RESOLVED FIXED 266611
[JSC] Object.defineProperties fast path causes values to be assigned to incorrect property
https://bugs.webkit.org/show_bug.cgi?id=266611
Jarred Sumner
Reported 2023-12-18 18:09:17 PST
If the following code is added to ObjectConstructor.cpp:922 https://github.com/WebKit/WebKit/blob/0345820aee4313ca1a9ec8f7d9e77ebe92c7dd4c/Source/JavaScriptCore/runtime/ObjectConstructor.cpp#L922

```cpp
// Debug check: the descriptor list should hold exactly one entry per property.
if (descriptors.size() != numProperties) {
    // size() is a size_t, so print both operands with %zu rather than %d.
    printf("bad! %zu and %zu\n", descriptors.size(), static_cast<size_t>(numProperties));
    RELEASE_ASSERT(false);
}
```

It prints `bad! 31 and 30` when given an object like this https://github.com/oven-sh/bun/blob/e33003f2e27a243aff566e4a5f062ac6e0d1b2bc/src/js/node/readline.js#L2657-L2867

If `index++` is added to this code, it works as expected: https://github.com/WebKit/WebKit/blob/0345820aee4313ca1a9ec8f7d9e77ebe92c7dd4c/Source/JavaScriptCore/runtime/ObjectConstructor.cpp#L896-L897

```cpp
if (UNLIKELY(!withoutSideEffect)) {
    index++;
    break;
}
```

This bug does not occur when the fast path is not in use.
Dylan Conway
Comment 1 2023-12-21 00:41:49 PST
repro:

```javascript
class InterfaceConstructor { two() {} }
class Interface {}
Object.defineProperties(Interface.prototype, {
  one: { __proto__: null },                           // empty descriptor whose prototype is null
  two: { value: InterfaceConstructor.prototype.two },
});
var interface = new Interface();
print(typeof interface.two);                          // print() is the jsc shell's output function
```

expected print() output: `function`

received print() output: `undefined`
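The following is an added example, not code from the bug report or from WebKit. It is a plain-JavaScript reference implementation of `Object.defineProperties` shaped after the ECMAScript ObjectDefineProperties algorithm: every descriptor object is converted first, and only then are the properties defined, one entry per key. Running the same repro shape through the engine's builtin and through the reference makes the failure mode visible: the report's `31 and 30` count and the fact that `index++` fixes it read as one descriptor being collected twice, after which each later value lands on the preceding name, which is why `two` ends up with the empty descriptor meant for `one`. The names `definePropertiesRef`, `buildRepro`, `compareEngines` and `readsAllDescriptorsFirst` are chosen here; run it under node (or jsc, swapping `console.log` for `print`).

```javascript
// Reference implementation of Object.defineProperties following the spec's
// two-phase structure (added example; not WebKit code).

// ToPropertyDescriptor: read each field of the descriptor object exactly once
// via HasProperty/Get semantics (the `in` operator walks the prototype chain,
// which is why a `{ __proto__: null }` descriptor simply yields {}).
function toPropertyDescriptor(obj) {
  if (Object(obj) !== obj) throw new TypeError("Property description must be an object");
  const desc = {};
  if ("enumerable" in obj) desc.enumerable = Boolean(obj.enumerable);
  if ("configurable" in obj) desc.configurable = Boolean(obj.configurable);
  if ("value" in obj) desc.value = obj.value;
  if ("writable" in obj) desc.writable = Boolean(obj.writable);
  if ("get" in obj) {
    const g = obj.get;
    if (g !== undefined && typeof g !== "function") throw new TypeError("Getter must be a function");
    desc.get = g;
  }
  if ("set" in obj) {
    const s = obj.set;
    if (s !== undefined && typeof s !== "function") throw new TypeError("Setter must be a function");
    desc.set = s;
  }
  if (("get" in desc || "set" in desc) && ("value" in desc || "writable" in desc)) {
    throw new TypeError("Cannot both specify accessors and a value or writable attribute");
  }
  return desc;
}

function definePropertiesRef(target, props) {
  if (Object(target) !== target) throw new TypeError("Object.defineProperties called on non-object");
  const source = Object(props);
  const pending = [];
  // Phase 1: collect one (key, descriptor) pair per enumerable own key.
  for (const key of Reflect.ownKeys(source)) {
    const own = Object.getOwnPropertyDescriptor(source, key);
    if (own === undefined || !own.enumerable) continue;
    pending.push([key, toPropertyDescriptor(source[key])]);
  }
  // Phase 2: define in the same order. Because the list has exactly one entry
  // per key, a descriptor can never shift onto a neighbouring property name.
  for (const [key, desc] of pending) Object.defineProperty(target, key, desc);
  return target;
}

// Constructed repro with the same shape as comment 1: an empty null-prototype
// descriptor followed by a descriptor that carries a value.
function buildRepro(defineProperties) {
  class InterfaceConstructor { two() {} }
  class Interface {}
  defineProperties(Interface.prototype, {
    one: { __proto__: null },
    two: { value: InterfaceConstructor.prototype.two },
  });
  return new Interface();
}

// typeof of .two under the engine builtin and under the reference. Both should
// be "function"; comment 1 reports "undefined" from the builtin on an affected
// JavaScriptCore build.
function compareEngines() {
  return {
    native: typeof buildRepro(Object.defineProperties).two,
    reference: typeof buildRepro(definePropertiesRef).two,
  };
}

// Ordering check: all descriptors must be read before any property is defined,
// so a getter on a later descriptor must observe the target still empty.
function readsAllDescriptorsFirst(defineProperties) {
  const target = {};
  const seen = [];
  defineProperties(target, {
    a: { value: 1, enumerable: true },
    b: { get value() { seen.push(Object.keys(target).length); return 2; }, enumerable: true },
  });
  return seen[0] === 0 && target.a === 1 && target.b === 2;
}

console.log(compareEngines(), readsAllDescriptorsFirst(Object.defineProperties));
```

The reference deliberately converts descriptors itself instead of handing the raw descriptor objects to `Object.defineProperty` one at a time; passing them through unconverted would interleave reads and defines and hide exactly the class of ordering mistake this bug is about.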
Radar WebKit Bug Importer
Comment 2 2023-12-25 18:10:14 PST
Yusuke Suzuki
Comment 3 2023-12-26 07:07:42 PST
EWS
Comment 4 2023-12-26 22:16:06 PST
Committed 272508@main (c157345d2b9c): <https://commits.webkit.org/272508@main> Reviewed commits have been landed. Closing PR #22240 and removing active labels.