<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.1//EN"
"http://www.w3.org/TR/xhtml11/DTD/xhtml11.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head><meta http-equiv="content-type" content="text/html; charset=utf-8" />
<title>[196414] trunk/Source/JavaScriptCore</title>
</head>
<body>
<style type="text/css"><!--
#msg dl.meta { border: 1px #006 solid; background: #369; padding: 6px; color: #fff; }
#msg dl.meta dt { float: left; width: 6em; font-weight: bold; }
#msg dt:after { content:':';}
#msg dl, #msg dt, #msg ul, #msg li, #header, #footer, #logmsg { font-family: verdana,arial,helvetica,sans-serif; font-size: 10pt; }
#msg dl a { font-weight: bold}
#msg dl a:link { color:#fc3; }
#msg dl a:active { color:#ff0; }
#msg dl a:visited { color:#cc6; }
h3 { font-family: verdana,arial,helvetica,sans-serif; font-size: 10pt; font-weight: bold; }
#msg pre { overflow: auto; background: #ffc; border: 1px #fa0 solid; padding: 6px; }
#logmsg { background: #ffc; border: 1px #fa0 solid; padding: 1em 1em 0 1em; }
#logmsg p, #logmsg pre, #logmsg blockquote { margin: 0 0 1em 0; }
#logmsg p, #logmsg li, #logmsg dt, #logmsg dd { line-height: 14pt; }
#logmsg h1, #logmsg h2, #logmsg h3, #logmsg h4, #logmsg h5, #logmsg h6 { margin: .5em 0; }
#logmsg h1:first-child, #logmsg h2:first-child, #logmsg h3:first-child, #logmsg h4:first-child, #logmsg h5:first-child, #logmsg h6:first-child { margin-top: 0; }
#logmsg ul, #logmsg ol { padding: 0; list-style-position: inside; margin: 0 0 0 1em; }
#logmsg ul { text-indent: -1em; padding-left: 1em; }#logmsg ol { text-indent: -1.5em; padding-left: 1.5em; }
#logmsg > ul, #logmsg > ol { margin: 0 0 1em 0; }
#logmsg pre { background: #eee; padding: 1em; }
#logmsg blockquote { border: 1px solid #fa0; border-left-width: 10px; padding: 1em 1em 0 1em; background: white;}
#logmsg dl { margin: 0; }
#logmsg dt { font-weight: bold; }
#logmsg dd { margin: 0; padding: 0 0 0.5em 0; }
#logmsg dd:before { content:'\00bb';}
#logmsg table { border-spacing: 0px; border-collapse: collapse; border-top: 4px solid #fa0; border-bottom: 1px solid #fa0; background: #fff; }
#logmsg table th { text-align: left; font-weight: normal; padding: 0.2em 0.5em; border-top: 1px dotted #fa0; }
#logmsg table td { text-align: right; border-top: 1px dotted #fa0; padding: 0.2em 0.5em; }
#logmsg table thead th { text-align: center; border-bottom: 1px solid #fa0; }
#logmsg table th.Corner { text-align: left; }
#logmsg hr { border: none 0; border-top: 2px dashed #fa0; height: 1px; }
#header, #footer { color: #fff; background: #636; border: 1px #300 solid; padding: 6px; }
#patch { width: 100%; }
#patch h4 {font-family: verdana,arial,helvetica,sans-serif;font-size:10pt;padding:8px;background:#369;color:#fff;margin:0;}
#patch .propset h4, #patch .binary h4 {margin:0;}
#patch pre {padding:0;line-height:1.2em;margin:0;}
#patch .diff {width:100%;background:#eee;padding: 0 0 10px 0;overflow:auto;}
#patch .propset .diff, #patch .binary .diff {padding:10px 0;}
#patch span {display:block;padding:0 10px;}
#patch .modfile, #patch .addfile, #patch .delfile, #patch .propset, #patch .binary, #patch .copfile {border:1px solid #ccc;margin:10px 0;}
#patch ins {background:#dfd;text-decoration:none;display:block;padding:0 10px;}
#patch del {background:#fdd;text-decoration:none;display:block;padding:0 10px;}
#patch .lines, .info {color:#888;background:#fff;}
--></style>
<div id="msg">
<dl class="meta">
<dt>Revision</dt> <dd><a href="http://trac.webkit.org/projects/webkit/changeset/196414">196414</a></dd>
<dt>Author</dt> <dd>keith_miller@apple.com</dd>
<dt>Date</dt> <dd>2016-02-10 20:06:37 -0800 (Wed, 10 Feb 2016)</dd>
</dl>
<h3>Log Message</h3>
<pre>Symbol.species accessors on builtin constructors should be configurable
https://bugs.webkit.org/show_bug.cgi?id=154097
Reviewed by Benjamin Poulain.
