Array.prototype.reverse should call Set, and throw when [[Set]] fails.

RESOLVED FIXED in Firefox 51

Status

()

Core
JavaScript Engine
P1
normal
RESOLVED FIXED
2 years ago
2 years ago

People

(Reporter: emilio, Assigned: emilio)

Tracking

({regression})

51 Branch
mozilla52
regression
Points:
---
Dependency tree / graph
Bug Flags:
in-testsuite ?

Firefox Tracking Flags

(firefox49 unaffected, firefox50 unaffected, firefox51+ fixed, firefox52+ fixed)

Details

MozReview Requests

()

Submitter Diff Changes Open Issues Last Updated
Loading...
Error loading review requests:

Attachments

(9 attachments)

58 bytes, text/x-review-board-request
nbp
: review+
Details | Review
58 bytes, text/x-review-board-request
nbp
: review+
Details | Review
58 bytes, text/x-review-board-request
nbp
: review+
Details | Review
58 bytes, text/x-review-board-request
nbp
: review+
Details | Review
58 bytes, text/x-review-board-request
nbp
: review+
Details | Review
58 bytes, text/x-review-board-request
nbp
: review+
Details | Review
58 bytes, text/x-review-board-request
nbp
: review+
Details | Review
58 bytes, text/x-review-board-request
nbp
: review+
Details | Review
58 bytes, text/x-review-board-request
jandem
: review+
nbp
: review+
Details | Review
(Assignee)

Description

2 years ago
Test case:

var a = Object.freeze([5, 4]);
a.reverse();

Expected: TypeError per https://tc39.github.io/ecma262/#sec-array.prototype.reverse
Actual result: The array is reversed.
This is actually kind of bad, because it allows to overwrite non-configurable, non-writable properties. And it's also regression, because it's not reproducible in Firefox 49. I wonder if it's caused by bug 1283334...?
status-firefox49: --- → unaffected
status-firefox50: --- → ?
status-firefox51: --- → ?
status-firefox52: --- → affected
Keywords: regression
Keywords: regressionwindow-wanted
Confirmed that 51 is the first affected version. Will try to track down a more specific range.
status-firefox50: ? → unaffected
status-firefox51: ? → affected
(In reply to André Bargull from comment #1)
> I wonder if it's caused by bug 1283334...?

Good call, confirmed with mozregression :)
Blocks: 1283334
Flags: needinfo?(leo)
Keywords: regressionwindow-wanted
Flags: in-testsuite?
(Assignee)

Comment 4

2 years ago
Yeah, in general I feel we should assert !getElementsHeader()->isFrozen() in setDenseElement and pretty much every call in NativeObject where we assert !denseElementsAreCopyOnWrite().

I can try to find some time this week to track this down, since I think this is not exclusive of Array.prototype.reverse, but I can't promise anything just yet.
Yes we should have added these asserts. Emilio, if you don't have time please let us know, someone else will have to take this then.
tracking-firefox51: --- → ?
tracking-firefox52: --- → ?
Priority: -- → P1
Recent javascript regression, tracking for 51
tracking-firefox51: ? → +
tracking-firefox52: ? → +
(Assignee)

Comment 7

2 years ago
I'm trying to fix this.
Assignee: nobody → ecoal95
Comment hidden (mozreview-request)
Comment hidden (mozreview-request)
Comment hidden (mozreview-request)
Comment hidden (mozreview-request)
Comment hidden (mozreview-request)
Comment hidden (mozreview-request)
Comment hidden (mozreview-request)
Comment hidden (mozreview-request)
Comment hidden (mozreview-request)
(Assignee)

Comment 17

2 years ago
Sorry for the storm of review requests, Nicolas, I asked you for review since you reviewed bug 1283334.

