[Webkit-unassigned] [Bug 163338] New: Array.prototype.slice should not modify frozen objects

bugzilla-daemon at webkit.org bugzilla-daemon at webkit.org
Wed Oct 12 10:01:46 PDT 2016 

https://bugs.webkit.org/show_bug.cgi?id=163338

            Bug ID: 163338
           Summary: Array.prototype.slice should not modify frozen objects
    Classification: Unclassified
           Product: WebKit
           Version: WebKit Local Build
          Hardware: Unspecified
                OS: Unspecified
            Status: NEW
          Severity: Normal
          Priority: P2
         Component: JavaScriptCore
          Assignee: webkit-unassigned at lists.webkit.org
          Reporter: mark.lam at apple.com

The ES6 spec for Array.prototype.slice (https://tc39.github.io/ecma262/#sec-array.prototype.slice) states that it uses the CreateDataPropertyOrThrow() (https://tc39.github.io/ecma262/#sec-createdatapropertyorthrow) to add items to the result array.  The spec for CreateDataPropertyOrThrow states:

"This abstract operation creates a property whose attributes are set to the same defaults used for properties created by the ECMAScript language assignment operator. Normally, the property will not already exist. If it does exist and is not configurable or if O is not extensible, [[DefineOwnProperty]] will return false causing this operation to throw a TypeError exception."

Array.prototype.slice also uses a Set function (https://tc39.github.io/ecma262/#sec-set-o-p-v-throw) to set the "length" property and passes true for the Throw argument.  Ultimately, it ends up calling the OrdinarySet function (https://tc39.github.io/ecma262/#sec-ordinaryset) that will fail if the property is not writable.  This failure should result in a TypeError being thrown in Set.

Since the properties of frozen objects are not extensible, not configurable, and not writeable, Array.prototype.slice should fail to write to the result array if it is frozen.

-- 
You are receiving this mail because:
You are the assignee for the bug.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.webkit.org/pipermail/webkit-unassigned/attachments/20161012/7852a188/attachment.html>

More information about the webkit-unassigned mailing list