Bug 171158 - Incorrect behavior for array iteration if iterator behavior changes partway through
Status: RESOLVED DUPLICATE of bug 171150
Product: WebKit
Classification: Unclassified
Component: JavaScriptCore
Version: WebKit Nightly Build
Hardware: Unspecified Unspecified
Importance: P2 Normal
Assignee: Nobody
Reported: 2017-04-21 21:20 PDT by Boris Zbarsky
Modified: 2017-04-24 12:35 PDT

Description Boris Zbarsky 2017-04-21 21:20:19 PDT
Consider this (shell; in a browser, replace print with alert) testcase:

  var iter = [][Symbol.iterator]();
  var iterProto = Object.getPrototypeOf(iter);
  var oldNext = iterProto.next;

  function hackedNext() {
    var val = oldNext.call(this);
    if ("value" in val) {
      val.value++;
    }
    return val;
  }
  
  var arr = [1,,3];
  Object.defineProperty(arr, 1,
                        { get: function() { iterProto.next = hackedNext; return 2 } });
  print([...arr]);

This should print "1,2,4", and does in SpiderMonkey and V8.  In JSC, at least as tested via Safari and WebKit nightlies, it prints "1,2,3".

I believe that this is because isIteratorProtocolFastAndNonObservable() (as called from either operationSpreadGeneric or the slow_path_spread slow path) is true for this array when the spread operation starts.  But it starts being false partway through, when the getter for the property at index 1 runs...
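
The behaviour described in the report above, as an added example that is not part of the original bug report or of JavaScriptCore: a hand-written spread that looks up `next` on every step, next to one that trusts a single check made before any element is read. The function names (`spreadPerStep`, `spreadCheckedOnce`, `iterationLooksPristine`, `runTestcase`) are hypothetical, and `iterationLooksPristine` is only an assumed stand-in for the kind of check isIteratorProtocolFastAndNonObservable() performs. Both paths are modelled by hand so the result does not depend on the engine running it.

```javascript
// Added illustration; all function names below are hypothetical.
const iterProto = Object.getPrototypeOf([][Symbol.iterator]());
const originalNext = iterProto.next;
const originalArrayIterator = Array.prototype[Symbol.iterator];

// Generic path: `next` is looked up again on every step, so a replacement
// installed mid-iteration takes effect from the following step onward.
function spreadPerStep(iterable) {
  const out = [];
  const iter = iterable[Symbol.iterator]();
  for (;;) {
    const step = iter.next();            // fresh property lookup each time
    if (step.done) return out;
    out.push(step.value);
  }
}

// Assumed stand-in for a "fast and non-observable" check.
function iterationLooksPristine(arr) {
  return Array.isArray(arr) &&
    arr[Symbol.iterator] === originalArrayIterator &&
    iterProto.next === originalNext;
}

// Fast path that trusts a check made once, before any element is read.
function spreadCheckedOnce(arr) {
  if (!iterationLooksPristine(arr)) return spreadPerStep(arr);
  const out = [];
  for (let i = 0; i < arr.length; i++) out.push(arr[i]); // arr[1] runs the getter
  return out;
}

// The report's testcase, parameterised over the spread implementation.
function runTestcase(spread) {
  function hackedNext() {
    const val = originalNext.call(this);
    if ("value" in val) val.value++;
    return val;
  }
  const arr = [1, , 3];
  Object.defineProperty(arr, 1, { get() { iterProto.next = hackedNext; return 2; } });
  try {
    return spread(arr).join(",");
  } finally {
    iterProto.next = originalNext;       // undo the global patch
  }
}

console.log(runTestcase(spreadPerStep), runTestcase(spreadCheckedOnce));
```
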
Comment 1 Saam Barati 2017-04-24 12:35:00 PDT

*** This bug has been marked as a duplicate of bug 171150 ***