We did not have the Symbol.species accessors on our builtin constructors
marked as configurable. This does not accurately follow the ES6 spec as
the ES6 spec states that all default accessors on builtins should be
configurable. This means that we need an additional watchpoint on
ArrayConstructor to make sure that no users re-configures Symbol.species.
* runtime/ArrayConstructor.cpp:
(JSC::ArrayConstructor::finishCreation):
* runtime/ArrayPrototype.cpp:
(JSC::speciesConstructArray):
(JSC::ArrayPrototype::setConstructor):
(JSC::ArrayPrototypeAdaptiveInferredPropertyWatchpoint::handleFire):
* runtime/ArrayPrototype.h:
(JSC::ArrayPrototype::didChangeConstructorOrSpeciesProperties):
(JSC::ArrayPrototype::didChangeConstructorProperty): Deleted.
* runtime/JSArrayBufferConstructor.cpp:
(JSC::JSArrayBufferConstructor::finishCreation):
* runtime/JSPromiseConstructor.cpp:
(JSC::JSPromiseConstructor::finishCreation):
* runtime/JSTypedArrayViewConstructor.cpp:
(JSC::JSTypedArrayViewConstructor::finishCreation):
* runtime/MapConstructor.cpp:
(JSC::MapConstructor::finishCreation):
* runtime/RegExpConstructor.cpp:
(JSC::RegExpConstructor::finishCreation):
* runtime/SetConstructor.cpp:
(JSC::SetConstructor::finishCreation):
* tests/stress/array-species-config-array-constructor.js: Added.
(A):
* tests/stress/symbol-species.js:
(testSymbolSpeciesOnConstructor):</pre>
<h3>Modified Paths</h3>
<ul>
<li><a href="#trunkSourceJavaScriptCoreChangeLog">trunk/Source/JavaScriptCore/ChangeLog</a></li>
<li><a href="#trunkSourceJavaScriptCoreruntimeArrayConstructorcpp">trunk/Source/JavaScriptCore/runtime/ArrayConstructor.cpp</a></li>
<li><a href="#trunkSourceJavaScriptCoreruntimeArrayPrototypecpp">trunk/Source/JavaScriptCore/runtime/ArrayPrototype.cpp</a></li>
<li><a href="#trunkSourceJavaScriptCoreruntimeArrayPrototypeh">trunk/Source/JavaScriptCore/runtime/ArrayPrototype.h</a></li>
<li><a href="#trunkSourceJavaScriptCoreruntimeJSArrayBufferConstructorcpp">trunk/Source/JavaScriptCore/runtime/JSArrayBufferConstructor.cpp</a></li>
<li><a href="#trunkSourceJavaScriptCoreruntimeJSPromiseConstructorcpp">trunk/Source/JavaScriptCore/runtime/JSPromiseConstructor.cpp</a></li>
<li><a href="#trunkSourceJavaScriptCoreruntimeJSTypedArrayViewConstructorcpp">trunk/Source/JavaScriptCore/runtime/JSTypedArrayViewConstructor.cpp</a></li>
<li><a href="#trunkSourceJavaScriptCoreruntimeMapConstructorcpp">trunk/Source/JavaScriptCore/runtime/MapConstructor.cpp</a></li>
<li><a href="#trunkSourceJavaScriptCoreruntimeRegExpConstructorcpp">trunk/Source/JavaScriptCore/runtime/RegExpConstructor.cpp</a></li>
