Frozen Arrays length assignment should throw in strict mode
author: keith_miller@apple.com <keith_miller@apple.com@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
Tue, 2 Jul 2019 18:46:42 +0000 (18:46 +0000)
committer: keith_miller@apple.com <keith_miller@apple.com@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
Tue, 2 Jul 2019 18:46:42 +0000 (18:46 +0000)
https://bugs.webkit.org/show_bug.cgi?id=199365

Reviewed by Yusuke Suzuki.

JSTests:

* stress/frozen-array-length-should-throw-strict.js: Added.
(test):

Source/JavaScriptCore:

* runtime/JSArray.cpp:
(JSC::JSArray::put):

git-svn-id: https://svn.webkit.org/repository/webkit/trunk@247065 268f45cc-cd09-0410-ab3c-d52691b4dbfc
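
The behaviour this commit brings JSC in line with, as an added example that is not part of the WebKit change: ECMAScript's [[Set]] on a non-writable data property returns false whatever value is assigned, which strict-mode code must turn into a TypeError and sloppy-mode code must swallow. The helper names below (strictSetLength, sloppySetLength, reflectSetLength, runAll) are this example's own and are not JavaScriptCore identifiers.

```javascript
// Added example (not code from the WebKit commit): the ECMAScript [[Set]]
// semantics for the length of a frozen array, which is what JSArray::put
// has to honour once Object.freeze has made "length" non-writable.

// Strict-mode caller: a rejected [[Set]] must surface as a TypeError, and
// the array must be left untouched.
function strictSetLength(arr, newLength) {
    "use strict";
    try {
        arr.length = newLength;
        return { threw: false, isTypeError: false, length: arr.length };
    } catch (e) {
        return { threw: true, isTypeError: e instanceof TypeError, length: arr.length };
    }
}

// Sloppy-mode caller: the same rejected write is swallowed silently.
// Built with the Function constructor so the body stays sloppy however the
// enclosing file is loaded (an ES module would otherwise make it strict).
const sloppySetLength = new Function(
    "arr", "newLength",
    "arr.length = newLength; return { length: arr.length };"
);

// Mode-independent view: Reflect.set returns the raw [[Set]] result, so a
// caller can detect the rejected write without depending on strictness.
function reflectSetLength(arr, newLength) {
    const ok = Reflect.set(arr, "length", newLength);
    return { ok, length: arr.length };
}

// Exercise growing, same-value and shrinking writes against a frozen array
// (constructed sample input), plus a control write against an ordinary array.
function runAll() {
    const frozen = Object.freeze(["a"]);
    const plain = ["a"];
    return {
        frozenGrow:    strictSetLength(frozen, 2),
        frozenSame:    strictSetLength(frozen, 1),   // rejected too: the value is irrelevant
        frozenShrink:  strictSetLength(frozen, 0),
        frozenSloppy:  sloppySetLength(frozen, 2),
        frozenReflect: reflectSetLength(frozen, 2),
        plainGrow:     strictSetLength(plain, 2),
    };
}
```

Run it under a current engine and every frozen-array write leaves `length` at 1: the three strict writes throw a TypeError, the sloppy write returns without an exception, and Reflect.set reports `false`; only the unfrozen control array grows to 2. The same-value case is included because the check in JSArray::put rejects the write before the new length is even computed, and that is what the spec asks for.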

JSTests/ChangeLog
JSTests/stress/frozen-array-length-should-throw-strict.js [new file with mode: 0644]
Source/JavaScriptCore/ChangeLog
Source/JavaScriptCore/runtime/JSArray.cpp

index 60e854a..fbb5927 100644 (file)
@@ -1,3 +1,13 @@
+2019-07-02  Keith Miller  <keith_miller@apple.com>
+
+        Frozen Arrays length assignment should throw in strict mode
+        https://bugs.webkit.org/show_bug.cgi?id=199365
+
+        Reviewed by Yusuke Suzuki.
+
+        * stress/frozen-array-length-should-throw-strict.js: Added.
+        (test):
+
 2019-07-01  Justin Michaud  <justin_michaud@apple.com>
 
         [Wasm-References] Disable references by default
diff --git a/JSTests/stress/frozen-array-length-should-throw-strict.js b/JSTests/stress/frozen-array-length-should-throw-strict.js
new file mode 100644 (file)
index 0000000..e6dfd32
--- /dev/null
@@ -0,0 +1,17 @@
+const a = Object.freeze(['a']);
+
+function test(a) {
+    "use strict";
+
+    try {
+        a.length = 2;
+    } catch (e) {
+        if (e instanceof TypeError)
+            return;
+    }
+    throw new Error("didn't throw the right exception");
+}
+noInline(test);
+
+for (let i = 0; i < 10000; i++)
+    test(a);
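Review bot: the test only checks that some TypeError escapes `a.length = 2`; it never confirms the write was actually rejected, so a build that threw and then still resized the array would pass. Add `if (a.length !== 1) throw new Error("length changed");` after the try/catch, and consider extra cases: `a.length = 1` and `a.length = 0` (the JSArray::put hunk returns before `newLength` is computed, so those must throw as well) and a sloppy-mode call that must return without throwing, since that path is left as a silent `return false`.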
index 2cefb78..3c57d4e 100644 (file)
@@ -1,3 +1,13 @@
+2019-07-02  Keith Miller  <keith_miller@apple.com>
+
+        Frozen Arrays length assignment should throw in strict mode
+        https://bugs.webkit.org/show_bug.cgi?id=199365
+
+        Reviewed by Yusuke Suzuki.
+
+        * runtime/JSArray.cpp:
+        (JSC::JSArray::put):
+
 2019-07-02  Paulo Matos  <pmatos@linki.tools>
 
         Fix typo in if/else block and remove dead assignment
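Review bot: the ChangeLog entry names the touched function but gives no description of the behaviour change; a line under the bug URL stating that a strict-mode assignment to the length of an array whose length is non-writable (e.g. after Object.freeze) now throws a TypeError instead of failing silently would let readers of the log understand the fix without opening the diff.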
index 547c1b5..429749b 100644 (file)
@@ -286,8 +286,12 @@ bool JSArray::put(JSCell* cell, ExecState* exec, PropertyName propertyName, JSVa
     thisObject->ensureWritable(vm);
 
     if (propertyName == vm.propertyNames->length) {
-        if (!thisObject->isLengthWritable())
+        if (!thisObject->isLengthWritable()) {
+            if (slot.isStrictMode())
+                throwTypeError(exec, scope, "Array length is not writable"_s);
             return false;
+        }
+
         unsigned newLength = value.toUInt32(exec);
         RETURN_IF_EXCEPTION(scope, false);
         double valueAsNumber = value.toNumber(exec);
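Review bot: the new throw sits ahead of `value.toUInt32(exec)`, so on a rejected write the right-hand side is never coerced and a ToNumber side effect on an object value does not run; that matches the spec's [[Set]] ordering (a non-writable descriptor fails before the value is validated), but the added test assigns a plain number, so nothing pins the ordering down. Consider a strict-mode case that assigns an object whose valueOf throws and asserts that the TypeError carries the read-only message rather than the valueOf error. Also note the check is reached only after `thisObject->ensureWritable(vm)` on the line above the hunk, so the rejected path still performs that call.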