Bug 142936 - Array.prototype.shift should check exception after thisObj->get(exec, 0)
Summary: Array.prototype.shift should check exception after thisObj->get(exec, 0)
Status: NEW
Alias: None
Product: WebKit
Classification: Unclassified
Component: JavaScriptCore (show other bugs)
Version: 528+ (Nightly build)
Hardware: Unspecified Unspecified
: P2 Normal
Assignee: Yusuke Suzuki
URL:
Keywords:
Depends on:
Blocks:
 
Reported: 2015-03-21 05:02 PDT by Yusuke Suzuki
Modified: 2022-10-05 15:43 PDT (History)
1 user (show)

See Also:

Attachments
Patch (2.79 KB, patch)
2015-04-02 05:40 PDT, Yusuke Suzuki 		no flags Details | Formatted Diff | Diff
Patch (4.01 KB, patch)
2015-04-02 05:58 PDT, Yusuke Suzuki 		darin: review+
Details | Formatted Diff | Diff
Show Obsolete (1) View All Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.
Description Yusuke Suzuki 2015-03-21 05:02:57 PDT 
Array.prototype.unshift should check exception after thisObj->get(exec, 0) since it could raise exceptions.
Comment 1 Yusuke Suzuki 2015-04-02 05:40:02 PDT 
Created attachment 249973 [details]
Patch
Comment 2 Yusuke Suzuki 2015-04-02 05:58:41 PDT 
Created attachment 249974 [details]
Patch
Comment 3 Darin Adler 2015-04-02 09:13:25 PDT 
Comment on attachment 249974 [details]
Patch

View in context: https://bugs.webkit.org/attachment.cgi?id=249974&action=review

I’d like us to find an efficient way to write a lot of tests like this one.

I’m not so happy with the code change because it doesn’t fix anything at this time! But I’ll say r=me since I assume you are trying to get to the point where we can remove the callGetter check.

> Source/JavaScriptCore/ChangeLog:9
> +        Currently, it's not observable.

I don’t understand why we would make the change if we can’t observe any benefit. I think it means we added more code for no reason.

> Source/JavaScriptCore/ChangeLog:11
> +        But I think it's not intended to become unobservable
> +        because this is guarded by callGetter's workaround check noted as FIXME.

Seems that we could deal with this later then. The important part is to write and run the test. I don’t want us to add code that has no observable effect.
Comment 4 Geoffrey Garen 2015-04-02 11:50:17 PDT 
Comment on attachment 249974 [details]
Patch

View in context: https://bugs.webkit.org/attachment.cgi?id=249974&action=review

> Source/JavaScriptCore/runtime/ArrayPrototype.cpp:616
>          result = thisObj->get(exec, 0);
> +        if (exec->hadException())
> +            return JSValue::encode(jsUndefined());
>          shift<JSArray::ShiftCountForShift>(exec, thisObj, 0, 1, 0, length);

Doesn't the call to shift have observable side effects?
Comment 5 Yusuke Suzuki 2015-04-02 12:54:56 PDT 
Comment on attachment 249974 [details]
Patch

View in context: https://bugs.webkit.org/attachment.cgi?id=249974&action=review

>> Source/JavaScriptCore/runtime/ArrayPrototype.cpp:616
>>          shift<JSArray::ShiftCountForShift>(exec, thisObj, 0, 1, 0, length);
> 
> Doesn't the call to shift have observable side effects?

Before calling observable side effect like calling getters in the shift function, workaround exception checking in callGetter code works and it immediately returns.
Comment 6 Yusuke Suzuki 2015-04-02 12:55:48 PDT 
In fact, when dropping the workaround check in callGetter, we can see the regression with the attached test cases in this issue.
Comment 7 Ahmad Saleem 2022-10-05 15:43:27 PDT 
I checked the bug ID in Webkit GitHub but it seems this r+ patch didn't landed. But this patch was trying to modify following portion of code +/- few lines:

https://github.com/WebKit/WebKit/blob/3c9c31d0fd7c9a2c6579790319f90dc88f98f4f5/Source/JavaScriptCore/runtime/ArrayPrototype.cpp#L1024

Do we need this or we can land only test or we don't need it at all.

Appreciate if someone can comment and do actions accordingly. Thanks!