Closed Bug 1369680 Opened 6 years ago Closed 6 years ago

Functions and arguments shouldn't use HasProperty to trigger reflection of lazy properties

Categories

(Core :: JavaScript Engine, enhancement)

Product:
Core
Component:
JavaScript Engine
Type:
enhancement
Priority:
Not set
Severity:
normal

Tracking

()

Status:
RESOLVED FIXED
Milestone:
mozilla55
Tracking Flags:
Tracking Status
firefox55 --- fixed

People

(Reporter: anba, Assigned: anba)

Details

Attachments

(1 file)

bug1369680.patch
5.15 KB, patch
jandem
: review+
Details | Diff | Splinter Review 
Test case:
function enumerateArgs() {
    var a = arguments;
    Object.setPrototypeOf(a, new Proxy(Object.prototype, {
        has(t, pk) {
            print("Has", String(pk));
            return Reflect.has(t, pk)
        }
    }));
    delete a.length;
    for (var k in a);
}
enumerateArgs();


function enumerateFunction() {
    function f() {}
    Object.setPrototypeOf(f, new Proxy(Object.prototype, {
        has(t, pk) {
            print("Has", String(pk));
            return Reflect.has(t, pk)
        }
    }));
    delete f.length;
    for (var k in f);
}
enumerateFunction();
---


Expected: "Has length" is not printed
Actual: "Has length" is printed for both test functions
While looking into bug 1364816 I noticed the browser does something similar for the global object (calling JS_HasUCProperty). It may be nice to overhaul all this stuff at the same time (change the enumerate hook to just return the lazy properties or something).
(In reply to Jan de Mooij [:jandem] from comment #1)
> While looking into bug 1364816 I noticed the browser does something similar
> for the global object (calling JS_HasUCProperty). It may be nice to overhaul
> all this stuff at the same time (change the enumerate hook to just return
> the lazy properties or something).

I was thinking about just replacing HasProperty with HasOwnProperty for the function/arguments case. Is it possible for the browser components to use JSNewEnumerateOp?
(In reply to André Bargull from comment #2)
> I was thinking about just replacing HasProperty with HasOwnProperty for the
> function/arguments case.

Ah yes that makes sense.

> Is it possible for the browser components to use JSNewEnumerateOp?

Yeah I hope we can make that work somehow...
Attached patch bug1369680.patchSplinter Review 
Simply replaces HasProperty with HasOwnProperty in fun_enumerate, MappedArgumentsObject::obj_enumerate, and UnmappedArgumentsObject::obj_enumerate.
Assignee: nobody → andrebargull
Status: NEW → ASSIGNED
Attachment #8873860 - Flags: review?(jdemooij)
Comment on attachment 8873860 [details] [diff] [review]
bug1369680.patch

Review of attachment 8873860 [details] [diff] [review]:
-----------------------------------------------------------------

Nice find!
Attachment #8873860 - Flags: review?(jdemooij) → review+
Pushed by ryanvm@gmail.com:
https://hg.mozilla.org/integration/mozilla-inbound/rev/a6aa43c2ff31
Use HasOwnProperty when resolving lazy properties to avoid triggering proxy traps in the proto-chain. r=jandem
Keywords: checkin-needed
https://hg.mozilla.org/mozilla-central/rev/a6aa43c2ff31
Status: ASSIGNED → RESOLVED
Closed: 6 years ago
status-firefox55: --- → fixed
Resolution: --- → FIXED
Target Milestone: --- → mozilla55
You need to log in before you can comment on or make changes to this bug.