<li><a href="#trunkSourceJavaScriptCoreruntimeSetConstructorcpp">trunk/Source/JavaScriptCore/runtime/SetConstructor.cpp</a></li>
<li><a href="#trunkSourceJavaScriptCoretestsstresssymbolspeciesjs">trunk/Source/JavaScriptCore/tests/stress/symbol-species.js</a></li>
</ul>
<h3>Added Paths</h3>
<ul>
<li><a href="#trunkSourceJavaScriptCoretestsstressarrayspeciesconfigarrayconstructorjs">trunk/Source/JavaScriptCore/tests/stress/array-species-config-array-constructor.js</a></li>
</ul>
</div>
<div id="patch">
<h3>Diff</h3>
<a id="trunkSourceJavaScriptCoreChangeLog"></a>
<div class="modfile"><h4>Modified: trunk/Source/JavaScriptCore/ChangeLog (196413 => 196414)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/JavaScriptCore/ChangeLog 2016-02-11 03:20:28 UTC (rev 196413)
+++ trunk/Source/JavaScriptCore/ChangeLog 2016-02-11 04:06:37 UTC (rev 196414)
</span><span class="lines">@@ -1,3 +1,42 @@
</span><ins>+2016-02-10 Keith Miller <keith_miller@apple.com>
+
+ Symbol.species accessors on builtin constructors should be configurable
+ https://bugs.webkit.org/show_bug.cgi?id=154097
+
+ Reviewed by Benjamin Poulain.
+
+ We did not have the Symbol.species accessors on our builtin constructors
+ marked as configurable. This does not accurately follow the ES6 spec as
+ the ES6 spec states that all default accessors on builtins should be
+ configurable. This means that we need an additional watchpoint on
+ ArrayConstructor to make sure that no users re-configures Symbol.species.
+
+ * runtime/ArrayConstructor.cpp:
+ (JSC::ArrayConstructor::finishCreation):
+ * runtime/ArrayPrototype.cpp:
+ (JSC::speciesConstructArray):
+ (JSC::ArrayPrototype::setConstructor):
+ (JSC::ArrayPrototypeAdaptiveInferredPropertyWatchpoint::handleFire):
+ * runtime/ArrayPrototype.h:
+ (JSC::ArrayPrototype::didChangeConstructorOrSpeciesProperties):
+ (JSC::ArrayPrototype::didChangeConstructorProperty): Deleted.
+ * runtime/JSArrayBufferConstructor.cpp:
+ (JSC::JSArrayBufferConstructor::finishCreation):
+ * runtime/JSPromiseConstructor.cpp:
+ (JSC::JSPromiseConstructor::finishCreation):
+ * runtime/JSTypedArrayViewConstructor.cpp:
+ (JSC::JSTypedArrayViewConstructor::finishCreation):
+ * runtime/MapConstructor.cpp:
+ (JSC::MapConstructor::finishCreation):
+ * runtime/RegExpConstructor.cpp:
+ (JSC::RegExpConstructor::finishCreation):
+ * runtime/SetConstructor.cpp:
+ (JSC::SetConstructor::finishCreation):
+ * tests/stress/array-species-config-array-constructor.js: Added.
