Using for-in on a proxy should call the enumerate trap, not the iterate trap

RESOLVED FIXED

Status

()

Core
JavaScript Engine
RESOLVED FIXED
5 years ago
3 years ago

People

(Reporter: ejpbruel, Assigned: evilpie)

Tracking

({dev-doc-complete})

Firefox Tracking Flags

(Not tracked)

Details

(Whiteboard: [js:t])

Attachments

(8 attachments, 10 obsolete attachments)

3.14 KB, text/plain
Details
31.58 KB, patch
efaust
: review+
evilpie
: checkin+
Details | Diff | Splinter Review
4.25 KB, patch
efaust
: review+
Details | Diff | Splinter Review
2.67 KB, patch
efaust
: review+
Details | Diff | Splinter Review
2.52 KB, patch
mak
: review+
Details | Diff | Splinter Review
64.34 KB, patch
efaust
: review+
bholley
: review+
Details | Diff | Splinter Review
44.42 KB, patch
bholley
: review+
efaust
: review+
Details | Diff | Splinter Review
3.59 KB, patch
efaust
: review+
Details | Diff | Splinter Review
(Reporter)

Description

5 years ago
The for-in statement doesn't actually call Proxy::enumerate, as per spec. Instead, it calls Proxy::iterate (see jsiter.cpp:683). This should be fixed.

Updated

5 years ago
Blocks: 703537

Comment 1

5 years ago
Mentionned in https://developer.mozilla.org/en-US/docs/JavaScript/Reference/Global_Objects/Proxy#Handler_API
Update the doc when this bug is fixed
Keywords: dev-doc-needed
Whiteboard: [js:t]

Comment 2

4 years ago
Actually, in both Firefox 22 and 23b02 (on CentOS 6.2 x64), for( .. in .. ) doesn't invoke neither enumerate() nor iterate() of a Proxy object - the for( .. in .. ) trap doesn't work at all. See attached Load2.html.

The only workaround is to have an iterator/generator on the target object (not on the Proxy itself), as per https://developer.mozilla.org/en-US/docs/Web/JavaScript/Guide/Iterators_and_Generators

Comment 3

4 years ago
Created attachment 771226 [details]
a showcase that for( .. in .. ) is not handed over to a Proxy handler at all

See my comment just a moment ago
Interesting, I came around this bug yesterday as well. I was trying to figure out when the Proxy::enumerate trap is invoked and I wasn't really able to find any solution to that.
Assignee: general → nobody
I believe this still needs to be fixed. Eric is that something you would be interested in?
Flags: needinfo?(efaustbmo)
Blocks: 978228
Assignee: nobody → evilpies
Flags: needinfo?(efaustbmo)
Duplicate of this bug: 783826
Depends on: 1091900
Created attachment 8522508 [details] [diff] [review]
Rename enumerate to getEnumerablePropertyKeys

Our implementation of enumerate is not what expects today. So rename it to something better.
Attachment #8522508 - Flags: review?(efaustbmo)

Comment 8

3 years ago
Comment on attachment 8522508 [details] [diff] [review]
Rename enumerate to getEnumerablePropertyKeys

Review of attachment 8522508 [details] [diff] [review]:
-----------------------------------------------------------------

Yes. This is a better name, and leaves enumerate free to write the actual [[Enumerate]] work. r=me with question below answered. Otherwise, this should land immediately, I would think.

::: js/src/proxy/ScriptedDirectProxyHandler.cpp
@@ +760,5 @@
>  }
>  
>  // ES6 (22 May, 2014) 9.5.11 Proxy.[[Enumerate]]
>  bool
> +ScriptedDirectProxyHandler::getEnumerablePropertyKeys(JSContext *cx, HandleObject proxy, AutoIdVector &props) const

We are going to want to do something about this when the rest of this bug lands, right? This function should eventually not directly invoke the JS callback, and instead stub out to the [[Enumerate]] that does, or there'll be a helper or something?
Attachment #8522508 - Flags: review?(efaustbmo) → review+
Created attachment 8522530 [details] [diff] [review]
preview, gets stuff working in the shell
I missed some trivial pieces in the patch that I uploaded, sorry! I renamed an overload of "enumerate" to the better fitting "getPropertyKeys" in XrayWrapper.
https://treeherder.mozilla.org/ui/#/jobs?repo=try&revision=b57e073e6fb2
https://hg.mozilla.org/integration/mozilla-inbound/rev/494c68e8fe37
Keywords: leave-open
Created attachment 8523198 [details] [diff] [review]
shim-legacy-generator

We are introducing a new iterator protocol, which works like that of "for .. of". i.e. return an object with {done, value}. So we invoke the same code that is called for @@iterator on those.
Created attachment 8523200 [details] [diff] [review]
shim-legacy-iterator

