[Webkit-unassigned] [Bug 142792] New: Objects with numeric properties intermittently get a phantom 'length' property

bugzilla-daemon at webkit.org bugzilla-daemon at webkit.org
Tue Mar 17 14:53:56 PDT 2015 

https://bugs.webkit.org/show_bug.cgi?id=142792

            Bug ID: 142792
           Summary: Objects with numeric properties intermittently get a
                    phantom 'length' property
    Classification: Unclassified
           Product: WebKit
           Version: 528+ (Nightly build)
          Hardware: iOS
                OS: iOS 8.1
            Status: NEW
          Severity: Normal
          Priority: P2
         Component: JavaScriptCore
          Assignee: webkit-unassigned at lists.webkit.org
          Reporter: osolo at wndtabs.com

There is a timing bug in iOS8 that causes mobile Safari to incorrectly report a 'length' on objects that don't have one.

To the best of my knowledge, this happens on iOS8+, possibly only on 64-bit systems. The bug is triggered for objects that have only numeric properties. For example:

  foo = { 1: 'a', 2: 'b', 3: 'c' } 

In this case, if you query foo.length then mobile Safari will sometimes return 4 (the highest property + 1).

This causes strange failures in functions like jQuery's $.each() or Underscore's _.each() since the appearance of the '.length' property makes them believe the object is an array.

When the bug manifests itself, the following be true:
  a = foo.length;
  b = typeof a;
  c = foo.hasOwnProperty('length')
-->
  a == 4         // should have been undefined
  b == 'number'  // should have been 'undefined'
  c == false     // correct

Both jQuery and Underscore to use the 'typeof' test on the length property, and I have advised them to add an 'hasOwnProperty' check as well.

You can see more background and some repro steps at the following Stack Overflow discussion: http://stackoverflow.com/questions/28155841/misterious-failure-of-jquery-each-and-underscore-each-on-ios

The Underscore team have apparently managed to create an automated test for this: https://github.com/jashkenas/underscore/issues/2081

The jQuery issue is here: https://github.com/jquery/jquery/issues/2145

-- 
You are receiving this mail because:
You are the assignee for the bug.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.webkit.org/pipermail/webkit-unassigned/attachments/20150317/ee891d3f/attachment-0002.html>

More information about the webkit-unassigned mailing list