projects / platform / upstream / v8.git / commit
? search:
summary | shortlog | log | commit | commitdiff | tree
(parent: 662fcc6) | patch
Array builtins need to be prevented from changing frozen objects, and changing struct...
authormvstanton@chromium.org <mvstanton@chromium.org@ce2b1a6d-e550-0410-aec6-3dcde31c8c00>
Fri, 29 Nov 2013 15:22:16 +0000 (15:22 +0000)
committermvstanton@chromium.org <mvstanton@chromium.org@ce2b1a6d-e550-0410-aec6-3dcde31c8c00>
Fri, 29 Nov 2013 15:22:16 +0000 (15:22 +0000)
commit5ba1304d60d8c58746bf91e549608090778239a1
treedf071b0ab9d0829656cfb913b30b08473de33ee4tree | snapshot
parent662fcc63638a14faddd2bc89ca5916e592b7a4fccommit | diff
Array builtins need to be prevented from changing frozen objects, and changing structure on sealed objects.

BUG=299979
LOG=Y
R=verwaest@chromium.org

Review URL: https://codereview.chromium.org/80623002

git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@18164 ce2b1a6d-e550-0410-aec6-3dcde31c8c00
12 files changed:
src/arm/stub-cache-arm.cc diff | blob | history
src/array.js diff | blob | history
src/builtins.cc diff | blob | history
src/ia32/stub-cache-ia32.cc diff | blob | history
src/messages.js diff | blob | history
src/mips/stub-cache-mips.cc diff | blob | history
src/objects-printer.cc diff | blob | history
src/x64/stub-cache-x64.cc diff | blob | history
test/mjsunit/object-freeze.js diff | blob | history
test/mjsunit/object-seal.js diff | blob | history
test/mjsunit/regress/regress-2711.js diff | blob | history
test/mjsunit/regress/regress-299979.js [new file with mode: 0644] blob
Domain: Web Framework / Web Engine;