The put by id caching only has logic to return undefined when a setter is null. The ECMAScript spec requires that a null setter throws a TypeException. The (soon to be) attached test demonstrates the problem.
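The behaviour the report describes, as an added example that is not the bug's attached test: an accessor property with no setter. In ECMAScript, [[Set]] on such a property returns false, so a strict-mode assignment must throw a TypeError while a sloppy-mode assignment is silently ignored. The assignment is repeated in a loop so that an engine's put-by-id inline cache (the path the report says returned undefined instead of throwing) is exercised, not just the uncached first store. All names below are constructed for the example.

```javascript
// Constructed target object: "x" has a getter but no setter, so its
// property descriptor has set === undefined, exactly the null-setter case.
function makeTarget() {
  const o = {};
  Object.defineProperty(o, "x", {
    get() { return 1; },
    configurable: true,
  });
  return o;
}

// Strict-mode assignment to a getter-only accessor must throw a TypeError
// every time, including once the store site is hot and cached. Returns how
// many of n attempts threw.
function strictAssignThrowsCount(n) {
  "use strict";
  const o = makeTarget();
  let thrown = 0;
  for (let i = 0; i < n; i++) {
    try {
      o.x = i;
    } catch (e) {
      if (e instanceof TypeError) thrown++;
      else throw e; // anything other than TypeError is a real failure
    }
  }
  return thrown;
}

// Functions built with the Function constructor are sloppy-mode regardless
// of the caller, which lets the sloppy case live in the same file.
const sloppyAssign = new Function("o", "v", "o.x = v; return o.x;");

// Sloppy-mode assignment is ignored: the getter's value is unchanged.
function sloppyAssignIsIgnored(n) {
  const o = makeTarget();
  for (let i = 0; i < n; i++) {
    if (sloppyAssign(o, i) !== 1) return false;
  }
  return true;
}

// Reflect.set exposes the boolean that [[Set]] returns: false when the
// accessor has no setter, which is what makes strict-mode assignment throw.
function reflectSetResult() {
  return Reflect.set(makeTarget(), "x", 2);
}
```

Run with any engine; a regression of the kind reported would show up as `strictAssignThrowsCount(n)` returning fewer than `n` once the inline cache takes over.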
Created attachment 242855 [details] Test to demonstrate issue
<rdar://problem/19183271>
Created attachment 244949 [details] Patch
Comment on attachment 244949 [details] Patch
View in context: https://bugs.webkit.org/attachment.cgi?id=244949&action=review

r+ modulo style

> Source/JavaScriptCore/runtime/NullSetterFunction.h:27
> +#ifndef NullSetterFunction_h
> +#define NullSetterFunction_h

Remove the extra space.
Committed r178696: <http://trac.webkit.org/changeset/178696>
Comment on attachment 244949 [details] Patch
View in context: https://bugs.webkit.org/attachment.cgi?id=244949&action=review

> Source/JavaScriptCore/runtime/NullSetterFunction.cpp:96
> +ConstructType NullSetterFunction::getConstructData(JSCell*, ConstructData& constructData)
> +{
> + constructData.native.function = constructReturnUndefined;
> + return ConstructTypeHost;
> +}

This looks wrong. A setter can't be called as a constructor, can it? I don't think your test covers this case, either. You should probably remove the constructor path.
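Review bot: The getConstructData override in the NullSetterFunction.cpp:96 hunk reports ConstructTypeHost with constructReturnUndefined, so `new` applied to the null-setter function would succeed and yield undefined rather than fail; since a setter is never a constructor, returning ConstructTypeNone and dropping constructReturnUndefined is the safer shape, and if the construct path is kept on purpose the attached test should add a `new` attempt so the behaviour is pinned down.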
(In reply to comment #6)
> Comment on attachment 244949 [details]
> Patch
>
> View in context:
> https://bugs.webkit.org/attachment.cgi?id=244949&action=review
>
> > Source/JavaScriptCore/runtime/NullSetterFunction.cpp:96
> > +ConstructType NullSetterFunction::getConstructData(JSCell*, ConstructData& constructData)
> > +{
> > + constructData.native.function = constructReturnUndefined;
> > + return ConstructTypeHost;
> > +}
>
> This looks wrong. A setter can't be called as a constructor, can it? I don't
> think your test covers this case, either. You should probably remove the
> constructor path.

Filed <https://bugs.webkit.org/show_bug.cgi?id=140708> - "Eliminate construct methods from NullGetterFunction and NullSetterFunction classes" to track removing the constructor path.