WebKit Bugzilla
RESOLVED FIXED
149811
Iterator loops over key twice after delete
https://bugs.webkit.org/show_bug.cgi?id=149811
Timon Orawski
Reported
2015-10-05 10:29:13 PDT
Created attachment 262446: reproducible test case

The following code iterates twice over the key "0" in the object cols - despite it only existing in the object once.

<html>
<head>
<script>
var f = function() {
    "use strict";
    var cols = {"col":{"title":" ","type":"sys","events":[],"name":0,"id":0,"_i":0}};
    var len = 0;
    var remapcols = ['col'];
    for (var i = 0; i < remapcols.length; i++) {
        cols[cols[remapcols[i]].name] = cols[remapcols[i]];
        delete cols[remapcols[i]];
    }
    var count = 0;
    console.group("object:")
    console.log(cols);
    console.groupEnd();
    console.group("This group should only contain one line");
    for (var col2 in cols) {
        console.log("" + count++ +": Iterating over key: " + col2);
    }
    console.groupEnd();
};
f();
</script>
</head>
<body>
Check console log, expected output is a single log entry "0: Iterating over key: 0"
</body>
</html>
Attachments
reproducible test case (753 bytes, text/html), 2015-10-05 10:29 PDT, Timon Orawski, no flags
Patch (3.98 KB, patch), 2015-10-11 09:24 PDT, Yusuke Suzuki, no flags
Patch (4.06 KB, patch), 2015-10-11 09:26 PDT, Yusuke Suzuki, ggaren: review+
Radar WebKit Bug Importer
Comment 1
2015-10-06 11:04:08 PDT
<rdar://problem/22993722>
Yusuke Suzuki
Comment 2
2015-10-11 06:11:54 PDT
Still investigating. But a possible fix is setting indexedLength = 0; for the non-generic JSPropertyNameEnumerator creation case.
Yusuke Suzuki
Comment 3
2015-10-11 09:24:34 PDT
Created attachment 262862 (Patch)
Yusuke Suzuki
Comment 4
2015-10-11 09:26:51 PDT
Created attachment 262863 (Patch)
Geoffrey Garen
Comment 5
2015-10-12 12:06:56 PDT
Comment on attachment 262863 (Patch)
View in context: https://bugs.webkit.org/attachment.cgi?id=262863&action=review
r=me
> Source/JavaScriptCore/runtime/JSPropertyNameEnumerator.h:128 > + // So disabling indexed property enumeration phase by setting |indexedLength| to 0.
disabling => disable
Yusuke Suzuki
Comment 6
2015-10-12 20:23:23 PDT
Comment on attachment 262863 (Patch)
View in context: https://bugs.webkit.org/attachment.cgi?id=262863&action=review
>> Source/JavaScriptCore/runtime/JSPropertyNameEnumerator.h:128 >> + // So disabling indexed property enumeration phase by setting |indexedLength| to 0. > > disabling => disable
Thanks. Fixed.
Yusuke Suzuki
Comment 7
2015-10-12 20:24:39 PDT
Committed r190923: <http://trac.webkit.org/changeset/190923>
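
A regression check for the behaviour reported in this bug, as an added example that is not part of the thread or of WebKit's test suite: it reruns the reporter's remap-then-delete pattern and flags any key that for-in visits more than once, never visits, or that Object.keys does not list. The helper names and the second object shape are constructed here, and the check assumes plain objects with no enumerable inherited properties.

```javascript
// Added example, not WebKit's own test; assumes no enumerable inherited properties.

// Keys in the order for-in reports them; the bug showed up as a repeated entry.
function forInKeys(obj) {
  const seen = [];
  for (const key in obj) seen.push(key);
  return seen;
}

// Compare for-in against Object.keys and describe every disagreement.
function enumerationAnomalies(obj) {
  const expected = new Set(Object.keys(obj));
  const counts = new Map();
  for (const key of forInKeys(obj)) counts.set(key, (counts.get(key) || 0) + 1);
  const anomalies = [];
  for (const [key, n] of counts) {
    if (n > 1) anomalies.push(key + ": visited " + n + " times");
    if (!expected.has(key)) anomalies.push(key + ": not an own enumerable key");
  }
  for (const key of expected) {
    if (!counts.has(key)) anomalies.push(key + ": never visited");
  }
  return anomalies;
}

// Re-add each listed entry under its numeric `name`, then delete the old key,
// as the reporter's loop over remapcols does.
function remap(obj, keys) {
  for (const k of keys) {
    obj[obj[k].name] = obj[k];
    delete obj[k];
  }
  return obj;
}

// The reporter's shape, reduced to the fields the loop uses.
function reporterCase() {
  return remap({ col: { name: 0, id: 0 } }, ["col"]);
}

// Constructed variation: two remaps plus a named key that stays in place.
function mixedCase() {
  return remap({ a: { name: 2 }, b: { name: 0 }, keep: { name: "keep" } }, ["a", "b"]);
}

for (const [label, obj] of [["reporter", reporterCase()], ["mixed", mixedCase()]]) {
  const found = enumerationAnomalies(obj);
  console.log(label, forInKeys(obj), found.length ? found : "ok");
}
```

On an engine with the defect described in this bug, the reporter case would list "0: visited 2 times" instead of "ok".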