Bug 173321

Summary: DFG doesn't properly handle a property that is changed to read-only in a prototype
Product: WebKit
Reporter: Michael Saboff <msaboff>
Component: JavaScriptCore
Assignee: Michael Saboff <msaboff>
Status: RESOLVED FIXED
Severity: Normal
CC: ap, buildbot, fpizlo, keith_miller, mark.lam, saam
Priority: P2
Keywords: InRadar
Version: WebKit Nightly Build
Hardware: Unspecified
OS: Unspecified
Attachments: Patch (flags: fpizlo: review+)

Description Michael Saboff 2017-06-13 12:47:07 PDT
Consider the code:

var SimpleObject = function () {
    this.a = 0;
    this.b = 1;
    this.c = 2;
}

var proto = { p: 100 };

SimpleObject.prototype = proto;

var test = function () {
    var o = new SimpleObject();
    o.x = 10;
    o.y = 11;
    return o;
}

The result of calling test() is an object like:
    { a: 0, b: 1, c: 2, p: 100, x: 10, y: 11 }

If you then call
    Object.defineProperty(proto, "a", { value: 101, writable: false });

The result of calling test() should be an object like:
    { a: 101, b: 1, c: 2, p: 100, x: 10, y: 11 }

The DFG doesn't check for the ReadOnly case and therefore doesn't reflect the change in the prototype.
Comment 1 Michael Saboff 2017-06-13 14:23:00 PDT
Created attachment 312808
Patch
Comment 2 Michael Saboff 2017-06-13 14:23:21 PDT
<rdar://problem/28476667>
Comment 3 Michael Saboff 2017-06-13 14:52:08 PDT
Committed r218203: <http://trac.webkit.org/changeset/218203>
Comment 4 Michael Saboff 2017-06-13 15:42:42 PDT
*** Bug 162567 has been marked as a duplicate of this bug. ***