Commit 1f1329d9 authored by adamk's avatar adamk Committed by Commit bot

Use SetOwnElement when creating splice records in array length setter

This avoids touching the Array prototype, which may have been tampered with.

BUG=chromium:443982
LOG=n

Review URL: https://codereview.chromium.org/820503005

Cr-Commit-Position: refs/heads/master@{#25908}
parent ad033893
...@@ -11809,8 +11809,8 @@ MaybeHandle<Object> JSArray::SetElementsLength( ...@@ -11809,8 +11809,8 @@ MaybeHandle<Object> JSArray::SetElementsLength(
// Skip deletions where the property was an accessor, leaving holes // Skip deletions where the property was an accessor, leaving holes
// in the array of old values. // in the array of old values.
if (old_values[i]->IsTheHole()) continue; if (old_values[i]->IsTheHole()) continue;
JSObject::SetElement( JSObject::SetOwnElement(deleted, indices[i] - index, old_values[i],
deleted, indices[i] - index, old_values[i], NONE, SLOPPY).Assert(); SLOPPY).Assert();
} }
SetProperty(deleted, isolate->factory()->length_string(), SetProperty(deleted, isolate->factory()->length_string(),
......
// Copyright 2014 the V8 project authors. All rights reserved.
// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.
var records;
function observer(r) {
records = r;
}
Object.defineProperty(Array.prototype, '0', {
get: function() { return 0; },
set: function() { throw "boom!"; }
});
arr = [1, 2];
Array.observe(arr, observer);
arr.length = 0;
assertEquals(0, arr.length);
Object.deliverChangeRecords(observer);
assertEquals(1, records.length);
assertEquals('splice', records[0].type);
assertArrayEquals([1, 2], records[0].removed);
Markdown is supported
0% or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment