Properties without DontEnum are sometimes not enumerated



9 years ago
4 years ago


(Reporter: heycam, Assigned: Attila Szegedi)


Bug Flags:
in-testsuite +



(1 attachment)



9 years ago
User-Agent:       Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.2a1pre) Gecko/20081214 Minefield/3.2a1pre
Build Identifier: Rhino 1.7 release 3 PRERELEASE 2008 12 17

Certain sequences of operations on an object can cause a property to be not placed in the ordered linked list of properties.  Specifically this happens when:

  * A property p1 with slot index X is created
  * A property p2 with slot index Y (where X != Y) is created
  * Property p2 is deleted
  * The object's properties are enumerated
  * A property p3 with slot index Y is created

After this, p3 is on the object, but won't be enumerated.

Reproducible: Always

Steps to Reproduce:
Evaluate the following script:

o = { }
o.PageLeft = 1
o.Rect2 = 6
delete o.Rect2
for (var p in o);
o.Rect3 = 7
found = false
for (var p in o) if (p == 'Rect3') found = true
java.lang.System.out.println("found = " + found)

Actual Results:  
Prints out "found = false".

Expected Results:  
Print out "found = true".

Comment 1

9 years ago
Created attachment 353354 [details] [diff] [review]
Patch for the bug

The bug is that lastAdded is not updated when the final slot of the ordered property linked list is removed due to it having wasDeleted == true.  If this happens, then when a property slot is created after this, it will be assigned to lastAdded.orderedNext inside accessSlot(), resulting in it not being reached when traversing the list starting from firstAdded the next time the properties are enumerated.

The patch updates getIds(boolean) to ensure lastAdded remains pointing to the last slot in the list.
Attachment #353354 - Flags: review?

Comment 2

9 years ago
Actually, disregard the stuff about the slot indexes in the first comment, that's a red herring.  The situation the bug occurs in is just:

  * Start with an object that has at least one property and which hasn't had
    its most recently added property (or properties) deleted
  * Create a property p1
  * Delete property p1
  * Enumerate the object's properties
  * Create property p2 (where p2 ! p1)

Then p2 won't be enumerated.

Comment 3

9 years ago
Committed to CVS HEAD; also added a unit test (confirmed that it failed before the patch and it passes after the patch).

cvs ci -m "Fix (and testcase) for Bug #469937 "Properties without DontEnum are sometimes not enumerated"" -l "/tests/ecma_3/Regress/regress-469937.js"
    RCS file: /cvsroot/mozilla/js/tests/ecma_3/Regress/regress-469937.js,v
    Checking in ecma_3/Regress/regress-469937.js;
    /cvsroot/mozilla/js/tests/ecma_3/Regress/regress-469937.js,v  <--  regress-469937.js
    initial revision: 1.1
ok (took 0:11.235)

cvs ci -m "Fix (and testcase) for Bug #469937 "Properties without DontEnum are sometimes not enumerated"" -l "/Rhino/src/org/mozilla/javascript/"
    Checking in src/org/mozilla/javascript/;
    /cvsroot/mozilla/js/rhino/src/org/mozilla/javascript/,v  <--
    new revision: 1.142; previous revision: 1.141
ok (took 0:05.722)
Last Resolved: 9 years ago
Resolution: --- → FIXED


9 years ago
Assignee: nobody → szegedia

Comment 4

9 years ago
Fix propagated to 1.7R2 release branch

Comment 5

9 years ago
Flags: in-testsuite+


4 years ago
Attachment #353354 - Flags: review?
You need to log in before you can comment on or make changes to this bug.