Bug 633177 - initprop/initelem, sharp variables and duplicated property names
Product: Core
Classification: Components
Component: JavaScript Engine
: Trunk
: x86 Linux
-- normal
: ---
Assigned To: general
: Jason Orendorff [:jorendorff]
Depends on: 566700
Blocks: 522158
Reported: 2011-02-10 06:23 PST by Igor Bukanov
Modified: 2012-01-26 21:25 PST


Description Igor Bukanov 2011-02-10 06:23:07 PST
Bug 522158 removed the CheckRedeclaration checks from the interpreter cases for JSOP_INITPROP and JSOP_INITELEM. The assumption was that the compiler checks for duplicated property names, so the bytecodes would always add unique properties to the object.

But this assumption is wrong in the presence of sharp variables. They leak the partially initialized object, so a script can add a property to the object that matches the name or index of a not-yet-executed JSOP_INITPROP or JSOP_INITELEM, like in the following:

function f() {
    // #1= labels the object literal and #1# refers to it while it is still
    // being initialized, so the assignment defines property 1 before the
    // JSOP_INITELEM for key 1 runs.
    return #1={1:(#1#[1] = 2, #1#)};
}

On the surface the bug is very mild, as CheckRedeclaration only warns without throwing an error (unless throw-on-warning mode is enabled) in such cases. So one way to fix this bug is to acknowledge the regression and add comments referring to these corner cases with sharp variables.

On the other hand, our defineProperty implementation that initprop/initelem call currently does not check all the restrictions stated in ES5 8.12.9 [[DefineOwnProperty]]. In particular, it can change some attributes of non-configurable properties. To prevent this we can change the implementation to set the property, not define it, if it already exists.

Yet another possibility would be to fix defineProperty to implement all the restrictions from [[DefineOwnProperty]]. But that is not easy; see bug 624364 for the reasons.
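The [[DefineOwnProperty]] restrictions the comment above refers to, as an added example that is not part of the bug report or of SpiderMonkey: the ES5 8.12.9 rules for data properties written out as a check, run against a constructed object whose property `1` is already non-configurable, which is the state a sharp-variable leak produces. `canRedefineDataProperty` and `demo` are names chosen here.

```javascript
// Added example (not from the bug or SpiderMonkey): the ES5 8.12.9
// [[DefineOwnProperty]] validation, reduced to data properties.
// Returns true if `desc` may be applied to obj[name], false if the spec
// requires rejecting it (a TypeError when Throw is true).
function canRedefineDataProperty(obj, name, desc) {
  const current = Object.getOwnPropertyDescriptor(obj, name);
  if (current === undefined) {
    // Step 3: a new property may be added only if obj is extensible.
    return Object.isExtensible(obj);
  }
  if (current.configurable) return true;   // step 7: anything may change
  // Steps 7.a-b: a non-configurable property cannot become configurable,
  // and its enumerability cannot be flipped.
  if (desc.configurable === true) return false;
  if ('enumerable' in desc && desc.enumerable !== current.enumerable) return false;
  // Step 9: data <-> accessor conversion is rejected when non-configurable.
  if ('get' in desc || 'set' in desc) return false;
  // Step 10.a: a non-writable data property cannot be made writable, and
  // its value may only be "redefined" to the SameValue it already has.
  if (current.writable === false) {
    if (desc.writable === true) return false;
    if ('value' in desc && !Object.is(desc.value, current.value)) return false;
  }
  return true;
}

// Constructed scenario: property 1 already exists, non-configurable and
// non-writable, before the initializer's own define for key 1 would run.
// `engineThrows` records whether a conforming engine rejects the same change.
function demo() {
  const obj = {};
  Object.defineProperty(obj, '1', {
    value: 2, writable: false, configurable: false, enumerable: true,
  });
  const results = {
    sameValue: canRedefineDataProperty(obj, '1', { value: 2 }),
    newValue: canRedefineDataProperty(obj, '1', { value: 3 }),
    makeWritable: canRedefineDataProperty(obj, '1', { writable: true }),
    toAccessor: canRedefineDataProperty(obj, '1', { get() { return 1; } }),
    engineThrows: false,
  };
  try {
    Object.defineProperty(obj, '1', { value: 3 });
  } catch (e) {
    results.engineThrows = e instanceof TypeError;
  }
  return results;
}
```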
Comment 1 Jim Blandy :jimb 2011-02-10 11:24:10 PST
I'm in favor of a more drastic solution; see bug 633278.
Comment 2 Jeff Walden [:Waldo] 2012-01-26 21:08:33 PST
Fixed by bug 566700; I'll remove the now-unnecessary checking shortly.
