Bug 158791

Summary: ArraySetLength should coerce [[Value]] before descriptor validation
Product: WebKit Reporter: André Bargull <andre.bargull>
Component: JavaScriptCoreAssignee: Alexey Shvayka <ashvayka>
Status: RESOLVED FIXED    
Severity: Trivial CC: ashvayka, darin, ews-watchlist, ggaren, keith_miller, mark.lam, msaboff, saam, tzagallo, webkit-bug-importer, ysuzuki
Priority: P2 Keywords: InRadar, WebExposed
Version: WebKit Nightly Build   
Hardware: All   
OS: All   
Attachments:
Description Flags
Patch darin: review+

André Bargull
Reported 2016-06-15 10:23:00 PDT
SVN: rev202088 Build with: perl Tools/Scripts/build-jsc --gtk --debug The following test case triggers this assertion error: --- ASSERTION FAILED: isLengthWritable() || !writable --- Test case: --- var a = []; Object.defineProperty(a, "length", { writable: true, value: { valueOf() { Object.defineProperty(a, "length", {writable: false}); return 0; } } }); --- Stack trace: --- #0 0x00007ffff6de7098 in WTFCrash () at ../../Source/WTF/wtf/Assertions.cpp:317 #1 0x00007ffff6b8f827 in JSC::JSArray::setLengthWritable (this=0x7fffaf1c7ed0, exec=0x7fffffffcb20, writable=true) at ../../Source/JavaScriptCore/runtime/JSArray.cpp:65 #2 0x00007ffff6b8fc31 in JSC::JSArray::defineOwnProperty (object=0x7fffaf1c7ed0, exec=0x7fffffffcb20, propertyName=..., descriptor=..., throwException=true) at ../../Source/JavaScriptCore/runtime/JSArray.cpp:118 #3 0x00007ffff6c8d2f2 in JSC::objectConstructorDefineProperty (exec=0x7fffffffcb20) at ../../Source/JavaScriptCore/runtime/ObjectConstructor.cpp:433 #4 0x00007fffb0bff028 in ?? () #5 0x00007fffffffcba0 in ?? () #6 0x00007ffff69f26a1 in llint_entry () at ../../Source/JavaScriptCore/runtime/JSCJSValueInlines.h:1054 ---
Attachments
Patch (12.59 KB, patch)
2020-09-13 14:22 PDT, Alexey Shvayka 		darin: review+
DetailsFormatted DiffDiff
View All Add attachment proposed patch, testcase, etc.
Radar WebKit Bug Importer
Comment 1 2016-06-15 17:17:25 PDT
<rdar://problem/26826784>
Yusuke Suzuki
Comment 2 2016-06-16 03:36:33 PDT
interesting. ToUint32(Desc.[[Value]]) causes the invocation of valueOf, and it changes the writablility of the "length" prop during [[DefineOwnProperty]].
Alexey Shvayka
Comment 3 2020-09-13 14:22:07 PDT
Created attachment 408664 [details] Patch
Alexey Shvayka
Comment 4 2020-09-14 13:48:41 PDT
Committed r267037: <https://trac.webkit.org/changeset/267037>
Alexey Shvayka
Comment 5 2020-09-14 13:48:59 PDT
Thank you for taking time to review this, Darin! It's not very easy to vet spec compliance here. There is a similar bug in SpiderMonkey with [[Set]] + unchanged length: test262 coverage update is on the way. Also, we might consider tweaking the spec to a) remove step 12 and b) always set [[Writable]]: false separately.
Note You need to log in before you can comment on or make changes to this bug.