[Webkit-unassigned] [Bug 173321] New: DFG doesn't properly handle a property that is changed to read only in a prototype
bugzilla-daemon at webkit.org
Tue Jun 13 12:47:07 PDT 2017
https://bugs.webkit.org/show_bug.cgi?id=173321
Bug ID: 173321
Summary: DFG doesn't properly handle a property that is changed
to read only in a prototype
Product: WebKit
Version: WebKit Nightly Build
Hardware: Unspecified
OS: Unspecified
Status: NEW
Severity: Normal
Priority: P2
Component: JavaScriptCore
Assignee: webkit-unassigned at lists.webkit.org
Reporter: msaboff at apple.com

Consider the code:

    var SimpleObject = function () {
        this.a = 0;
        this.b = 1;
        this.c = 2;
    }

    var proto = { p: 100 };

    SimpleObject.prototype = proto;

    var test = function () {
        var o = new SimpleObject();
        o.x = 10;
        o.y = 11;
        return o;
    }

The result of calling test() is an object like:

    { a: 0, b: 1, c: 2, p: 100, x: 10, y: 11 }

If you then call

    Object.defineProperty(proto, "a", { value: 101, writable: false });

The result of calling test() should be an object like:

    { a: 101, b: 1, c: 2, p: 100, x: 10, y: 11 }

The DFG doesn't check for the ReadOnly case and therefore doesn't reflect the change in prototype.
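
A regression check for the behaviour described in the report, as an added example that is not part of the original message or of WebKit's test suite. It goes slightly beyond the report by also accepting the strict-mode outcome (a TypeError on the store); `checkReadOnlyProto`, `hasOwn` and `WARMUP` are hypothetical names, and the iteration count is an assumption about what it takes to reach an optimizing JIT tier.

```javascript
// Added example, not code from the bug report or from WebKit.
// checkReadOnlyProto, hasOwn and WARMUP are hypothetical names.
const WARMUP = 10000; // assumption: enough calls to reach an optimizing JIT tier
const hasOwn = (o, k) => Object.prototype.hasOwnProperty.call(o, k);

function checkReadOnlyProto() {
  // Same shapes as in the report, rebuilt per call so runs are independent.
  const SimpleObject = function () {
    this.a = 0;
    this.b = 1;
    this.c = 2;
  };
  const proto = { p: 100 };
  SimpleObject.prototype = proto;
  const test = function () {
    const o = new SimpleObject();
    o.x = 10;
    o.y = 11;
    return o;
  };

  // Phase 1: warm up while proto has no "a"; each object gets its own a = 0.
  for (let i = 0; i < WARMUP; i++) {
    const o = test();
    if (o.a !== 0 || !hasOwn(o, "a")) return { ok: false, phase: "warmup", i };
  }

  // Phase 2: the prototype change from the report.
  Object.defineProperty(proto, "a", { value: 101, writable: false });

  // Strict code must throw TypeError on `this.a = 0`; sloppy code must
  // silently skip the store, leaving the inherited read-only value visible.
  const strict = (function () { return this === undefined; })();
  for (let i = 0; i < WARMUP; i++) {
    let o = null;
    try {
      o = test();
    } catch (e) {
      if (!(strict && e instanceof TypeError)) return { ok: false, phase: "after", i };
      continue;
    }
    const stale = strict || o.a !== 101 || hasOwn(o, "a") || o.b !== 1 || o.y !== 11;
    if (stale) return { ok: false, phase: "after", i };
  }
  return { ok: true, strict };
}

console.log(checkReadOnlyProto());
```

A result of `{ ok: false, phase: "after", ... }` means compiled code kept adding an own `a` after the prototype change, which is the symptom the report describes.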