RESOLVED FIXED 163302
Array.prototype.concat should not modify frozen objects 
https://bugs.webkit.org/show_bug.cgi?id=163302
Summary Array.prototype.concat should not modify frozen objects
Mark Lam
Reported 2016-10-11 15:26:58 PDT
The ES6 spec for Array.prototype.concat states that it uses the CreateDataPropertyOrThrow() to add items to the result array. The spec for CreateDataPropertyOrThrow states: "This abstract operation creates a property whose attributes are set to the same defaults used for properties created by the ECMAScript language assignment operator. Normally, the property will not already exist. If it does exist and is not configurable or if O is not extensible, [[DefineOwnProperty]] will return false causing this operation to throw a TypeError exception." Since the properties of frozen objects are not extensible nor configurable, Array.prototype.concat should fail to write to the result array if it is frozen. Ref: https://tc39.github.io/ecma262/#sec-array.prototype.concat, https://tc39.github.io/ecma262/#sec-createdatapropertyorthrow, and https://tc39.github.io/ecma262/#sec-createdataproperty.
Attachments
proposed patch. (8.44 KB, patch)
2016-10-11 15:36 PDT, Mark Lam 		fpizlo: review+
DetailsFormatted DiffDiff
View All Add attachment proposed patch, testcase, etc.
Mark Lam
Comment 1 2016-10-11 15:36:58 PDT
Created attachment 291307 [details] proposed patch.
Mark Lam
Comment 2 2016-10-11 15:53:59 PDT
Thanks for the review. I'm going to change the attached test to only runFTLNoCJIT before landing. It doesn't need to run with other configurations.
Mark Lam
Comment 3 2016-10-11 16:28:51 PDT
Landed in r207178: <http://trac.webkit.org/r207178>.
Note You need to log in before you can comment on or make changes to this bug.