Commit 021e9b08 authored by Georg Neis's avatar Georg Neis Committed by Commit Bot

Remove incorrect receiver checks from some array methods.

Several functions on Array.prototype incorrectly threw a TypeError just
because their receiver was sealed or frozen.

Bug: v8:7677
Change-Id: I4ec38bfbf468f9bd676f1c0b341c8a50cf814f15
Reviewed-on: https://chromium-review.googlesource.com/1021870
Commit-Queue: Georg Neis <neis@chromium.org>
Reviewed-by: Jakob Gruber <jgruber@chromium.org>
Cr-Commit-Position: refs/heads/master@{#52718}
parent 1b033932
......@@ -1467,14 +1467,10 @@ void Genesis::InitializeGlobal(Handle<JSGlobalObject> global_object,
SimpleInstallFunction(object_function, "setPrototypeOf",
Builtins::kObjectSetPrototypeOf, 2, false);
Handle<JSFunction> object_is_extensible = SimpleInstallFunction(
object_function, "isExtensible", Builtins::kObjectIsExtensible,
1, false);
native_context()->set_object_is_extensible(*object_is_extensible);
Handle<JSFunction> object_is_frozen = SimpleInstallFunction(
object_function, "isFrozen", Builtins::kObjectIsFrozen, 1, false);
native_context()->set_object_is_frozen(*object_is_frozen);
SimpleInstallFunction(object_function, "isExtensible",
Builtins::kObjectIsExtensible, 1, false);
SimpleInstallFunction(object_function, "isFrozen",
Builtins::kObjectIsFrozen, 1, false);
Handle<JSFunction> object_is_sealed = SimpleInstallFunction(
object_function, "isSealed", Builtins::kObjectIsSealed, 1, false);
......
......@@ -48,8 +48,6 @@ enum ContextLookupFlags {
V(OBJECT_DEFINE_PROPERTIES, JSFunction, object_define_properties) \
V(OBJECT_DEFINE_PROPERTY, JSFunction, object_define_property) \
V(OBJECT_GET_PROTOTYPE_OF, JSFunction, object_get_prototype_of) \
V(OBJECT_IS_EXTENSIBLE, JSFunction, object_is_extensible) \
V(OBJECT_IS_FROZEN, JSFunction, object_is_frozen) \
V(OBJECT_IS_SEALED, JSFunction, object_is_sealed) \
V(OBJECT_KEYS, JSFunction, object_keys) \
V(REGEXP_INTERNAL_MATCH, JSFunction, regexp_internal_match) \
......
......@@ -540,8 +540,6 @@ function ArrayShiftFallback() {
return;
}
if (%object_is_sealed(array)) throw %make_type_error(kArrayFunctionsOnSealed);
var first = array[0];
if (UseSparseVariant(array, len, IS_ARRAY(array), len)) {
......@@ -636,13 +634,6 @@ function ArraySpliceFallback(start, delete_count) {
var deleted_elements = ArraySpeciesCreate(array, del_count);
deleted_elements.length = del_count;
if (del_count != num_elements_to_add && %object_is_sealed(array)) {
throw %make_type_error(kArrayFunctionsOnSealed);
} else if (del_count > 0 && %object_is_frozen(array)) {
throw %make_type_error(kArrayFunctionsOnFrozen);
}
var changed_elements = del_count;
if (num_elements_to_add != del_count) {
// If the slice needs to do a actually move elements after the insertion
......@@ -1112,10 +1103,6 @@ DEFINE_METHOD_LEN(
if (end > length) end = length;
}
if ((end - i) > 0 && %object_is_frozen(array)) {
throw %make_type_error(kArrayFunctionsOnFrozen);
}
for (; i < end; i++)
array[i] = value;
return array;
......
......@@ -273,8 +273,6 @@ class ErrorUtils : public AllStatic {
"Derived ArrayBuffer constructor created a buffer which was too small") \
T(ArrayBufferSpeciesThis, \
"ArrayBuffer subclass returned this from species constructor") \
T(ArrayFunctionsOnFrozen, "Cannot modify frozen array elements") \
T(ArrayFunctionsOnSealed, "Cannot add/remove sealed array elements") \
T(AwaitNotInAsyncFunction, "await is only valid in async function") \
T(AtomicsWaitNotAllowed, "Atomics.wait cannot be called in this context") \
T(BadSortComparisonFunction, \
......
......@@ -367,7 +367,7 @@ bytecodes: [
B(TestTypeOf), U8(6),
B(JumpIfFalse), U8(4),
B(Jump), U8(18),
B(Wide), B(LdaSmi), I16(147),
B(Wide), B(LdaSmi), I16(145),
B(Star), R(18),
B(LdaConstant), U8(15),
B(Star), R(19),
......
......@@ -124,7 +124,7 @@ bytecodes: [
B(TestTypeOf), U8(6),
B(JumpIfFalse), U8(4),
B(Jump), U8(18),
B(Wide), B(LdaSmi), I16(147),
B(Wide), B(LdaSmi), I16(145),
B(Star), R(19),
B(LdaConstant), U8(12),
B(Star), R(20),
......@@ -378,7 +378,7 @@ bytecodes: [
B(TestTypeOf), U8(6),
B(JumpIfFalse), U8(4),
B(Jump), U8(18),
B(Wide), B(LdaSmi), I16(147),
B(Wide), B(LdaSmi), I16(145),
B(Star), R(19),
B(LdaConstant), U8(12),
B(Star), R(20),
......@@ -654,7 +654,7 @@ bytecodes: [
B(TestTypeOf), U8(6),
B(JumpIfFalse), U8(4),
B(Jump), U8(18),
B(Wide), B(LdaSmi), I16(147),
B(Wide), B(LdaSmi), I16(145),
B(Star), R(19),
B(LdaConstant), U8(12),
B(Star), R(20),
......@@ -886,7 +886,7 @@ bytecodes: [
B(TestTypeOf), U8(6),
B(JumpIfFalse), U8(4),
B(Jump), U8(18),
B(Wide), B(LdaSmi), I16(147),
B(Wide), B(LdaSmi), I16(145),
B(Star), R(17),
B(LdaConstant), U8(10),
B(Star), R(18),
......
......@@ -86,7 +86,7 @@ bytecodes: [
B(TestTypeOf), U8(6),
B(JumpIfFalse), U8(4),
B(Jump), U8(18),
B(Wide), B(LdaSmi), I16(147),
B(Wide), B(LdaSmi), I16(145),
B(Star), R(12),
B(LdaConstant), U8(8),
B(Star), R(13),
......@@ -220,7 +220,7 @@ bytecodes: [
B(TestTypeOf), U8(6),
B(JumpIfFalse), U8(4),
B(Jump), U8(18),
B(Wide), B(LdaSmi), I16(147),
B(Wide), B(LdaSmi), I16(145),
B(Star), R(13),
B(LdaConstant), U8(8),
B(Star), R(14),
......@@ -366,7 +366,7 @@ bytecodes: [
B(TestTypeOf), U8(6),
B(JumpIfFalse), U8(4),
B(Jump), U8(18),
B(Wide), B(LdaSmi), I16(147),
B(Wide), B(LdaSmi), I16(145),
B(Star), R(12),
B(LdaConstant), U8(8),
B(Star), R(13),
......@@ -502,7 +502,7 @@ bytecodes: [
B(TestTypeOf), U8(6),
B(JumpIfFalse), U8(4),
B(Jump), U8(18),
B(Wide), B(LdaSmi), I16(147),
B(Wide), B(LdaSmi), I16(145),
B(Star), R(11),
B(LdaConstant), U8(10),
B(Star), R(12),
......
......@@ -90,7 +90,7 @@ bytecodes: [
B(TestTypeOf), U8(6),
B(JumpIfFalse), U8(4),
B(Jump), U8(18),
B(Wide), B(LdaSmi), I16(147),
B(Wide), B(LdaSmi), I16(145),
B(Star), R(14),
B(LdaConstant), U8(7),
B(Star), R(15),
......@@ -261,7 +261,7 @@ bytecodes: [
B(TestTypeOf), U8(6),
B(JumpIfFalse), U8(4),
B(Jump), U8(18),
B(Wide), B(LdaSmi), I16(147),
B(Wide), B(LdaSmi), I16(145),
B(Star), R(14),
B(LdaConstant), U8(11),
B(Star), R(15),
......@@ -408,7 +408,7 @@ bytecodes: [
B(TestTypeOf), U8(6),
B(JumpIfFalse), U8(4),
B(Jump), U8(18),
B(Wide), B(LdaSmi), I16(147),
B(Wide), B(LdaSmi), I16(145),
B(Star), R(12),
B(LdaConstant), U8(9),
B(Star), R(13),
......@@ -503,7 +503,7 @@ bytecodes: [
B(JumpIfUndefined), U8(6),
B(Ldar), R(6),
B(JumpIfNotNull), U8(16),
B(LdaSmi), I8(77),
B(LdaSmi), I8(75),
B(Star), R(18),
B(LdaConstant), U8(4),
B(Star), R(19),
......@@ -559,7 +559,7 @@ bytecodes: [
B(TestTypeOf), U8(6),
B(JumpIfFalse), U8(4),
B(Jump), U8(18),
B(Wide), B(LdaSmi), I16(147),
B(Wide), B(LdaSmi), I16(145),
B(Star), R(17),
B(LdaConstant), U8(9),
B(Star), R(18),
......@@ -713,7 +713,7 @@ bytecodes: [
B(TestTypeOf), U8(6),
B(JumpIfFalse), U8(4),
B(Jump), U8(18),
B(Wide), B(LdaSmi), I16(147),
B(Wide), B(LdaSmi), I16(145),
B(Star), R(16),
B(LdaConstant), U8(10),
B(Star), R(17),
......@@ -882,7 +882,7 @@ bytecodes: [
B(TestTypeOf), U8(6),
B(JumpIfFalse), U8(4),
B(Jump), U8(18),
B(Wide), B(LdaSmi), I16(147),
B(Wide), B(LdaSmi), I16(145),
B(Star), R(15),
B(LdaConstant), U8(13),
B(Star), R(16),
......@@ -1037,7 +1037,7 @@ bytecodes: [
B(TestTypeOf), U8(6),
B(JumpIfFalse), U8(4),
B(Jump), U8(18),
B(Wide), B(LdaSmi), I16(147),
B(Wide), B(LdaSmi), I16(145),
B(Star), R(21),
B(LdaConstant), U8(7),
B(Star), R(22),
......@@ -1253,7 +1253,7 @@ bytecodes: [
B(TestTypeOf), U8(6),
B(JumpIfFalse), U8(4),
B(Jump), U8(18),
B(Wide), B(LdaSmi), I16(147),
B(Wide), B(LdaSmi), I16(145),
B(Star), R(20),
B(LdaConstant), U8(8),
B(Star), R(21),
......
......@@ -204,7 +204,7 @@ bytecodes: [
B(TestTypeOf), U8(6),
B(JumpIfFalse), U8(4),
B(Jump), U8(18),
B(Wide), B(LdaSmi), I16(147),
B(Wide), B(LdaSmi), I16(145),
B(Star), R(14),
B(LdaConstant), U8(14),
B(Star), R(15),
......
......@@ -231,7 +231,7 @@ bytecodes: [
B(JumpIfUndefined), U8(6),
B(Ldar), R(3),
B(JumpIfNotNull), U8(16),
B(LdaSmi), I8(77),
B(LdaSmi), I8(75),
B(Star), R(4),
B(LdaConstant), U8(1),
B(Star), R(5),
......
......@@ -44,19 +44,18 @@ test(function() {
}, "Function.prototype.apply was called on 1, which is a number " +
"and not a function", TypeError);
// kArrayFunctionsOnFrozen
test(function() {
var a = [1, 2];
Object.freeze(a);
a.splice(1, 1, [1]);
}, "Cannot modify frozen array elements", TypeError);
}, "Cannot assign to read only property '1' of object '[object Array]'",
TypeError);
// kArrayFunctionsOnSealed
test(function() {
var a = [1];
Object.seal(a);
a.shift();
}, "Cannot add/remove sealed array elements", TypeError);
}, "Cannot delete property '0' of [object Array]", TypeError);
// kCalledNonCallable
test(function() {
......
// Copyright 2018 the V8 project authors. All rights reserved.
// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.
"use strict";
// Generate a frozen or sealed array-like object.
function arraylike(freeze) {
let x;
const obj = {length: 42};
Object.defineProperty(obj, 5, {get() {return x}, set(y) {x = y}});
return freeze ? Object.freeze(obj) : Object.seal(obj);
}
// Array.prototype.fill
{
const sealed = arraylike(false);
Array.prototype.fill.call(sealed, "foo", 5, 6);
assertEquals("foo", sealed[5]);
assertThrows(() => Array.prototype.fill.call(sealed, "foo"), TypeError);
}{
const frozen = arraylike(true);
Array.prototype.fill.call(frozen, "foo", 5, 6);
assertEquals("foo", frozen[5]);
assertThrows(() => Array.prototype.fill.call(frozen, "foo"), TypeError);
}
// Array.prototype.shift
{
const sealed = Object.seal({length: 0});
assertEquals(undefined, Array.prototype.shift.call(sealed));
}{
const sealed = Object.seal({length: 42});
assertEquals(undefined, Array.prototype.shift.call(sealed));
}{
let x;
let obj = {length: 42, [1]: "foo"};
Object.defineProperty(obj, 0, {get() {return x}, set(y) {x = y}});
const sealed = Object.seal(obj);
assertThrows(() => Array.prototype.shift.call(sealed), TypeError);
assertEquals("foo", sealed[0]);
}{
const frozen = Object.freeze({length: 0});
assertThrows(() => Array.prototype.shift.call(frozen), TypeError);
}
// Array.prototype.splice
{
const sealed = arraylike(false);
assertEquals([undefined], Array.prototype.splice.call(sealed, 5, 1, "foo"));
assertEquals("foo", sealed[5]);
assertThrows(() => Array.prototype.splice.call(sealed, 5, 0, "bar"),
TypeError);
assertEquals("foo", sealed[5]);
}{
const frozen = arraylike(true);
assertThrows(() => Array.prototype.splice.call(frozen, 5, 1, "foo"),
TypeError);
assertEquals("foo", frozen[5]);
assertThrows(() => Array.prototype.splice.call(frozen, 5, 0, "bar"),
TypeError);
assertEquals("foo", frozen[5]);
}
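Review bot: The new cases exercise only plain array-like objects, so nothing here pins what happens when a real frozen or sealed Array reaches `fill` now that the up-front guard is gone from array.js; the message tests visible on this page cover `splice` on a frozen array and `shift` on a sealed one, but not `fill`. I would add `const a = Object.freeze([1, 2]);`, `assertThrows(() => a.fill(0), TypeError);` and `assertEquals([1, 2], a);` so the test also proves the elements were left untouched. Separately, the assertions that `sealed[0]` and `frozen[5]` equal "foo" after a throwing call deserve a comment such as `// The accessor's setter runs before the later step throws, so the write stays observable.`, because that partial mutation is intended behaviour and not obvious to a reader.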
......@@ -193,7 +193,7 @@ TEST_F(BytecodeArrayBuilderTest, AllBytecodesGenerated) {
.CallUndefinedReceiver(reg, pair, 1)
.CallRuntime(Runtime::kIsArray, reg)
.CallRuntimeForPair(Runtime::kLoadLookupSlotForCall, reg_list, pair)
.CallJSRuntime(Context::OBJECT_IS_FROZEN, reg_list)
.CallJSRuntime(Context::OBJECT_CREATE, reg_list)
.CallWithSpread(reg, reg_list, 1);
// Emit binary operator invocations.
......