RESOLVED FIXED Bug 203456
Align JSGlobalObject::defineOwnProperty() with the spec and other runtimes 
https://bugs.webkit.org/show_bug.cgi?id=203456
Summary Align JSGlobalObject::defineOwnProperty() with the spec and other runtimes
yaohouyou
Reported 2019-10-26 03:12:10 PDT
Version: d940b47 Testcase: var NISLFuzzingFunc = function() { var tmp = Object.defineProperty(this, "undefined", { configurable: true, get: function() { return false; } }); print(tmp); }; NISLFuzzingFunc(); Run steps: WebKitBuild/Release/bin/jsc testcase.js Output: [object global] Expected output: Throw TypeError exception Descriptions: According to ECMAScript-262, JSC should throw TypeError exception when run the testcase above. So I suspect it is a bug. The references of ECMAScript-262 are as follows: http://www.ecma-international.org/ecma-262/6.0/index.html#sec-undefined http://www.ecma-international.org/ecma-262/6.0/index.html#sec-definepropertyorthrow http://www.ecma-international.org/ecma-262/6.0/index.html#sec-validateandapplypropertydescriptor
Attachments
Patch (6.70 KB, patch)
2020-02-05 16:51 PST, Robin Morisset 		no flags
DetailsFormatted DiffDiff
Patch (6.41 KB, patch)
2020-02-06 13:28 PST, Robin Morisset 		no flags
DetailsFormatted DiffDiff
WIP (9.79 KB, patch)
2021-02-02 07:30 PST, Alexey Shvayka 		no flags
DetailsFormatted DiffDiff
WIP (25.11 KB, patch)
2021-02-05 14:08 PST, Alexey Shvayka 		no flags
DetailsFormatted DiffDiff
Patch (42.11 KB, patch)
2021-02-11 12:13 PST, Alexey Shvayka 		rmorisset: review+
DetailsFormatted DiffDiff
Show Obsolete (4) View All Add attachment proposed patch, testcase, etc.
Radar WebKit Bug Importer
Comment 1 2019-10-27 18:59:35 PDT
<rdar://problem/56658015>
Robin Morisset
Comment 2 2020-02-05 16:45:56 PST
*** Bug 207310 has been marked as a duplicate of this bug. ***
Robin Morisset
Comment 3 2020-02-05 16:51:07 PST
Created attachment 389902 [details] Patch
Robin Morisset
Comment 4 2020-02-06 13:28:49 PST
Created attachment 389985 [details] Patch From EWS it appears that defineGetter and defineSetter are less dead than I thought. This patch is like the previous one except it does not remove them from JSGlobalObject.h.
Yusuke Suzuki
Comment 5 2020-03-10 01:37:13 PDT
Comment on attachment 389985 [details] Patch Looks like JSC tests etc. are failing. Can you review it?
Yusuke Suzuki
Comment 6 2020-03-10 13:58:34 PDT
/review/revise/s
Alexey Shvayka
Comment 7 2021-02-02 07:30:35 PST
Created attachment 418998 [details] WIP
Alexey Shvayka
Comment 8 2021-02-02 07:39:27 PST
*** Bug 220842 has been marked as a duplicate of this bug. ***
Yusuke Suzuki
Comment 9 2021-02-02 10:45:04 PST
Dupe bug 220842, and change assignee to Alexey.
Alexey Shvayka
Comment 10 2021-02-05 14:08:16 PST
Created attachment 419461 [details] WIP
Alexey Shvayka
Comment 11 2021-02-11 12:13:40 PST
Created attachment 420024 [details] Patch
EWS Watchlist
Comment 12 2021-02-11 12:14:27 PST
This patch modifies the imported WPT tests. Please ensure that any changes on the tests (not coming from a WPT import) are exported to WPT. Please see https://trac.webkit.org/wiki/WPTExportProcess
Robin Morisset
Comment 13 2021-02-17 13:11:11 PST
Comment on attachment 420024 [details] Patch View in context: https://bugs.webkit.org/attachment.cgi?id=420024&action=review This looks good to me overall, thanks for this patch! r=me > Source/JavaScriptCore/llint/LowLevelInterpreter.asm:1345 > + loadp CodeBlock[cfr], scratch It is probably not very important, but the loads of CodeBlock[cfr] and then CodeBlock::m_globalObject are repeated here and in varInjectionCheck, they could probably be factored out of these macros. > Source/JavaScriptCore/runtime/JSGlobalObject.cpp:-1478 > - slot.disallowVMEntry.reset(); We lose this slot.disallowVMEntry.reset() call. I don't understand why it is no longer necessary.
Alexey Shvayka
Comment 14 2021-03-11 15:47:04 PST
(In reply to Robin Morisset from comment #13) > This looks good to me overall, thanks for this patch! > r=me Thank you for reviewing & investigating the stress test failure. > It is probably not very important, but the loads of CodeBlock[cfr] and then > CodeBlock::m_globalObject are repeated here and in varInjectionCheck, they > could probably be factored out of these macros. Yeah, it would be nice to pass a register with global object. However, this would require a) changing signature of 32-bit varInjectionCheck() to accept a register and b) extracting varInjectionCheckWithGlobalObject() / varReadOnlyCheckWithGlobalObject() macros because double load happens only in .pGlobalVarWithVarInjectionChecks branch, which itself is rare. Landing with FIXME comment for now. > We lose this slot.disallowVMEntry.reset() call. I don't understand why it is > no longer necessary. `slot.disallowVMEntry.reset()` was necessary for VMInquiry PropertySlot (please see its constructor), which was removed in favor of using different symbolTableGet().
Alexey Shvayka
Comment 15 2021-03-11 16:08:14 PST
Committed r274308 (235202@main): <https://commits.webkit.org/235202@main>
WebKit Commit Bot
Comment 16 2021-03-12 12:48:11 PST
Re-opened since this is blocked by bug 223134
Amir Mark Jr
Comment 17 2021-03-12 12:51:53 PST
This is reverted because it may have caused an assertion failure with these three tests: stress/global-object-define-own-property.js stress/global-object-define-own-property-put-to-scope.js stress/eval-func-decl-in-frozen-global.js
Alexey Shvayka
Comment 18 2021-03-14 15:21:38 PDT
(In reply to Amir Mark Jr from comment #17) > This is reverted because it may have caused an assertion failure with these > three tests: > > stress/global-object-define-own-property.js > stress/global-object-define-own-property-put-to-scope.js > stress/eval-func-decl-in-frozen-global.js r274406 fixed the failed assertions. Thank you for triaging!
Note You need to log in before you can comment on or make changes to this bug.