[runtime] Always succeed rewriting SameValue to non-config/writable prop

Bug: chromium:1383883 Change-Id: I08d5b6c1c841a0f178d214f34bff0d2e973bbb02 Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/4031193 Auto-Submit: Toon Verwaest <verwaest@chromium.org> Reviewed-by: Igor Sheludko <ishell@chromium.org> Commit-Queue: Igor Sheludko <ishell@chromium.org> Cr-Commit-Position: refs/heads/main@{#84322}
2022-11-17 11:58:56 +01:00 · 2022-11-17 11:58:56 +01:00 · 704ea7ab3c
commit 704ea7ab3c
parent 7837b354d3
2 changed files with 32 additions and 1 deletions
--- a/src/objects/js-objects.cc
+++ b/src/objects/js-objects.cc
@ -1612,7 +1612,11 @@ Maybe<bool> JSReceiver::ValidateAndApplyPropertyDescriptor(
      }
      // 7a ii. If Desc.[[Value]] is present and SameValue(Desc.[[Value]],
      // current.[[Value]]) is false, return false.
-      if (desc->has_value() && !desc->value()->SameValue(*current->value())) {
+      if (desc->has_value()) {
+        // We'll succeed applying the property, but the value is already the
+        // same and the property is read-only, so skip actually writing the
+        // property. Otherwise we may try to e.g., write to frozen elements.
+        if (desc->value()->SameValue(*current->value())) return Just(true);
        RETURN_FAILURE(
            isolate, GetShouldThrow(isolate, should_throw),
            NewTypeError(MessageTemplate::kRedefineDisallowed,
--- a/test/mjsunit/regress/regress-crbug-1383883.js
+++ b/test/mjsunit/regress/regress-crbug-1383883.js
@ -0,0 +1,27 @@
+// Copyright 2022 the V8 project authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+function __isPropertyOfType() {
+}
+function __getProperties(obj) {
+  let properties = [];
+  for (let name of Object.getOwnPropertyNames(obj)) {
+ properties.push(name);
+  }
+  return properties;
+}
+function __getRandomProperty(obj, seed) {
+  let properties = __getProperties(obj);
+  return properties[seed % properties.length];
+}
+const __v_12 =
+[ 2, '3'];
+function __f_8() {
+  if (__v_12 != null && typeof __v_12 == "object") Object.defineProperty(__v_12, __getRandomProperty(__v_12, 416937), {
+    value: 4294967295
+  });
+}
+  __f_8();
+  var __v_15 = Object.freeze(__v_12);
+  __f_8();