+ (A):
+ * tests/stress/symbol-species.js:
+ (testSymbolSpeciesOnConstructor):
+
</ins><span class="cx"> 2016-02-10 Benjamin Poulain <benjamin@webkit.org>
</span><span class="cx">
</span><span class="cx"> [JSC] The destination of Sqrt should be Def, not UseDef
</span></span></pre></div>
<a id="trunkSourceJavaScriptCoreruntimeArrayConstructorcpp"></a>
<div class="modfile"><h4>Modified: trunk/Source/JavaScriptCore/runtime/ArrayConstructor.cpp (196413 => 196414)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/JavaScriptCore/runtime/ArrayConstructor.cpp 2016-02-11 03:20:28 UTC (rev 196413)
+++ trunk/Source/JavaScriptCore/runtime/ArrayConstructor.cpp 2016-02-11 04:06:37 UTC (rev 196414)
</span><span class="lines">@@ -67,7 +67,7 @@
</span><span class="cx"> Base::finishCreation(vm, arrayPrototype->classInfo()->className);
</span><span class="cx"> putDirectWithoutTransition(vm, vm.propertyNames->prototype, arrayPrototype, DontEnum | DontDelete | ReadOnly);
</span><span class="cx"> putDirectWithoutTransition(vm, vm.propertyNames->length, jsNumber(1), ReadOnly | DontEnum | DontDelete);
</span><del>- putDirectNonIndexAccessor(vm, vm.propertyNames->speciesSymbol, speciesSymbol, Accessor | ReadOnly | DontEnum | DontDelete);
</del><ins>+ putDirectNonIndexAccessor(vm, vm.propertyNames->speciesSymbol, speciesSymbol, Accessor | ReadOnly | DontEnum);
</ins><span class="cx"> }
</span><span class="cx">
</span><span class="cx"> bool ArrayConstructor::getOwnPropertySlot(JSObject* object, ExecState* exec, PropertyName propertyName, PropertySlot &slot)
</span></span></pre></div>
<a id="trunkSourceJavaScriptCoreruntimeArrayPrototypecpp"></a>
<div class="modfile"><h4>Modified: trunk/Source/JavaScriptCore/runtime/ArrayPrototype.cpp (196413 => 196414)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/JavaScriptCore/runtime/ArrayPrototype.cpp 2016-02-11 03:20:28 UTC (rev 196413)
+++ trunk/Source/JavaScriptCore/runtime/ArrayPrototype.cpp 2016-02-11 04:06:37 UTC (rev 196414)
</span><span class="lines">@@ -192,7 +192,7 @@
</span><span class="cx"> // We need prototype check for subclasses of Array, which are Array objects but have a different prototype by default.
</span><span class="cx"> if (LIKELY(!thisObject->hasCustomProperties()
</span><span class="cx"> && thisObject->globalObject()->arrayPrototype() == thisObject->prototype()
</span><del>- && !thisObject->globalObject()->arrayPrototype()->didChangeConstructorProperty()))
</del><ins>+ && !thisObject->globalObject()->arrayPrototype()->didChangeConstructorOrSpeciesProperties()))
</ins><span class="cx"> return std::make_pair(SpeciesConstructResult::FastPath, nullptr);
</span><span class="cx">
</span><span class="cx"> constructor = thisObject->get(exec, exec->propertyNames().constructor);
</span><span class="lines">@@ -1060,6 +1060,7 @@
</span><span class="cx"> {
</span><span class="cx"> putDirectWithoutTransition(vm, vm.propertyNames->constructor, constructorProperty, attributes);
</span><span class="cx">
</span><ins>+ // Do the watchpoint on our constructor property
</ins><span class="cx"> PropertyOffset offset = this->structure()->get(vm, vm.propertyNames->constructor);
</span><span class="cx"> ASSERT(isValidOffset(offset));
</span><span class="cx"> this->structure()->startWatchingPropertyForReplacements(vm, offset);
</span><span class="lines">@@ -1069,6 +1070,18 @@
