Bug 208708

Summary:

@putByValDirect does not perform [[DefineOwnProperty]] correctly

Product:

WebKit

Reporter:

Alexey Shvayka <ashvayka>

Component:

JavaScriptCore

Assignee:

Alexey Shvayka <ashvayka>

Status:

RESOLVED FIXED

Severity:

Minor

CC:

commit-queue, darin, ews-watchlist, keith_miller, mark.lam, msaboff, saam, tzagallo, webkit-bug-importer, ysuzuki

Priority:

Keywords:

InRadar

Version:

WebKit Nightly Build

Hardware:

All

OS:

All

Bug Depends on:

Bug Blocks:

163446

Attachments:

Description	Flags
Patch	none
Patch	none
Patch	none

Alexey Shvayka

Reported 2020-03-06 05:49:13 PST

CreateDataPropertyOrThrow (https://tc39.es/ecma262/#sec-createdatapropertyorthrow), called on property with descriptor: 1. {writable: false, configurable: true} Expected: results in {value, writable: true, enumerable: true, configurable: true} Actual: TypeError is thrown (seems like [[Set]] is performed instead) ECMA262: https://tc39.es/ecma262/#sec-validateandapplypropertydescriptor (step 9.a) Test262: https://test262.report/browse/built-ins/Array/of/does-not-use-set-for-indices.js 2. {writable: true, configurable: false} or {set: function() {}, configurable: false} Expected: should throw TypeError Actual: results in {value, writable: true, enumerable: true, configurable: true} (seems like descriptor validation is skipped) ECMA262: https://tc39.es/ecma262/#sec-validateandapplypropertydescriptor (step 4.a) Test262: https://test262.report/browse/built-ins/Array/prototype/filter/target-array-with-non-configurable-property.js https://test262.report/browse/built-ins/Array/prototype/map/target-array-with-non-configurable-property.js

Attachments
Patch (12.33 KB, patch) 2020-03-06 06:01 PST, Alexey Shvayka	no flags	Details Formatted Diff Diff
Patch (12.03 KB, patch) 2020-03-08 17:05 PDT, Alexey Shvayka	no flags	Details Formatted Diff Diff
Patch (12.24 KB, patch) 2020-03-09 12:03 PDT, Alexey Shvayka	no flags	Details Formatted Diff Diff
Show Obsolete (2) View All Add attachment proposed patch, testcase, etc.

Alexey Shvayka

Comment 1 2020-03-06 06:01:10 PST

Created attachment 392713 [details] Patch

Yusuke Suzuki

Comment 2 2020-03-08 01:49:40 PST

Can you measure JetStream2 score (by 6 times runs) to see the effect of this patch?

Alexey Shvayka

Comment 3 2020-03-08 17:01:35 PDT

(In reply to Yusuke Suzuki from comment #2) > Can you measure JetStream2 score (by 6 times runs) to see the effect of this patch? Geometric mean of 6 hot JetStream2 runs (60°C CPU temp, MacBookAir8,1): trunk: 109.810 patch: 110.567

Alexey Shvayka

Comment 4 2020-03-08 17:05:30 PDT

Created attachment 393001 [details] Patch Add note on JetStream2 results.

Yusuke Suzuki

Comment 5 2020-03-09 00:11:04 PDT

Comment on attachment 393001 [details] Patch View in context: https://bugs.webkit.org/attachment.cgi?id=393001&action=review r=me with ChangeLog change. > Source/JavaScriptCore/ChangeLog:10 > + This change fixes @putByValDirect to perform [[DefineOwnProperty]] per spec [1] while preserving > + existing behavior for Arguments exotic objects (thus the checks order in canDoFastPutDirectIndex), > + aligning JSC with V8 and SpiderMonkey. Can you describe what is changed in detail?

Alexey Shvayka

Comment 6 2020-03-09 12:03:10 PDT

Created attachment 393060 [details] Patch Set reviewer and make ChangeLog more detailed.

WebKit Commit Bot

Comment 7 2020-03-09 16:17:47 PDT

Comment on attachment 393060 [details] Patch Clearing flags on attachment: 393060 Committed r258170: <https://trac.webkit.org/changeset/258170>

WebKit Commit Bot

Comment 8 2020-03-09 16:17:48 PDT

All reviewed patches have been landed. Closing bug.

Radar WebKit Bug Importer

Comment 9 2020-03-09 16:18:18 PDT

<rdar://problem/60248529>

Note You need to log in before you can comment on or make changes to this bug.