Bug 184629

Summary: constructObjectFromPropertyDescriptor() is incorrect with partial descriptors
Product: WebKit Reporter: isol2
Component: JavaScriptCoreAssignee: Alexey Shvayka <ashvayka>
Status: RESOLVED FIXED    
Severity: Minor CC: ashvayka, ews-watchlist, keith_miller, mark.lam, msaboff, ross.kirsling, saam, tzagallo, webkit-bug-importer, ysuzuki
Priority: P2 Keywords: InRadar
Version: WebKit Nightly Build   
Hardware: All   
OS: All   
See Also: https://bugs.webkit.org/show_bug.cgi?id=155404
Attachments:
Description Flags
Patch
none
Patch
none
Patch
none
Patch none

isol2
Reported 2018-04-14 12:41:04 PDT
Hi everyone, I found a case of inconsistent assertions violated in this test case. Tag: 606.1.9.4 OS: ubuntu 16.04 x86 Reproduce steps: - Run this code: var def = []; var p = new Proxy({foo:1, bar:2}, { defineProperty: function(o, v, desc) { def.push(v); Object.defineProperty(o, v, desc); return true; }}); p.foo = 2; p.bar = 4; p.foo = 2; p.bar = 4; p.foo = 2; p.bar = 4; print(def + '' === "foo,bar"); Expected results false Actual results true JSCore should record all calls to setters "foo" and "bar" (six in total), whose expected effect is to store the string "foo,bar,foo,bar,foo,bar" on variable "def". Therefore, the test should fail under JSCore as it fails in other engines (V8, SpiderMonkey and Chakra) --return value should be true as per test assertion. However, JSCore only stores the first two calls to the setters and the test (incorrectly) passes.
Attachments
Patch (7.88 KB, patch)
2020-04-15 07:55 PDT, Alexey Shvayka 		no flags
DetailsFormatted DiffDiff
Patch (7.95 KB, patch)
2020-04-15 13:27 PDT, Alexey Shvayka 		no flags
DetailsFormatted DiffDiff
Patch (8.45 KB, patch)
2020-04-20 23:57 PDT, Alexey Shvayka 		no flags
DetailsFormatted DiffDiff
Patch (8.40 KB, patch)
2020-04-21 01:01 PDT, Alexey Shvayka 		no flags
DetailsFormatted DiffDiff
Show Obsolete (3) View All Add attachment proposed patch, testcase, etc.
isol2
Comment 1 2018-08-08 08:36:25 PDT
cinfuzz
Alexey Shvayka
Comment 2 2020-04-15 07:55:52 PDT
Created attachment 396533 [details] Patch
Ross Kirsling
Comment 3 2020-04-15 12:09:29 PDT
Comment on attachment 396533 [details] Patch View in context: https://bugs.webkit.org/attachment.cgi?id=396533&action=review > Source/JavaScriptCore/runtime/ObjectConstructor.h:98 > + JSObject* result = constructEmptyObject(globalObject); Huh, did this used to be able to throw? Most callsites don't use a ThrowScope but there's still a good handful of them that do...
Alexey Shvayka
Comment 4 2020-04-15 12:52:26 PDT
(In reply to Ross Kirsling from comment #3) > > Source/JavaScriptCore/runtime/ObjectConstructor.h:98 > > + JSObject* result = constructEmptyObject(globalObject); > > Huh, did this used to be able to throw? I did some ChangeLog digging, seems like it never threw, even `JSObject* prototype` overload. Just a precaution I suppose?
Yusuke Suzuki
Comment 5 2020-04-15 12:55:19 PDT
Comment on attachment 396533 [details] Patch View in context: https://bugs.webkit.org/attachment.cgi?id=396533&action=review >> Source/JavaScriptCore/runtime/ObjectConstructor.h:98 >> + JSObject* result = constructEmptyObject(globalObject); > > Huh, did this used to be able to throw? Most callsites don't use a ThrowScope but there's still a good handful of them that do... This should not throw. You can add `scope.assertNoException();`
Alexey Shvayka
Comment 6 2020-04-15 13:27:04 PDT
Created attachment 396566 [details] Patch Bring back ThrowScope with an assert, set reviewer.
Alexey Shvayka
Comment 7 2020-04-20 23:57:07 PDT
Created attachment 397059 [details] Patch Rebase patch and fix typo in ChangeLog.
Ross Kirsling
Comment 8 2020-04-21 00:50:21 PDT
I wonder if it's overkill to scope.assertNoException() both inside the function as well as outside?
Alexey Shvayka
Comment 9 2020-04-21 01:01:27 PDT
Created attachment 397061 [details] Patch Remove inner scope.assertNoException().
Alexey Shvayka
Comment 10 2020-04-21 01:05:17 PDT
(In reply to Ross Kirsling from comment #8) > I wonder if it's overkill to scope.assertNoException() both inside the > function as well as outside? scope.assertNoException() are more useful outside, and I really like the absence of ThrowScope in constructObjectFromPropertyDescriptor().
Ross Kirsling
Comment 11 2020-04-21 12:09:07 PDT
(In reply to Alexey Shvayka from comment #10) > (In reply to Ross Kirsling from comment #8) > > I wonder if it's overkill to scope.assertNoException() both inside the > > function as well as outside? > > scope.assertNoException() are more useful outside, and I really like the > absence of ThrowScope in constructObjectFromPropertyDescriptor(). Agreed!
EWS
Comment 12 2020-04-21 12:18:41 PDT
Committed r260447: <https://trac.webkit.org/changeset/260447> All reviewed patches have been landed. Closing bug and clearing flags on attachment 397061 [details].
Radar WebKit Bug Importer
Comment 13 2020-04-21 12:19:19 PDT
<rdar://problem/62124337>
Note You need to log in before you can comment on or make changes to this bug.