</span><span class="cx">
</span><span class="cx"> m_constructorWatchpoint = std::make_unique<ArrayPrototypeAdaptiveInferredPropertyWatchpoint>(condition, this);
</span><span class="cx"> m_constructorWatchpoint->install();
</span><ins>+
+ // Do the watchpoint on the constructor's Symbol.species property
+ offset = constructorProperty->structure()->get(vm, vm.propertyNames->speciesSymbol);
+ ASSERT(isValidOffset(offset));
+ constructorProperty->structure()->startWatchingPropertyForReplacements(vm, offset);
+
+ ASSERT(constructorProperty->getDirect(offset).isGetterSetter());
+ condition = ObjectPropertyCondition::equivalence(vm, this, constructorProperty, vm.propertyNames->speciesSymbol.impl(), constructorProperty->getDirect(offset));
+ ASSERT(condition.isWatchable());
+
+ m_constructorSpeciesWatchpoint = std::make_unique<ArrayPrototypeAdaptiveInferredPropertyWatchpoint>(condition, this);
+ m_constructorSpeciesWatchpoint->install();
</ins><span class="cx"> }
</span><span class="cx">
</span><span class="cx"> ArrayPrototypeAdaptiveInferredPropertyWatchpoint::ArrayPrototypeAdaptiveInferredPropertyWatchpoint(const ObjectPropertyCondition& key, ArrayPrototype* prototype)
</span><span class="lines">@@ -1084,7 +1097,7 @@
</span><span class="cx">
</span><span class="cx"> StringFireDetail stringDetail(out.toCString().data());
</span><span class="cx">
</span><del>- m_arrayPrototype->m_didChangeConstructorProperty = true;
</del><ins>+ m_arrayPrototype->m_didChangeConstructorOrSpeciesProperties = true;
</ins><span class="cx"> }
</span><span class="cx">
</span><span class="cx"> } // namespace JSC
</span></span></pre></div>
<a id="trunkSourceJavaScriptCoreruntimeArrayPrototypeh"></a>
<div class="modfile"><h4>Modified: trunk/Source/JavaScriptCore/runtime/ArrayPrototype.h (196413 => 196414)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/JavaScriptCore/runtime/ArrayPrototype.h 2016-02-11 03:20:28 UTC (rev 196413)
+++ trunk/Source/JavaScriptCore/runtime/ArrayPrototype.h 2016-02-11 04:06:37 UTC (rev 196414)
</span><span class="lines">@@ -46,7 +46,7 @@
</span><span class="cx">
</span><span class="cx"> void setConstructor(VM&, JSObject* constructorProperty, unsigned attributes);
</span><span class="cx">
</span><del>- bool didChangeConstructorProperty() const { return m_didChangeConstructorProperty; }
</del><ins>+ bool didChangeConstructorOrSpeciesProperties() const { return m_didChangeConstructorOrSpeciesProperties; }
</ins><span class="cx">
</span><span class="cx"> static const bool needsDestruction = false;
</span><span class="cx"> // We don't need destruction since we use a finalizer.
</span><span class="lines">@@ -59,7 +59,8 @@
</span><span class="cx"> // This bit is set if any user modifies the constructor property Array.prototype. This is used to optimize species creation for JSArrays.
</span><span class="cx"> friend ArrayPrototypeAdaptiveInferredPropertyWatchpoint;
</span><span class="cx"> std::unique_ptr<ArrayPrototypeAdaptiveInferredPropertyWatchpoint> m_constructorWatchpoint;
</span><del>- bool m_didChangeConstructorProperty = false;
</del><ins>+ std::unique_ptr<ArrayPrototypeAdaptiveInferredPropertyWatchpoint> m_constructorSpeciesWatchpoint;
+ bool m_didChangeConstructorOrSpeciesProperties = false;
</ins><span class="cx"> };
</span><span class="cx">
