Bug 149811

Summary: Iterator loops over key twice after delete
Product: WebKit
Reporter: Timon Orawski <timon>
Component: JavaScriptCore
Assignee: Yusuke Suzuki <ysuzuki>
Status: RESOLVED FIXED
Severity: Critical
CC: fpizlo, ggaren, keith_miller, mark.lam, msaboff, saam, timon, webkit-bug-importer, ysuzuki
Priority: P2
Keywords: InRadar
Version: WebKit Nightly Build
Hardware: All
OS: Unspecified
Attachments:
  Description              Flags
  reproducible test case   none
  Patch                    none
  Patch                    ggaren: review+

Timon Orawski
Reported 2015-10-05 10:29:13 PDT
Created attachment 262446 [details]
reproducible test case

The following code iterates twice over the key "0" in the object cols, despite it only existing in the object once.

<html>
<head>
<script>
var f = function() {
    "use strict";
    var cols = {"col":{"title":"&nbsp;","type":"sys","events":[],"name":0,"id":0,"_i":0}};
    var len = 0;
    var remapcols = ['col'];
    for (var i = 0; i < remapcols.length; i++) {
        cols[cols[remapcols[i]].name] = cols[remapcols[i]];
        delete cols[remapcols[i]];
    }
    var count = 0;
    console.group("object:");
    console.log(cols);
    console.groupEnd();
    console.group("This group should only contain one line");
    for (var col2 in cols) {
        console.log("" + count++ + ": Iterating over key: " + col2);
    }
    console.groupEnd();
};
f();
</script>
</head>
<body>
Check console log, expected output is a single log entry "0: Iterating over key: 0"
</body>
</html>
Attachments
reproducible test case (753 bytes, text/html)
2015-10-05 10:29 PDT, Timon Orawski
no flags
Patch (3.98 KB, patch)
2015-10-11 09:24 PDT, Yusuke Suzuki
no flags
Patch (4.06 KB, patch)
2015-10-11 09:26 PDT, Yusuke Suzuki
ggaren: review+
Radar WebKit Bug Importer
Comment 1 2015-10-06 11:04:08 PDT
Yusuke Suzuki
Comment 2 2015-10-11 06:11:54 PDT
Still investigating. But a possible fix is setting indexedLength = 0 for the non-generic JSPropertyNameEnumerator creation case.
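The comment above describes the enumerator's two phases (an indexed-property phase, then the named-property phase) and the idea of disabling the first one. The following is an added example, not code from the bug report or from JavaScriptCore: it rebuilds the reporter's scenario so that the keys produced by for-in are returned rather than logged, adds a duplicate-key check a test harness could use to detect this class of bug on any engine, and shows the standard two-phase ordering (integer-like keys in ascending numeric order first, then string keys in insertion order) that the enumerator is supposed to produce. The object shapes and the helper names (remapColumns, forInKeys, duplicateKeys, mixedKeys) are constructed for this example; the JSC internals such as indexedLength are not modelled.

```javascript
"use strict";

// Added example, not part of the original bug report.
// Rebuilds the reporter's object: one entry under the string key "col",
// whose `name` (0) becomes the new, integer-like key; the old key is deleted.
function remapColumns() {
  // Constructed sample object, same shape as the reporter's `cols`.
  const cols = {
    col: { title: "&nbsp;", type: "sys", events: [], name: 0, id: 0, _i: 0 },
  };
  const remapcols = ["col"];
  for (let i = 0; i < remapcols.length; i++) {
    const entry = cols[remapcols[i]];
    cols[entry.name] = entry;   // adds the integer-like key "0"
    delete cols[remapcols[i]];  // removes the string key "col"
  }
  return cols;
}

// Collects exactly what a for-in loop yields, in order, so the enumeration
// itself (not console output) can be checked.
function forInKeys(obj) {
  const keys = [];
  for (const k in obj) keys.push(k);
  return keys;
}

// Returns every key that appeared more than once in an enumeration.
// On a correct engine this is always empty for a plain object; the bug above
// would make it return ["0"] for remapColumns().
function duplicateKeys(keys) {
  const seen = new Set();
  const dups = new Set();
  for (const k of keys) {
    if (seen.has(k)) dups.add(k);
    seen.add(k);
  }
  return [...dups];
}

// Illustrates the two enumeration phases the fix is about: integer-like keys
// are enumerated first in ascending numeric order, then string keys in
// insertion order, regardless of the order they were added or deleted.
function mixedKeys() {
  const o = { b: 1, 2: 1, a: 1, 0: 1 };  // constructed sample
  delete o.b;
  return forInKeys(o);  // expected on a correct engine: ["0", "2", "a"]
}

// Defensive variant for code that cannot tolerate a duplicated key even on a
// buggy engine: iterate Object.keys (a fresh array) and dedupe it.
function safeKeys(obj) {
  return [...new Set(Object.keys(obj))];
}
```

Running forInKeys(remapColumns()) on a fixed engine yields ["0"] and duplicateKeys reports nothing; the affected WebKit build would have yielded ["0", "0"]. mixedKeys() makes the phase boundary visible: "0" and "2" come out before "a" even though "a" was inserted between them.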
Yusuke Suzuki
Comment 3 2015-10-11 09:24:34 PDT
Yusuke Suzuki
Comment 4 2015-10-11 09:26:51 PDT
Geoffrey Garen
Comment 5 2015-10-12 12:06:56 PDT
Comment on attachment 262863 [details]
Patch

View in context: https://bugs.webkit.org/attachment.cgi?id=262863&action=review

r=me

> Source/JavaScriptCore/runtime/JSPropertyNameEnumerator.h:128
> +    // So disabling indexed property enumeration phase by setting |indexedLength| to 0.

disabling => disable
Yusuke Suzuki
Comment 6 2015-10-12 20:23:23 PDT
Comment on attachment 262863 [details]
Patch

View in context: https://bugs.webkit.org/attachment.cgi?id=262863&action=review

>> Source/JavaScriptCore/runtime/JSPropertyNameEnumerator.h:128
>> +    // So disabling indexed property enumeration phase by setting |indexedLength| to 0.
>
> disabling => disable

Thanks. Fixed.
Yusuke Suzuki
Comment 7 2015-10-12 20:24:39 PDT