit.org
http://lists.webkit.org/mailman/listinfo/webkit-changes