Reviewers: kpreid2,

Description:
https://code.google.com/p/chromium/issues/detail?id=374327
https://gist.github.com/getify/22ac00ba029e707f19f5
demonstrate that setting a function's prototype with defineProperty
updates its descriptor but not its actual value.

Please review this at https://codereview.appspot.com/96420043/

Affected files (+43, -3 lines):
  M     src/com/google/caja/ses/repairES5.js


Index: src/com/google/caja/ses/repairES5.js
===================================================================
--- src/com/google/caja/ses/repairES5.js        (revision 5685)
+++ src/com/google/caja/ses/repairES5.js        (working copy)
@@ -2706,6 +2706,31 @@
     }
   }

+  /**
+   * Tests for https://code.google.com/p/chromium/issues/detail?id=374327
+   * https://gist.github.com/getify/22ac00ba029e707f19f5
+   * which reports that setting a function's prototype with
+   * defineProperty can update its descriptor without updating the
+   * actual value.
+   */
+  function test_DEFINE_PROPERTY_CONFUSES_FUNC_PROTO() {
+    function bar(){}
+    Object.defineProperty(bar,'prototype',{value:2,writable:false});
+    var desc = Object.getOwnPropertyDescriptor(bar, 'prototype');
+    if (desc.value !== 2) {
+        return 'Unexpected descriptor from setting a function\'s ' +
+          'protptype with defineProperty: ' + JSON.stringify(desc);
+    }
+    if (bar.prototype === 2) {
+      return false;
+    } else if (typeof bar.prototype === 'object') {
+      return true;
+    } else {
+      return 'Unexpected result of setting a function\'s prototype ' +
+        'with defineProperty: ' + typeof bar.prototype;
+    }
+  }
+
   ////////////////////// Repairs /////////////////////
   //
   // Each repair_NAME function exists primarily to repair the problem
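Review bot: The diagnostic string in the first early return of test_DEFINE_PROPERTY_CONFUSES_FUNC_PROTO misspells "prototype" as "protptype", and that return is indented eight spaces while the rest of the function body uses six. Suggest `return 'Unexpected descriptor from setting a function\'s ' +` followed by `'prototype with defineProperty: ' + JSON.stringify(desc);` at the six-space indent. The message is only a diagnostic, but it is what gets recorded in the repair report, so it should read correctly.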
@@ -2724,8 +2749,9 @@
   var isExtensible = Object.isExtensible;

   /*
-   * Fixes both FUNCTION_PROTOTYPE_DESCRIPTOR_LIES and
-   * DEFINING_READ_ONLY_PROTO_FAILS_SILENTLY.
+   * Fixes FUNCTION_PROTOTYPE_DESCRIPTOR_LIES,
+   * DEFINING_READ_ONLY_PROTO_FAILS_SILENTLY and
+   * DEFINE_PROPERTY_CONFUSES_FUNC_PROTO.
    */
   function repair_DEFINE_PROPERTY() {
     function repairedDefineProperty(base, name, desc) {
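Review bot: The updated comment states that repair_DEFINE_PROPERTY now also fixes DEFINE_PROPERTY_CONFUSES_FUNC_PROTO, but this diff changes no code in repair_DEFINE_PROPERTY, whose body continues outside the hunk; the claim presumably rests on the existing repairedDefineProperty already comparing the defined value against what the native defineProperty actually installed. If that check only runs in the FUNCTION_PROTOTYPE_DESCRIPTOR_LIES path, the new problem would be registered as repairable without being repaired, which the post-repair test run should expose. A sentence in this comment naming the check in repairedDefineProperty that covers the new case would make the claim verifiable to the next reader.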
@@ -4399,6 +4425,20 @@
           // TODO(kpreid): link Microsoft info page when available
       sections: ['8.12.6'],
       tests: []  // TODO(kpreid): contribute tests
+    },
+    {
+      id: 'DEFINE_PROPERTY_CONFUSES_FUNC_PROTO',
+      description: 'Setting a function\'s prototype with defineProperty ' +
+        'doesn\'t change its value',
+      test: test_DEFINE_PROPERTY_CONFUSES_FUNC_PROTO,
+      repair: repair_DEFINE_PROPERTY,
+      preSeverity: severities.UNSAFE_SPEC_VIOLATION,
+      canRepair: true,
+      urls:
+      ['https://code.google.com/p/chromium/issues/detail?id=374327',
+       'https://gist.github.com/getify/22ac00ba029e707f19f5'],
+      sections: [],
+      tests: []  // TODO(kpreid): contribute tests
     }
   ];

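Review bot: `sections: []` leaves the new problem record without a spec citation, whereas the sibling entry above cites '8.12.6'; the behaviour under test is [[DefineOwnProperty]] applied to a function's prototype property, so the ES5 clause for [[DefineOwnProperty]] (8.12.9, if I recall the numbering correctly) belongs there. The `urls:` key also departs from the sibling entries' layout by placing the array on the following line; `urls: ['https://code.google.com/p/chromium/issues/detail?id=374327',` with the second URL aligned under the first would match. The UNSAFE_SPEC_VIOLATION severity looks right, since a defineProperty that reports a value it did not install undermines the freezing SES relies on.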
@@ -4449,7 +4489,7 @@
       strictForEachFn(supportedProblems, ses._repairer.registerProblem);
       ses._repairer.testAndRepair();
     }
-
+
     var reports = ses._repairer.getReports();

     // Made available to allow for later code reusing our diagnoses to work


