Bug 139418

Summary: A "cached" null setter should throw a TypeException when called in strict mode and doesn't
Product: WebKit Reporter: Michael Saboff <msaboff>
Component: JavaScriptCoreAssignee: Michael Saboff <msaboff>
Status: RESOLVED FIXED    
Severity: Normal Keywords: InRadar
Priority: P2    
Version: 528+ (Nightly build)   
Hardware: All   
OS: All   
Bug Depends on: 139229    
Bug Blocks:    
Attachments:
Description Flags
Test to demonstrate issue
none
Patch fpizlo: review+

Michael Saboff
Reported 2014-12-08 15:29:25 PST
The put by id caching only has logic to return undefined when a setter is null. The ECMAScript spec requires that a null setter throws a TypeException. The (soon to be) attached test demonstrates the problem.
Attachments
Test to demonstrate issue (2.49 KB, application/octet-stream)
2014-12-08 15:34 PST, Michael Saboff 		no flags
Details
Patch (22.50 KB, patch)
2015-01-19 18:22 PST, Michael Saboff 		fpizlo: review+
DetailsFormatted DiffDiff
View All Add attachment proposed patch, testcase, etc.
Michael Saboff
Comment 1 2014-12-08 15:34:27 PST
Created attachment 242855 [details] Test to demonstrate issue
Michael Saboff
Comment 2 2014-12-08 16:34:56 PST
<rdar://problem/19183271>
Michael Saboff
Comment 3 2015-01-19 18:22:44 PST
Created attachment 244949 [details] Patch
Filip Pizlo
Comment 4 2015-01-19 21:05:44 PST
Comment on attachment 244949 [details] Patch View in context: https://bugs.webkit.org/attachment.cgi?id=244949&action=review r+ modulo style > Source/JavaScriptCore/runtime/NullSetterFunction.h:27 > +#ifndef NullSetterFunction_h > +#define NullSetterFunction_h Remove the extra space.
Michael Saboff
Comment 5 2015-01-19 21:27:59 PST
Committed r178696: <http://trac.webkit.org/changeset/178696>
Geoffrey Garen
Comment 6 2015-01-20 12:10:47 PST
Comment on attachment 244949 [details] Patch View in context: https://bugs.webkit.org/attachment.cgi?id=244949&action=review > Source/JavaScriptCore/runtime/NullSetterFunction.cpp:96 > +ConstructType NullSetterFunction::getConstructData(JSCell*, ConstructData& constructData) > +{ > + constructData.native.function = constructReturnUndefined; > + return ConstructTypeHost; > +} This looks wrong. A setter can't be called as a constructor, can it? I don't think your test covers this case, either. You should probably remove the constructor path.
Michael Saboff
Comment 7 2015-01-20 17:29:59 PST
(In reply to comment #6) > Comment on attachment 244949 [details] > Patch > > View in context: > https://bugs.webkit.org/attachment.cgi?id=244949&action=review > > > Source/JavaScriptCore/runtime/NullSetterFunction.cpp:96 > > +ConstructType NullSetterFunction::getConstructData(JSCell*, ConstructData& constructData) > > +{ > > + constructData.native.function = constructReturnUndefined; > > + return ConstructTypeHost; > > +} > > This looks wrong. A setter can't be called as a constructor, can it? I don't > think your test covers this case, either. You should probably remove the > constructor path. Filed <https://bugs.webkit.org/show_bug.cgi?id=140708> - "Eliminate construct methods from NullGetterFunction and NullSetterFunction classes" to track removing the constructor path.
Note You need to log in before you can comment on or make changes to this bug.