</span><span class="cx"> EncodedJSValue JSC_HOST_CALL arrayProtoFuncToString(ExecState*);
</span></span></pre></div>
<a id="trunkSourceJavaScriptCoreruntimeJSArrayBufferConstructorcpp"></a>
<div class="modfile"><h4>Modified: trunk/Source/JavaScriptCore/runtime/JSArrayBufferConstructor.cpp (196413 => 196414)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/JavaScriptCore/runtime/JSArrayBufferConstructor.cpp 2016-02-11 03:20:28 UTC (rev 196413)
+++ trunk/Source/JavaScriptCore/runtime/JSArrayBufferConstructor.cpp 2016-02-11 04:06:37 UTC (rev 196414)
</span><span class="lines">@@ -53,7 +53,7 @@
</span><span class="cx"> Base::finishCreation(vm, ASCIILiteral("ArrayBuffer"));
</span><span class="cx"> putDirectWithoutTransition(vm, vm.propertyNames->prototype, prototype, DontEnum | DontDelete | ReadOnly);
</span><span class="cx"> putDirectWithoutTransition(vm, vm.propertyNames->length, jsNumber(1), DontEnum | DontDelete | ReadOnly);
</span><del>- putDirectNonIndexAccessor(vm, vm.propertyNames->speciesSymbol, speciesSymbol, Accessor | ReadOnly | DontEnum | DontDelete);
</del><ins>+ putDirectNonIndexAccessor(vm, vm.propertyNames->speciesSymbol, speciesSymbol, Accessor | ReadOnly | DontEnum);
</ins><span class="cx">
</span><span class="cx"> JSGlobalObject* globalObject = this->globalObject();
</span><span class="cx"> JSC_NATIVE_FUNCTION_WITHOUT_TRANSITION(vm.propertyNames->isView, arrayBufferFuncIsView, DontEnum, 1);
</span></span></pre></div>
<a id="trunkSourceJavaScriptCoreruntimeJSPromiseConstructorcpp"></a>
<div class="modfile"><h4>Modified: trunk/Source/JavaScriptCore/runtime/JSPromiseConstructor.cpp (196413 => 196414)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/JavaScriptCore/runtime/JSPromiseConstructor.cpp 2016-02-11 03:20:28 UTC (rev 196413)
+++ trunk/Source/JavaScriptCore/runtime/JSPromiseConstructor.cpp 2016-02-11 04:06:37 UTC (rev 196414)
</span><span class="lines">@@ -85,7 +85,7 @@
</span><span class="cx"> Base::finishCreation(vm, ASCIILiteral("Promise"));
</span><span class="cx"> putDirectWithoutTransition(vm, vm.propertyNames->prototype, promisePrototype, DontEnum | DontDelete | ReadOnly);
</span><span class="cx"> putDirectWithoutTransition(vm, vm.propertyNames->length, jsNumber(1), ReadOnly | DontEnum | DontDelete);
</span><del>- putDirectNonIndexAccessor(vm, vm.propertyNames->speciesSymbol, speciesSymbol, Accessor | ReadOnly | DontEnum | DontDelete);
</del><ins>+ putDirectNonIndexAccessor(vm, vm.propertyNames->speciesSymbol, speciesSymbol, Accessor | ReadOnly | DontEnum);
</ins><span class="cx"> }
</span><span class="cx">
</span><span class="cx"> void JSPromiseConstructor::addOwnInternalSlots(VM& vm, JSGlobalObject* globalObject)
</span></span></pre></div>
<a id="trunkSourceJavaScriptCoreruntimeJSTypedArrayViewConstructorcpp"></a>
<div class="modfile"><h4>Modified: trunk/Source/JavaScriptCore/runtime/JSTypedArrayViewConstructor.cpp (196413 => 196414)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/JavaScriptCore/runtime/JSTypedArrayViewConstructor.cpp 2016-02-11 03:20:28 UTC (rev 196413)
+++ trunk/Source/JavaScriptCore/runtime/JSTypedArrayViewConstructor.cpp 2016-02-11 04:06:37 UTC (rev 196414)
</span><span class="lines">@@ -50,7 +50,7 @@
</span><span class="cx"> Base::finishCreation(vm, "TypedArray");
</span><span class="cx"> putDirectWithoutTransition(vm, vm.propertyNames->prototype, prototype, DontEnum | DontDelete | ReadOnly);
