RESOLVED FIXED Bug 230150
[JSC][32bit] in-by-val fails inside for-in loop after delete 
https://bugs.webkit.org/show_bug.cgi?id=230150
Summary [JSC][32bit] in-by-val fails inside for-in loop after delete
Xan Lopez
Reported 2021-09-10 06:43:25 PDT
Test: function test2() { let o = { a:20, b:30, c:40, d:50 }; for (let p in o) { delete o[p]; if (p in o) print("wtf"); } } for (let i = 0; i < 1000; i++) test2(); Execution: xlopez@bbox-11-armhf:~/WebKit$ ./WebKitBuild/Debug/bin/jsc -f ../js/in-by-test.js Exception: TypeError: o is not an Object. (evaluating 'p in o') test2@../js/in-by-test.js:11:18 global code@../js/in-by-test.js:16:10 I believe this is fallout from https://commits.webkit.org/r280760, can be reproduced easily in ToT after the WIP patch in bug #229543 is applied.
Attachments
v1 (2.08 KB, patch)
2021-09-13 03:04 PDT, Xan Lopez 		no flags
DetailsFormatted DiffDiff
View All Add attachment proposed patch, testcase, etc.
Xan Lopez
Comment 1 2021-09-13 03:04:21 PDT
Created attachment 438025 [details] v1 This was a very silly mistake in the end.
EWS
Comment 2 2021-09-13 10:37:09 PDT
Committed r282336 (241603@main): <https://commits.webkit.org/241603@main> All reviewed patches have been landed. Closing bug and clearing flags on attachment 438025 [details].
Radar WebKit Bug Importer
Comment 3 2021-09-13 10:38:21 PDT
<rdar://problem/83062246>
Note You need to log in before you can comment on or make changes to this bug.