Commit 2f1df49a authored by cbruni's avatar cbruni Committed by Commit bot

Fixing Sloppy Symbol.iterator setter

In certain cases the ArgumentsIteratorSetter would trigger an invalid
state in the LookupIterator when being overridden. This is now solved
by bypassing the SetDataProperty and directly using
DefinePropertyOrElementIgnoreAttributes since we know exactly which
property we're going to install.

LOG=N
BUG=chromium:521484

Review URL: https://codereview.chromium.org/1332873002

Cr-Commit-Position: refs/heads/master@{#30705}
parent d8eade4d
...@@ -161,14 +161,13 @@ void Accessors::ArgumentsIteratorSetter( ...@@ -161,14 +161,13 @@ void Accessors::ArgumentsIteratorSetter(
const v8::PropertyCallbackInfo<void>& info) { const v8::PropertyCallbackInfo<void>& info) {
i::Isolate* isolate = reinterpret_cast<i::Isolate*>(info.GetIsolate()); i::Isolate* isolate = reinterpret_cast<i::Isolate*>(info.GetIsolate());
HandleScope scope(isolate); HandleScope scope(isolate);
Handle<JSObject> object = Utils::OpenHandle(*info.This()); Handle<JSObject> object_handle = Utils::OpenHandle(*info.This());
Handle<Object> value = Utils::OpenHandle(*val); Handle<Object> value_handle = Utils::OpenHandle(*val);
Handle<Name> name_handle = Utils::OpenHandle(*name);
LookupIterator it(object, Utils::OpenHandle(*name));
CHECK_EQ(LookupIterator::ACCESSOR, it.state());
DCHECK(it.HolderIsReceiverOrHiddenPrototype());
if (Object::SetDataProperty(&it, value).is_null()) { if (JSObject::DefinePropertyOrElementIgnoreAttributes(
object_handle, name_handle, value_handle, NONE)
.is_null()) {
isolate->OptionalRescheduleException(false); isolate->OptionalRescheduleException(false);
} }
} }
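Review bot: The rewritten setter defines the property on `info.This()`, opened directly as a `Handle<JSObject>`, and the two assertions that tied the receiver to the accessor's holder (`CHECK_EQ(LookupIterator::ACCESSOR, it.state())` and `DCHECK(it.HolderIsReceiverOrHiddenPrototype())`) are dropped together with the LookupIterator. Whether this callback can be reached with a receiver other than the arguments object that holds the accessor is not visible in the hunk; if it can, the define lands on an object the setter was never meant to modify. I would keep a cheap guard, or at least state the assumption above the call, e.g. `// Receiver is always the arguments object that owns this accessor.`. Separately, passing `NONE` makes the replacement data property enumerable; if the accessor was installed non-enumerable, `DONT_ENUM` would keep an ordinary assignment from changing enumerability. The function's signature begins above the hunk.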
......
...@@ -160,6 +160,21 @@ function TestAssignmentToIterator() { ...@@ -160,6 +160,21 @@ function TestAssignmentToIterator() {
TestAssignmentToIterator(1, 2, 3, 4, 5); TestAssignmentToIterator(1, 2, 3, 4, 5);
// Regression test for crbug.com/521484.
function TestAssignmentToIterator2() {
var i = 0;
arguments.__defineGetter__('callee', function(){});
arguments.__defineGetter__('length', function(){ return 1 });
arguments[Symbol.iterator] = [].entries;
for (var entry of arguments) {
assertEquals([i, arguments[i]], entry);
i++;
}
assertEquals(arguments.length, i);
}
TestAssignmentToIterator2(1, 2, 3, 4, 5);
function TestArgumentsMutation() { function TestArgumentsMutation() {
var i = 0; var i = 0;
for (var x of arguments) { for (var x of arguments) {
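Review bot: TestAssignmentToIterator2 observes the override only indirectly through the `for...of` loop and never checks what the assignment `arguments[Symbol.iterator] = [].entries;` left on the object. Adding `assertSame([].entries, arguments[Symbol.iterator]);` right after the assignment, plus an assertion on `Object.getOwnPropertyDescriptor(arguments, Symbol.iterator)` for the intended `enumerable` and `writable` values, would pin the result of the new define path rather than just the absence of a crash. Because the `length` getter returns 1, the loop body runs once, so indices past 0 are not exercised by this regression test.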
......