diff options
Diffstat (limited to 'Source/JavaScriptCore/runtime/JSObject.cpp')
| -rw-r--r-- | Source/JavaScriptCore/runtime/JSObject.cpp | 7 |
1 files changed, 5 insertions, 2 deletions
diff --git a/Source/JavaScriptCore/runtime/JSObject.cpp b/Source/JavaScriptCore/runtime/JSObject.cpp index 7bf12b67e..bf38f6876 100644 --- a/Source/JavaScriptCore/runtime/JSObject.cpp +++ b/Source/JavaScriptCore/runtime/JSObject.cpp @@ -1350,10 +1350,13 @@ void JSObject::putByIndexBeyondVectorLength(ExecState* exec, unsigned i, JSValue } case NonArrayWithSlowPutArrayStorage: - case ArrayWithSlowPutArrayStorage: - if (attemptToInterceptPutByIndexOnHole(exec, i, value, shouldThrow)) + case ArrayWithSlowPutArrayStorage: { + // No own property present in the vector, but there might be in the sparse map! + SparseArrayValueMap* map = arrayStorage()->m_sparseMap.get(); + if (!(map && map->contains(i)) && attemptToInterceptPutByIndexOnHole(exec, i, value, shouldThrow)) return; // Otherwise, fall though. + } case NonArrayWithArrayStorage: case ArrayWithArrayStorage: |