[Webkit-unassigned] [Bug 149811] New: Iterator loops over key twice after delete
bugzilla-daemon at webkit.org
bugzilla-daemon at webkit.org
Mon Oct 5 10:29:13 PDT 2015
https://bugs.webkit.org/show_bug.cgi?id=149811
Bug ID: 149811
Summary: Iterator loops over key twice after delete
Classification: Unclassified
Product: WebKit
Version: WebKit Nightly Build
Hardware: All
OS: Unspecified
Status: NEW
Severity: Critical
Priority: P2
Component: JavaScriptCore
Assignee: webkit-unassigned at lists.webkit.org
Reporter: timon at orawski.com
Created attachment 262446
--> https://bugs.webkit.org/attachment.cgi?id=262446&action=review
reproducible test case
The following code iterates twice over the key "0" in the object cols - despite it only existing in the object once.
<html>
<head>
<script>
var f = function() {
"use strict";
var cols = {"col":{"title":" ","type":"sys","events":[],"name":0,"id":0,"_i":0}};
var len = 0;
var remapcols = ['col'];
for (var i = 0; i < remapcols.length; i++) {
cols[cols[remapcols[i]].name] = cols[remapcols[i]];
delete cols[remapcols[i]];
}
var count = 0;
console.group("object:")
console.log(cols);
console.groupEnd();
console.group("This group should only contain one line");
for (var col2 in cols) { console.log("" + count++ +": Iterating over key: " + col2); }
console.groupEnd();
};
f();</script>
</head>
<body>
Check console log, expected output is a single log entry "0: Iterating over key: 0"
</body>
</html>
--
You are receiving this mail because:
You are the assignee for the bug.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.webkit.org/pipermail/webkit-unassigned/attachments/20151005/ed3a10f7/attachment.html>
More information about the webkit-unassigned
mailing list