Bug 230150

Summary: [JSC][32bit] in-by-val fails inside for-in loop after delete
Product: WebKit
Reporter: Xan Lopez <xan.lopez>
Component: JavaScriptCore
Assignee: Nobody <webkit-unassigned>
Status: RESOLVED FIXED
Severity: Normal
CC: cgarcia, ews-watchlist, keith_miller, mark.lam, msaboff, saam, tzagallo, webkit-bug-importer, xan.lopez
Priority: P2
Keywords: InRadar
Version: WebKit Nightly Build
Hardware: Unspecified
OS: Unspecified
Attachments:
v1 (flags: none)

Description Xan Lopez 2021-09-10 06:43:25 PDT
Test:

function test2() {
    let o = {
        a:20,
        b:30,
        c:40,
        d:50
    };

    for (let p in o) {
        delete o[p];
        if (p in o)
            print("wtf");
    }
}
for (let i = 0; i < 1000; i++)
    test2();

Execution:

xlopez@bbox-11-armhf:~/WebKit$ ./WebKitBuild/Debug/bin/jsc -f ../js/in-by-test.js 
Exception: TypeError: o is not an Object. (evaluating 'p in o')
test2@../js/in-by-test.js:11:18
global code@../js/in-by-test.js:16:10

I believe this is fallout from https://commits.webkit.org/r280760; it can be reproduced easily in ToT after the WIP patch in bug #229543 is applied.

Comment 1 Xan Lopez 2021-09-13 03:04:21 PDT
Created attachment 438025
v1

This was a very silly mistake in the end.

Comment 2 EWS 2021-09-13 10:37:09 PDT
Committed r282336 (241603@main): <https://commits.webkit.org/241603@main>

All reviewed patches have been landed. Closing bug and clearing flags on attachment 438025.

Comment 3 Radar WebKit Bug Importer 2021-09-13 10:38:21 PDT
<rdar://problem/83062246>