[Webkit-unassigned] [Bug 177772] New: many properties appearing on object when assigning numeric keys and values
bugzilla-daemon at webkit.org
bugzilla-daemon at webkit.org
Mon Oct 2 13:25:04 PDT 2017
https://bugs.webkit.org/show_bug.cgi?id=177772
Bug ID: 177772
Summary: many properties appearing on object when assigning
numeric keys and values
Product: WebKit
Version: Safari 10
Hardware: Macintosh
OS: Unspecified
Status: NEW
Severity: Normal
Priority: P2
Component: JavaScriptCore
Assignee: webkit-unassigned at lists.webkit.org
Reporter: craft at soe.ucsc.edu
Sometimes when assigning numeric values to numeric keys, an object abruptly acquires hundreds of keys with value NaN.
I'm unable to reproduce this outside of a large application, however here is a cut & paste from the debugger. The
breakpoint is in underscore's _.object() method, on the condition that Object.keys(result) is larger than list.length.
> var result2 = {}
< undefined
> for (var k = 0; k < 6; ++k) { result2[list[k]] = values[k]; }
< 5
> JSON.stringify(result2)
< "{\"134\":1,\"180\":3,\"202\":2,\"213\":4,\"332\":5,\"832\":0}"
> result2[list[6]]=values[6]
< 6
> JSON.stringify(result2).slice(0, 100)
< "{\"0\":null,\"1\":null,\"2\":null,\"3\":null,\"4\":null,\"5\":null,\"6\":null,\"7\":null,\"8\":null,\"9\":null,\"10\":null"
> JSON.stringify(list.slice(0, 7))
< "[832,134,202,180,213,332,1154]"
> JSON.stringify(values.slice(0, 7))
< "[0,1,2,3,4,5,6]"
> result2[0]
< NaN
It looks very much like an optimization that changes the backing store to a dense array of integers (hence the NaN values), that is leaking into the exposed properties of the object. Similar to the earlier 'phantom length' problem, perhaps.
--
You are receiving this mail because:
You are the assignee for the bug.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.webkit.org/pipermail/webkit-unassigned/attachments/20171002/e42d9715/attachment.html>
More information about the webkit-unassigned
mailing list