Comment 18

2 years ago
mozreview-review
Comment on attachment 8802657 [details]
Bug 1310744: Revert "Bug 1300193: Make existing assertion that no longer holds more flexible. ", but keep the test.

https://reviewboard.mozilla.org/r/86996/#review86186

Thanks!
Attachment #8802657 - Flags: review?(jdemooij) → review+

Comment 19

2 years ago
mozreview-review
Comment on attachment 8802649 [details]
Bug 1310744: Add NativeObject::denseElementsAreFrozen.

https://reviewboard.mozilla.org/r/86980/#review86188
Attachment #8802649 - Flags: review?(nicolas.b.pierron) → review+

Comment 20

2 years ago
mozreview-review
Comment on attachment 8802650 [details]
Bug 1310744: A frozen element has no writable length.

https://reviewboard.mozilla.org/r/86982/#review86190
Attachment #8802650 - Flags: review?(nicolas.b.pierron) → review+

Comment 21

2 years ago
mozreview-review
Comment on attachment 8802652 [details]
Bug 1310744: Bail out from SetOrExtendBoxedOrUnboxedDenseElements if the elements are frozen.

https://reviewboard.mozilla.org/r/86986/#review86192
Attachment #8802652 - Flags: review?(nicolas.b.pierron) → review+

Comment 22

2 years ago
mozreview-review
Comment on attachment 8802651 [details]
Bug 1310744: Allow MoveBoxedOrUnboxedDenseElements to bail out if the elements are frozen.

https://reviewboard.mozilla.org/r/86984/#review86194
Attachment #8802651 - Flags: review?(nicolas.b.pierron) → review+

Comment 23

2 years ago
mozreview-review
Comment on attachment 8802653 [details]
Bug 1310744: Make ArrayReverseDenseKernel frozenness-aware.

https://reviewboard.mozilla.org/r/86988/#review86196
Attachment #8802653 - Flags: review?(nicolas.b.pierron) → review+

Comment 24

2 years ago
mozreview-review
Comment on attachment 8802654 [details]
Bug 1310744: Don't enter in the fast path for DeleteArrayElement for frozen arrays.

https://reviewboard.mozilla.org/r/86990/#review86198
Attachment #8802654 - Flags: review?(nicolas.b.pierron) → review+

Comment 25

2 years ago
mozreview-review
Comment on attachment 8802655 [details]
Bug 1310744: Add missing assertions in NativeObject.h

https://reviewboard.mozilla.org/r/86992/#review86202
Attachment #8802655 - Flags: review?(nicolas.b.pierron) → review+

Comment 26

2 years ago
mozreview-review
Comment on attachment 8802656 [details]
Bug 1310744: Regression test.

https://reviewboard.mozilla.org/r/86994/#review86204

r=me with the following nit fixed.

::: js/src/tests/ecma_5/Array/frozen-dense-array.js:27
(Diff revision 1)
> +// Shouldn't throw, since this is not strict mode, but shouldn't change the
> +// value of the property.
> +a.length = 5;

nit: Add the following test:

assertThrowsInstanceOf(() => { "use strict"; a.length = 5; }, TypeError);
Attachment #8802656 - Flags: review?(nicolas.b.pierron) → review+

Comment 27

2 years ago
mozreview-review
Comment on attachment 8802657 [details]
Bug 1310744: Revert "Bug 1300193: Make existing assertion that no longer holds more flexible. ", but keep the test.

https://reviewboard.mozilla.org/r/86996/#review86208

Thanks!

These changes are really nice.
Splitting in so many tiny patches to fix it incrementally is nice too, but make it harder to review.
Attachment #8802657 - Flags: review?(nicolas.b.pierron) → review+
Comment hidden (mozreview-request)
Comment hidden (mozreview-request)
Comment hidden (mozreview-request)
Comment hidden (mozreview-request)
Comment hidden (mozreview-request)
Comment hidden (mozreview-request)
Comment hidden (mozreview-request)
Comment hidden (mozreview-request)
Comment hidden (mozreview-request)
(Assignee)

Comment 37

2 years ago
(In reply to Nicolas B. Pierron [:nbp] from comment #27)
> These changes are really nice.
> Splitting in so many tiny patches to fix it incrementally is nice too, but
> make it harder to review.

