Google Git
Sign in
webkit / WebKit / 0eb814e8516b5fc2385656771ee77851fce98167^! / .
commit0eb814e8516b5fc2385656771ee77851fce98167[log] [tgz]
authorkeith_miller@apple.com <keith_miller@apple.com@268f45cc-cd09-0410-ab3c-d52691b4dbfc>Tue Jul 16 04:26:06 2019 +0000
committerkeith_miller@apple.com <keith_miller@apple.com@268f45cc-cd09-0410-ab3c-d52691b4dbfc>Tue Jul 16 04:26:06 2019 +0000
treec3b6949dc94e8d59e3bffbcce41e8f993673cc2f
parentc1a746f4c26e177d4b12df739577d723b30e5674 [diff]
A Possible Issue of Object.create method
https://bugs.webkit.org/show_bug.cgi?id=199744

Reviewed by Yusuke Suzuki.

JSTests:

* stress/object-create-non-object-properties-parameter.js: Added.
(catch):

Source/JavaScriptCore:

We should call toObject on the properties argument if it was not undefined.
See: https://tc39.es/ecma262/#sec-object.create

* runtime/ObjectConstructor.cpp:
(JSC::objectConstructorCreate):

LayoutTests:

Rebaseline error message due to change of error point.

* js/Object-create-expected.txt:


git-svn-id: http://svn.webkit.org/repository/webkit/trunk@247471 268f45cc-cd09-0410-ab3c-d52691b4dbfc

diff --git a/JSTests/ChangeLog b/JSTests/ChangeLog
index 0d2e94b..d771e10 100644
--- a/JSTests/ChangeLog
+++ b/JSTests/ChangeLog

@@ -1,5 +1,15 @@
 2019-07-15  Keith Miller  <keith_miller@apple.com>
 
+        A Possible Issue of Object.create method
+        https://bugs.webkit.org/show_bug.cgi?id=199744
+
+        Reviewed by Yusuke Suzuki.
+
+        * stress/object-create-non-object-properties-parameter.js: Added.
+        (catch):
+
+2019-07-15  Keith Miller  <keith_miller@apple.com>
+
         Update test262
         https://bugs.webkit.org/show_bug.cgi?id=199801
 

diff --git a/JSTests/stress/object-create-non-object-properties-parameter.js b/JSTests/stress/object-create-non-object-properties-parameter.js
new file mode 100644
index 0000000..629a9e0
--- /dev/null
+++ b/JSTests/stress/object-create-non-object-properties-parameter.js

@@ -0,0 +1,18 @@
+//@ requireOptions('--useBigInt=1')
+
+let toObjectablePrimitives = [true, false, 1, 2, "", Symbol(), BigInt(1)];
+
+for (let primitive of toObjectablePrimitives)
+    Object.create({}, primitive);
+
+function shouldThrow(props) {
+    try {
+        Object.create({}, props);
+    } catch (e) {
+        if (!(e instanceof TypeError))
+            throw e;
+    }
+}
+
+shouldThrow("hello");
+shouldThrow(null);

diff --git a/LayoutTests/ChangeLog b/LayoutTests/ChangeLog
index 365a177..730e1a7 100644
--- a/LayoutTests/ChangeLog
+++ b/LayoutTests/ChangeLog

@@ -1,3 +1,14 @@
+2019-07-15  Keith Miller  <keith_miller@apple.com>
+
+        A Possible Issue of Object.create method
+        https://bugs.webkit.org/show_bug.cgi?id=199744
+
+        Reviewed by Yusuke Suzuki.
+
+        Rebaseline error message due to change of error point.
+
+        * js/Object-create-expected.txt:
+
 2019-07-15  Saam Barati  <sbarati@apple.com>
 
         [WHLSL] Matrix memory layout should match HLSL by laying out columns linearly

diff --git a/LayoutTests/js/Object-create-expected.txt b/LayoutTests/js/Object-create-expected.txt
index 7eb4cf9..aec9e23 100644
--- a/LayoutTests/js/Object-create-expected.txt
+++ b/LayoutTests/js/Object-create-expected.txt

@@ -5,8 +5,8 @@
 
 PASS Object.create() threw exception TypeError: Object prototype may only be an Object or null..
 PASS Object.create('a string') threw exception TypeError: Object prototype may only be an Object or null..
-PASS Object.create({}, 'a string') threw exception TypeError: Property descriptor list must be an Object..
-PASS Object.create(null, 'a string') threw exception TypeError: Property descriptor list must be an Object..
+PASS Object.create({}, 'a string') threw exception TypeError: Property description must be an object..
+PASS Object.create(null, 'a string') threw exception TypeError: Property description must be an object..
 PASS JSON.stringify(Object.create(null,{property:{value:'foo', enumerable:true}, property2:{value:'foo', enumerable:true}})) is '{"property":"foo","property2":"foo"}'
 PASS JSON.stringify(Object.create({},{property:{value:'foo', enumerable:true}, property2:{value:'foo', enumerable:true}})) is '{"property":"foo","property2":"foo"}'
 PASS JSON.stringify(Object.create({},{property:{value:'foo'}, property2:{value:'foo', enumerable:true}})) is '{"property2":"foo"}'

diff --git a/Source/JavaScriptCore/ChangeLog b/Source/JavaScriptCore/ChangeLog
index 88e9523..56f24d9 100644
--- a/Source/JavaScriptCore/ChangeLog
+++ b/Source/JavaScriptCore/ChangeLog

@@ -1,3 +1,16 @@
+2019-07-15  Keith Miller  <keith_miller@apple.com>
+
+        A Possible Issue of Object.create method
+        https://bugs.webkit.org/show_bug.cgi?id=199744
+
+        Reviewed by Yusuke Suzuki.
+
+        We should call toObject on the properties argument if it was not undefined.
+        See: https://tc39.es/ecma262/#sec-object.create
+
+        * runtime/ObjectConstructor.cpp:
+        (JSC::objectConstructorCreate):
+
 2019-07-15  Saagar Jha  <saagarjha@apple.com>
 
         Keyword lookup can use memcmp to get around unaligned load undefined behavior

diff --git a/Source/JavaScriptCore/runtime/ObjectConstructor.cpp b/Source/JavaScriptCore/runtime/ObjectConstructor.cpp
index aecdb93..472f110 100644
--- a/Source/JavaScriptCore/runtime/ObjectConstructor.cpp
+++ b/Source/JavaScriptCore/runtime/ObjectConstructor.cpp

@@ -669,9 +669,10 @@
         : constructEmptyObject(exec, exec->lexicalGlobalObject()->nullPrototypeObjectStructure());
     if (exec->argument(1).isUndefined())
         return JSValue::encode(newObject);
-    if (!exec->argument(1).isObject())
-        return throwVMTypeError(exec, scope, "Property descriptor list must be an Object."_s);
-    RELEASE_AND_RETURN(scope, JSValue::encode(defineProperties(exec, newObject, asObject(exec->argument(1)))));
+    JSObject* properties = exec->uncheckedArgument(1).toObject(exec);
+    RETURN_IF_EXCEPTION(scope, { });
+
+    RELEASE_AND_RETURN(scope, JSValue::encode(defineProperties(exec, newObject, properties)));
 }
 
 enum class IntegrityLevel {