[Webkit-unassigned] [Bug 266611] New: Object.defineProperties fast path causes values to be assigned to incorrect property

bugzilla-daemon at webkit.org bugzilla-daemon at webkit.org
Mon Dec 18 18:09:17 PST 2023


https://bugs.webkit.org/show_bug.cgi?id=266611

            Bug ID: 266611
           Summary: Object.defineProperties fast path causes values to be
                    assigned to incorrect property
           Product: WebKit
           Version: WebKit Nightly Build
          Hardware: Unspecified
                OS: Unspecified
            Status: NEW
          Severity: Normal
          Priority: P2
         Component: JavaScriptCore
          Assignee: webkit-unassigned at lists.webkit.org
          Reporter: jarred at jarredsumner.com

If the following code is added to ObjectConstructor.cpp:922 https://github.com/WebKit/WebKit/blob/0345820aee4313ca1a9ec8f7d9e77ebe92c7dd4c/Source/JavaScriptCore/runtime/ObjectConstructor.cpp#L922

```cpp
// Sanity check: the fast path should have collected exactly one descriptor
// per enumerated property. size_t values are printed with %zu.
if (descriptors.size() != numProperties) {
  printf("bad! %zu and %zu\n", static_cast<size_t>(descriptors.size()), static_cast<size_t>(numProperties));
  RELEASE_ASSERT(false);
}
```

It prints `bad! 31 and 30` when given an object like this https://github.com/oven-sh/bun/blob/e33003f2e27a243aff566e4a5f062ac6e0d1b2bc/src/js/node/readline.js#L2657-L2867


If `index++` is added to this code, it works as expected: https://github.com/WebKit/WebKit/blob/0345820aee4313ca1a9ec8f7d9e77ebe92c7dd4c/Source/JavaScriptCore/runtime/ObjectConstructor.cpp#L896-L897

```cpp
if (UNLIKELY(!withoutSideEffect)) {
  // Reporter's proposed change: advance index before leaving the fast path.
  index++;
  break;
}
```

This bug does not occur when the fast path is not in use.
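An added regression check for the class of defect this report describes (example code, not from the bug report, Bun or WebKit): it builds a descriptor map with many data properties, supplies one entry in the middle through a getter on the map itself (a property read with side effects, which is assumed here to be enough to force the engine off the fast path part-way through), and then verifies that every defined property received the value intended for its own key. The property names and sizes are constructed.

```javascript
// Build a descriptor map of `count` entries for Object.defineProperties.
// The entry at `getterIndex` is an accessor on the map, so reading it runs
// user code during the engine's iteration over the map.
function buildDescriptorMap(count, getterIndex) {
  const map = {};
  for (let i = 0; i < count; i++) {
    const key = `prop${i}`;
    const descriptor = { value: `value-of-${key}`, enumerable: true };
    if (i === getterIndex) {
      // Accessor on the map itself (assumed to leave the fast path).
      Object.defineProperty(map, key, {
        enumerable: true,
        get() { return descriptor; },
      });
    } else {
      map[key] = descriptor;
    }
  }
  return map;
}

// Define all properties on a fresh object and report every key whose value
// does not match the one its own descriptor carried. A correct engine
// returns an empty list; the off-by-one described above would show up as
// keys holding a neighbouring property's value.
function checkDefineProperties(count, getterIndex) {
  const target = Object.defineProperties({}, buildDescriptorMap(count, getterIndex));
  const mismatches = [];
  for (let i = 0; i < count; i++) {
    const key = `prop${i}`;
    const expected = `value-of-${key}`;
    if (target[key] !== expected) {
      mismatches.push({ key, expected, actual: target[key] });
    }
  }
  return mismatches;
}

console.log(checkDefineProperties(30, 15)); // [] on a correct engine
```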
