Property setters should not be called for bound arguments list entries.
authormark.lam@apple.com <mark.lam@apple.com@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
Tue, 10 Jan 2017 23:17:42 +0000 (23:17 +0000)
committermark.lam@apple.com <mark.lam@apple.com@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
Tue, 10 Jan 2017 23:17:42 +0000 (23:17 +0000)
https://bugs.webkit.org/show_bug.cgi?id=165631

Reviewed by Filip Pizlo.

JSTests:

* stress/property-setters-should-not-be-called-for-bound-arguments-list-entries.js: Added.

Source/JavaScriptCore:

* builtins/FunctionPrototype.js:
(bind):
- use @putByValDirect to set the bound arguments so that we don't consult the
  prototype chain for setters.

* runtime/IntlDateTimeFormatPrototype.cpp:
(JSC::IntlDateTimeFormatPrototypeGetterFormat):
* runtime/IntlNumberFormatPrototype.cpp:
(JSC::IntlNumberFormatPrototypeGetterFormat):
- no need to create a bound arguments array because these bound functions bind
  no arguments according to the spec.

git-svn-id: https://svn.webkit.org/repository/webkit/trunk@210563 268f45cc-cd09-0410-ab3c-d52691b4dbfc

JSTests/ChangeLog
JSTests/stress/property-setters-should-not-be-called-for-bound-arguments-list-entries.js [new file with mode: 0644]
Source/JavaScriptCore/ChangeLog
Source/JavaScriptCore/builtins/FunctionPrototype.js
Source/JavaScriptCore/runtime/IntlDateTimeFormatPrototype.cpp
Source/JavaScriptCore/runtime/IntlNumberFormatPrototype.cpp

index cd54fa0..2002b75 100644 (file)
@@ -1,3 +1,12 @@
+2017-01-10  Mark Lam  <mark.lam@apple.com>
+
+        Property setters should not be called for bound arguments list entries.
+        https://bugs.webkit.org/show_bug.cgi?id=165631
+
+        Reviewed by Filip Pizlo.
+
+        * stress/property-setters-should-not-be-called-for-bound-arguments-list-entries.js: Added.
+
 2017-01-10  Skachkov Oleksandr  <gskachkov@gmail.com>
 
         Calling async arrow function which is in a class's member function will cause error
diff --git a/JSTests/stress/property-setters-should-not-be-called-for-bound-arguments-list-entries.js b/JSTests/stress/property-setters-should-not-be-called-for-bound-arguments-list-entries.js
new file mode 100644 (file)
index 0000000..d67862f
--- /dev/null
@@ -0,0 +1,8 @@
+Object.defineProperty(Array.prototype, "0", {
+    set: () => {
+        throw "ERROR: setter should not be called for bound arguments list";
+    }
+});
+
+function dummy() { }
+var f = dummy.bind({}, 1, 2, 3, 4);
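Review bot: The test only proves that the prototype setter is not invoked while building the bound-arguments list; it never calls `f`, so a regression that silently drops or reorders the bound values (for example a store that misses `boundArgs` entirely) would still pass. Make `dummy` check what it receives and invoke the bound function: `function dummy(a, b, c, d) { if (a !== 1 || b !== 2 || c !== 3 || d !== 4) throw "ERROR: bound arguments were not forwarded"; }` followed by `var f = dummy.bind({}, 1, 2, 3, 4);` and `f();`. A short header comment naming the bug id from the commit message would also help a reader understand why the `Array.prototype` setter is installed.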
index 50fc8c1..7bcde66 100644 (file)
@@ -1,3 +1,22 @@
+2017-01-10  Mark Lam  <mark.lam@apple.com>
+
+        Property setters should not be called for bound arguments list entries.
+        https://bugs.webkit.org/show_bug.cgi?id=165631
+
+        Reviewed by Filip Pizlo.
+
+        * builtins/FunctionPrototype.js:
+        (bind):
+        - use @putByValDirect to set the bound arguments so that we don't consult the
+          prototype chain for setters.
+
+        * runtime/IntlDateTimeFormatPrototype.cpp:
+        (JSC::IntlDateTimeFormatPrototypeGetterFormat):
+        * runtime/IntlNumberFormatPrototype.cpp:
+        (JSC::IntlNumberFormatPrototypeGetterFormat):
+        - no need to create a bound arguments array because these bound functions binds
+          no arguments according to the spec.
+
 2017-01-10  Skachkov Oleksandr  <gskachkov@gmail.com>
 
         Calling async arrow function which is in a class's member function will cause error
index 879c902..f1ee867 100644 (file)
@@ -72,7 +72,7 @@ function bind(thisValue)
         numBoundArgs = argumentCount - 1;
         boundArgs = @newArrayWithSize(numBoundArgs);
         for (let i = 0; i < numBoundArgs; i++)
-            boundArgs[i] = arguments[i + 1];
+            @putByValDirect(boundArgs, i, arguments[i + 1]);
     }
 
     let length = 0;
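Review bot: The switch to `@putByValDirect` on the new line deserves a why-comment, because a later reader may "simplify" it back to the indexed assignment that reintroduces the bug. Suggest above the loop: `// Use @putByValDirect so the store defines an own element on boundArgs without consulting Array.prototype; a script-installed setter must not observe or intercept the bound arguments.` The rest of `bind` lies outside this hunk, so any other stores into `boundArgs` there should be checked for the same pattern.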
index 8142077..91b5a9a 100644 (file)
@@ -137,12 +137,8 @@ EncodedJSValue JSC_HOST_CALL IntlDateTimeFormatPrototypeGetterFormat(ExecState*
         // a. Let F be a new built-in function object as defined in 12.3.4.
         // b. The value of F’s length property is 1. (Note: F’s length property was 0 in ECMA-402 1.0)
         JSFunction* targetObject = JSFunction::create(vm, globalObject, 1, ASCIILiteral("format"), IntlDateTimeFormatFuncFormatDateTime, NoIntrinsic);
-        JSArray* boundArgs = JSArray::tryCreateUninitialized(vm, globalObject->arrayStructureForIndexingTypeDuringAllocation(ArrayWithUndecided), 0);
-        if (!boundArgs)
-            return JSValue::encode(throwOutOfMemoryError(state, scope));
-
         // c. Let bf be BoundFunctionCreate(F, «this value»).
-        boundFormat = JSBoundFunction::create(vm, state, globalObject, targetObject, dtf, boundArgs, 1, ASCIILiteral("format"));
+        boundFormat = JSBoundFunction::create(vm, state, globalObject, targetObject, dtf, nullptr, 1, ASCIILiteral("format"));
         RETURN_IF_EXCEPTION(scope, encodedJSValue());
         // d. Set dtf.[[boundFormat]] to bf.
         dtf->setBoundFormat(vm, boundFormat);
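Review bot: The new call passes `nullptr` where an (empty) `JSArray*` was previously passed, and nothing in this hunk shows that `JSBoundFunction::create` and the bound-function call path accept a null bound-arguments array; that contract should be confirmed rather than assumed, since a null dereference here would be reachable from script via the `format` getter. If null is the documented "no bound arguments" form, a one-line comment on the create call would make the intent explicit: `// No bound arguments (BoundFunctionCreate(F, «this value»)): pass nullptr instead of allocating an empty array.` The same change and the same question apply to the IntlNumberFormatPrototype.cpp section that follows. Dropping the out-of-memory check is consistent with no longer allocating, so no replacement check is needed.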
index 3128c84..9ea7878 100644 (file)
@@ -125,12 +125,8 @@ EncodedJSValue JSC_HOST_CALL IntlNumberFormatPrototypeGetterFormat(ExecState* st
         // a. Let F be a new built-in function object as defined in 11.3.4.
         // b. The value of F’s length property is 1.
         JSFunction* targetObject = JSFunction::create(vm, globalObject, 1, ASCIILiteral("format"), IntlNumberFormatFuncFormatNumber, NoIntrinsic);
-        JSArray* boundArgs = JSArray::tryCreateUninitialized(vm, globalObject->arrayStructureForIndexingTypeDuringAllocation(ArrayWithUndecided), 0);
-        if (!boundArgs)
-            return JSValue::encode(throwOutOfMemoryError(state, scope));
-
         // c. Let bf be BoundFunctionCreate(F, «this value»).
-        boundFormat = JSBoundFunction::create(vm, state, globalObject, targetObject, nf, boundArgs, 1, ASCIILiteral("format"));
+        boundFormat = JSBoundFunction::create(vm, state, globalObject, targetObject, nf, nullptr, 1, ASCIILiteral("format"));
         RETURN_IF_EXCEPTION(scope, encodedJSValue());
         // d. Set nf.[[boundFormat]] to bf.
         nf->setBoundFormat(vm, boundFormat);