ae6c58c26d
... when the element is read-only in one of the prototypes: * the length should not be updated, * in strict mode the store operation should throw TypeError. Bug: chromium:1055138 Change-Id: I7fc08e22c83f8a9848053cfe20851dc1b82f0e3d Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2172090 Commit-Queue: Igor Sheludko <ishell@chromium.org> Reviewed-by: Toon Verwaest <verwaest@chromium.org> Cr-Commit-Position: refs/heads/master@{#67717}
35 lines
944 B
JavaScript
35 lines
944 B
JavaScript
// Copyright 2020 the V8 project authors. All rights reserved.
|
|
// Use of this source code is governed by a BSD-style license that can be
|
|
// found in the LICENSE file.
|
|
|
|
Object.prototype[1] = 153;
|
|
|
|
(function TestSloppyStoreToReadOnlyProperty() {
|
|
function foo(prototype_frozen) {
|
|
let ar = [];
|
|
for (let i = 0; i < 3; i++) {
|
|
ar[i] = 42;
|
|
|
|
if (prototype_frozen) {
|
|
if (i == 1) {
|
|
// Attempt to overwrite read-only element should not change
|
|
// array length.
|
|
assertEquals(1, ar.length);
|
|
} else {
|
|
assertEquals(i + 1, ar.length);
|
|
}
|
|
}
|
|
}
|
|
return ar;
|
|
}
|
|
|
|
// Warm-up store IC.
|
|
assertEquals([42,42,42], foo(false));
|
|
assertEquals([42,42,42], foo(false));
|
|
assertEquals([42,42,42], foo(false));
|
|
assertEquals([42,42,42], foo(false));
|
|
Object.freeze(Object.prototype);
|
|
// Ensure IC was properly invalidated.
|
|
assertEquals([42,153,42], foo(true));
|
|
})();
|