| Summary: | "ASSERTION FAILED: false" (GetterSetterImp::toObject is called) | ||||||
|---|---|---|---|---|---|---|---|
| Product: | WebKit | Reporter: | Jesse Ruderman <jruderman> | ||||
| Component: | JavaScriptCore | Assignee: | Cameron Zwarich (cpst) <zwarich> | ||||
| Status: | RESOLVED FIXED | ||||||
| Severity: | Normal | CC: | gavin.sharp, zwarich | ||||
| Priority: | P2 | Keywords: | HasReduction, InRadar | ||||
| Version: | 528+ (Nightly build) | ||||||
| Hardware: | Mac | ||||||
| OS: | OS X 10.4 | ||||||
| Bug Depends on: | |||||||
| Bug Blocks: | 13638 | ||||||
| Attachments: |
|
||||||
JSObject::defineSetter calls putDirect(propertyName, gs, GetterSetter), where "GetterSetter" is an attribute. If a property exists with the name, this ends up inside PropertyMap::put at the following code:
// Put a new value in an existing hash table entry.
m_u.table->entries()[entryIndex - 1].value = value;
// Attributes are intentionally not updated.
The problem here is the fact that we do not update the attribute of the property, which will lead to the PropertyMap returning an incorrect value for containsGettersOrSetters() when it is called after the setter for "a" in the test case is deleted.
It seems that this was fixed by the refactoring of the getter and setter code in r36016, the revision that introduced polymorphic inline caching. I'll write a test so we can close this bug. Created attachment 23134 [details]
Proposed patch adding layout tests
|
testkjs doesn't like this script. b = 3; this.__defineSetter__("a", function() {}); this.__defineSetter__("b", function() {}); delete a; b.c; A Debug build of testkjs exits, saying ASSERTION FAILED: false (/Users/jruderman/WebKit/JavaScriptCore/kjs/internal.cpp:191 virtual KJS::JSObject* KJS::GetterSetterImp::toObject(KJS::ExecState*) const) A Release build of testjks says "TypeError: Null value" when perhaps it should say "TypeError: Undefined value", but nothing really bad happens.