</span><span class="cx"> putDirectWithoutTransition(vm, vm.propertyNames->length, jsNumber(3), DontEnum | DontDelete | ReadOnly);
</span><del>- putDirectNonIndexAccessor(vm, vm.propertyNames->speciesSymbol, speciesSymbol, Accessor | ReadOnly | DontEnum | DontDelete);
</del><ins>+ putDirectNonIndexAccessor(vm, vm.propertyNames->speciesSymbol, speciesSymbol, Accessor | ReadOnly | DontEnum);
</ins><span class="cx">
</span><span class="cx"> JSC_BUILTIN_FUNCTION_WITHOUT_TRANSITION(vm.propertyNames->of, typedArrayConstructorOfCodeGenerator, DontEnum);
</span><span class="cx"> JSC_BUILTIN_FUNCTION_WITHOUT_TRANSITION(vm.propertyNames->from, typedArrayConstructorFromCodeGenerator, DontEnum);
</span></span></pre></div>
<a id="trunkSourceJavaScriptCoreruntimeMapConstructorcpp"></a>
<div class="modfile"><h4>Modified: trunk/Source/JavaScriptCore/runtime/MapConstructor.cpp (196413 => 196414)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/JavaScriptCore/runtime/MapConstructor.cpp 2016-02-11 03:20:28 UTC (rev 196413)
+++ trunk/Source/JavaScriptCore/runtime/MapConstructor.cpp 2016-02-11 04:06:37 UTC (rev 196414)
</span><span class="lines">@@ -45,7 +45,7 @@
</span><span class="cx"> Base::finishCreation(vm, mapPrototype->classInfo()->className);
</span><span class="cx"> putDirectWithoutTransition(vm, vm.propertyNames->prototype, mapPrototype, DontEnum | DontDelete | ReadOnly);
</span><span class="cx"> putDirectWithoutTransition(vm, vm.propertyNames->length, jsNumber(0), ReadOnly | DontEnum | DontDelete);
</span><del>- putDirectNonIndexAccessor(vm, vm.propertyNames->speciesSymbol, speciesSymbol, Accessor | ReadOnly | DontEnum | DontDelete);
</del><ins>+ putDirectNonIndexAccessor(vm, vm.propertyNames->speciesSymbol, speciesSymbol, Accessor | ReadOnly | DontEnum);
</ins><span class="cx"> }
</span><span class="cx">
</span><span class="cx"> static EncodedJSValue JSC_HOST_CALL callMap(ExecState* exec)
</span></span></pre></div>
<a id="trunkSourceJavaScriptCoreruntimeRegExpConstructorcpp"></a>
<div class="modfile"><h4>Modified: trunk/Source/JavaScriptCore/runtime/RegExpConstructor.cpp (196413 => 196414)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/JavaScriptCore/runtime/RegExpConstructor.cpp 2016-02-11 03:20:28 UTC (rev 196413)
+++ trunk/Source/JavaScriptCore/runtime/RegExpConstructor.cpp 2016-02-11 04:06:37 UTC (rev 196414)
</span><span class="lines">@@ -102,7 +102,7 @@
</span><span class="cx"> // no. of arguments for constructor
</span><span class="cx"> putDirectWithoutTransition(vm, vm.propertyNames->length, jsNumber(2), ReadOnly | DontDelete | DontEnum);
</span><span class="cx">
</span><del>- putDirectNonIndexAccessor(vm, vm.propertyNames->speciesSymbol, speciesSymbol, Accessor | ReadOnly | DontEnum | DontDelete);
</del><ins>+ putDirectNonIndexAccessor(vm, vm.propertyNames->speciesSymbol, speciesSymbol, Accessor | ReadOnly | DontEnum);
</ins><span class="cx"> }
</span><span class="cx">
</span><span class="cx"> void RegExpConstructor::destroy(JSCell* cell)
</span></span></pre></div>
<a id="trunkSourceJavaScriptCoreruntimeSetConstructorcpp"></a>
<div class="modfile"><h4>Modified: trunk/Source/JavaScriptCore/runtime/SetConstructor.cpp (196413 => 196414)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/JavaScriptCore/runtime/SetConstructor.cpp 2016-02-11 03:20:28 UTC (rev 196413)
