Bug 221177 - Attempting to [[Set]] JSArray's read-only "length" should throw even with current [[Value]]
Summary: Attempting to [[Set]] JSArray's read-only "length" should throw even with cur...
Status: RESOLVED FIXED
Alias: None
Product: WebKit
Classification: Unclassified
Component: JavaScriptCore (show other bugs)
Version: WebKit Nightly Build
Hardware: All All
: P2 Minor
Assignee: Alexey Shvayka
URL:
Keywords: InRadar
Depends on:
Blocks:
 
Reported: 2021-01-30 06:00 PST by NWU_NISL
Modified: 2022-02-05 16:16 PST (History)
10 users (show)

See Also:

Attachments
Patch (8.79 KB, patch)
2022-02-05 13:16 PST, Alexey Shvayka 		saam: review+
Details | Formatted Diff | Diff
View All Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.
Description NWU_NISL 2021-01-30 06:00:58 PST 
#version: d940b47

#Testcase
var a=[1,2];
Object.freeze(a); 
var b=a.push(); 
print(b);

#Command:
./webkit/WebKitBuild/Release/bin/jsc testcase.js

#Output:
2

#Expected output:
TypeError: "length" is read-only

# Description
When executing this test case, a is frozen in the second line, so an error should be thrown when executing Array.prototype.push, but JavaScriptCore outputs normally.
Comment 1 Yusuke Suzuki 2021-01-30 12:17:46 PST 
setLength should throw an error even if it is setting the same length if length is readonly.
This bug does not break the invariant of freezing (error will not happen only when the setting length equals to the existing length.) But it is strictly speaking not aligned to the spec.

var a=[1,2];
Object.freeze(a); 
a.push(2); // Throwing an error correctly since it is pushing a value and changing length actually.
Comment 2 Radar WebKit Bug Importer 2021-02-06 06:01:13 PST 
<rdar://problem/74059121>
Comment 3 Alexey Shvayka 2022-02-05 13:16:52 PST 
Created attachment 450997 [details]
Patch
Comment 4 Saam Barati 2022-02-05 13:22:04 PST 
Comment on attachment 450997 [details]
Patch

View in context: https://bugs.webkit.org/attachment.cgi?id=450997&action=review

r=me

> Source/JavaScriptCore/ChangeLog:13
> +          a) it's the only callee of setLengthWithArrayStorage() that performs [[DefineOwnProperty]],

callee -> caller
Comment 5 Alexey Shvayka 2022-02-05 13:42:48 PST 
Comment on attachment 450997 [details]
Patch

View in context: https://bugs.webkit.org/attachment.cgi?id=450997&action=review

> JSTests/stress/array-prototype-methods-set-length.js:98
> +            Array.defineProperty(testObject, "length", { writable: false });

Oops, of course it throws, will fix.

I will tighten expected error messages in a follow-up, which will make read-only "length" error messages consistent.
Comment 6 Alexey Shvayka 2022-02-05 16:14:56 PST 
Committed r289164 (246860@trunk): <https://commits.webkit.org/246860@trunk>
Comment 7 Alexey Shvayka 2022-02-05 16:16:28 PST 
(In reply to Saam Barati from comment #4)
> Comment on attachment 450997 [details]
> Patch
> 
> View in context:
> https://bugs.webkit.org/attachment.cgi?id=450997&action=review
> 
> r=me
> 
> > Source/JavaScriptCore/ChangeLog:13
> > +          a) it's the only callee of setLengthWithArrayStorage() that performs [[DefineOwnProperty]],
> 
> callee -> caller

Fixed, and the tests too.
Also, exporting some of them to test262 so the V8 team would fix the bug as well: https://github.com/tc39/test262/pull/3400.

Thanks Saam!