[Webkit-unassigned] [Bug 171158] New: Incorrect behavior for array iteration if iterator behavior changes partway through
bugzilla-daemon at webkit.org
Fri Apr 21 21:20:19 PDT 2017
https://bugs.webkit.org/show_bug.cgi?id=171158
Bug ID: 171158
Summary: Incorrect behavior for array iteration if iterator behavior changes partway through
Product: WebKit
Version: WebKit Nightly Build
Hardware: Unspecified
OS: Unspecified
Status: NEW
Severity: Normal
Priority: P2
Component: JavaScriptCore
Assignee: webkit-unassigned at lists.webkit.org
Reporter: bzbarsky at mit.edu
Consider this (shell; in a browser, replace print with alert) testcase:
var iter = [][Symbol.iterator]();
var iterProto = Object.getPrototypeOf(iter);
var oldNext = iterProto.next;
function hackedNext() {
  var val = oldNext.call(this);
  if ("value" in val) {
    val.value++;
  }
  return val;
}
var arr = [1,,3];
Object.defineProperty(arr, 1,
  { get: function() { iterProto.next = hackedNext; return 2 } });
print([...arr]);
This should print "1,2,4", and does in SpiderMonkey and V8. In JSC, at least as tested via Safari and WebKit nightlies, it prints "1,2,3".
I believe that this is because isIteratorProtocolFastAndNonObservable() (as called from either operationSpreadGeneric or the slow_path_spread slow path) is true for this array when the spread operation starts. But it starts being false partway through, when the getter for the property at index 1 runs...
--
You are receiving this mail because:
You are the assignee for the bug.
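The check-once-then-copy gap described in the report, modelled in plain JavaScript as an added example (not part of the original report and not JavaScriptCore code). The names `protocolIsPristine`, `spreadViaProtocol`, `spreadCheckedOnce`, `makeReportArray` and `run` are hypothetical, and neither model uses the engine's built-in spread, so the results do not depend on the engine running them.

```javascript
// Added illustration: a JavaScript model, not JavaScriptCore source.
const iterProto = Object.getPrototypeOf([][Symbol.iterator]());
const pristineNext = iterProto.next;

// Hypothetical stand-in for isIteratorProtocolFastAndNonObservable().
const protocolIsPristine = () => iterProto.next === pristineNext;

// Behaviour the report expects: "next" is looked up again on every step.
function spreadViaProtocol(arr) {
  const out = [];
  const it = arr[Symbol.iterator]();
  for (let step = it.next(); !step.done; step = it.next()) out.push(step.value);
  return out;
}

// Behaviour the report describes: one check up front, then an index copy.
// arr[i] can run a getter, so the checked condition can stop holding mid-loop.
function spreadCheckedOnce(arr) {
  if (!protocolIsPristine()) return spreadViaProtocol(arr);
  const out = [];
  for (let i = 0; i < arr.length; i++) out.push(arr[i]);
  return out;
}

// Constructed input: the array from the report, with the getter at index 1.
function makeReportArray() {
  const arr = [1, , 3];
  Object.defineProperty(arr, 1, {
    get() {
      iterProto.next = function hackedNext() {
        const val = pristineNext.call(this);
        if ("value" in val) val.value++;
        return val;
      };
      return 2;
    },
  });
  return arr;
}

// Run one model on a fresh array, then restore the shared prototype.
function run(spread) {
  try { return spread(makeReportArray()).join(","); }
  finally { iterProto.next = pristineNext; }
}

console.log(run(spreadViaProtocol), "vs", run(spreadCheckedOnce));
```

The two models diverge only because the getter at index 1 runs after the up-front check; an array without accessors gives the same output from both.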