AuroraMiddleware/v8
1
0
Fork 0
Code Issues 2 Pull Requests Releases Wiki Activity

[runtime] Always succeed rewriting SameValue to non-config/writable prop

Browse Source 
Bug: chromium:1383883
Change-Id: I08d5b6c1c841a0f178d214f34bff0d2e973bbb02
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/4031193
Auto-Submit: Toon Verwaest <verwaest@chromium.org>
Reviewed-by: Igor Sheludko <ishell@chromium.org>
Commit-Queue: Igor Sheludko <ishell@chromium.org>
Cr-Commit-Position: refs/heads/main@{#84322}
This commit is contained in:
Toon Verwaest 2022-11-17 11:58:56 +01:00 committed by V8 LUCI CQ
parent 7837b354d3
commit 704ea7ab3c
2 changed files with 32 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

6
src/objects/js-objects.cc
View File

@ -1612,7 +1612,11 @@ Maybe<bool> JSReceiver::ValidateAndApplyPropertyDescriptor(
} }
// 7a ii. If Desc.[[Value]] is present and SameValue(Desc.[[Value]], // 7a ii. If Desc.[[Value]] is present and SameValue(Desc.[[Value]],
// current.[[Value]]) is false, return false. // current.[[Value]]) is false, return false.
if (desc->has_value() && !desc->value()->SameValue(*current->value())) { if (desc->has_value()) {
// We'll succeed applying the property, but the value is already the
// same and the property is read-only, so skip actually writing the
// property. Otherwise we may try to e.g., write to frozen elements.
if (desc->value()->SameValue(*current->value())) return Just(true);
RETURN_FAILURE( RETURN_FAILURE(
isolate, GetShouldThrow(isolate, should_throw), isolate, GetShouldThrow(isolate, should_throw),
NewTypeError(MessageTemplate::kRedefineDisallowed, NewTypeError(MessageTemplate::kRedefineDisallowed,

27
test/mjsunit/regress/regress-crbug-1383883.js Normal file
View File

@ -0,0 +1,27 @@
// Copyright 2022 the V8 project authors. All rights reserved.
// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.
function __isPropertyOfType() {
}
function __getProperties(obj) {
let properties = [];
for (let name of Object.getOwnPropertyNames(obj)) {
properties.push(name);
}
return properties;
}
function __getRandomProperty(obj, seed) {
let properties = __getProperties(obj);
return properties[seed % properties.length];
}
const __v_12 =
[ 2, '3'];
function __f_8() {
if (__v_12 != null && typeof __v_12 == "object") Object.defineProperty(__v_12, __getRandomProperty(__v_12, 416937), {
value: 4294967295
});
}
__f_8();
var __v_15 = Object.freeze(__v_12);
__f_8();