Bug 158791

Summary:

ArraySetLength should coerce [[Value]] before descriptor validation

Product:

WebKit

Reporter:

André Bargull <andre.bargull>

Component:

JavaScriptCore

Assignee:

Alexey Shvayka <ashvayka>

Status:

RESOLVED FIXED

Severity:

Trivial

CC:

ashvayka, darin, ews-watchlist, ggaren, keith_miller, mark.lam, msaboff, saam, tzagallo, webkit-bug-importer, ysuzuki

Priority:

Keywords:

InRadar, WebExposed

Version:

WebKit Nightly Build

Hardware:

All

OS:

All

Attachments:

Description	Flags
Patch	darin: review+

Description André Bargull 2016-06-15 10:23:00 PDT

SVN: rev202088
Build with: perl Tools/Scripts/build-jsc --gtk --debug


The following test case triggers this assertion error:
---
ASSERTION FAILED: isLengthWritable() || !writable
---


Test case:
---
var a = [];
Object.defineProperty(a, "length", {
  writable: true,
  value: {
    valueOf() {
      Object.defineProperty(a, "length", {writable: false});
      return 0;
    }
  }
});
---


Stack trace:
---
#0  0x00007ffff6de7098 in WTFCrash () at ../../Source/WTF/wtf/Assertions.cpp:317
#1  0x00007ffff6b8f827 in JSC::JSArray::setLengthWritable (this=0x7fffaf1c7ed0, exec=0x7fffffffcb20, writable=true)
    at ../../Source/JavaScriptCore/runtime/JSArray.cpp:65
#2  0x00007ffff6b8fc31 in JSC::JSArray::defineOwnProperty (object=0x7fffaf1c7ed0, exec=0x7fffffffcb20, propertyName=..., descriptor=..., throwException=true)
    at ../../Source/JavaScriptCore/runtime/JSArray.cpp:118
#3  0x00007ffff6c8d2f2 in JSC::objectConstructorDefineProperty (exec=0x7fffffffcb20) at ../../Source/JavaScriptCore/runtime/ObjectConstructor.cpp:433
#4  0x00007fffb0bff028 in ?? ()
#5  0x00007fffffffcba0 in ?? ()
#6  0x00007ffff69f26a1 in llint_entry () at ../../Source/JavaScriptCore/runtime/JSCJSValueInlines.h:1054
---

Comment 1 Radar WebKit Bug Importer 2016-06-15 17:17:25 PDT

<rdar://problem/26826784>

Comment 2 Yusuke Suzuki 2016-06-16 03:36:33 PDT

interesting. ToUint32(Desc.[[Value]]) causes the invocation of valueOf, and it changes the writablility of the "length" prop during [[DefineOwnProperty]].

Comment 3 Alexey Shvayka 2020-09-13 14:22:07 PDT

Created attachment 408664 [details]
Patch

Comment 4 Alexey Shvayka 2020-09-14 13:48:41 PDT

Committed r267037: <https://trac.webkit.org/changeset/267037>

Comment 5 Alexey Shvayka 2020-09-14 13:48:59 PDT

Thank you for taking time to review this, Darin! It's not very easy to vet spec compliance here.

There is a similar bug in SpiderMonkey with [[Set]] + unchanged length: test262 coverage update is on the way.
Also, we might consider tweaking the spec to a) remove step 12 and b) always set [[Writable]]: false separately.