Open Bug 1800062 Opened 2 years ago Updated 2 years ago

Object with `Symbol.toPrimitive` property being used as property access key of undefined

Tracking

()

Status:

UNCONFIRMED

People

(Reporter: f52985, Unassigned)

References

(Blocks 1 open bug,
URL
)

Details

f52985

Reporter

Description

•

2 years ago

Steps to reproduce:

Execute the following program using jsshell

undefined [ { [ Symbol.toPrimitive ] : () => { REF_ERR; } } ] ;

Actual results:

TypeError: undefined has no properties
is thrown

Expected results:

ReferenceError: REF_ERR is not defined
should be thrown.

According to the ECMA-262 Specification, the EvaluatePropertyAccessWithExpressionKey algorithm calls the algorithm ToPropertyKey at step 3, which eventually calls the method [Symbol . toPrimitive] and throws reference error. This should happen before checking if the base object is undefined or not.

Bryan Thrall [:bthrall]

Updated

•

2 years ago

Blocks: sm-runtime

Severity: -- → S3

Priority: -- → P3

Matthew Gaudet (he/him) [:mgaudet]

Updated

•

2 years ago

Blocks: js-lang
No longer blocks: sm-runtime

URL: https://github.com/tc39/ecma262/issue...

You need to log in before you can comment on or make changes to this bug.

Bugzilla

Object with `Symbol.toPrimitive` property being used as property access key of undefined

Categories

(Core :: JavaScript Engine, defect, P3)

Tracking

()

People

(Reporter: f52985, Unassigned)

References

(Blocks 1 open bug,
URL
)

Details

Crash Data

Security

(public)

User Story

Description

Updated

Updated