Bug 291997
| Summary: | For-In can return duplicate keys in JSC | | |
|---|---|---|---|
| Product: | WebKit | Reporter: | EntryHi <entryhii> |
| Component: | JavaScriptCore | Assignee: | Yijia Huang <yijia_huang> |
| Status: | RESOLVED FIXED | | |
| Severity: | Normal | CC: | keith_miller, webkit-bug-importer, ysuzuki |
| Priority: | P2 | Keywords: | InRadar |
| Version: | WebKit Nightly Build | | |
| Hardware: | PC | | |
| OS: | Linux | | |

EntryHi
Hello, I found a bug in JavaScriptCore.
JSC version: c612e507973fe45e1c71c1893376818803781495
poc.js
```
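// Collect every key that for-in visits on x.
function getKey(x) {
    var arr = [];
    for (var i in x) {
        arr.push(i);
    }
    return arr;
}

function opt() {
    // A String wrapper has enumerable index properties 0, 1, 2.
    var x = new String("abc");
    function B() {
        this.bar = 5;
        this[0] = 4; // own index 0 shadows index 0 on the prototype
    }
    B.prototype = x;
    var y = new B();
    var elements = getKey(y);
    print(elements); // print() is the jsc shell's output function
}

// Repeated calls so the function tiers up under the run args below.
opt();
opt();
opt();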
```
Run args: `./jsc poc.js --useConcurrentJIT=0 --jitPolicyScale=0.1`

Result in JSC:
```
0,bar,0,1,2
0,bar,0,1,2
0,bar,1,2
```
Result in V8:
```
bar,0,1,2
bar,0,1,2
bar,0,1,2
```
Radar WebKit Bug Importer
<rdar://problem/150420842>
Yijia Huang
Pull request: https://github.com/WebKit/WebKit/pull/45818
Yijia Huang
Thanks for reporting this issue. Since https://tc39.es/ecma262/#sec-enumerate-object-properties says "The mechanics and order of enumerating the properties is not specified ...", the patch fixes duplicate property enumeration.
EWS
Committed 295350@main (0a1e72158c24): <https://commits.webkit.org/295350@main>
Reviewed commits have been landed. Closing PR #45818 and removing active labels.