Phabricator will be unavailable due to database maintenance from 14:00 UTC until 18:00 UTC on Saturday, October 13, 2018.
Bugzilla will remain up during this time. All users have been logged out of Bugzilla
Bugzilla will remain up during this time. All users have been logged out of Bugzilla
Status
()
People
(Reporter: anba, Unassigned)
Tracking
(Blocks: 1 bug)
Firefox Tracking Flags
(firefox44 affected)
Details
Test case for [[Get]]:
---
Object.prototype[1] = "inherited";
assertEq(Reflect.get(new Int8Array([10]), 0), 10);
assertEq(Reflect.get(new Int8Array([10]), 1), undefined);
assertEq(Reflect.get(new Int8Array([10]), 0, {}), 10);
assertEq(Reflect.get(new Int8Array([10]), 1, {}), "inherited");
---
Expected: No error thrown
Actual: Error thrown 'Assertion failed: got (void 0), expected "inherited"'
Test case for [[Set]]:
---
Object.defineProperty(Object.prototype, 1, {set(v){ this.result = v }, configurable: true});
var obj = {}, ta = new Int8Array([10]);
assertEq(Reflect.set(ta, 1, 20, obj), true);
assertEq(obj.result, 20);
---
Expected: No error thrown
Actual: Error thrown 'Assertion failed: got (void 0), expected 20"'
Spec:
ES2015 9.4.5.4 [[Get]] and 9.4.5.5 [[Set]] check SameValue(O, Receiver) and only if that test passes all integer indexed accesses go directly to the typed array. A similar check is probably required in LookupOwnPropertyInline [1] (LookupOwnPropertyInline is called by NativeGetPropertyInline and NativeSetProperty)?
[1] https://dxr.mozilla.org/mozilla-central/rev/9605da94e75d61598d3c00f01a12d1b6bc427a6c/js/src/vm/NativeObject-inl.h#450
|
||
Comment 1•3 years ago
|
||
https://github.com/tc39/ecma262/commit/a5af3a626160db63bda2cfd1e797269c3394e905
Status: NEW → RESOLVED
Last Resolved: 3 years ago
Resolution: --- → INVALID
You need to log in
before you can comment on or make changes to this bug.
Description
•