putByIndex should throw in strict mode
https://bugs.webkit.org/show_bug.cgi?id=80335
Reviewed by Filip Pizlo.
Make the MethodTable PutByIndex trap take a boolean 'shouldThrow' parameter.
Source/JavaScriptCore:
This is a largely mechanical change, simply adding an extra parameter to a number
of functions. Some call sites need to perform additional exception checks, and
operationPutByValBeyondArrayBounds needs to know whether it is strict or not.
This patch doesn't fix a missing throw from some cases of shift/unshift (this is
an existing bug); I'll follow up with a third patch to handle that.
(JSObjectSetPropertyAtIndex):
(JSC):
(JSC::DFG::putByVal):
- dfg/DFGOperations.h:
- dfg/DFGSpeculativeJIT32_64.cpp:
(JSC::DFG::SpeculativeJIT::compile):
- dfg/DFGSpeculativeJIT64.cpp:
(JSC::DFG::SpeculativeJIT::compile):
- interpreter/Interpreter.cpp:
(JSC::Interpreter::privateExecute):
(JSC::DEFINE_STUB_FUNCTION):
(GlobalObject::finishCreation):
- llint/LLIntSlowPaths.cpp:
(JSC::LLInt::LLINT_SLOW_PATH_DECL):
(JSC::Arguments::putByIndex):
(Arguments):
- runtime/ArrayPrototype.cpp:
(JSC::arrayProtoFuncPush):
(JSC::arrayProtoFuncReverse):
(JSC::arrayProtoFuncShift):
(JSC::arrayProtoFuncSort):
(JSC::arrayProtoFuncSplice):
(JSC::arrayProtoFuncUnShift):
(MethodTable):
(JSC::SparseArrayValueMap::put):
(JSC::JSArray::put):
(JSC::JSArray::putByIndex):
(JSC::JSArray::putByIndexBeyondVectorLength):
(JSC::JSArray::push):
(JSC::JSArray::shiftCount):
(JSC::JSArray::unshiftCount):
(SparseArrayValueMap):
(JSArray):
(JSC::JSByteArray::putByIndex):
(JSByteArray):
(JSC::JSCell::putByIndex):
(JSCell):
- runtime/JSNotAnObject.cpp:
(JSC::JSNotAnObject::putByIndex):
(JSNotAnObject):
(JSC::Walker::walk):
(JSC::JSObject::putByIndex):
(JSC::JSValue::putByIndex):
- runtime/RegExpConstructor.cpp:
(JSC::RegExpMatchesArray::fillArrayInstance):
- runtime/RegExpMatchesArray.h:
(JSC::RegExpMatchesArray::putByIndex):
- runtime/StringPrototype.cpp:
(JSC::stringProtoFuncSplit):
Source/WebCore:
- bindings/js/SerializedScriptValue.cpp:
(WebCore::CloneDeserializer::putProperty):
- bindings/objc/WebScriptObject.mm:
(-[WebScriptObject setWebScriptValueAtIndex:value:]):
- bindings/scripts/CodeGeneratorJS.pm:
(GenerateHeader):
(GenerateImplementation):
(_NPN_SetProperty):
- bridge/jni/jni_jsobject.mm:
(JavaJSObject::setSlot):
- bridge/runtime_array.cpp:
(JSC::RuntimeArray::putByIndex):
(RuntimeArray):
Source/WebKit/mac:
- Plugins/Hosted/NetscapePluginInstanceProxy.mm:
(WebKit::NetscapePluginInstanceProxy::setProperty):
Source/WebKit2:
- WebProcess/Plugins/Netscape/NPJSObject.cpp:
(WebKit::NPJSObject::setProperty):
LayoutTests:
- fast/js/Object-defineProperty-expected.txt:
- fast/js/mozilla/strict/15.4.4.12-expected.txt:
- fast/js/mozilla/strict/15.4.4.13-expected.txt:
- fast/js/mozilla/strict/15.4.4.8-expected.txt:
- fast/js/mozilla/strict/15.4.4.9-expected.txt:
- fast/js/mozilla/strict/15.5.5.2-expected.txt:
- fast/js/mozilla/strict/8.12.5-expected.txt:
- fast/js/preventExtensions-expected.txt:
- fast/js/primitive-property-access-edge-cases-expected.txt:
- Checking in passing test results.
- fast/js/script-tests/Object-defineProperty.js:
- Added test cases for putting to numeric properties where property is read-only,
length is read-only, or property is accessor with missing set function.
- fast/js/script-tests/preventExtensions.js:
- Added test case, putting numeric property to non-extensible array.
- fast/js/script-tests/primitive-property-access-edge-cases.js:
- Enabled test cases for putting numeric properties to primitive strings.
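
The script-visible behaviour the LayoutTests notes above describe, as an added example that is not part of the WebKit patch or its test files: each rejected indexed put is run once in sloppy mode and once in strict mode. The case names, bodies and the `runPut`/`compareModes` helpers are constructed for this illustration.

```javascript
// Each body performs one indexed put that the target object must reject.
// Constructed cases mirroring the situations listed in the LayoutTests notes.
const cases = {
  readOnlyIndex:
    'var a = [1]; Object.defineProperty(a, 0, {writable: false}); a[0] = 2; return a[0];',
  readOnlyLength:
    'var a = [1]; Object.defineProperty(a, "length", {writable: false}); a[1] = 2; return a.length;',
  getterWithoutSetter:
    'var o = {}; Object.defineProperty(o, 0, {get: function () { return 1; }}); o[0] = 2; return o[0];',
  nonExtensibleArray:
    'var a = []; Object.preventExtensions(a); a[0] = 1; return a.length;',
  primitiveString:
    'var s = "abc"; s[0] = "x"; return s;',
};

// Functions built with the Function constructor are sloppy unless their own
// body opts in, so the same source can be run in both modes from any caller.
function runPut(body, strict) {
  const fn = new Function((strict ? '"use strict";\n' : '') + body);
  try {
    return { threw: null, value: fn() };
  } catch (e) {
    return { threw: e instanceof TypeError ? 'TypeError' : String(e), value: undefined };
  }
}

// Run every case in both modes and collect the outcome side by side.
function compareModes() {
  const report = {};
  for (const [name, body] of Object.entries(cases)) {
    report[name] = { sloppy: runPut(body, false), strict: runPut(body, true) };
  }
  return report;
}

console.log(JSON.stringify(compareModes(), null, 2));
```

In sloppy mode every put is dropped silently and the object is left unchanged; in strict mode the same statement raises a TypeError, which is the distinction the 'shouldThrow' parameter carries down to putByIndex.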