Bug 49577 - RESOLVED FIXED
Function.prototype should be non-configurable
https://bugs.webkit.org/show_bug.cgi?id=49577
Gavin Barraclough
Reported 2010-11-15 21:51:25 PST
JSC lazily allocates the prototype property of Function objects. We check the prototype exists on 'get', but not on 'put'. If you 'put' without having first done a 'get' you can end up with a configurable prototype (prototype should only ever be non-configurable). This is visible in a couple of ways:
* 'delete' on the property may succeed. (the next access will result in a new, reset prototype object).
* the prototype may be set to a getter.
Gavin Barraclough
Comment 1 2010-11-15 23:28:11 PST
Rico
Comment 2 2010-11-16 23:22:12 PST
It seems that the change introduces a test that is not consistent with the specification. The new test file:
LayoutTests/fast/js/script-tests/function-prototype-descriptor.js
Tests that the prototype property on a function is enumerable, which it should not be (see 15.3.5.2 and 13.2 step 18 in the spec).
This was also discussed on the V8 issue tracker: http://code.google.com/p/v8/issues/detail?id=935
Please let me know if you disagree.
Gavin Barraclough
Comment 3 2010-11-18 16:54:18 PST
Hi Rico, Yes, looks to me like you're right. Should be a quick fix, will roll a patch for JSC & update regression tests. thanks, G.
Gavin Barraclough
Comment 4 2010-11-18 20:39:51 PST
Many thanks for bringing this to our attention Rico, should be fixed in r72362. Let me know if this doesn't resolve the issues for you. cheers, G.
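The properties discussed in this bug (non-configurable per the report, non-enumerable per comment 2) can be checked from script. The following is an added example, not code from the WebKit patch or its regression test; `EXPECTED`, `probePrototype` and `conforms` are hypothetical names, and it assumes an engine that provides `Reflect`.

```javascript
// Expected attributes of a function's own 'prototype' property
// (ES5 13.2 step 18 and 15.3.5.2, the sections cited in comment 2).
const EXPECTED = { writable: true, enumerable: false, configurable: false };

// probePrototype is a hypothetical helper, not part of any WebKit test.
// putFirst=true assigns to 'prototype' before anything reads it, the
// ordering the report says produced a configurable property.
function probePrototype(putFirst) {
  const fn = function () {};            // fresh function, 'prototype' untouched
  const marker = { marker: true };      // constructed sample value
  if (putFirst) fn.prototype = marker;  // 'put' with no prior 'get'

  // Reflect.* reports failure as false instead of throwing, in any mode.
  const deleted = Reflect.deleteProperty(fn, 'prototype');
  const madeGetter = Reflect.defineProperty(fn, 'prototype', {
    get() { return {}; },
  });

  const desc = Object.getOwnPropertyDescriptor(fn, 'prototype');
  const enumerated = [];
  for (const key in fn) enumerated.push(key);

  return {
    deleted,                            // must be false
    madeGetter,                         // must be false
    isData: desc !== undefined && 'value' in desc,
    attrs: desc && {
      writable: desc.writable,
      enumerable: desc.enumerable,
      configurable: desc.configurable,
    },
    valueKept: !putFirst || fn.prototype === marker,
    seenInForIn: enumerated.includes('prototype'),
  };
}

// True when every observation matches the specified behaviour.
function conforms(r) {
  return !r.deleted && !r.madeGetter && r.isData && r.valueKept &&
    !r.seenInForIn &&
    Object.keys(EXPECTED).every((k) => r.attrs[k] === EXPECTED[k]);
}

for (const putFirst of [false, true]) {
  const r = probePrototype(putFirst);
  console.log(`put before get: ${putFirst} ->`, conforms(r) ? 'PASS' : 'FAIL', r);
}
```

A FAIL on the `put before get: true` row with `deleted` or `madeGetter` set corresponds to the two symptoms listed in the report; `seenInForIn` or `enumerable: true` corresponds to the issue raised in comment 2.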