Closed Bug 1170216 Opened 10 years ago Closed 10 years ago

When using the slow-and-standard path in js::SetIntegrityLevel, don't manually call setNonwritableArrayLength afterwards

Tracking

()

Status:

RESOLVED FIXED

Milestone:

mozilla42

Tracking Flags:

Tracking

Status

firefox42

---

fixed

People

(Reporter: jorendorff, Assigned: jorendorff)

References

Details

Attachments

(1 file)

When using the slow-and-standard path in js::SetIntegrityLevel, don't manually call setNonwritableArrayLength afterwards 10 years ago Jason Orendorff [:jorendorff] 3.05 KB, patch	Waldo : review+	Details \| Diff \| Splinter Review

Jason Orendorff [:jorendorff]

Assignee

Description

•

10 years ago

We have this hack: // Ordinarily ArraySetLength handles this, but we're going behind its back // right now, so we must do this manually. Neither the custom property // tree mutations nor the DefineProperty call in the above code will do // this for us. // // ArraySetLength also implements the capacity <= length invariant for // arrays with non-writable length. We don't need to do anything special // for that, because capacity was zeroed out by preventExtensions. (See // the assertion before the if-else above.) if (level == IntegrityLevel::Frozen && obj->is<ArrayObject>()) { if (!obj->as<ArrayObject>().maybeCopyElementsForWrite(cx)) return false; obj->as<ArrayObject>().getElementsHeader()->setNonwritableArrayLength(); } This is no longer necessary in the case where we go through DefineProperty, because with bug 1125624, DefineProperty now has standard behavior. That is: the part of the comment quoted above that refers to DefineProperty is now wrong.

Jason Orendorff [:jorendorff]

Assignee

Updated

•

10 years ago

Depends on: 1125624

Jason Orendorff [:jorendorff]

Assignee

Comment 1

•

10 years ago

Attached patch When using the slow-and-standard path in js::SetIntegrityLevel, don't manually call setNonwritableArrayLength afterwards — Details — Splinter Review

Attachment #8613593 - Flags: review?(jwalden+bmo)

Jason Orendorff [:jorendorff]

Assignee

Updated

•

10 years ago

Assignee: nobody → jorendorff

Status: NEW → ASSIGNED

Jeff Walden [:Waldo]

Updated

•

10 years ago

Attachment #8613593 - Flags: review?(jwalden+bmo) → review+

Jason Orendorff [:jorendorff]

Assignee

Comment 2

•

10 years ago

https://hg.mozilla.org/integration/mozilla-inbound/rev/822901f56c1f

Pulsebot

Comment 3

•

10 years ago

Backout: https://hg.mozilla.org/integration/mozilla-inbound/rev/ed587a5aaecf

Carsten Book [:Tomcat]

Comment 4

•

10 years ago

sorry had to back this out in https://treeherder.mozilla.org/#/jobs?repo=mozilla-inbound&revision=65e6e21a4725 i think that something in this push caused test failures like https://treeherder.mozilla.org/logviewer.html#?job_id=10872015&repo=mozilla-inbound

Jason Orendorff [:jorendorff]

Assignee

Comment 5

•

10 years ago

https://hg.mozilla.org/integration/mozilla-inbound/rev/81cc971ff1d1

Wes Kocher (:KWierso) (Not reading bugmail; email directly if needed)

Comment 6

•

10 years ago

https://hg.mozilla.org/mozilla-central/rev/81cc971ff1d1

Status: ASSIGNED → RESOLVED

Closed: 10 years ago

status-firefox42: --- → fixed

Resolution: --- → FIXED

Target Milestone: --- → mozilla42

Chia-hung Tai [:ctai :ctai_mozilla :cht]

Updated

•

10 years ago

Blocks: 1183481

You need to log in before you can comment on or make changes to this bug.

Bugzilla

When using the slow-and-standard path in js::SetIntegrityLevel, don't manually call setNonwritableArrayLength afterwards

Categories

(Core :: JavaScript Engine, defect)

Tracking

()

People

(Reporter: jorendorff, Assigned: jorendorff)

References

Details

Crash Data

Security

(public)

User Story

Attachments

(1 file)

Description

Updated

Comment 1

Updated

Updated

Comment 2

Comment 3

Comment 4

Comment 5

Comment 6

Updated

Attachment

General

Description

File Name

Content Type