Bug 139418

Summary: A "cached" null setter should throw a TypeException when called in strict mode and doesn't
Product: WebKit Reporter: Michael Saboff <msaboff>
Component: JavaScriptCoreAssignee: Michael Saboff <msaboff>
Status: RESOLVED FIXED    
Severity: Normal Keywords: InRadar
Priority: P2    
Version: 528+ (Nightly build)   
Hardware: All   
OS: All   
Bug Depends on: 139229    
Bug Blocks:    
Attachments:
Description Flags
Test to demonstrate issue
none
Patch fpizlo: review+

Description Michael Saboff 2014-12-08 15:29:25 PST 
The put by id caching only has logic to return undefined when a setter is null.  The ECMAScript spec requires that a null setter throws a TypeException.  The (soon to be) attached test demonstrates the problem.
Comment 1 Michael Saboff 2014-12-08 15:34:27 PST 
Created attachment 242855 [details]
Test to demonstrate issue
Comment 2 Michael Saboff 2014-12-08 16:34:56 PST 
<rdar://problem/19183271>
Comment 3 Michael Saboff 2015-01-19 18:22:44 PST 
Created attachment 244949 [details]
Patch
Comment 4 Filip Pizlo 2015-01-19 21:05:44 PST 
Comment on attachment 244949 [details]
Patch

View in context: https://bugs.webkit.org/attachment.cgi?id=244949&action=review

r+ modulo style

> Source/JavaScriptCore/runtime/NullSetterFunction.h:27
> +#ifndef NullSetterFunction_h
> +#define  NullSetterFunction_h

Remove the extra space.
Comment 5 Michael Saboff 2015-01-19 21:27:59 PST 
Committed r178696: <http://trac.webkit.org/changeset/178696>
Comment 6 Geoffrey Garen 2015-01-20 12:10:47 PST 
Comment on attachment 244949 [details]
Patch

View in context: https://bugs.webkit.org/attachment.cgi?id=244949&action=review

> Source/JavaScriptCore/runtime/NullSetterFunction.cpp:96
> +ConstructType NullSetterFunction::getConstructData(JSCell*, ConstructData& constructData)
> +{
> +    constructData.native.function = constructReturnUndefined;
> +    return ConstructTypeHost;
> +}

This looks wrong. A setter can't be called as a constructor, can it? I don't think your test covers this case, either. You should probably remove the constructor path.
Comment 7 Michael Saboff 2015-01-20 17:29:59 PST 
(In reply to comment #6)
> Comment on attachment 244949 [details]
> Patch
> 
> View in context:
> https://bugs.webkit.org/attachment.cgi?id=244949&action=review
> 
> > Source/JavaScriptCore/runtime/NullSetterFunction.cpp:96
> > +ConstructType NullSetterFunction::getConstructData(JSCell*, ConstructData& constructData)
> > +{
> > +    constructData.native.function = constructReturnUndefined;
> > +    return ConstructTypeHost;
> > +}
> 
> This looks wrong. A setter can't be called as a constructor, can it? I don't
> think your test covers this case, either. You should probably remove the
> constructor path.

Filed <https://bugs.webkit.org/show_bug.cgi?id=140708> - "Eliminate construct methods from NullGetterFunction and NullSetterFunction classes" to track removing the constructor path.