RESOLVED FIXED 221177
Attempting to [[Set]] JSArray's read-only "length" should throw even with current [[Value]]
https://bugs.webkit.org/show_bug.cgi?id=221177
NWU_NISL
Reported 2021-01-30 06:00:58 PST
#version: d940b47

#Testcase
var a=[1,2];
Object.freeze(a);
var b=a.push();
print(b);

#Command:
./webkit/WebKitBuild/Release/bin/jsc testcase.js

#Output:
2

#Expected output:
TypeError: "length" is read-only

# Description
When executing this test case, a is frozen in the second line, so an error should be thrown when executing Array.prototype.push, but JavaScriptCore outputs normally.
Attachments
Patch (8.79 KB, patch)
2022-02-05 13:16 PST, Alexey Shvayka
saam: review+
Yusuke Suzuki
Comment 1 2021-01-30 12:17:46 PST
setLength should throw an error even if it is setting the same length if length is readonly.
This bug does not break the invariant of freezing (error will not happen only when the setting length equals the existing length). But it is strictly speaking not aligned with the spec.

var a=[1,2];
Object.freeze(a);
a.push(2); // Throwing an error correctly since it is pushing a value and changing length actually.
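The spec steps behind the report and comment 1, as an added example that is not part of the bug thread and is not JavaScriptCore code: Array.prototype.push always ends with Set(O, "length", len, true), and that Set rejects a non-writable property without comparing the new value to the current one. specSet, specPush and outcome are hypothetical helper names, and the model leaves out accessors and the prototype chain.

```javascript
// Added example: models the spec steps; it is not JavaScriptCore code.
// specSet, specPush and outcome are hypothetical helper names.

// Set(O, P, V, true) for an own data property or a missing one
// (accessors and the prototype chain are left out of this model).
// As in OrdinarySetWithOwnDescriptor, the writable check comes first and
// V is never compared with the current [[Value]].
function specSet(obj, key, value) {
  const desc = Object.getOwnPropertyDescriptor(obj, key);
  if (desc === undefined) {
    if (!Object.isExtensible(obj)) {
      throw new TypeError(`cannot add "${key}": object is not extensible`);
    }
    Object.defineProperty(obj, key,
      { value, writable: true, enumerable: true, configurable: true });
  } else if (!desc.writable) {
    throw new TypeError(`"${key}" is read-only`);
  } else {
    Object.defineProperty(obj, key, { value });
  }
}

// Array.prototype.push: Set each item at index len, then Set "length".
// The final Set runs even when no items are passed.
function specPush(arr, ...items) {
  let len = arr.length;
  for (const item of items) {
    specSet(arr, String(len), item);
    len += 1;
  }
  specSet(arr, "length", len);
  return len;
}

// Run fn and describe what happened, for side-by-side comparison.
function outcome(fn) {
  try {
    return `returned ${fn()}`;
  } catch (e) {
    return `threw ${e.name}`;
  }
}

const frozen = Object.freeze([1, 2]); // the report's test case
console.log("model :", outcome(() => specPush(frozen)));
console.log("engine:", outcome(() => frozen.push()));
```

The "engine" line shows what the engine running the script does with the same call; an engine with the behaviour reported here prints "returned 2" there.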
Radar WebKit Bug Importer
Comment 2 2021-02-06 06:01:13 PST
Alexey Shvayka
Comment 3 2022-02-05 13:16:52 PST
Saam Barati
Comment 4 2022-02-05 13:22:04 PST
Comment on attachment 450997
Patch

View in context: https://bugs.webkit.org/attachment.cgi?id=450997&action=review

r=me

> Source/JavaScriptCore/ChangeLog:13
> + a) it's the only callee of setLengthWithArrayStorage() that performs [[DefineOwnProperty]],

callee -> caller
Alexey Shvayka
Comment 5 2022-02-05 13:42:48 PST
Comment on attachment 450997
Patch

View in context: https://bugs.webkit.org/attachment.cgi?id=450997&action=review

> JSTests/stress/array-prototype-methods-set-length.js:98
> + Array.defineProperty(testObject, "length", { writable: false });

Oops, of course it throws, will fix.

I will tighten expected error messages in a follow-up, which will make read-only "length" error messages consistent.
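Review bot: At JSTests/stress/array-prototype-methods-set-length.js:98, the quoted line calls Array.defineProperty, which is not a built-in function (defineProperty is a method of Object), so the call itself throws a TypeError and the "length" of testObject is never made read-only. Use Object.defineProperty(testObject, "length", { writable: false }); so that any error the test observes comes from the [[Set]] on "length" rather than from the setup line.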
Alexey Shvayka
Comment 6 2022-02-05 16:14:56 PST
Alexey Shvayka
Comment 7 2022-02-05 16:16:28 PST
(In reply to Saam Barati from comment #4)
> Comment on attachment 450997
> Patch
>
> View in context:
> https://bugs.webkit.org/attachment.cgi?id=450997&action=review
>
> r=me
>
> > Source/JavaScriptCore/ChangeLog:13
> > + a) it's the only callee of setLengthWithArrayStorage() that performs [[DefineOwnProperty]],
>
> callee -> caller

Fixed, and the tests too. Also, exporting some of them to test262 so the V8 team would fix the bug as well: https://github.com/tc39/test262/pull/3400.

Thanks Saam!