Changeset 129458 in webkit for trunk/Source/JavaScriptCore/runtime/SparseArrayValueMap.cpp

Timestamp:

Sep 24, 2012, 11:12:11 PM (13 years ago)

Author:

[email protected]

Message:

Bug in numeric accessors on global environment
​https://bugs.webkit.org/show_bug.cgi?id=97526

Reviewed by Geoff Garen.

I've hit this assert in test262 in browser, but haven't yet worked out how to repro in a test case :-/
The sparsemap is failing to map back from the global object to the window shell.
A test case would need to resolve a numeric property name against the global environment.

(JSC::SparseArrayEntry::get):
(JSC::SparseArrayEntry::put):

• Add missing toThisObject calls.

File:

• trunk/Source/JavaScriptCore/runtime/SparseArrayValueMap.cpp (modified) (2 diffs)

trunk/Source/JavaScriptCore/runtime/SparseArrayValueMap.cpp

@@ -160 +160 @@
     CallData callData;
     CallType callType = getter->methodTable()->getCallData(getter, callData);
-    return call(exec, getter, callType, callData, array, exec->emptyList());
+    return call(exec, getter, callType, callData, array->methodTable()->toThisObject(array, exec), exec->emptyList());
 }
 
@@ -190 +190 @@
     MarkedArgumentBuffer args;
     args.append(value);
+    if (thisValue.isObject())
+        thisValue = asObject(thisValue)->methodTable()->toThisObject(asObject(thisValue), exec);
     call(exec, setter, callType, callData, thisValue, args);
 }