[Webkit-unassigned] [Bug 38636] Object.defineProperty doesn't respect attributes when applied to the Global Object

bugzilla-daemon at webkit.org bugzilla-daemon at webkit.org
Wed Nov 3 06:07:57 PDT 2010


https://bugs.webkit.org/show_bug.cgi?id=38636
--- Comment #4 from Kent Hansen <kent.hansen at nokia.com>  2010-11-03 06:07:57 PST ---
Hi Xan, thanks for your interest in this issue. :-)

It looks like the valueBefore/valueAfter logic dates back to the patch for https://bugs.webkit.org/show_bug.cgi?id=17067 (http://trac.webkit.org/changeset/30534), although code has changed/moved around since then. Maybe Darin could comment on what this actually does.

It seems like this part

    if (valueAfter)
        JSObject::putWithAttributes(exec, propertyName, valueAfter, attributes);

relies on putWithAttributes() updating the attributes of the existing property (since the previous put() created it with no attributes).

This is the bug reported in https://bugs.webkit.org/show_bug.cgi?id=40613. As I commented there, a potential fix would be to make JSObject::putWithAttributes() update the attributes in case the property already exists (just like it does for the value).

Simply removing the call to put() seems a bit risky since JSObject::put() has a lot more logic than JSObject::putWithAttributes().
For example, your testcase should have something like

Object.defineProperty(this, "__proto__", {value:123})

As per JSObject::put(), "Setting __proto__ to a non-object, non-null value is silently ignored to match Mozilla". (I just checked with V8 and they also match this behavior for defineProperty(O, "__proto__")).

You should also check what happens when the property exists as a getter/setter in the prototype chain, since JSObject::put() has logic for that too.

this.__proto__ = {};
this.__proto__.__defineGetter__("foo", function() { return this._x; });
this.__proto__.__defineSetter__("foo", function(v) { this._x = v; });
Object.defineProperty(this, "foo", { value: 123, configurable: true, writable: true });
this.hasOwnProperty("foo"); // FALSE!

I.e. currently (without your patch) the property will not be defined on the Global Object, but will rather invoke the foo setter in the prototype chain. This is different from the behavior for normal objects, where Object.defineProperty() _will_ create a new property on the object itself, even if there is a setter in the prototype chain. This is a different bug, but I don't see how it can be fixed so long as JSGlobalObject::putWithAttributes() calls JSObject::put()...

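An added check, not from this thread or from WebKit's sources, that exercises the two cases Kent describes above: defining a data property while an accessor of the same name sits on the prototype, and defining "__proto__" as a data property. The helper names and the "foo"/123 values are constructed for the example; on a conforming engine the inherited setter is never invoked, the requested attributes survive, and the real [[Prototype]] is left alone.

```javascript
"use strict";

// Put an accessor pair named `name` on `proto` whose setter counts
// how often it is invoked (constructed helper for this example).
function installCountingAccessor(proto, name) {
  const log = { setterCalls: 0 };
  Object.defineProperty(proto, name, {
    get() { return this["_" + name]; },
    set(v) { log.setterCalls += 1; this["_" + name] = v; },
    configurable: true,
  });
  return log;
}

// Define `name` on `target` as a non-writable, non-enumerable data
// property while an accessor of the same name sits on its prototype,
// then report what actually happened. A conforming engine creates an
// own property with exactly the requested attributes and never calls
// the prototype setter; the global-object bug in the thread instead
// routed the define through put(), which found the inherited setter.
// The accessor and the property are removed again before returning.
function probeDefineProperty(target, name) {
  const proto = Object.getPrototypeOf(target);
  const log = installCountingAccessor(proto, name);
  Object.defineProperty(target, name, {
    value: 123, writable: false, enumerable: false, configurable: true,
  });
  const desc = Object.getOwnPropertyDescriptor(target, name);
  const result = {
    ownProperty: Object.prototype.hasOwnProperty.call(target, name),
    setterCalls: log.setterCalls,
    value: desc && desc.value,
    writable: desc && desc.writable,
    enumerable: desc && desc.enumerable,
  };
  delete target[name];
  delete proto[name];
  return result;
}

// The __proto__ variant from the thread: defining "__proto__" as a
// data property must not change the object's actual [[Prototype]].
function probeDefineProtoAsData(target) {
  const before = Object.getPrototypeOf(target);
  Object.defineProperty(target, "__proto__", { value: 123, configurable: true });
  const unchanged = Object.getPrototypeOf(target) === before;
  delete target.__proto__; // drops the own data property, if one was created
  return unchanged;
}

console.log(probeDefineProperty(Object.create({}), "foo")); // plain object
console.log(probeDefineProperty(globalThis, "foo"));        // the global object
console.log(probeDefineProtoAsData(Object.create({})));
```

Running the same probe on a plain object and on `globalThis` makes the discrepancy Kent describes visible as a difference in `ownProperty` and `setterCalls` rather than as a bare `hasOwnProperty` result.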