563597 - for-in loop can be tricked into enumerating the same index value more than once

Status: RESOLVED WONTFIX

(Tamarin Graveyard :: Virtual Machine, defect, P3)

Description

[Lars T Hansen]

The trick is to insert objects into the hash table during enumeration: Rehashing reorganizes the hash table, and since the implementation of enumeration has a goldfish memory (it remembers only the 'index', which happens to be the actual index in the actual hash table, which is irrelevant/wrong following a rehash) it may reach an already-enumerated index in its new location.

This may be the same problem as in bug #513016, but the test cases are sufficiently different that it seemed to warrant a new bug.

Elaborate test case:

var vs = [["0--", 5],
	  ["bloons", 3],
	  ["abra", 4],
	  ["snigger", 6],
	  ["alert", 7],
	  ["boy", 8]];

function f() {
    var v = {"xit": 1, "cadabra": 2};
    var niter = 5;
    var previous = {};
    var j = 0;
    for ( var i in v ) {
	print(j + ":  " + i + " " + v[i] + 
             (i in previous ? (" *** " + previous[i]) : ""));
	previous[i] = j;
	j++;
	if (niter-- > 0) {
	    for ( var k=0 ; k < vs.length ; k++ )
		v[vs[k][0] + niter] = vs[k][1];
	}
    }
}
f();

Actual output based on RD build of TR 4601:1fe31e1ff4e7, MacOS 10.6.2:

0:  xit 1
1:  bloons4 3
2:  0--3 5
3:  bloons2 3
4:  bloons3 3
5:  0--1 5
6:  abra3 4
7:  bloons1 3
8:  snigger3 6
9:  abra1 4
10:  xit 1 *** 0
11:  snigger1 6
12:  cadabra 2
13:  alert1 7
14:  boy1 8
15:  alert3 7
16:  boy3 8
17:  0--2 5
18:  bloons2 3 *** 3
19:  0--4 5
20:  abra2 4
21:  bloons4 3 *** 1
22:  snigger2 6
23:  abra4 4
24:  alert2 7
25:  snigger4 6
26:  boy2 8
27:  alert4 7
28:  abra0 4
29:  boy4 8

Comment 1

[Sylvestre Ledru [:Sylvestre]]

Tamarin is a dead project now. Mass WONTFIX.

Comment 2

[Sylvestre Ledru [:Sylvestre]]

Tamarin isn't maintained anymore. WONTFIX remaining bugs.