Bug 230150

Summary:

[JSC][32bit] in-by-val fails inside for-in loop after delete

Product:

WebKit

Reporter:

Xan Lopez <xan.lopez>

Component:

JavaScriptCore

Assignee:

Nobody <webkit-unassigned>

Status:

RESOLVED FIXED

Severity:

Normal

CC:

cgarcia, ews-watchlist, keith_miller, mark.lam, msaboff, saam, tzagallo, webkit-bug-importer, xan.lopez

Priority:

Keywords:

InRadar

Version:

WebKit Nightly Build

Hardware:

Unspecified

OS:

Unspecified

Attachments:

Description	Flags
v1	none

Xan Lopez

Reported 2021-09-10 06:43:25 PDT

Test: function test2() { let o = { a:20, b:30, c:40, d:50 }; for (let p in o) { delete o[p]; if (p in o) print("wtf"); } } for (let i = 0; i < 1000; i++) test2(); Execution: xlopez@bbox-11-armhf:~/WebKit$ ./WebKitBuild/Debug/bin/jsc -f ../js/in-by-test.js Exception: TypeError: o is not an Object. (evaluating 'p in o') test2@../js/in-by-test.js:11:18 global code@../js/in-by-test.js:16:10 I believe this is fallout from https://commits.webkit.org/r280760, can be reproduced easily in ToT after the WIP patch in bug #229543 is applied.

Attachments
v1 (2.08 KB, patch) 2021-09-13 03:04 PDT, Xan Lopez	no flags	Details Formatted Diff Diff
View All Add attachment proposed patch, testcase, etc.

Xan Lopez

Comment 1 2021-09-13 03:04:21 PDT

Created attachment 438025 [details] v1 This was a very silly mistake in the end.

EWS

Comment 2 2021-09-13 10:37:09 PDT

Committed r282336 (241603@main): <https://commits.webkit.org/241603@main> All reviewed patches have been landed. Closing bug and clearing flags on attachment 438025 [details].

Radar WebKit Bug Importer

Comment 3 2021-09-13 10:38:21 PDT

<rdar://problem/83062246>

Note You need to log in before you can comment on or make changes to this bug.