Bug 236330

Summary: [JSC] OrdinarySet should invoke custom [[Set]] methods for indexed puts
Product: WebKit
Reporter: Alexey Shvayka <ashvayka>
Component: New Bugs
Assignee: Alexey Shvayka <ashvayka>
Status: NEW
Severity: Normal
CC: cdumez, ews-watchlist, keith_miller, mark.lam, msaboff, saam, tzagallo, webkit-bug-importer
Priority: P2
Keywords: InRadar
Version: WebKit Nightly Build
Hardware: Unspecified
OS: Unspecified
Attachments (Description / Flags):
Patch / none
Patch / saam: review-

Description Alexey Shvayka 2022-02-08 14:39:27 PST
[JSC] OrdinarySet should invoke custom [[Set]] methods for indexed puts
Comment 1 Alexey Shvayka 2022-02-08 14:44:35 PST
Created attachment 451306
Patch
Comment 2 Alexey Shvayka 2022-02-09 09:09:32 PST
Created attachment 451388
Patch

Adjust tests.
Comment 3 Saam Barati 2022-02-09 10:37:41 PST
Comment on attachment 451388
Patch

View in context: https://bugs.webkit.org/attachment.cgi?id=451388&action=review

> Source/JavaScriptCore/runtime/JSGenericTypedArrayViewInlines.h:405
> +        if (UNLIKELY(slot.thisValue() != thisObject)) {

can we do the "isThisValueAltered" thing?

> Source/JavaScriptCore/runtime/JSObject.cpp:2899
> +        if (current->structure(vm)->typeInfo().interceptsGetOwnPropertySlotByIndexEvenWhenLengthIsNotZero()) {
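Review bot: the new branch at JSObject.cpp:2899 gates put behaviour on `interceptsGetOwnPropertySlotByIndexEvenWhenLengthIsNotZero()`, a type-info flag whose name describes get-own-property-slot interception rather than [[Set]]; if this flag is genuinely the right signal for custom indexed [[Set]], the `if` should carry a comment stating why, otherwise a dedicated type-info flag for that case would make the intent explicit and avoid coupling put semantics to a get-side flag.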

this is bizarre that we're using this flag to indicate what to do for put. This feels like an inconsistent fix to me.

> Source/JavaScriptCore/runtime/StructureInlines.h:93
> +    if (typeInfo().interceptsGetOwnPropertySlotByIndexEvenWhenLengthIsNotZero())
> +        return true;

this is not the intention of this flag. Now, if you put a typed array in a prototype chain, you're going to "have a bad time". Why is this needed?
Comment 4 Radar WebKit Bug Importer 2022-02-15 14:40:16 PST
<rdar://problem/88988175>