RESOLVED FIXED Bug 173321
DFG doesn't properly handle a property that is change to read only in a prototype 
https://bugs.webkit.org/show_bug.cgi?id=173321
Summary DFG doesn't properly handle a property that is change to read only in a proto...
Michael Saboff
Reported 2017-06-13 12:47:07 PDT
Consider the code: var SimpleObject = function () { this.a = 0; this.b = 1; this.c = 2; } var proto = { p: 100 }; SimpleObject.prototype = proto; var test = function () { var o = new SimpleObject(); o.x = 10; o.y = 11; return o; } The results of calling test() is an object like: { a: 0, b: 1, c: 2, p: 100, x: 10, y: 11 } If you then call Object.defineProperty(proto, "a", { value: 101, writable: false }); The results of calling test() should be an object like: { a: 101, b: 1, c: 2, p: 100, x: 10, y: 11 } The DFG doesn't check for the ReadOnly case and therefore doesn't reflect the change in prototype.
Attachments
Patch (5.23 KB, patch)
2017-06-13 14:23 PDT, Michael Saboff 		fpizlo: review+
DetailsFormatted DiffDiff
View All Add attachment proposed patch, testcase, etc.
Michael Saboff
Comment 1 2017-06-13 14:23:00 PDT
Created attachment 312808 [details] Patch
Michael Saboff
Comment 2 2017-06-13 14:23:21 PDT
<rdar://problem/28476667>
Michael Saboff
Comment 3 2017-06-13 14:52:08 PDT
Committed r218203: <http://trac.webkit.org/changeset/218203>
Michael Saboff
Comment 4 2017-06-13 15:42:42 PDT
*** Bug 162567 has been marked as a duplicate of this bug. ***
Note You need to log in before you can comment on or make changes to this bug.