Sorry, the intent was the exact opposite! :D

I'll try to find a better balance between throwing a single monolithic patch and this next time :)

I added test for strict and non-strict mode deletion of properties too, added a few more assertions (and fixed one related with lengthIsWritable, which assumed lengthIsWritable == lengthShape->writable() and was hitting on ecma_5/Array/redefine-length-frozen-dictionarymode-array.js). I don't think any of these changes are major enough to request a re-review, but feel free to take a look at them if needed.

Waiting for try now: https://treeherder.mozilla.org/#/jobs?repo=try&revision=11c8ec0ffb1144f27e1fe5575cd3e4150d05ba85 (current) and https://treeherder.mozilla.org/#/jobs?repo=try&revision=9c8d6bbb0e24 (without the latest assertions I added).

Comment 38

2 years ago
Pushed by ecoal95@gmail.com:
https://hg.mozilla.org/integration/autoland/rev/888c35d3e472
Add NativeObject::denseElementsAreFrozen. r=nbp
https://hg.mozilla.org/integration/autoland/rev/9cf4fb2f956a
A frozen element has no writable length. r=nbp
https://hg.mozilla.org/integration/autoland/rev/01d6130f6cb5
Allow MoveBoxedOrUnboxedDenseElements to bail out if the elements are frozen. r=nbp
https://hg.mozilla.org/integration/autoland/rev/8ee1bce84ad8
Bail out from SetOrExtendBoxedOrUnboxedDenseElements if the elements are frozen. r=nbp
https://hg.mozilla.org/integration/autoland/rev/eceaa41aebae
Make ArrayReverseDenseKernel frozenness-aware. r=nbp
https://hg.mozilla.org/integration/autoland/rev/d0d4f9792c6b
Don't enter in the fast path for DeleteArrayElement for frozen arrays. r=nbp
https://hg.mozilla.org/integration/autoland/rev/4839dd5d7d96
Add missing assertions in NativeObject.h r=nbp
https://hg.mozilla.org/integration/autoland/rev/3d81f34050a4
Regression test. r=nbp
https://hg.mozilla.org/integration/autoland/rev/c1fa65bccbd1
Revert "Bug 1300193: Make existing assertion that no longer holds more flexible. r=jandem,nbp", but keep the test.
Please request aurora uplift when this is on m-c.

Comment 40

2 years ago
backoutbugherder
https://hg.mozilla.org/mozilla-central/rev/c1fa65bccbd1
Status: NEW → RESOLVED
Last Resolved: 2 years ago
status-firefox52: affected → fixed
Resolution: --- → FIXED
Target Milestone: --- → mozilla52
(Assignee)

Comment 42

2 years ago
Comment on attachment 8802649 [details]
Bug 1310744: Add NativeObject::denseElementsAreFrozen.

This request is for all the patches in this bug.

Approval Request Comment
[Feature/regressing bug #]: bug 1283334
[User impact if declined]: Javascript regression that allows overriding non-configurable properties.
[Describe test coverage new/current, TreeHerder]: Automated regression test added in this PR.
[Risks and why]: Low: small changeset that prevents some fast-paths from being taken incorrectly.
[String/UUID change made/needed]: None
Attachment #8802649 - Flags: approval-mozilla-aurora?

Updated

2 years ago
Flags: needinfo?(leo)
Comment on attachment 8802649 [details]
Bug 1310744: Add NativeObject::denseElementsAreFrozen.

Fix a regression. Take it in 51 aurora.
Attachment #8802649 - Flags: approval-mozilla-aurora? → approval-mozilla-aurora+

Comment 44

2 years ago
bugherderuplift
https://hg.mozilla.org/releases/mozilla-aurora/rev/dfc5582077ae
status-firefox51: affected → fixed
Depends on: 1312948
Depends on: 1312485
Version: unspecified → 51 Branch
You need to log in before you can comment on or make changes to this bug.