[Webkit-unassigned] [Bug 171158] New: Incorrect behavior for array iteration if iterator behavior changes partway through

bugzilla-daemon at webkit.org bugzilla-daemon at webkit.org
Fri Apr 21 21:20:19 PDT 2017


https://bugs.webkit.org/show_bug.cgi?id=171158

            Bug ID: 171158
           Summary: Incorrect behavior for array iteration if iterator
                    behavior changes partway through
           Product: WebKit
           Version: WebKit Nightly Build
          Hardware: Unspecified
                OS: Unspecified
            Status: NEW
          Severity: Normal
          Priority: P2
         Component: JavaScriptCore
          Assignee: webkit-unassigned at lists.webkit.org
          Reporter: bzbarsky at mit.edu

Consider this (shell; in a browser, replace print with alert) testcase:

  var iter = [][Symbol.iterator]();
  var iterProto = Object.getPrototypeOf(iter);
  var oldNext = iterProto.next;

  function hackedNext() {
    var val = oldNext.call(this);
    if ("value" in val) {
      val.value++;
    }
    return val;
  }

  var arr = [1,,3];
  Object.defineProperty(arr, 1,
                        { get: function() { iterProto.next = hackedNext; return 2 } });
  print([...arr]);

This should print "1,2,4", and does in SpiderMonkey and V8.  In JSC, at least as tested via Safari and WebKit nightlies, it prints "1,2,3".

I believe that this is because isIteratorProtocolFastAndNonObservable() (as called from either operationSpreadGeneric or the slow_path_spread slow path) is true for this array when the spread operation starts.  But it starts being false partway through, when the getter for the property at index 1 runs...
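As an added example (not part of the report above or of JSC's source), the two strategies side by side in plain JavaScript: a spec-style spread that calls next() afresh on every step, and a simulated fast path that, like the isIteratorProtocolFastAndNonObservable() check described above, decides once up front and never looks at next() again. The names specSpread, fastPathSpread and isProtocolPristine are my own stand-ins for illustration, not JSC internals.

```javascript
// %ArrayIteratorPrototype% and a pristine copy of its next(), used as the
// stand-in for the engine's "is the protocol unobservable?" check.
const ArrayIteratorPrototype = Object.getPrototypeOf([][Symbol.iterator]());
const pristineNext = ArrayIteratorPrototype.next;

function isProtocolPristine(arr) {
  return ArrayIteratorPrototype.next === pristineNext &&
         arr[Symbol.iterator] === Array.prototype[Symbol.iterator];
}

// Spec-style spread: the iterator is obtained once, but the *current*
// next() is looked up on every step, so a mid-iteration swap is observed.
function specSpread(iterable) {
  const out = [];
  const iter = iterable[Symbol.iterator]();
  for (;;) {
    const res = iter.next();            // resolved afresh each step
    if (res.done) return out;
    out.push(res.value);
  }
}

// Simulated fast path: check the protocol once, then walk indices directly.
// The index read at i === 1 runs the getter, but next() is never consulted
// again, so the swapped-in next() is missed. That is the discrepancy reported.
function fastPathSpread(arr) {
  if (!isProtocolPristine(arr)) return specSpread(arr);
  const out = [];
  for (let i = 0; i < arr.length; i++) out.push(arr[i]);
  return out;
}

// The report's testcase, rebuilt fresh for each run (constructed input).
function hackedNext() {
  const val = pristineNext.call(this);
  if ("value" in val) val.value++;
  return val;
}
function buildTestArray() {
  const arr = [1, , 3];
  Object.defineProperty(arr, 1, {
    get() { ArrayIteratorPrototype.next = hackedNext; return 2; }
  });
  return arr;
}

// Runs both strategies and always restores the shared prototype afterwards.
function runComparison() {
  try {
    const spec = specSpread(buildTestArray());
    ArrayIteratorPrototype.next = pristineNext;   // reset between runs
    const fast = fastPathSpread(buildTestArray());
    return { spec, fast };
  } finally {
    ArrayIteratorPrototype.next = pristineNext;   // undo the global mutation
  }
}
```

specSpread yields 1,2,4 (the SpiderMonkey/V8 result) and fastPathSpread yields 1,2,3 (the JSC result in the report); the try/finally matters because the testcase mutates a prototype shared by every array iterator in the realm.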
