Timestamp:
Feb 28, 2012, 5:39:15 PM (13 years ago)
Author:
[email protected]
Message:

Get/Put for primitives should not wrap on strict accessor call
https://bugs.webkit.org/show_bug.cgi?id=79588

Reviewed by Oliver Hunt.

In the case of Get, this is a pretty trivial bug - just don't wrap
primitives at the point you call a getter.

For setters, this is a little more involved, since we have already wrapped
the value up in a synthesized object. Stop doing so. There is also a further
subtlety, that in strict mode all attempts to create a new data property on
the object should throw.

Source/JavaScriptCore:

  • runtime/JSCell.cpp:

(JSC::JSCell::put):

    • Put to a string primitive should use JSValue::putToPrimitive.

  • runtime/JSObject.cpp:

(JSC::JSObject::put):

    • Remove static function called in one place.

  • runtime/JSObject.h:

(JSC::JSValue::put):

    • Put to a non-cell JSValue should use JSValue::putToPrimitive.

  • runtime/JSValue.cpp:

(JSC::JSValue::synthesizePrototype):

    • Add support for synthesizing the prototype of strings.

(JSC::JSValue::putToPrimitive):

    • Added, implements Put for primitive bases, per 8.7.2.

  • runtime/JSValue.h:

(JSValue):

    • Add declaration for JSValue::putToPrimitive.

  • runtime/PropertySlot.cpp:

(JSC::PropertySlot::functionGetter):

    • Don't call ToObject on primitive this values.

LayoutTests:

  • fast/js/mozilla/strict/15.5.5.1-expected.txt:
  • fast/js/primitive-property-access-edge-cases-expected.txt:
  • fast/js/read-modify-eval-expected.txt:
  • fast/js/script-tests/primitive-property-access-edge-cases.js:
  • fast/js/script-tests/read-modify-eval.js:
    • Added new test cases & updated test results.
File:
1 edited

  • trunk/Source/JavaScriptCore/runtime/PropertySlot.cpp

    r97097 r109177  
    3535    CallData callData;
    3636    CallType callType = m_data.getterFunc->methodTable()->getCallData(m_data.getterFunc, callData);
    37    
    38     // Only objects can have accessor properties.
    39     // If the base is WebCore's global object then we need to substitute the shell.
    40     ASSERT(m_slotBase.isObject());
    41     return call(exec, m_data.getterFunc, callType, callData, m_thisValue.toThisObject(exec), exec->emptyList());
     37    return call(exec, m_data.getterFunc, callType, callData, m_thisValue.isObject() ? m_thisValue.toThisObject(exec) : m_thisValue, exec->emptyList());
    4238}
    4339
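Review bot: The new return at line 37 drops `ASSERT(m_slotBase.isObject())` together with the comments, but that assertion is about m_slotBase while the change only alters how m_thisValue is passed; unless the slot base can now be a non-object, keep the assertion so the "only objects can have accessor properties" invariant is still checked. The object branch still calls toThisObject, and the removed comment about substituting the shell for WebCore's global object is the only explanation of why, so it is worth keeping above the return. The ternary also passes a primitive this through unchanged without looking at whether the getter is strict, while the commit title scopes the change to strict accessor calls; a short comment saying where a non-strict getter's this value gets converted would make that clear to the next reader.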