Commit d914a9af authored by Igor Sheludko's avatar Igor Sheludko Committed by Commit Bot

[builtins] Fix handling of read-only length in Array.prototype.pop

Bug: v8:10484
Change-Id: I977c5974d33472f5af20d7646ad4cf2c58049632
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2182452
Commit-Queue: Igor Sheludko <ishell@chromium.org>
Reviewed-by: 's avatarToon Verwaest <verwaest@chromium.org>
Cr-Commit-Position: refs/heads/master@{#67612}
parent e4be6d41
...@@ -2,6 +2,7 @@ ...@@ -2,6 +2,7 @@
// Use of this source code is governed by a BSD-style license that can be // Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file. // found in the LICENSE file.
#include "src/base/logging.h"
#include "src/builtins/builtins-utils-inl.h" #include "src/builtins/builtins-utils-inl.h"
#include "src/builtins/builtins.h" #include "src/builtins/builtins.h"
#include "src/codegen/code-factory.h" #include "src/codegen/code-factory.h"
...@@ -471,6 +472,15 @@ BUILTIN(ArrayPop) { ...@@ -471,6 +472,15 @@ BUILTIN(ArrayPop) {
uint32_t new_length = len - 1; uint32_t new_length = len - 1;
ASSIGN_RETURN_FAILURE_ON_EXCEPTION( ASSIGN_RETURN_FAILURE_ON_EXCEPTION(
isolate, result, JSReceiver::GetElement(isolate, array, new_length)); isolate, result, JSReceiver::GetElement(isolate, array, new_length));
// The length could have become read-only during the last GetElement() call,
// so check again.
if (JSArray::HasReadOnlyLength(array)) {
THROW_NEW_ERROR_RETURN_FAILURE(
isolate, NewTypeError(MessageTemplate::kStrictReadOnlyProperty,
isolate->factory()->length_string(),
Object::TypeOf(isolate, array), array));
}
JSArray::SetLength(array, new_length); JSArray::SetLength(array, new_length);
} }
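Review bot: The re-check added after `GetElement()` validates only the read-only-length case, and its comment does not say why the state can change at all: the lookup can reach an accessor on the prototype chain and run script, as the two regression tests show. `new_length` is still derived from the `len` read before that call, so a getter that changes the array's length or its elements instead of freezing it goes straight to `JSArray::SetLength(array, new_length)`. Whether `SetLength` handles that the way `pop` is specified to is not visible in this hunk. I would widen the comment to something like `// GetElement() may invoke an accessor on the prototype chain and run arbitrary script, so re-validate the array before SetLength().` and add a test where the getter changes the length rather than its writability. The body of `ArrayPop` begins and continues outside the hunk.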
......
// Copyright 2020 the V8 project authors. All rights reserved.
// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.
var ar;
Object.defineProperty(Array.prototype, 3,
{ get() { Object.freeze(ar); } });
function foo() {
ar = [1, 2, 3];
ar.length = 4;
ar.pop();
}
assertThrows(foo, TypeError);
assertThrows(foo, TypeError);
assertThrows(foo, TypeError);
assertThrows(foo, TypeError);
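Review bot: Both new tests (this one and the `Object.defineProperty(ar, "length", ...)` variant that follows) assert only that `pop()` throws, so they do not pin down that the array is left unmodified once the getter has made `length` read-only. After the first `assertThrows` I would add `assertEquals(4, ar.length);` here and `assertEquals(3, ar.length);` in the second file, so a regression that throws after already truncating the array would still be caught. A short header comment would also help, e.g. `// ar has a hole at index 3, so pop() reads Array.prototype[3] and runs the getter before the length is written.`, plus a word on why the call is repeated four times.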
// Copyright 2020 the V8 project authors. All rights reserved.
// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.
var ar;
Object.defineProperty(Array.prototype, 3,
{
get() {
Object.defineProperty(
ar, "length",
{ value: 3, writable: false, configurable: false });
}
});
function foo() {
ar = [1, 2, 3];
ar.length = 4;
ar.pop();
}
assertThrows(foo, TypeError);
assertThrows(foo, TypeError);
assertThrows(foo, TypeError);
assertThrows(foo, TypeError);