GetOwnProperty of TypedArray indexed fields is wrongly configurable
authorcommit-queue@webkit.org <commit-queue@webkit.org@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
Tue, 8 Aug 2017 02:29:42 +0000 (02:29 +0000)
committercommit-queue@webkit.org <commit-queue@webkit.org@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
Tue, 8 Aug 2017 02:29:42 +0000 (02:29 +0000)
https://bugs.webkit.org/show_bug.cgi?id=175307

Patch by Robin Morisset <rmorisset@apple.com> on 2017-08-07
Reviewed by Saam Barati.

JSTests:

* stress/typedarray-getownproperty-not-configurable.js: Added.
(assert):
(foo):

Source/JavaScriptCore:

```
let a = new Uint8Array(10);
let b = Object.getOwnPropertyDescriptor(a, 0);
assert(b.configurable === false);
```
should not fail: by section 9.4.5.1 (https://tc39.github.io/ecma262/#sec-integer-indexed-exotic-objects-getownproperty-p)
that applies to integer indexed exotic objects, and section 22.2.7 (https://tc39.github.io/ecma262/#sec-properties-of-typedarray-instances)
that says that typed arrays are integer indexed exotic objects.

* runtime/JSGenericTypedArrayViewInlines.h:
(JSC::JSGenericTypedArrayView<Adaptor>::getOwnPropertySlotByIndex):

git-svn-id: https://svn.webkit.org/repository/webkit/trunk@220377 268f45cc-cd09-0410-ab3c-d52691b4dbfc

JSTests/ChangeLog
JSTests/stress/typedarray-getownproperty-not-configurable.js [new file with mode: 0644]
Source/JavaScriptCore/ChangeLog
Source/JavaScriptCore/runtime/JSGenericTypedArrayViewInlines.h

index ee32d139756f8f06414ba2b39aa77fc35731c29a..a847d810c663716909ef74503db64543c6f5043f 100644 (file)
@@ -1,3 +1,14 @@
+2017-08-07  Robin Morisset  <rmorisset@apple.com>
+
+        GetOwnProperty of TypedArray indexed fields is wrongly configurable
+        https://bugs.webkit.org/show_bug.cgi?id=175307
+
+        Reviewed by Saam Barati.
+
+        * stress/typedarray-getownproperty-not-configurable.js: Added.
+        (assert):
+        (foo):
+
 2017-08-06  Yusuke Suzuki  <utatane.tea@gmail.com>
 
         Promise resolve and reject function should have length = 1
diff --git a/JSTests/stress/typedarray-getownproperty-not-configurable.js b/JSTests/stress/typedarray-getownproperty-not-configurable.js
new file mode 100644 (file)
index 0000000..91fbb5d
--- /dev/null
@@ -0,0 +1,20 @@
+typedArrays = [Int8Array, Uint8Array, Uint8ClampedArray, Int16Array, Uint16Array, Int32Array, Uint32Array, Float32Array, Float64Array];
+
+function assert(cond) {
+    if (!cond)
+        throw new Error("bad assertion!");
+}
+
+function foo() {
+    for (constructor of typedArrays) {
+        let a = new constructor(10);
+        let b = Object.getOwnPropertyDescriptor(a, 0);
+        assert(b.value === 0);
+        assert(b.writable === false);
+        assert(b.enumerable === true);
+        assert(b.configurable === false);
+    }
+}
+
+for (let i = 0; i < 100; i++)
+    foo();
index 9e8e466080264cd33bf1f51a1880cc98087b5697..eda4fc5721d4a715f6ebb5a1a676c9c0ac548e1c 100644 (file)
@@ -1,3 +1,22 @@
+2017-08-07  Robin Morisset  <rmorisset@apple.com>
+
+        GetOwnProperty of TypedArray indexed fields is wrongly configurable
+        https://bugs.webkit.org/show_bug.cgi?id=175307
+
+        Reviewed by Saam Barati.
+
+        ```
+        let a = new Uint8Array(10);
+        let b = Object.getOwnPropertyDescriptor(a, 0);
+        assert(b.configurable === false);
+        ```
+        should not fail: by section 9.4.5.1 (https://tc39.github.io/ecma262/#sec-integer-indexed-exotic-objects-getownproperty-p) 
+        that applies to integer indexed exotic objects, and section 22.2.7 (https://tc39.github.io/ecma262/#sec-properties-of-typedarray-instances)
+        that says that typed arrays are integer indexed exotic objects.
+
+        * runtime/JSGenericTypedArrayViewInlines.h:
+        (JSC::JSGenericTypedArrayView<Adaptor>::getOwnPropertySlotByIndex):
+
 2017-08-07  Filip Pizlo  <fpizlo@apple.com>
 
         Baseline JIT should do caging
index 1fd731879c6f0f2ca52dbec485ac06b7b4138de1..bd639b7c55dec0c6ea0c1eacd853f6ef9bb88d0a 100644 (file)
@@ -458,7 +458,7 @@ bool JSGenericTypedArrayView<Adaptor>::getOwnPropertySlotByIndex(
     if (!thisObject->canGetIndexQuickly(propertyName))
         return false;
     
-    slot.setValue(thisObject, None, thisObject->getIndexQuickly(propertyName));
+    slot.setValue(thisObject, DontDelete, thisObject->getIndexQuickly(propertyName));
     return true;
 }