The objects that were used with __iterator__ obviously used the old iterator protocol, so wrap those as well. I really hope we can remove this in the future.
Created attachment 8523203 [details] [diff] [review]
new-iter-proto

Introduce the new ES6 iteration protocol. Also changes PropertyIteratorObject.next to the new way of returning done/value. Most of the time however nothing really changes, because we still directly poke at the NativeIterator.
Created attachment 8523206 [details] [diff] [review]
change-iterate-to-enumerate

Renames the iterate trap to enumerate. Drops the now necessary flags argument, because this is only supposed to be used in [[Enumerate]] case. This makes the enumerate trap mandatory, because this is one of the basic ES6 traps. I think we maintain backwards-compatibility with both direct and indirect proxies.
OS: Mac OS X → All
Hardware: x86 → All
Blocks: 1099399
https://hg.mozilla.org/mozilla-central/rev/494c68e8fe37
Now that we pass around LegacyGeneratorObjects as a JS shim the code in CloseIterator that tests for is<LegacyGenerator> won't work. Is that a big deal?
Andy I asked you for review, because I think you probably have the most experience with Iterators and all that shimming business. However feel free to cancel and I am going to ask somebody else.
Attachment #8522530 - Attachment is obsolete: true
Attachment #8522508 - Flags: checkin+
Attachment #8523198 - Flags: review?(wingo)
Attachment #8523200 - Flags: review?(wingo)
Attachment #8523203 - Flags: review?(wingo)
Okay, I probably have to adjust the wrapping a little bit. Right now we also do the wrapping for Iterator(), but we should only do it when we are going to use for .. in on the object. This should fix a few test failures.
Created attachment 8523441 [details] [diff] [review]
shim-legacy-generator v2
Attachment #8523198 - Attachment is obsolete: true
Attachment #8523198 - Flags: review?(wingo)
Attachment #8523441 - Flags: review?(wingo)
Created attachment 8523442 [details] [diff] [review]
shim-legacy-iterator v2
Attachment #8523442 - Flags: review?(wingo)
Attachment #8523200 - Attachment is obsolete: true
Attachment #8523200 - Flags: review?(wingo)
Created attachment 8523444 [details] [diff] [review]
Fix JS tests

Most of these is just a slight change in behavior, mostly caused by not invoking close properly and changes to how try .. finally works. I doubt this is big issue, it's kind of an edge case. Two tests fail because next() doesn't throw StopIterator anymore. One test fails, because we don't invoke the ::iterate trap anymore unless you use for .. in directly.
All in all surprising little actual problems.
There are still quite a few test failures that aren't fun to debug https://treeherder.mozilla.org/ui/#/jobs?repo=try&revision=120a30ddb9fe. During some of that investigation I found out about /toolkit/components/osfile, seems like that code use __iterator__, legacy generators & co. quite a bit. And it looks like it uses .close to close file handles?! http://mxr.mozilla.org/mozilla-central/search?string=DirectoryIterator_prototype_close

Comment 22

3 years ago
Comment on attachment 8523441 [details] [diff] [review]
shim-legacy-generator v2

Review of attachment 8523441 [details] [diff] [review]:
-----------------------------------------------------------------

Sorry for the late review.  I must be thick this morning but I am missing the big picture.  What is the problem, and what is being fixed?  If it is user-visible, where are the test cases?

::: js/src/jsiter.cpp
@@ +705,5 @@
> +        return true;
> +    }
> +
> +    if (obj->is<LegacyGeneratorObject>()) {
> +        // Only shim when the Iterator is used for "for .. in" directly

I don't understand what the intention is.  What are you trying to do? :)
Consider, something like this:
var f = function() { yield 1;}
var i = Iterator(f())
for (x in i) {}

I want to avoid shimming the generator that is returned from Iterator, and instead just shim it when we will actually use "for .. in" to iterate over it.

Comment 24

3 years ago
(In reply to Tom Schuster [:evilpie] from comment #23)
> Consider, something like this:
> var f = function() { yield 1;}
> var i = Iterator(f())
> for (x in i) {}
> 
> I want to avoid shimming the generator that is returned from Iterator, and
> instead just shim it when we will actually use "for .. in" to iterate over
> it.

Why?

