Bug 173321 - DFG doesn't properly handle a property that is changed to read-only in a prototype
Status: RESOLVED FIXED
Alias: None
Product: WebKit
Classification: Unclassified
Component: JavaScriptCore
Version: WebKit Nightly Build
Hardware: Unspecified Unspecified
Importance: P2 Normal
Assignee: Michael Saboff
URL:
Keywords: InRadar
Duplicates: 162567
Depends on:
Blocks:
 
Reported: 2017-06-13 12:47 PDT by Michael Saboff
Modified: 2017-06-13 15:42 PDT

Attachments
Patch (5.23 KB, patch)
2017-06-13 14:23 PDT, Michael Saboff
fpizlo: review+

Description Michael Saboff 2017-06-13 12:47:07 PDT
Consider the code:

var SimpleObject = function () {
    this.a = 0;
    this.b = 1;
    this.c = 2;
}

var proto = { p: 100 };

SimpleObject.prototype = proto;

var test = function () {
    var o = new SimpleObject();
    o.x = 10;
    o.y = 11;
    return o;
}

The result of calling test() is an object like:
    { a: 0, b: 1, c: 2, p: 100, x: 10, y: 11 }

If you then call
    Object.defineProperty(proto, "a", { value: 101, writable: false });

The results of calling test() should be an object like:
    { a: 101, b: 1, c: 2, p: 100, x: 10, y: 11 }

The DFG doesn't check for the ReadOnly case and therefore doesn't reflect the change in the prototype.
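The scenario above as a self-checking regression script: an added example, not the test from the attached patch. The names `checkReadOnlyProto` and `STRICT` are hypothetical, and the assumption that the chosen iteration count is enough to reach an optimizing tier is mine. It also covers strict code, where the ignored store must throw a TypeError instead.

```javascript
// Added example, not WebKit's patch or test. Works in sloppy or strict code.
var STRICT = (function () { return this === undefined; })();

function checkReadOnlyProto(iterations) {
    var SimpleObject = function () {
        this.a = 0;
        this.b = 1;
        this.c = 2;
    };
    var proto = { p: 100 };
    SimpleObject.prototype = proto;

    var test = function () {
        var o = new SimpleObject();
        o.x = 10;
        o.y = 11;
        return o;
    };

    // Warm up so an optimizing tier compiles the stores while `a` is writable.
    var ownBefore = 0;
    for (var i = 0; i < iterations; i++) {
        if (Object.prototype.hasOwnProperty.call(test(), "a")) ownBefore++;
    }

    Object.defineProperty(proto, "a", { value: 101, writable: false });

    // Every later call must honour the read-only prototype property.
    var wrong = 0;
    for (var j = 0; j < iterations; j++) {
        try {
            var o = test();
            // Sloppy code: the store is ignored, so `a` is inherited as 101.
            if (STRICT || o.a !== 101 || Object.prototype.hasOwnProperty.call(o, "a")) wrong++;
        } catch (e) {
            // Strict code: the store must throw a TypeError instead.
            if (!STRICT || !(e instanceof TypeError)) wrong++;
        }
    }
    return { ownBefore: ownBefore, wrong: wrong };
}

var result = checkReadOnlyProto(20000);
console.log(result.wrong === 0 ? "PASS" : "FAIL", JSON.stringify(result));
```

A non-zero `wrong` count means compiled code kept creating an own `a` after the prototype property became read-only.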
Comment 1 Michael Saboff 2017-06-13 14:23:00 PDT
Created attachment 312808
Patch
Comment 2 Michael Saboff 2017-06-13 14:23:21 PDT
<rdar://problem/28476667>
Comment 3 Michael Saboff 2017-06-13 14:52:08 PDT
Committed r218203: <http://trac.webkit.org/changeset/218203>
Comment 4 Michael Saboff 2017-06-13 15:42:42 PDT
*** Bug 162567 has been marked as a duplicate of this bug. ***