Bug 66451
| Summary: | Assigning a value to an existing non-enumerable property of a built-in before accessing it change its [[Enumerable]] attribute to true | ||
|---|---|---|---|
| Product: | WebKit | Reporter: | John-David Dalton <john.david.dalton> |
| Component: | JavaScriptCore | Assignee: | Nobody <webkit-unassigned> |
| Status: | UNCONFIRMED | ||
| Severity: | Normal | CC: | c.hammer, erikcorry, ngockhanhlam87, oliver |
| Priority: | P2 | ||
| Version: | 528+ (Nightly build) | ||
| Hardware: | Unspecified | ||
| OS: | Unspecified | ||
| URL: | http://dl.dropbox.com/u/513327/enum_bug.html | ||
| See Also: | https://bugs.chromium.org/p/v8/issues/detail?id=1623 | ||
John-David Dalton
From the es-discuss posts:
https://mail.mozilla.org/pipermail/es-discuss/2011-August/016290.html
https://mail.mozilla.org/pipermail/es-discuss/2011-August/016293.html
https://mail.mozilla.org/pipermail/es-discuss/2011-August/016298.html
https://mail.mozilla.org/pipermail/es-discuss/2011-August/016306.html
Oliver wrote:
> I suspect that this only applies to builtin properties on objects, as I think JSC has a similar issue.
>
> Speaking for JSC (but i wouldn't be surprised if V8 did something similar) we will delay the creation of the majority of builtin properties until they're actually used, eg. until you actually access Array.prototype.reduce we won't reify the property. A side effect of this is that when you simply assign to the property we skip reification, and so the property attributes are the same as you would get if you were creating a new property.
>
> A simple test would be to see if
> Array.prototype.reduce;
> Array.prototype.reduce = ...
>
> Results in the correct behavior.
I have created a test case here:
http://dl.dropbox.com/u/513327/enum_bug.html
| Attachments | ||
|---|---|---|
| Add attachment proposed patch, testcase, etc. |
John-David Dalton
Related V8 issue:
http://code.google.com/p/v8/issues/detail?id=1623