[Webkit-unassigned] [Bug 222538] New: Object.defineProperties triggering a setter

[bugzilla-daemon at webkit.org]

https://bugs.webkit.org/show_bug.cgi?id=222538

            Bug ID: 222538
           Summary: Object.defineProperties triggering a setter
           Product: WebKit
           Version: Safari Technology Preview
          Hardware: Mac (Intel)
                OS: macOS 11
            Status: NEW
          Severity: Normal
          Priority: P2
         Component: JavaScriptCore
          Assignee: webkit-unassigned at lists.webkit.org
          Reporter: erights at gmail.com

Created attachment 421790

  --> https://bugs.webkit.org/attachment.cgi?id=421790&action=review

Screenshot of debugger state caught in buggy behavior

See https://github.com/Agoric/SES-shim/pull/592

The SES Demo console, after previously having worked on Safari Technology Preview, suddenly started failing with an infinite recursion. This instrumented variation of the PR in which this started failing catches when `Object.defineProperties` causes a setter to be called. The `Object.defineProperties` is attempting to convert `Array.prototype.toString` from a data property to an accessor property, after `Object.prototype.toString` has been similarly converted. Violating the semantics of `defineProperties`, it causes the setter of the `Object.prototype.toString` accessor property to be called. There follows some screenshots examining this state from within the debugger.

This is on Safari Technology Preview
Release 121 (Safari 14.2, WebKit 16612.1.4.3)

-- 
You are receiving this mail because:
You are the assignee for the bug.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.webkit.org/pipermail/webkit-unassigned/attachments/20210301/80d1a82a/attachment.htm>