haikuwebkit/LayoutTests/js/window-length-getOwnPropert...

<script src="../resources/js-test-pre.js"></script>
<script>
// Reify the window object.
delete window.name;

var descriptor = Object.getOwnPropertyDescriptor(window, "length");
shouldBeType("descriptor.get", "Function");
shouldBeType("descriptor.set", "Function");
shouldBeTrue("descriptor.configurable");
shouldBeTrue("descriptor.enumerable");
shouldBe("window.length", "0");

// window.length is [Replaceable] so it can be shadowed.
evalAndLog("window.length = 1");
descriptor = Object.getOwnPropertyDescriptor(window, "length");
shouldBe("descriptor.value", "1");
shouldBeTrue("descriptor.configurable");
shouldBeTrue("descriptor.enumerable");
shouldBe("window.length", "1");
</script>
<script src="../resources/js-test-post.js"></script>
SES selftest page crashes on nightly r196694 https://bugs.webkit.org/show_bug.cgi?id=154350 <rdar://problem/24704334> Reviewed by Mark Lam. Source/JavaScriptCore: SES selftest page crashes after r196001 / r196145 when calling Object.getOwnPropertyDescriptor(window, "length") after the window has been reified and "length" has been shadowed by a value property. It was crashing in JSObject::getOwnPropertyDescriptor() because we are getting a slot that has attribute "CustomAccessor" but the property is not a CustomGetterSetter. In this case, since window.length is [Replaceable] and has been set to a numeric value, it makes that the property is not a CustomGetterSetter. However, the "CustomAccessor" attribute should have been dropped from the slot when window.length was shadowed. Therefore, this code path should not be exercised at all when calling getOwnPropertyDescriptor(). The issue was that putDirectInternal() was updating the slot attributes only if the "Accessor" flag has changed, but not the "customAccessor" flag. This patch fixes the issue. * runtime/JSObject.h: (JSC::JSObject::putDirectInternal): LayoutTests: Add test coverage for the crash which happens when shadowing window.length with a value after the window property and then calling Object.getOwnPropertyDescriptor(window, "length"). * js/window-length-getOwnPropertyDescriptor-crash-expected.txt: Added. * js/window-length-getOwnPropertyDescriptor-crash.html: Added. Canonical link: https://commits.webkit.org/172477@main git-svn-id: https://svn.webkit.org/repository/webkit/trunk@196723 268f45cc-cd09-0410-ab3c-d52691b4dbfc 2016-02-17 22:59:59 +00:00			`<script src="../resources/js-test-pre.js"></script>`
			`<script>`
			`// Reify the window object.`
			`delete window.name;`

			`var descriptor = Object.getOwnPropertyDescriptor(window, "length");`
			`shouldBeType("descriptor.get", "Function");`
			`shouldBeType("descriptor.set", "Function");`
			`shouldBeTrue("descriptor.configurable");`
			`shouldBeTrue("descriptor.enumerable");`
			`shouldBe("window.length", "0");`

			`// window.length is [Replaceable] so it can be shadowed.`
			`evalAndLog("window.length = 1");`
			`descriptor = Object.getOwnPropertyDescriptor(window, "length");`
			`shouldBe("descriptor.value", "1");`
			`shouldBeTrue("descriptor.configurable");`
			`shouldBeTrue("descriptor.enumerable");`
			`shouldBe("window.length", "1");`
			`</script>`
			`<script src="../resources/js-test-post.js"></script>`