Bug 80577

Summary: Object.freeze broken on latest Nightly
Product: WebKit Reporter: Mark S. Miller <erights>
Component: JavaScriptCoreAssignee: Gavin Barraclough <barraclough>
Status: RESOLVED FIXED    
Severity: Major CC: barraclough, erights, oliver
Priority: P1    
Version: 528+ (Nightly build)   
Hardware: Unspecified   
OS: Unspecified   
URL: http://es-lab.googlecode.com/svn/trunk/src/ses/explicit.html
Attachments:
Description Flags
Fix
oliver: review+
More fixed! oliver: review+

Mark S. Miller
Reported 2012-03-07 23:51:56 PST
When executing the following three lines on Safari Version 5.1.3 (7534.53.10), the last correctly returned true. On WebKit Nightly Version 5.1.3 (7534.53.10, r110098), it gives false, which is wrong. > function foo(){} > Object.freeze(foo); > Object.isFrozen(foo); The problem seems to be the prototype property. On WebKit Nightly > JSON.stringify(Object.getOwnPropertyDescriptor(foo, 'prototype')) {"value":{},"writable":true,"enumerable":false,"configurable":false} On Safari, we instead get the correct "writable":false For some reason, it seems this same problem manifests differently on http://es-lab.googlecode.com/svn/trunk/src/ses/explicit.html When freezing a particular function with a writable non-configurable prototype, this page now throws "TypeError: Attempting to change access mechanism for an unconfigurable property" on this latest Nightly. It did not do so on last night's Nightly. From the nature of this symptom, I'm not sure that the problem is with the 'prototype' property specifically, since the error doesn't say what property it is complaining about. Regardless, it is never correct from Object.freeze itself to fail because of (non) configurability. All the state changes it causes are always allowed.
Attachments
Fix (5.12 KB, patch)
2012-03-09 18:50 PST, Gavin Barraclough 		oliver: review+
DetailsFormatted DiffDiff
More fixed! (12.99 KB, patch)
2012-03-19 14:03 PDT, Gavin Barraclough 		oliver: review+
DetailsFormatted DiffDiff
View All Add attachment proposed patch, testcase, etc.
Gavin Barraclough
Comment 1 2012-03-08 13:56:21 PST
Ugh, will look into this. I'm guessing this is related to the fact the prototype property is added lazily, but haven't figured out exactly what went wrong here. Cheers for the bug report Mark.
Gavin Barraclough
Comment 2 2012-03-09 18:50:43 PST
Created attachment 131147 [details] Fix
Gavin Barraclough
Comment 3 2012-03-11 11:58:25 PDT
Fixed in r110396
Mark S. Miller
Comment 4 2012-03-12 04:24:01 PDT
On r110411 visiting http://es-lab.googlecode.com/svn/trunk/src/ses/explicit.html I'm still seeing TypeError: Attempting to change access mechanism for an unconfigurable property thrown when freezing a function. Reopening.
Gavin Barraclough
Comment 5 2012-03-12 10:00:52 PDT
Gah, I bet I know what this is. The problem is probably preventExtension then freeze.
Gavin Barraclough
Comment 6 2012-03-19 14:03:07 PDT
Created attachment 132663 [details] More fixed!
Gavin Barraclough
Comment 7 2012-03-19 14:40:12 PDT
Fixed in r111250 - last time I forgot to check http://eslab.googlecode.com/svn/trunk/src/ses/explicit.html - this time I did, & looks like all is good, so hopefully this bug is fully fixed now! Thanks for the bug report Mark, cheers, G.
Note You need to log in before you can comment on or make changes to this bug.