Bug 171158
| Summary: | Incorrect behavior for array iteration if iterator behavior changes partway through | ||
|---|---|---|---|
| Product: | WebKit | Reporter: | Boris Zbarsky <bzbarsky> |
| Component: | JavaScriptCore | Assignee: | Nobody <webkit-unassigned> |
| Status: | RESOLVED DUPLICATE | ||
| Severity: | Normal | CC: | saam, sam |
| Priority: | P2 | ||
| Version: | WebKit Nightly Build | ||
| Hardware: | Unspecified | ||
| OS: | Unspecified | ||
Boris Zbarsky
Consider this (shell; in a browser, replace print with alert) testcase:
var iter = [][Symbol.iterator]();
var iterProto = Object.getPrototypeOf(iter);
var oldNext = iterProto.next;
function hackedNext() {
var val = oldNext.call(this);
if ("value" in val) {
val.value++;
}
return val;
}
var arr = [1,,3];
Object.defineProperty(arr, 1,
{ get: function() { iterProto.next = hackedNext; return 2 } });
print([...arr]);
This should print "1,2,4", and does in SpiderMonkey and V8. In JSC, at least as tested via Safari and WebKit nightlies, it prints "1,2,3".
I believe that this is because isIteratorProtocolFastAndNonObservable() (as called from either operationSpreadGeneric or the slow_path_spread slow path) is true for this array when the spread operation starts. But it starts being false partway through, when the getter for the property at index 1 runs...
| Attachments | ||
|---|---|---|
| Add attachment proposed patch, testcase, etc. |
Saam Barati
*** This bug has been marked as a duplicate of bug 171150 ***