Bug 186991
| Summary: | Different output compared with v8 and spidermonkey | | |
|---|---|---|---|
| Product: | WebKit | Reporter: | sunlili |
| Component: | JavaScriptCore | Assignee: | Nobody <webkit-unassigned> |
| Status: | RESOLVED DUPLICATE | | |
| Severity: | Normal | CC: | ashvayka, nth10sd, sunlili, ysuzuki |
| Priority: | P2 | | |
| Version: | WebKit Local Build | | |
| Hardware: | Unspecified | | |
| OS: | Unspecified | | |
| See Also: | https://bugs.webkit.org/show_bug.cgi?id=186993 https://bugs.webkit.org/show_bug.cgi?id=186992 | | |
sunlili
Hello,
The following code behaves incorrectly (inconsistent with the standard and other engines).
```javascript
arr0 = [ 1, 2, 3 ];
arr1 = [ 4, 5, 6 ];
handler1 = {
    get: function (oTarget, sKey) {
        print('arg ' + '1' + ':get ' + sKey.toString());
        if (sKey.toString() == 'Symbol(Symbol.isConcatSpreadable)') {
            arr1['length'] = 4294967294;
        }
        if (sKey.toString() == 'length') {
            arr1['length'] = 10;
        }
        if (Number(sKey.toString()) != NaN) { ; }
        return Reflect.get(oTarget, sKey);
    },
    has: function (oTarget, sKey) {
        print('arg ' + '1' + ':has ' + sKey.toString());
        if (Number(sKey.toString()) != NaN) {
            return Symbol.search;
        }
        return Reflect.has(oTarget, sKey);
    }
};
var proxy1 = new Proxy(arr1, handler1);
func = Array.prototype.concat.bind(arr0, proxy1);
arr2 = func();
print(arr2);
```
The output is:
```
arg 1:get Symbol(Symbol.isConcatSpreadable)
arg 1:get Symbol(Symbol.toPrimitive)
arg 1:get toString
arg 1:get join
arg 1:get length
arg 1:get 0
arg 1:get 1
arg 1:get 2
arg 1:get 3
arg 1:get 4
arg 1:get 5
arg 1:get 6
arg 1:get 7
arg 1:get 8
arg 1:get 9
1,2,3,4,5,6,,,,,,,
```
However, it should be:
```
arg 1:get Symbol(Symbol.isConcatSpreadable)
arg 1:get length
arg 1:has 0
arg 1:get 0
arg 1:has 1
arg 1:get 1
arg 1:has 2
arg 1:get 2
arg 1:has 3
arg 1:get 3
arg 1:has 4
arg 1:get 4
arg 1:has 5
arg 1:get 5
arg 1:has 6
arg 1:get 6
arg 1:has 7
arg 1:get 7
arg 1:has 8
arg 1:get 8
arg 1:has 9
arg 1:get 9
1,2,3,4,5,6,,,,,,,
```
BT group
2018.6.25
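
The trap order expected in comment #0 can be checked mechanically instead of by reading `print` output. The following is an added example, not part of the report or of WebKit: it models the ECMA-262 `concat` steps in JavaScript, runs the model and the engine's native `concat` against the same logging proxy, and compares the two trap logs. The helper names `makeLoggingProxy`, `referenceConcat` and `traceConcat` are hypothetical.

```javascript
// Added example; helper names are hypothetical, not from the bug report or WebKit.
// The proxy records traps in an array instead of calling the shell's print().
function makeLoggingProxy(target, log) {
  return new Proxy(target, {
    get(t, key) {
      log.push('get ' + String(key));
      // Same length mutations as the testcase in the report.
      if (key === Symbol.isConcatSpreadable) t.length = 4294967294;
      if (key === 'length') t.length = 10;
      return Reflect.get(t, key);
    },
    has(t, key) {
      log.push('has ' + String(key));
      return true; // the report's has trap always returns a truthy value
    },
  });
}

// Model of the ECMA-262 concat steps (species and CreateDataProperty simplified).
function referenceConcat(thisArr, ...items) {
  const out = [];
  let n = 0;
  for (const e of [thisArr, ...items]) {
    let spreadable = false;
    if (Object(e) === e) {                      // IsConcatSpreadable
      const flag = e[Symbol.isConcatSpreadable];
      spreadable = flag !== undefined ? Boolean(flag) : Array.isArray(e);
    }
    if (!spreadable) { out[n++] = e; continue; }
    const raw = Math.trunc(Number(e.length)) || 0;        // LengthOfArrayLike
    const len = Math.min(Math.max(raw, 0), Number.MAX_SAFE_INTEGER);
    if (n + len > Number.MAX_SAFE_INTEGER) throw new TypeError('length overflow');
    for (let k = 0; k < len; k++, n++) {
      const p = String(k);
      if (p in e) out[n] = e[p];                // HasProperty, then Get
    }
  }
  out.length = n;
  return out;
}

// Run one concat implementation against a fresh logging proxy over [4, 5, 6].
function traceConcat(concatImpl) {
  const log = [];
  const result = concatImpl([1, 2, 3], makeLoggingProxy([4, 5, 6], log));
  return { log, result: String(result) };
}

const model = traceConcat(referenceConcat);
const native = traceConcat((a, p) => Array.prototype.concat.call(a, p));
console.log(model.log.join('|') === native.log.join('|') ? 'trap order matches' : 'trap order differs');
```

Run under the engine being tested; a difference between `native.log` and `model.log` is the kind of divergence this report describes.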
Gary Kwong [:gkw] [:nth10sd]
I re-ran the testcase in comment #0 with git rev eb42a8967d53ebb95bd59b6d89662ac7fdf95a8b and it seems to show the intended output. It shows the wrong output with a build from mid-2017, or rev 011c994d52cc30bdec69aebed8ec1a025966b34a.
I then ran a bisection using robobisect, and it seems to point to the following commit as a possible fix to this bug:
```
commit e580b9a5fa9b5013b749e72f1c10946cb14af9aa
Author: caitp
Date: Tue May 29 16:56:29 2018 +0000

    [JSC] Fix Array.prototype.concat fast case when single argument is Proxy
    https://bugs.webkit.org/show_bug.cgi?id=184267

    Reviewed by Saam Barati.

    </snip>

    git-svn-id: https://svn.webkit.org/repository/webkit/trunk@232261 268f45cc-cd09-0410-ab3c-d52691b4dbfc
```
Is bug 184267 a likely fix?
Alexey Shvayka
(In reply to Gary Kwong [:gkw] [:nth10sd] from comment #1)
> Is bug 184267 a likely fix?
Thank you for tracking it down, Gary!
*** This bug has been marked as a duplicate of bug 184267 ***