+++ trunk/Source/JavaScriptCore/runtime/SetConstructor.cpp 2016-02-11 04:06:37 UTC (rev 196414)
</span><span class="lines">@@ -46,7 +46,7 @@
</span><span class="cx"> Base::finishCreation(vm, setPrototype->classInfo()->className);
</span><span class="cx"> putDirectWithoutTransition(vm, vm.propertyNames->prototype, setPrototype, DontEnum | DontDelete | ReadOnly);
</span><span class="cx"> putDirectWithoutTransition(vm, vm.propertyNames->length, jsNumber(0), ReadOnly | DontEnum | DontDelete);
</span><del>- putDirectNonIndexAccessor(vm, vm.propertyNames->speciesSymbol, speciesSymbol, Accessor | ReadOnly | DontEnum | DontDelete);
</del><ins>+ putDirectNonIndexAccessor(vm, vm.propertyNames->speciesSymbol, speciesSymbol, Accessor | ReadOnly | DontEnum);
</ins><span class="cx"> }
</span><span class="cx">
</span><span class="cx"> static EncodedJSValue JSC_HOST_CALL callSet(ExecState* exec)
</span></span></pre></div>
<a id="trunkSourceJavaScriptCoretestsstressarrayspeciesconfigarrayconstructorjs"></a>
<div class="addfile"><h4>Added: trunk/Source/JavaScriptCore/tests/stress/array-species-config-array-constructor.js (0 => 196414)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/JavaScriptCore/tests/stress/array-species-config-array-constructor.js (rev 0)
+++ trunk/Source/JavaScriptCore/tests/stress/array-species-config-array-constructor.js 2016-02-11 04:06:37 UTC (rev 196414)
</span><span class="lines">@@ -0,0 +1,29 @@
</span><ins>+class A extends Array { }
+Object.defineProperty(Array, Symbol.species, { value: A, configurable: true });
+
+foo = [1,2,3,4];
+result = foo.concat([1]);
+if (!(result instanceof A))
+ throw "concat failed";
+
+result = foo.splice();
+if (!(result instanceof A))
+ throw "splice failed";
+
+result = foo.slice();
+if (!(result instanceof A))
+ throw "slice failed";
+
+Object.defineProperty(Array, Symbol.species, { value: Int32Array, configurable: true });
+
+result = foo.concat([1]);
+if (!(result instanceof Int32Array))
+ throw "concat failed";
+
+result = foo.splice();
+if (!(result instanceof Int32Array))
+ throw "splice failed";
+
+result = foo.slice();
+if (!(result instanceof Int32Array))
+ throw "slice failed";
</ins></span></pre></div>
<a id="trunkSourceJavaScriptCoretestsstresssymbolspeciesjs"></a>
<div class="modfile"><h4>Modified: trunk/Source/JavaScriptCore/tests/stress/symbol-species.js (196413 => 196414)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/JavaScriptCore/tests/stress/symbol-species.js 2016-02-11 03:20:28 UTC (rev 196413)
+++ trunk/Source/JavaScriptCore/tests/stress/symbol-species.js 2016-02-11 04:06:37 UTC (rev 196414)
</span><span class="lines">@@ -6,12 +6,9 @@
</span><span class="cx"> constructor[Symbol.species] = true;
</span><span class="cx"> if (constructor[Symbol.species] !== constructor)
</span><span class="cx"> throw "Symbol.species was mutable " + constructor.name;
</span><del>- try {
- Object.defineProperty(constructor, Symbol.species, { value: true });
- } catch(e) {
- return;
- }
- throw "Symbol.species was configurable " + constructor.name;
</del><ins>+
+ // Symbol.species should be configurable.
+ Object.defineProperty(constructor, Symbol.species, { value: true });
</ins><span class="cx"> }
</span><span class="cx">
</span><span class="cx">
</span></span></pre>
</div>
</div>
</body>
</html>