Fix Runtime_SetProperty to properly handle OOM failures

BUG=chromium:249873 R=mstarzinger@chromium.org Review URL: https://codereview.chromium.org/17167002 git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@15186 ce2b1a6d-e550-0410-aec6-3dcde31c8c00

Fix Runtime_SetProperty to properly handle OOM failures
BUG=chromium:249873 R=mstarzinger@chromium.org Review URL: https://codereview.chromium.org/17167002 git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@15186 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
07596dd7 · jkummerow@chromium.org · c9624a44 · 07596dd7 · 07596dd7
Commit 07596dd7 authored Jun 17, 2013 by jkummerow@chromium.org
Hide whitespace changes
Inline Side-by-side

Showing with 25 additions and 10 deletions

objects.cc src/objects.cc +1 -1

runtime.cc src/runtime.cc +24 -9

No files found.
--- a/src/objects.cc
+++ b/src/objects.cc
@@ -12060,7 +12060,7 @@ Handle<Object> JSObject::SetElement(Handle<JSObject> object,
                                    StrictModeFlag strict_mode,
                                    SetPropertyMode set_mode) {
  if (object->HasExternalArrayElements()) {
-    if (!value->IsSmi() && !value->IsHeapNumber() && !value->IsUndefined()) {
+    if (!value->IsNumber() && !value->IsUndefined()) {
      bool has_exception;
      Handle<Object> number = Execution::ToNumber(value, &has_exception);
      if (has_exception) return Handle<Object>();

--- a/src/runtime.cc
+++ b/src/runtime.cc
@@ -4753,25 +4753,40 @@ MaybeObject* Runtime::SetObjectProperty(Isolate* isolate,
    }

    js_object->ValidateElements();
-    Handle<Object> result = JSObject::SetElement(
-        js_object, index, value, attr, strict_mode, set_mode);
+    if (js_object->HasExternalArrayElements()) {
+      if (!value->IsNumber() && !value->IsUndefined()) {
+        bool has_exception;
+        Handle<Object> number = Execution::ToNumber(value, &has_exception);
+        if (has_exception) return Failure::Exception();
+        value = number;
+      }
+    }
+    MaybeObject* result = js_object->SetElement(
+        index, *value, attr, strict_mode, true, set_mode);
    js_object->ValidateElements();
-    if (result.is_null()) return Failure::Exception();
+    if (result->IsFailure()) return result;
    return *value;
  }

  if (key->IsName()) {
-    Handle<Object> result;
+    MaybeObject* result;
    Handle<Name> name = Handle<Name>::cast(key);
    if (name->AsArrayIndex(&index)) {
-      result = JSObject::SetElement(
-          js_object, index, value, attr, strict_mode, set_mode);
+      if (js_object->HasExternalArrayElements()) {
+        if (!value->IsNumber() && !value->IsUndefined()) {
+          bool has_exception;
+          Handle<Object> number = Execution::ToNumber(value, &has_exception);
+          if (has_exception) return Failure::Exception();
+          value = number;
+        }
+      }
+      result = js_object->SetElement(
+          index, *value, attr, strict_mode, true, set_mode);
    } else {
      if (name->IsString()) Handle<String>::cast(name)->TryFlatten();
-      result = JSReceiver::SetProperty(
-          js_object, name, value, attr, strict_mode);
+      result = js_object->SetProperty(*name, *value, attr, strict_mode);
    }
-    if (result.is_null()) return Failure::Exception();
+    if (result->IsFailure()) return result;
    return *value;
  }