Home Explore Help
Sign In
SunnyMirror
/
ChakraCore
mirror of https://github.com/microsoft/ChakraCore.git
2
0
Fork 0
Files Issues 0 Wiki
Browse Source

slice helper should check for the ES5array or Proxy in the protototype

This way we can identify if the array's content can be affected. If there is sideeffect expected we can take the slower
to finish the logic.
Akrosh Gandhi 8 years ago
parent
664e6a10b3
commit
9aabce213f
4 changed files with 27 additions and 2 deletions
Split View Show Diff Stats
  1. 5 0
      lib/Runtime/Library/JavascriptArray.cpp
  2. 13 0
      test/Array/Array_TypeConfusion_bugs.js
  3. 7 0
      test/Array/rlexe.xml
  4. 2 2
      test/es5/es5array_objproto_builtin.js

+ 5 - 0
lib/Runtime/Library/JavascriptArray.cpp
View File 

@@ -6207,6 +6207,11 @@ Case0:
 
 
         if (pArr)
 
         {
 
+            if (HasAnyES5ArrayInPrototypeChain(pArr))
 
+            {
 
+                JS_REENTRANT_UNLOCK(jsReentLock, return JavascriptArray::SliceObjectHelper(obj, start, 0u, newArr, newObj, newLen, scriptContext));
 
+            }
 
+
 
             // If we constructed a new Array object, we have some nice helpers here
 
             if (newArr && isBuiltinArrayCtor)
 
             {

+ 13 - 0
test/Array/Array_TypeConfusion_bugs.js
View File 

@@ -786,5 +786,18 @@ var tests = [
 
             assert.isTrue(setterCalled);

         }

     },

+    {

+        name: "slice : the method slice should get property from prototype which is a proxy",

+        body: function ()

+        {

+            var arr = [];

+            arr.length = 100;

+            arr.__proto__ = new Proxy([16], {} );

+

+            arr.push(1);

+            var ret = arr.slice(0, 10);

+            assert.areEqual(16, ret[0]);

+        }

+    },

 ];

 testRunner.runTests(tests, { verbose: WScript.Arguments[0] != "summary" });

+ 7 - 0
test/Array/rlexe.xml
View File 

@@ -732,6 +732,13 @@
 
       <tags>BugFix</tags>
 
     </default>
 
   </test>
 
+  <test>
 
+    <default>
 
+      <files>Array_TypeConfusion_bugs.js</files>
 
+      <compile-flags>-ForceArrayBTree -args summary -endargs</compile-flags>
 
+      <tags>BugFix</tags>
 
+    </default>
 
+  </test>
 
   <test>
 
     <default>
 
       <files>bug_9575461.js</files>

+ 2 - 2
test/es5/es5array_objproto_builtin.js
View File 

@@ -4,8 +4,8 @@
 
 //-------------------------------------------------------------------------------------------------------

 

 var ary = Array(1);

-ary.prop = "Got array property. Failed";

-Object.prototype.prop = "pass";

+ary.prop = "pass";

+Object.prototype.prop = "Got object prototype : Failed";

 Array.prototype.prop = "Got array prototype. Failed";

 Object.defineProperty(Object.prototype, 0, {

   get: function () {