Define length on CoW array should properly convert to writable

https://bugs.webkit.org/show_bug.cgi?id=185927 Reviewed by Yusuke Suzuki. JSTests: * stress/cow-define-length-as-value.js: Added. (test): Source/JavaScriptCore: * runtime/JSArray.cpp: (JSC::JSArray::setLength): git-svn-id: http://svn.webkit.org/repository/webkit/trunk@232138 268f45cc-cd09-0410-ab3c-d52691b4dbfc
wqyfavor · May 24, 2018 · 4789553 · 4789553
1 parent 6a31919
commit 4789553
Show file tree

Hide file tree

Showing 4 changed files with 49 additions and 1 deletion.
diff --git a/JSTests/ChangeLog b/JSTests/ChangeLog
@@ -1,3 +1,13 @@
+2018-05-23  Keith Miller  <[email protected]>
+
+        Define length on CoW array should properly convert to writable
+        https://bugs.webkit.org/show_bug.cgi?id=185927
+
+        Reviewed by Yusuke Suzuki.
+
+        * stress/cow-define-length-as-value.js: Added.
+        (test):
+
 2018-05-23  Michael Saboff  <[email protected]>
 
         Date.parse() doesn't properly handle input outside of ES Spec limits

diff --git a/JSTests/stress/cow-define-length-as-value.js b/JSTests/stress/cow-define-length-as-value.js
@@ -0,0 +1,19 @@
+function test(create) {
+    // Set length to be smaller.
+    Object.defineProperty(create(), "length", { value: 1 });
+
+    // Set length to be bigger.
+    Object.defineProperty(create(), "length", { value: 4 });
+
+    // Set length to be the same size
+    Object.defineProperty(create(), "length", { value: 3 });
+}
+
+// Test Int32.
+test(() => [1, 2]);
+// Test double
+test(() => [1.123, 2.50934]);
+// Test contiguous via NaN
+test(() => [NaN, 2.50934]);
+// Test contiguous via string
+test(() => ["test", "42"]);
diff --git a/Source/JavaScriptCore/ChangeLog b/Source/JavaScriptCore/ChangeLog
@@ -1,3 +1,13 @@
+2018-05-23  Keith Miller  <[email protected]>
+
+        Define length on CoW array should properly convert to writable
+        https://bugs.webkit.org/show_bug.cgi?id=185927
+
+        Reviewed by Yusuke Suzuki.
+
+        * runtime/JSArray.cpp:
+        (JSC::JSArray::setLength):
+
 2018-05-23  Keith Miller  <[email protected]>
 
         InPlaceAbstractState should filter variables at the tail from a GetLocal by their flush format

diff --git a/Source/JavaScriptCore/runtime/JSArray.cpp b/Source/JavaScriptCore/runtime/JSArray.cpp
@@ -568,7 +568,7 @@ bool JSArray::setLength(ExecState* exec, unsigned newLength, bool throwException
     auto scope = DECLARE_THROW_SCOPE(vm);
 
     Butterfly* butterfly = this->butterfly();
-    switch (indexingType()) {
+    switch (indexingMode()) {
     case ArrayClass:
         if (!newLength)
             return true;
@@ -581,6 +581,15 @@ bool JSArray::setLength(ExecState* exec, unsigned newLength, bool throwException
         createInitialUndecided(vm, newLength);
         return true;
 
+    case CopyOnWriteArrayWithInt32:
+    case CopyOnWriteArrayWithDouble:
+    case CopyOnWriteArrayWithContiguous:
+        if (newLength == butterfly->publicLength())
+            return true;
+        convertFromCopyOnWrite(vm);
+        butterfly = this->butterfly();
+        FALLTHROUGH;
+
     case ArrayWithUndecided:
     case ArrayWithInt32:
     case ArrayWithDouble: