[Webkit-unassigned] [Bug 261815] New: Bugs in negated `in` and `instanceof` expressions

bugzilla-daemon at webkit.org bugzilla-daemon at webkit.org
Wed Sep 20 04:33:52 PDT 2023


https://bugs.webkit.org/show_bug.cgi?id=261815

            Bug ID: 261815
           Summary: Bugs in negated `in` and `instanceof` expressions
           Product: WebKit
           Version: WebKit Nightly Build
          Hardware: Unspecified
                OS: Unspecified
            Status: NEW
          Severity: Normal
          Priority: P2
         Component: New Bugs
          Assignee: webkit-unassigned at lists.webkit.org
          Reporter: pablo.gobe at gmail.com

`in` and `instanceof` expressions in JS
```js
a in obj;
a instanceof C;
```
can be negated by grouping them and applying the `!` operator, i.e.

```js
!(a in obj);
!(a instanceof C);
```

Applying the `!` operator incorrectly (on the LHS operand) leads to bugs:
```js
!a in obj; // will evaluate to false, unless obj has a "true" or "false" key
!a instanceof C; // will evaluate to false, unless C overrides instanceof with a @@hasInstance method
```
For more information, please see https://developer.mozilla.org/en-US/docs/Web/JavaScript/Reference/Operators/instanceof#not_an_instanceof and the recommended ESLint rule no-unsafe-negation, https://eslint.org/docs/latest/rules/no-unsafe-negation.

I have found several potentially problematic instances of the above bugs in your codebase:

`in` bugs:
https://sourcegraph.com/search?q=context:global+repo:%5Egithub%5C.com/WebKit/WebKit%24+lang:javascript+/%5C%21%5B%5B:alnum:%5D%5C%27%5C%22%5D%2B+in+%5B%5B:alnum:%5D%5D%2B/+-file:%5C.min%5C.js%24+count:all&patternType=standard&sm=1&groupBy=repo

`instanceof` bugs:
https://sourcegraph.com/search?q=context:global+repo:%5Egithub%5C.com/WebKit/WebKit%24+lang:javascript+/%5C%21%5B%5B:alnum:%5D%5D%2B+instanceof+%5B%5B:alnum:%5D%5D%2B/+-file:%5C.min%5C.js%24+count:all&patternType=standard&sm=1&groupBy=repo

-- 
You are receiving this mail because:
You are the assignee for the bug.
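
The precedence problem from the report, as an added example that is not part of the original bug report or of WebKit's code: it shows what each negated form evaluates to and flags the unsafe forms with JavaScript-regex equivalents of the report's two search patterns. All function names, the `AcceptsBooleans` class and the sample source lines are constructed for illustration.

```javascript
// `!` binds tighter than `in` / `instanceof`, so `!a in obj` parses as `(!a) in obj`.
function unsafeNotIn(key, obj) { return !key in obj; }        // looks up "true" or "false"
function safeNotIn(key, obj) { return !(key in obj); }
function unsafeNotInstance(v, C) { return !v instanceof C; }  // tests a boolean, not v
function safeNotInstance(v, C) { return !(v instanceof C); }

// Hypothetical class overriding Symbol.hasInstance (the @@hasInstance case in the report).
class AcceptsBooleans {
  static [Symbol.hasInstance](v) { return typeof v === "boolean"; }
}

// JS-regex equivalents of the report's search patterns ([[:alnum:]] written as [A-Za-z0-9]).
const UNSAFE_IN = /![A-Za-z0-9'"]+ in [A-Za-z0-9]+/;
const UNSAFE_INSTANCEOF = /![A-Za-z0-9]+ instanceof [A-Za-z0-9]+/;

// Return {line, kind, text} for every source line that matches either pattern.
function findUnsafeNegations(source) {
  const hits = [];
  source.split("\n").forEach((text, i) => {
    if (UNSAFE_IN.test(text)) hits.push({ line: i + 1, kind: "in", text: text.trim() });
    if (UNSAFE_INSTANCEOF.test(text)) {
      hits.push({ line: i + 1, kind: "instanceof", text: text.trim() });
    }
  });
  return hits;
}

// Constructed sample input: two guards written unsafely, two written correctly.
const SAMPLE = [
  "if (!name in allowed) reject();",
  "if (!(name in allowed)) reject();",
  "if (!err instanceof TypeError) throw err;",
  "if (!(err instanceof TypeError)) throw err;",
].join("\n");

// The unsafe guard never fires for a missing key; the grouped form does.
console.log(unsafeNotIn("admin", { user: 1 }), safeNotIn("admin", { user: 1 }));
console.log(findUnsafeNegations(SAMPLE));
```

Like the search queries in the report, the regexes are a line-based heuristic; the ESLint rule works on the parsed syntax tree and is the more reliable check.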