[Webkit-unassigned] [Bug 230150] New: [JSC] in-by-val fails inside for-in loop after delete
bugzilla-daemon at webkit.org
bugzilla-daemon at webkit.org
Fri Sep 10 06:43:25 PDT 2021
https://bugs.webkit.org/show_bug.cgi?id=230150
Bug ID: 230150
Summary: [JSC] in-by-val fails inside for-in loop after delete
Product: WebKit
Version: WebKit Nightly Build
Hardware: Unspecified
OS: Unspecified
Status: NEW
Severity: Normal
Priority: P2
Component: JavaScriptCore
Assignee: webkit-unassigned at lists.webkit.org
Reporter: xan.lopez at gmail.com
Test:
function test2() {
let o = {
a:20,
b:30,
c:40,
d:50
};
for (let p in o) {
delete o[p];
if (p in o)
print("wtf");
}
}
for (let i = 0; i < 1000; i++)
test2();
Execution:
xlopez at bbox-11-armhf:~/WebKit$ ./WebKitBuild/Debug/bin/jsc -f ../js/in-by-test.js
Exception: TypeError: o is not an Object. (evaluating 'p in o')
test2 at ../js/in-by-test.js:11:18
global code at ../js/in-by-test.js:16:10
I believe this is fallout from https://commits.webkit.org/r280760, can be reproduced easily in ToT after the WIP patch in bug #229543 is applied.
--
You are receiving this mail because:
You are the assignee for the bug.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.webkit.org/pipermail/webkit-unassigned/attachments/20210910/28551048/attachment.htm>
More information about the webkit-unassigned
mailing list