Bug 247723
| Summary: | `Symbol.toPrimitive` in property access | ||
|---|---|---|---|
| Product: | WebKit | Reporter: | Kanguk Lee <p51lee> |
| Component: | JavaScriptCore | Assignee: | Nobody <webkit-unassigned> |
| Status: | RESOLVED WONTFIX | ||
| Severity: | Normal | CC: | mark.lam, ross.kirsling, webkit-bug-importer, ysuzuki |
| Priority: | P2 | Keywords: | InRadar |
| Version: | WebKit Local Build | ||
| Hardware: | Mac (Apple Silicon) | ||
| OS: | macOS 13 | ||
Kanguk Lee
// input.js
null [ { [ Symbol . toPrimitive ] : () => { REF_ERR; } } ] ;
________________________________________________________________
Hello,
Running `input.js` should throw `ReferenceError`.
However, running it using WebKit JavaScriptCore throws `TypeError`:
---
$ jsc input.js
Exception: TypeError: null is not an object (evaluating 'null [ { [ Symbol . toPrimitive ] : () => { REF_ERR; } } ]')
global code@input.js:2:5
---
According to [ECMAScript 2022 spec section 13.3.2.1](https://262.ecma-international.org/13.0/#prod-3HizunKA), **EvaluatePropertyAccessWithIdentifierKey** is called in line 4, where *baseValue* is `null` and *Expression* is `{ [ Symbol . toPrimitive ] : () => { REF_ERR; } }`:
In line 3 of section [13.3.3](https://262.ecma-international.org/13.0/#sec-evaluate-property-access-with-expression-key), **ToPropertyKey** is called, where *propertyNameValue* is an evaluated value of `expression` (i.e. `{ [ Symbol . toPrimitive ] : () => { REF_ERR; } }`). By the way, `TypeError` caused by reading a property of `null` can be thrown after line 4:
Then **ToPrimitive** in the first line of section [7.1.19](https://262.ecma-international.org/13.0/#sec-topropertykey) is executed, with *argument* `{ [ Symbol . toPrimitive ] : () => { REF_ERR; } }`:
Inside the function [**ToPrimitive**](https://262.ecma-international.org/13.0/#sec-toprimitive), now *input* is `{ [ Symbol . toPrimitive ] : () => { REF_ERR; } }` so `exoticToPrim` in line 1-a becomes `() => { REF_ERR; }`.
Finally in line 1-b-iv, **Call**ing *exoticToPrim* leads to `ReferenceError` since `REF_ERR` is not defined.
Interestingly, V8 has the same bug:
---
$ node input.js
input.js:1
null [ { [ Symbol . toPrimitive ] : () => { REF_ERR; } } ] ;
^
TypeError: Cannot read properties of null (reading '#<Object>')
at Object.<anonymous> (input.js:1:6)
at Module._compile (node:internal/modules/cjs/loader:1159:14)
at Module._extensions..js (node:internal/modules/cjs/loader:1213:10)
at Module.load (node:internal/modules/cjs/loader:1037:32)
at Module._load (node:internal/modules/cjs/loader:878:12)
at Function.executeUserEntryPoint [as runMain] (node:internal/modules/run_main:81:12)
at node:internal/main/run_main_module:23:47
Node.js v18.11.0
---
WebKit version: 615.1.10
Radar WebKit Bug Importer
<rdar://problem/102206485>
Ross Kirsling
This is a TypeError in all engines, so this would not be web compatible to fix. Please raise an issue at https://github.com/tc39/ecma262 if you think the spec requires a web reality fix.
Ross Kirsling
(In reply to Ross Kirsling from comment #2)
> This is a TypeError in all engines, so this would not be web compatible to
> fix. Please raise an issue at https://github.com/tc39/ecma262 if you think
> the spec requires a web reality fix.
Oops, the issue already exists: https://github.com/tc39/ecma262/issues/2659
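
A probe for the ordering discussed in this report, added here as an example; it is not part of the original bug thread or of WebKit's code, and `makeKey` and `probe` are hypothetical helper names. It records which observable steps run before the exception is thrown, so an engine's behaviour can be compared with the spec steps the reporter cites.

```javascript
// Added example: which observable step runs first when evaluating base[key]?
// makeKey and probe are hypothetical helpers, not taken from the bug report.

function makeKey(trace) {
  // Object key whose ToPrimitive hook records that it ran, then fails the
  // same way the report's test case does: by reading an undeclared name.
  return {
    [Symbol.toPrimitive]() {
      trace.push("ToPropertyKey");
      return REF_ERR; // undeclared identifier -> ReferenceError
    },
  };
}

function probe(base) {
  const trace = [];
  let error = null;
  try {
    // The comma expressions log evaluation of the base and of the key
    // expression; the hook in makeKey logs the key coercion itself.
    (trace.push("base"), base)[(trace.push("keyExpr"), makeKey(trace))];
  } catch (e) {
    error = e.name;
  }
  return { trace, error };
}

// Constructed inputs: the null base from the report, undefined, and an
// ordinary object as the control case where key coercion must happen.
const results = {
  nullBase: probe(null),
  undefinedBase: probe(undefined),
  objectBase: probe({}),
};

for (const [label, r] of Object.entries(results)) {
  console.log(label, r.error, r.trace.join(" -> "));
}
```

If the key coercion ran before the base check, as the reporter reads the ES2022 text, the `null` and `undefined` rows would end in `ToPropertyKey` and report `ReferenceError`.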