[Webkit-unassigned] [Bug 247723] New: `Symbol.toPrimitive` in property access

bugzilla-daemon at webkit.org bugzilla-daemon at webkit.org
Thu Nov 10 02:47:09 PST 2022


https://bugs.webkit.org/show_bug.cgi?id=247723

            Bug ID: 247723
           Summary: `Symbol.toPrimitive` in property access
           Product: WebKit
           Version: WebKit Local Build
          Hardware: Mac (Apple Silicon)
                OS: macOS 13
            Status: NEW
          Severity: Normal
          Priority: P2
         Component: JavaScriptCore
          Assignee: webkit-unassigned at lists.webkit.org
          Reporter: p51lee at kaist.ac.kr

// input.js
null [ { [ Symbol . toPrimitive ] : () => { REF_ERR; } } ] ;
________________________________________________________________

Hello,

Running `input.js` should throw `ReferenceError`.
However, running it using WebKit JavaScriptCore throws `TypeError`:

---
$ jsc input.js
Exception: TypeError: null is not an object (evaluating 'null [ { [ Symbol . toPrimitive ] : () => { REF_ERR; } } ]')
global code at input.js:2:5
---

According to [ECMAScript 2022 spec section 13.3.2.1](https://262.ecma-international.org/13.0/#prod-3HizunKA), **EvaluatePropertyAccessWithIdentifierKey** is called in line 4, where *baseValue* is `null` and *Expression* is `{ [ Symbol . toPrimitive ] : () => { REF_ERR; } }`:


In line 3 of section [13.3.3](https://262.ecma-international.org/13.0/#sec-evaluate-property-access-with-expression-key), **ToPropertyKey** is called, where *propertyNameValue* is the evaluated value of `expression` (i.e. `{ [ Symbol . toPrimitive ] : () => { REF_ERR; } }`). By the way, the `TypeError` caused by reading a property of `null` can be thrown after line 4:

Then **ToPrimitive** in the first line of section [7.1.19](https://262.ecma-international.org/13.0/#sec-topropertykey) is executed, with *argument* `{ [ Symbol . toPrimitive ] : () => { REF_ERR; } }`:

Inside the function [**ToPrimitive**](https://262.ecma-international.org/13.0/#sec-toprimitive), now *input* is `{ [ Symbol . toPrimitive ] : () => { REF_ERR; } }` so `exoticToPrim` in line 1-a becomes `() => { REF_ERR; }`.
Finally, in line 1-b-iv, **Call**ing *exoticToPrim* leads to `ReferenceError` since `REF_ERR` is not defined.
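
The evaluation order walked through above, modelled in plain JavaScript as an added example (not part of the original report): `memberAccessSpec` follows the ES2022 steps as read here, running ToPropertyKey before the base is checked, and `probe` runs the same access through the engine's own `base[expr]` so the two orders can be compared side by side. All function names are assumptions made for this example.

```javascript
// Added example: a small model of ES2022 EvaluatePropertyAccessWithExpressionKey
// (13.3.3) followed by GetValue, next to the engine's native behaviour, so the
// order of ToPropertyKey vs. the null check can be observed. Names are assumed.

// ToPrimitive(input, hint), limited to the Symbol.toPrimitive path (7.1.1 step 1).
function toPrimitiveSpec(input, hint = "string") {
  if (input === null || (typeof input !== "object" && typeof input !== "function")) {
    return input;                                           // already primitive
  }
  const exoticToPrim = input[Symbol.toPrimitive];           // step 1-a
  if (exoticToPrim !== undefined && exoticToPrim !== null) {
    const result = exoticToPrim.call(input, hint);          // step 1-b-iv: may throw
    if (typeof result !== "object" || result === null) return result;
    throw new TypeError("Symbol.toPrimitive returned an object");
  }
  return String(input);                                     // OrdinaryToPrimitive, approximated
}

// ToPropertyKey(argument) (7.1.19): ToPrimitive with hint string, then symbol or string.
function toPropertyKeySpec(value) {
  const key = toPrimitiveSpec(value, "string");             // step 1
  return typeof key === "symbol" ? key : String(key);
}

// base[expr] per the ES2022 text: the property key is computed while the
// Reference Record is built (13.3.3 step 3); only GetValue then rejects a
// null/undefined base. So a throwing @@toPrimitive wins over the TypeError.
function memberAccessSpec(baseValue, expressionValue) {
  const propertyKey = toPropertyKeySpec(expressionValue);
  if (baseValue === null || baseValue === undefined) {
    throw new TypeError(`${baseValue} is not an object`);   // GetValue -> ToObject
  }
  return Object(baseValue)[propertyKey];
}

// Run one computed member access and record what is observable: whether the
// key's @@toPrimitive ran, and which exception type finally surfaced.
function probe(access, base = null) {
  const trace = [];
  const key = {
    [Symbol.toPrimitive]() {
      trace.push("toPrimitive");
      throw new ReferenceError("REF_ERR is not defined");   // stands in for `REF_ERR;`
    },
  };
  try { access(base, key); } catch (e) { trace.push(e.constructor.name); }
  return trace;
}

const engineAccess = (base, expr) => base[expr];            // the engine's own semantics
console.log(probe(memberAccessSpec));   // spec model: [ 'toPrimitive', 'ReferenceError' ]
console.log(probe(engineAccess));       // engine: which error comes first here?
```

With a non-null base both paths agree, which isolates the disagreement to the ordering of ToPropertyKey against the object-coercibility check.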

Interestingly, V8 has the same bug:

---
$ node input.js
input.js:1
null [ { [ Symbol . toPrimitive ] : () => { REF_ERR; } } ] ;
     ^

TypeError: Cannot read properties of null (reading '#<Object>')
    at Object.<anonymous> (input.js:1:6)
    at Module._compile (node:internal/modules/cjs/loader:1159:14)
    at Module._extensions..js (node:internal/modules/cjs/loader:1213:10)
    at Module.load (node:internal/modules/cjs/loader:1037:32)
    at Module._load (node:internal/modules/cjs/loader:878:12)
    at Function.executeUserEntryPoint [as runMain] (node:internal/modules/run_main:81:12)
    at node:internal/main/run_main_module:23:47

Node.js v18.11.0
---

WebKit version: 615.1.10
