RESOLVED FIXED154475
Builtins that should not rely on iteration do. 
https://bugs.webkit.org/show_bug.cgi?id=154475
Summary Builtins that should not rely on iteration do.
Mark S. Miller
Reported 2016-02-19 14:52:11 PST
Created attachment 271806 [details] Open this web page in Safari and Webkit Nightly, and open the console Now that the latest WebKit seems to mostly work again on the SES selftest page https://rawgit.com/tvcutsem/es-lab/master/src/ses/contract.html I was seeing some new failures. But this time I was able to debug (thanks!) and isolate the problem. The new problem is that the builtins used by http://wiki.ecmascript.org/doku.php?id=conventions:safe_meta_programming all of which redate ES6 now depend on iterator.next behavior in violation of the ES6 spec. You can see it yourself by opening the badbind.html in Safari and Webkit Nightly, opening the console, and seeing what's there. Works fine on Safari and on every other browser I tested. Fails on the latest WebKit nightly. Note that I'll be updating the SES selftest page to stop removing .next, because of this bug, so the SES selftest page will stop being a good test.
Attachments
Open this web page in Safari and Webkit Nightly, and open the console (1.47 KB, text/html)
2016-02-19 14:52 PST, Mark S. Miller 		no flags
Details
Screenshot showing Safari working and WebKit failing the badbind.html test for this bug (1.18 MB, image/png)
2016-02-19 14:53 PST, Mark S. Miller 		no flags
Details
Patch (2.98 KB, patch)
2016-02-22 09:41 PST, Keith Miller 		no flags
DetailsFormatted DiffDiff
Benchmark results (64.81 KB, text/plain)
2016-02-22 11:08 PST, Keith Miller 		no flags
Details
View All Add attachment proposed patch, testcase, etc.
Mark S. Miller
Comment 1 2016-02-19 14:53:57 PST
Created attachment 271807 [details] Screenshot showing Safari working and WebKit failing the badbind.html test for this bug
Keith Miller
Comment 2 2016-02-19 15:09:14 PST
I think this is because of my patch (http://trac.webkit.org/changeset/196734). I didn't realize that arguments iterator was observable from outside it's scope. Working on this now.
Mark S. Miller
Comment 3 2016-02-19 15:58:36 PST
Although this specific test passes on all other browsers, note that Chrome50 Canary has a similar but different problem: https://bugs.chromium.org/p/v8/issues/detail?id=4769
Keith Miller
Comment 4 2016-02-22 09:41:37 PST
Created attachment 271926 [details] Patch
Keith Miller
Comment 5 2016-02-22 11:08:36 PST
Created attachment 271931 [details] Benchmark results
Geoffrey Garen
Comment 6 2016-02-22 11:38:07 PST
Comment on attachment 271926 [details] Patch View in context: https://bugs.webkit.org/attachment.cgi?id=271926&action=review r=me > Source/JavaScriptCore/builtins/FunctionPrototype.js:33 > + @putByValDirect(argumentValues, i-1, arguments[i]); Spacing around - 1.
WebKit Commit Bot
Comment 7 2016-02-22 11:42:58 PST
Comment on attachment 271926 [details] Patch Clearing flags on attachment: 271926 Committed r196949: <http://trac.webkit.org/changeset/196949>
WebKit Commit Bot
Comment 8 2016-02-22 11:43:03 PST
All reviewed patches have been landed. Closing bug.
Note You need to log in before you can comment on or make changes to this bug.