RESOLVED FIXED 154175
Fast path in JSObject::defineOwnIndexedProperty() forgets to check for the possibility of a descriptor that doesn’t have a value
https://bugs.webkit.org/show_bug.cgi?id=154175
Filip Pizlo
Reported 2016-02-12 11:00:14 PST
Patch forthcoming.
Attachments
the patch (3.02 KB, patch)
2016-02-12 11:02 PST, Filip Pizlo
ggaren: review+
Filip Pizlo
Comment 1 2016-02-12 11:02:32 PST
Created attachment 271190 [details] the patch
Geoffrey Garen
Comment 2 2016-02-12 11:09:25 PST
Comment on attachment 271190 [details] the patch

r=me
Geoffrey Garen
Comment 3 2016-02-12 11:13:27 PST
I know that there's a large test suite you're working on, which will reveal this bug -- meeting the WebKit requirement for tests with patches. Still, it seems like it would be nice to add a reduced test case here.
Filip Pizlo
Comment 4 2016-02-12 11:21:36 PST
(In reply to comment #3)
> I know that there's a large test suite you're working on, which will reveal
> this bug -- meeting the WebKit requirement for tests with patches. Still, it
> seems like it would be nice to add a reduced test case here.

I agree - for some reason at first I thought that the test would be hard because of the sparse indexing issue. It's actually not:

var array = [];
array[10000000] = 42;
Object.defineProperty(array, 10000000, {configurable: true, enumerable: true, writable: true});
var result = array[10000000];
if (result != 42)
    throw "Error: bad result: " + result;

That crashes on trunk.
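The rule that the reduced test in comment 4 exercises, written as a regression check. This is an added example, not part of the original thread or the WebKit patch, and it goes beyond the single sparse-array case to cover other index layouts. The helper names and every case other than index 10000000 are assumptions.

```javascript
// Added example (not from the bug thread or the WebKit patch).
// Per ECMAScript, defining a property with a descriptor that has no "value"
// field must keep an existing property's value, and must create a missing
// property with value undefined.

// Hypothetical helper: apply a value-less descriptor and report the outcome.
function defineWithoutValue(target, index, attrs) {
  const existed = Object.prototype.hasOwnProperty.call(target, index);
  const before = target[index];
  Object.defineProperty(target, index, attrs);
  const desc = Object.getOwnPropertyDescriptor(target, index);
  return { existed, before, after: desc.value, read: target[index], desc };
}

// Constructed cases. Index 10000000 is the one from the reduced test; the
// other storage shapes are assumptions added to widen coverage.
function makeCases() {
  const sparse = [];
  sparse[10000000] = 42;
  return [
    { name: 'sparse, existing', target: sparse, index: 10000000 },
    { name: 'dense, existing', target: [7, 8, 9], index: 1 },
    { name: 'hole', target: [7, , 9], index: 1 },
    { name: 'past end', target: [7], index: 5 },
    { name: 'plain object', target: { 3: 'x' }, index: 3 },
  ];
}

// Returns the names of cases where the engine lost or invented a value.
function findViolations() {
  const attrs = { configurable: true, enumerable: true, writable: true };
  const violations = [];
  for (const c of makeCases()) {
    const r = defineWithoutValue(c.target, c.index, attrs);
    const expected = r.existed ? r.before : undefined;
    if (r.after !== expected || r.read !== expected) violations.push(c.name);
  }
  return violations;
}

console.log(findViolations());
```

A conforming engine reports no violations; a non-empty list names the index layouts where a value-less descriptor changed or invented a value.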
Filip Pizlo
Comment 5 2016-02-12 11:51:05 PST