Also, why are you using for-in in this way?  This is legacy syntax.  The way forward is to use for-of instead.
(In reply to Andy Wingo [:wingo] from comment #24)
> (In reply to Tom Schuster [:evilpie] from comment #23)
> > Consider, something like this:
> > var f = function() { yield 1;}
> > var i = Iterator(f())
> > for (x in i) {}
> > 
> > I want to avoid shimming the generator that is returned from Iterator, and
> > instead just shim it when we will actually use "for .. in" to iterate over
> > it.
> 
> Why?
> 
> Also, why are you using for-in in this way?  This is legacy syntax.  The way
> forward is to use for-of instead.
Well I don't, but tons of Firefox/add-on code does. I am not really interested in fixing that myself.
I am going to try a new approach here. Instead of shimming we will just support both the old and new style iteration protocol in js::IteratorMore. But we should really have a plan to fix this properly soonish.
Attachment #8523444 - Attachment is obsolete: true
Attachment #8523442 - Attachment is obsolete: true
Attachment #8523442 - Flags: review?(wingo)
Attachment #8523441 - Attachment is obsolete: true
Attachment #8523441 - Flags: review?(wingo)
Attachment #8523206 - Attachment is obsolete: true
Attachment #8523203 - Flags: review?(wingo)
Blocks: 1110457
Attachment #8523203 - Attachment is obsolete: true
Created attachment 8535607 [details] [diff] [review]
v1 - Factor out NativeIteratorNext

Not really necessary now, but makes the code easier to understand.
Attachment #8535607 - Flags: review?(efaustbmo)
Created attachment 8535609 [details] [diff] [review]
v1 - Change from iterate to [[enumerate]]

Only calls the Proxy::enumerate trap when GetIterator is called in a for-in context, or from the DirectProxyHandler. Instead of shimming when now just allow both the old and new iterator protocol in IteratorMore. This seems to yield basically perfect backwards-compatibility. If we go ahead with remvoing __iterator__, we could just check for PropertyIterator and LegacyGenerator and totally move to the new protocol. I am not sure about SandboxProxyHandler::enumerate.
Attachment #8535609 - Flags: review?(efaustbmo)
Attachment #8535609 - Flags: review?(bobbyholley)
Created attachment 8535611 [details] [diff] [review]
v1 - Some tests
Attachment #8535611 - Flags: review?(efaustbmo)
Created attachment 8535664 [details] [diff] [review]
v1 - Fix a single thing in the browser

Honestly I don't really understand what is going to wrong here. Using 'for each' with generators is kind of confusing anyway.
Attachment #8535664 - Flags: review?(mak77)
Comment on attachment 8535609 [details] [diff] [review]
v1 - Change from iterate to [[enumerate]]

Review of attachment 8535609 [details] [diff] [review]:
-----------------------------------------------------------------

::: js/xpconnect/src/Sandbox.cpp
@@ +742,3 @@
>  {
> +    // ??
> +    return DirectProxyHandler::enumerate(cx, proxy, objp);

The point here is that this operation needs to be implemented in terms of the other fundamental traps that are overridden for this proxy handler. IIUC, bouncing to DirectProxyHandler is just going to forward to the underlying object, which doesn't take the other traps into account.

That being said, it doesn't look like any of the special logic we do in getPropertyDescriptor would actually affect enumerate here (it doesn't change the existence of properties or their enumerability - just their values).

If I'm right, we can kill this override entirely for SandboxProxyHandler, but it should happen in a separate patch.
Attachment #8535609 - Flags: review?(bobbyholley) → review-

Updated

3 years ago
Attachment #8535607 - Flags: review?(efaustbmo) → review+
So should I call BaseProxyHandler::enumerate? I made ::enumerate pure virtual so it has to be implemented, and if we also don't want want DirectProxyHandler::enumerate. BaseProxyHandler::enumerate would call getEnumerablePropertyKeys which is interestingly also not overridden.
(In reply to Tom Schuster [:evilpie] from comment #32)
> So should I call BaseProxyHandler::enumerate? I made ::enumerate pure
> virtual so it has to be implemented, and if we also don't want want
> DirectProxyHandler::enumerate. BaseProxyHandler::enumerate would call
> getEnumerablePropertyKeys which is interestingly also not overridden.

My point was that we don't need to be overriding this at for this handler.
Comment on attachment 8535609 [details] [diff] [review]
v1 - Change from iterate to [[enumerate]]

Review of attachment 8535609 [details] [diff] [review]:
-----------------------------------------------------------------

I cannot speak to the Sandbox stuff, but we should fix the getEnumerablePropertyKeys thing before this goes in. Most of it looks good, but I would like to see the resolution again.

