From 0d6fe0a44f59cba02be26d8c124d7d9e4958f2f3 Mon Sep 17 00:00:00 2001
From: "ricow@chromium.org"
Date: Thu, 18 Feb 2010 13:13:21 +0000
Subject: [PATCH] Added access check to SetNormalizedProperty which is used from runtime DefineOrRedefineDataProperty.
Review URL: http://codereview.chromium.org/647010
git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@3900 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
---
 src/objects.cc | 4 +++-
 src/runtime.cc | 10 ++++++----
 2 files changed, 9 insertions(+), 5 deletions(-)
diff --git a/src/objects.cc b/src/objects.cc
index 7b435ba497..d6b5ce7fde 100644
--- a/src/objects.cc
+++ b/src/objects.cc
@@ -2000,10 +2000,12 @@ Object* JSObject::IgnoreAttributesAndSetLocalProperty(
 if (!result->IsLoaded()) {
 return SetLazyProperty(result, name, value, attributes);
 }
+ PropertyDetails details = PropertyDetails(attributes, NORMAL);
+
 // Check of IsReadOnly removed from here in clone.
 switch (result->type()) {
 case NORMAL:
- return SetNormalizedProperty(result, value);
+ return SetNormalizedProperty(name, value, details);
 case FIELD:
 return FastPropertyAtPut(result->GetFieldIndex(), value);
 case MAP_TRANSITION:
diff --git a/src/runtime.cc b/src/runtime.cc
index 2a6715a1b5..4722008ee3 100644
--- a/src/runtime.cc
+++ b/src/runtime.cc
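Review bot: Only the NORMAL case in this switch applies `attributes`; the FIELD case still calls `FastPropertyAtPut(result->GetFieldIndex(), value)` and leaves the existing attributes in place, so the redefinition path in src/runtime.cc is correct only because that caller normalizes the object first. That dependency is undocumented, and a property that was meant to become read-only could silently stay writable if the object ever reached this switch in fast mode. I would add a comment above the switch such as `// Callers that change attributes must normalize first; only the NORMAL case applies |attributes|.`, or an assertion to that effect. The access check named in the commit message is not in the hunk and is presumably earlier in IgnoreAttributesAndSetLocalProperty, whose body begins before and continues past the lines shown.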
@@ -2926,12 +2926,14 @@ static Object* Runtime_DefineOrRedefineDataProperty(Arguments args) {
 // correctly in the case where a property is a field and is reset with
 // new attributes.
 if (result.IsProperty() && attr != result.GetAttributes()) {
- PropertyDetails details = PropertyDetails(attr, NORMAL);
 // New attributes - normalize to avoid writing to instance descriptor
- js_object->NormalizeProperties(KEEP_INOBJECT_PROPERTIES, 0);
- return js_object->SetNormalizedProperty(*name, *obj_value, details);
+ js_object->NormalizeProperties(CLEAR_INOBJECT_PROPERTIES, 0);
+ // Use IgnoreAttributes version since a readonly property may be
+ // overridden and SetProperty does not allow this.
+ return js_object->IgnoreAttributesAndSetLocalProperty(*name,
+ *obj_value,
+ attr);
 }
-
 return Runtime::SetObjectProperty(js_object, name, obj_value, attr);
 }
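Review bot: `js_object->NormalizeProperties(CLEAR_INOBJECT_PROPERTIES, 0)` still runs before `IgnoreAttributesAndSetLocalProperty`, which is presumably where the access check is enforced, so a caller the check rejects has already changed the target object's property storage; the check should come first or the normalization should move behind it. The result of NormalizeProperties is also discarded: if it can return a failure (its declaration is not visible here), the object may stay in fast mode and the FIELD case in the src/objects.cc hunk would write the value without applying `attr`, so I would propagate it, e.g. `Object* r = js_object->NormalizeProperties(CLEAR_INOBJECT_PROPERTIES, 0); if (r->IsFailure()) return r;`. The switch from KEEP_INOBJECT_PROPERTIES to CLEAR_INOBJECT_PROPERTIES is not explained in the comment or the commit message and deserves a line saying why. The diffstat lists only the two source files, so no regression test for the rejected-access case accompanies the fix. Runtime_DefineOrRedefineDataProperty begins above the hunk, so the earlier lookup that fills `result` is not visible.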