<html>
<head>
<base href="https://bugs.webkit.org/" />
</head>
<body>
<p>
<div>
<b><a class="bz_bug_link
bz_status_NEW "
title="NEW - [test262] Fixing mapped arguments object property test case"
href="https://bugs.webkit.org/show_bug.cgi?id=159398#c43">Comment # 43</a>
on <a class="bz_bug_link
bz_status_NEW "
title="NEW - [test262] Fixing mapped arguments object property test case"
href="https://bugs.webkit.org/show_bug.cgi?id=159398">bug 159398</a>
from <span class="vcard"><a class="email" href="mailto:ticaiolima@gmail.com" title="Caio Lima <ticaiolima@gmail.com>"> <span class="fn">Caio Lima</span></a>
</span></b>
<pre>Comment on <span class=""><a href="attachment.cgi?id=284985&action=diff" name="attach_284985" title="Patch">attachment 284985</a> <a href="attachment.cgi?id=284985&action=edit" title="Patch">[details]</a></span>
Patch
View in context: <a href="https://bugs.webkit.org/attachment.cgi?id=284985&action=review">https://bugs.webkit.org/attachment.cgi?id=284985&action=review</a>
<span class="quote">>> Source/JavaScriptCore/ChangeLog:11
>> + cannot be deleted when argument "i" is not configurable.
>
> Shouldn't being non-configurable mean you can't be deleted?</span >
Yes. The current behavior is not following this rule.
<span class="quote">>> Source/JavaScriptCore/ChangeLog:14
>> + aliased xor stored in a JSObject with attributes. This patch changes
>
> what does it mean to be aliased in this situation?</span >
Aliased I mean that for example:
```
((a) => {
print(a); // prints 2
print(arguments[0]); prints 2
a = 3;
print(a); // prints 3
print(arguments[0]); // prints 3 because it is aliased with a
})(2);
<span class="quote">>> Source/JavaScriptCore/ChangeLog:18
>> + attribute is true. It is important realize that when the attribute is
>
> Really? I thought it can't be deleted if configurable is false. That's how normal objects work, anyways.</span >
I think I was not very clear in this ChangeLog. What I am trying to say is that when {configurable: false}, the member can't be deleted. In the current behavior it is not true and when arguments object isn't aliases with parameters, delete operations succeed, which is against specification.
<span class="quote">>> Source/JavaScriptCore/runtime/GenericArgumentsInlines.h:145
>> + PropertySlot slot(thisObject, PropertySlot::InternalMethodType::GetOwnProperty);
>
> Seems like this should be ::VMInquiry. ::GetOwnProperty is allowed to do arbitrary side effects.</span >
I am going to change it now. Also, as Darin Adler commented above, it is also not optimized.
<span class="quote">>> Source/JavaScriptCore/runtime/GenericArgumentsInlines.h:238
>> + if ((descriptor.writablePresent() && !descriptor.writable()) || descriptor.isAccessorDescriptor())
>
> Why do we care about it being non-writable? I thought for deleting a property, we care about it being configurable?</span >
This logic here is not related with {configurable}. In this current Patch, the configurable case is checked on lines 192 - 180. Here we are controlling the aliasing of "arguments" object. Checking the specification (<a href="http://www.ecma-international.org/ecma-262/7.0/index.html#sec-createunmappedargumentsobject">http://www.ecma-international.org/ecma-262/7.0/index.html#sec-createunmappedargumentsobject</a>), all indexed elements from arguments are "writable: true", which means that they are aliased by default. To stop the aliasing, "descriptor.writable" need to be present and false.</pre>
</div>
</p>
<hr>
<span>You are receiving this mail because:</span>
<ul>
<li>You are the assignee for the bug.</li>
</ul>
</body>
</html>