Bug 230150 - [JSC][32bit] in-by-val fails inside for-in loop after delete
Status: RESOLVED FIXED
Alias: None
Product: WebKit
Classification: Unclassified
Component: JavaScriptCore
Version: WebKit Nightly Build
Hardware: Unspecified Unspecified
Importance: P2 Normal
Assignee: Nobody
URL:
Keywords: InRadar
Depends on:
Blocks:
 
Reported: 2021-09-10 06:43 PDT by Xan Lopez
Modified: 2021-09-13 10:38 PDT

Attachments
v1 (2.08 KB, patch)
2021-09-13 03:04 PDT, Xan Lopez

Description Xan Lopez 2021-09-10 06:43:25 PDT
Test:

function test2() {
    let o = {
        a:20,
        b:30,
        c:40,
        d:50
    };

    for (let p in o) {
        delete o[p];
        if (p in o)
            print("wtf");
    }
}
for (let i = 0; i < 1000; i++)
    test2();

Execution:

xlopez@bbox-11-armhf:~/WebKit$ ./WebKitBuild/Debug/bin/jsc -f ../js/in-by-test.js 
Exception: TypeError: o is not an Object. (evaluating 'p in o')
test2@../js/in-by-test.js:11:18
global code@../js/in-by-test.js:16:10

I believe this is fallout from https://commits.webkit.org/r280760, can be reproduced easily in ToT after the WIP patch in bug #229543 is applied.
Comment 1 Xan Lopez 2021-09-13 03:04:21 PDT
Created attachment 438025
v1

This was a very silly mistake in the end.
Comment 2 EWS 2021-09-13 10:37:09 PDT
Committed r282336 (241603@main): <https://commits.webkit.org/241603@main>

All reviewed patches have been landed. Closing bug and clearing flags on attachment 438025.
Comment 3 Radar WebKit Bug Importer 2021-09-13 10:38:21 PDT
<rdar://problem/83062246>