Bug 49577
| Summary: | Function.prototype should be non-configurable | ||
|---|---|---|---|
| Product: | WebKit | Reporter: | Gavin Barraclough <barraclough> |
| Component: | JavaScriptCore | Assignee: | Nobody <webkit-unassigned> |
| Status: | RESOLVED FIXED | ||
| Severity: | Normal | CC: | ricow |
| Priority: | P2 | ||
| Version: | 528+ (Nightly build) | ||
| Hardware: | PC | ||
| OS: | OS X 10.5 | ||
Gavin Barraclough
JSC lazily allocates the prototype property of Function objects.
We check the prototype exists on 'get', but not on 'put'.
If you 'put' without having first done a 'get' you can end up with a configurable prototype (prototype should only ever be non-configurable).
This is visible in a couple of ways:
* 'delete' on the property may succeed (the next access will result in a new, reset prototype object).
* the prototype may be set to a getter.
Gavin Barraclough
Fixed in http://trac.webkit.org/changeset/72063
Rico
It seems that the change introduces a test that is not consistent with the specification.
The new test file:
LayoutTests/fast/js/script-tests/function-prototype-descriptor.js
Tests that the prototype property on a function is enumerable, which it should not be (see 15.3.5.2 and 13.2 step 18 in the spec).
This was also discussed on the V8 issue tracker:
http://code.google.com/p/v8/issues/detail?id=935
Please let me know if you disagree.
Gavin Barraclough
Hi Rico,
Yes, looks to me like you're right. Should be a quick fix, will roll a patch for JSC & update regression tests.
thanks,
G.
Gavin Barraclough
Many thanks for bringing this to our attention Rico, should be fixed in r72362. Let me know if this doesn't resolve the issues for you.
cheers,
G.
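
An added example, not part of the bug thread or of WebKit's test suite: a standalone JavaScript check of the attributes discussed above (non-configurable per the report, non-enumerable per 15.3.5.2, which also specifies writable), run on both the put-before-get path the report describes and the get-then-put path. The names `checkFunctionPrototype` and `order` are hypothetical.

```javascript
// Added example: returns a list of deviations from the expected attributes
// of a function's own `prototype` property; an empty list means conforming.
function checkFunctionPrototype(order) {
  const f = function () {};            // fresh function, prototype never read
  const replacement = { marker: 1 };   // constructed sample value

  if (order === 'get-first') {
    void f.prototype;                  // 'get' before 'put'
  }
  f.prototype = replacement;           // 'put' (with no earlier 'get' on the put-first path)

  const problems = [];
  const desc = Object.getOwnPropertyDescriptor(f, 'prototype');
  if (desc.configurable) problems.push('configurable');
  if (desc.enumerable) problems.push('enumerable');
  if (desc.writable !== true) problems.push('not a writable data property');

  // First symptom from the report: 'delete' must be refused.
  // Reflect.deleteProperty reports failure as false instead of throwing.
  if (Reflect.deleteProperty(f, 'prototype')) problems.push('delete succeeded');

  // Second symptom: turning the property into a getter must throw TypeError.
  try {
    Object.defineProperty(f, 'prototype', { get() { return null; } });
    problems.push('redefined as getter');
  } catch (e) {
    if (!(e instanceof TypeError)) problems.push('unexpected error: ' + e);
  }

  // Enumerability, the point raised in the follow-up comment.
  if (Object.keys(f).includes('prototype')) problems.push('listed by Object.keys');
  for (const key in f) {
    if (key === 'prototype') problems.push('listed by for-in');
  }

  // The assigned object must survive the rejected operations.
  if (f.prototype !== replacement) problems.push('assigned value lost');
  return problems;
}

for (const order of ['put-first', 'get-first']) {
  const problems = checkFunctionPrototype(order);
  console.log(order + ': ' + (problems.length ? problems.join(', ') : 'ok'));
}
```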