Ensure CreateDataProperty works correctly on TypedArrays

Previously, CreateDataProperty would fail a DCHECK when used to create an integer indexed property on a TypedArray. This patch makes it throw a TypeError instead. The issue came up when Array.prototype.concat was repaired to use CreateDataProperty rather than SetElement; concat can be tricked into making a new TypedArray if it is given an Array whose prototype is a TypedArray. This patch prevents the issue. R=adamk LOG=Y BUG=chromium:596394 Review URL: https://codereview.chromium.org/1821723004 Cr-Commit-Position: refs/heads/master@{#35271}
2016-04-05 09:55:16 -07:00 · 2016-04-05 09:55:16 -07:00 · 7a38462e8b
commit 7a38462e8b
parent 7936f40562
2 changed files with 16 additions and 1 deletions
--- a/src/objects.cc
+++ b/src/objects.cc
@ -6685,7 +6685,9 @@ Maybe<bool> JSObject::CreateDataProperty(LookupIterator* it,
  Isolate* isolate = receiver->GetIsolate();

  if (it->IsFound()) {
-    if (!it->IsConfigurable()) {
+    Maybe<PropertyAttributes> attributes = GetPropertyAttributes(it);
+    MAYBE_RETURN(attributes, Nothing<bool>());
+    if ((attributes.FromJust() & DONT_DELETE) != 0) {
      RETURN_FAILURE(
          isolate, should_throw,
          NewTypeError(MessageTemplate::kRedefineDisallowed, it->GetName()));
--- a/test/mjsunit/regress/regress-crbug-596394.js
+++ b/test/mjsunit/regress/regress-crbug-596394.js
@ -0,0 +1,13 @@
+// Copyright 2016 the V8 project authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+// In ES#sec-array.prototype.concat
+// When concat makes a new integer-indexed exotic object, the resulting properties
+// are non-configurable and cannot have CreateDataPropertyOrThrow called on them,
+// so it throws a TypeError on failure to make a new property.
+
+__v_0 = new Uint8Array(100);
+array = new Array(10);
+array.__proto__ = __v_0;
+assertThrows(() => Array.prototype.concat.call(array), TypeError);