Title: [272411] trunk
- Revision
- 272411
- Author
- [email protected]
- Date
- 2021-02-05 06:26:44 -0800 (Fri, 05 Feb 2021)
Log Message
Object.assign should throw for property creation on non-extensible `target`
https://bugs.webkit.org/show_bug.cgi?id=220712
Reviewed by Ross Kirsling.
JSTests:
* stress/object-assign-fast-path.js:
Source/_javascript_Core:
This performance-neutral change precludes Object.assign from taking the
fast path if `target` is a non-extensible JSFinalObject, which ensures
a TypeError is thrown for property creation via [[Set]].
Aligns JSC with the spec [1], V8, and SpiderMonkey.
[1]: https://tc39.es/ecma262/#sec-validateandapplypropertydescriptor (step 2.a)
* runtime/ObjectConstructor.cpp:
(JSC::JSC_DEFINE_HOST_FUNCTION):
Modified Paths
Diff
Modified: trunk/JSTests/ChangeLog (272410 => 272411)
--- trunk/JSTests/ChangeLog 2021-02-05 13:23:55 UTC (rev 272410)
+++ trunk/JSTests/ChangeLog 2021-02-05 14:26:44 UTC (rev 272411)
@@ -1,3 +1,12 @@
+2021-02-05 Alexey Shvayka <[email protected]>
+
+ Object.assign should throw for property creation on non-extensible `target`
+ https://bugs.webkit.org/show_bug.cgi?id=220712
+
+ Reviewed by Ross Kirsling.
+
+ * stress/object-assign-fast-path.js:
+
2021-02-05 Yusuke Suzuki <[email protected]>
[JSC] JSImmutableButterfly's toString cache should not happen for generic join
Modified: trunk/JSTests/stress/object-assign-fast-path.js (272410 => 272411)
--- trunk/JSTests/stress/object-assign-fast-path.js 2021-02-05 13:23:55 UTC (rev 272410)
+++ trunk/JSTests/stress/object-assign-fast-path.js 2021-02-05 14:26:44 UTC (rev 272411)
@@ -163,3 +163,19 @@
shouldBe(result.hello, 0);
shouldBe(setterCalledWithValue, "world");
}
+{
+ let object = Object.freeze({ foo: 1 });
+ shouldBe(Object.assign(object, {}), object);
+}
+{
+ let object = Object.preventExtensions({ foo: 1 });
+ shouldBe(Object.assign(object, { foo: 2 }), object);
+ shouldBe(object.foo, 2);
+}
+{
+ let object = Object.preventExtensions({ foo: 1 });
+ shouldThrow(() => {
+ Object.assign(object, { bar: 2 });
+ }, `TypeError: Attempted to assign to readonly property.`);
+ shouldBe(object.bar, undefined);
+}
Modified: trunk/Source/_javascript_Core/ChangeLog (272410 => 272411)
--- trunk/Source/_javascript_Core/ChangeLog 2021-02-05 13:23:55 UTC (rev 272410)
+++ trunk/Source/_javascript_Core/ChangeLog 2021-02-05 14:26:44 UTC (rev 272411)
@@ -1,3 +1,21 @@
+2021-02-05 Alexey Shvayka <[email protected]>
+
+ Object.assign should throw for property creation on non-extensible `target`
+ https://bugs.webkit.org/show_bug.cgi?id=220712
+
+ Reviewed by Ross Kirsling.
+
+ This performance-neutral change precludes Object.assign from taking the
+ fast path if `target` is a non-extensible JSFinalObject, which ensures
+ a TypeError is thrown for property creation via [[Set]].
+
+ Aligns JSC with the spec [1], V8, and SpiderMonkey.
+
+ [1]: https://tc39.es/ecma262/#sec-validateandapplypropertydescriptor (step 2.a)
+
+ * runtime/ObjectConstructor.cpp:
+ (JSC::JSC_DEFINE_HOST_FUNCTION):
+
2021-02-05 Yusuke Suzuki <[email protected]>
[JSC] JSImmutableButterfly's toString cache should not happen for generic join
Modified: trunk/Source/_javascript_Core/runtime/ObjectConstructor.cpp (272410 => 272411)
--- trunk/Source/_javascript_Core/runtime/ObjectConstructor.cpp 2021-02-05 13:23:55 UTC (rev 272410)
+++ trunk/Source/_javascript_Core/runtime/ObjectConstructor.cpp 2021-02-05 14:26:44 UTC (rev 272411)
@@ -273,7 +273,7 @@
// FIXME: Extend this for non JSFinalObject. For example, we would like to use this fast path for function objects too.
// https://bugs.webkit.org/show_bug.cgi?id=185358
- bool targetCanPerformFastPut = jsDynamicCast<JSFinalObject*>(vm, target) && target->canPerformFastPutInlineExcludingProto(vm);
+ bool targetCanPerformFastPut = jsDynamicCast<JSFinalObject*>(vm, target) && target->canPerformFastPutInlineExcludingProto(vm) && target->isStructureExtensible(vm);
Vector<RefPtr<UniquedStringImpl>, 8> properties;
MarkedArgumentBuffer values;
_______________________________________________
webkit-changes mailing list
[email protected]
https://lists.webkit.org/mailman/listinfo/webkit-changes