::: js/ipc/WrapperOwner.cpp
@@ +271,5 @@
>  bool
> +CPOWProxyHandler::enumerate(JSContext *cx, HandleObject proxy, MutableHandleObject objp) const
> +{
> +    // Using a CPOW for the Iterator would slow down for .. in performance, instead
> +    // call the base hook, that will us our implementation of getEnumerablePropertyKeys.

typo: that will us

::: js/src/proxy/ScriptedDirectProxyHandler.cpp
@@ +801,5 @@
> +}
> +
> +// Non-standard, try to convert iterator result to ids
> +bool
> +ScriptedDirectProxyHandler::getEnumerablePropertyKeys(JSContext *cx, HandleObject proxy, AutoIdVector &props) const

As per IRC discussion, this is incorrect because of its invocation for proxies on the prototype chain of native objects, and thus, if I understand correctly, this is no case in which we should have this function.
Attachment #8535609 - Flags: review?(efaustbmo)
Comment on attachment 8535611 [details] [diff] [review]
v1 - Some tests

Review of attachment 8535611 [details] [diff] [review]:
-----------------------------------------------------------------

When we're ready, we should add a test for proxies on the prototype chain of native objects in for-in interators. As discussed, that can live in the followup, though.
Attachment #8535611 - Flags: review?(efaustbmo) → review+
Created attachment 8535900 [details] [diff] [review]
WIP - Remove getEnumerablePropertyKeys
Created attachment 8536022 [details] [diff] [review]
v2 - Change from iterate to [[enumerate]]

Sorry Bobby, but you answer is still don't grasp your answer. I switched to BaseProxyHandler::enumerate now. Can you please explicitly say what you want me to do, thanks.
Attachment #8536022 - Flags: review?(efaustbmo)
Attachment #8536022 - Flags: review?(bobbyholley)
Attachment #8535609 - Attachment is obsolete: true
Created attachment 8536023 [details] [diff] [review]
v1 - Remove getEnumerablePropertyKeys

I am not sure if it appropriate to call js::GetPropertyKeys in the BaseProxyHandler?
Attachment #8536023 - Flags: review?(efaustbmo)
Attachment #8536023 - Flags: review?(bobbyholley)
Created attachment 8536024 [details] [diff] [review]
v1 - Fix for enumerating enumerable symbols

I believe this was broken before already. We should also call ownkeys when we want symbols, because getOwnEnumerablePropertyKeys doesn't return them.
Could be a followup if you want.
Attachment #8536024 - Flags: review?(efaustbmo)
Comment on attachment 8536022 [details] [diff] [review]
v2 - Change from iterate to [[enumerate]]

Review of attachment 8536022 [details] [diff] [review]:
-----------------------------------------------------------------

::: js/src/jsiter.cpp
@@ +670,5 @@
>      }
>  
> +    // We should only call the enumerate trap for "for-in".
> +    // Or when we call GetIterator from the Proxy [[Enumerate]] hook.
> +    // In the future also for Reflect.enumerate.

Can we add a "sleeper-test" a la Jorendorff for this, where we test if Reflect.enumerate is a function, throw if it is, and leave the test we want to replace it with commented out in the file?

::: js/src/proxy/ScriptedDirectProxyHandler.cpp
@@ +801,5 @@
> +}
> +
> +// Non-standard, try to convert iterator result to ids
> +bool
> +ScriptedDirectProxyHandler::getEnumerablePropertyKeys(JSContext *cx, HandleObject proxy, AutoIdVector &props) const

Complained about previously. There's now a patch to remove this later in this stack. OK by me :)
Attachment #8536022 - Flags: review?(efaustbmo) → review+
Comment on attachment 8536022 [details] [diff] [review]
v2 - Change from iterate to [[enumerate]]

Review of attachment 8536022 [details] [diff] [review]:
-----------------------------------------------------------------

My suggestion was to just get rid of the override in Sandbox altogether, but this is also fine.
Attachment #8536022 - Flags: review?(bobbyholley) → review+
Comment on attachment 8536023 [details] [diff] [review]
v1 - Remove getEnumerablePropertyKeys

Review of attachment 8536023 [details] [diff] [review]:
-----------------------------------------------------------------

This looks great! Thanks for taking care of the inherited scripted proxy case :)

::: js/src/jsiter.cpp
@@ +327,5 @@
>  
>          if (flags & JSITER_OWNONLY)
>              break;
>  
> +        if (!JSObject::getProto(cx, pobj, &pobj))

OK, this site is prepared for getPrototypeOf to get called on scripted direct proxy handlers, right? Even if they change objects lower on the prototype chain, the algorithm is very clear. If it creates a circular prototype chain, then this spins, but that's unavoidable.

::: js/src/proxy/BaseProxyHandler.cpp
@@ +239,2 @@
>      AutoIdVector props(cx);
> +    if (!GetPropertyKeys(cx, proxy, 0, &props))

I am really happy that you shared code here, rather than writing another re-implementation.

::: js/src/proxy/Proxy.cpp
@@ +378,5 @@
> +
> +    AutoIdVector protoProps(cx);
> +    return GetPropertyKeys(cx, proto, 0, &protoProps) &&
> +           AppendUnique(cx, props, protoProps) &&
> +           EnumeratedIdVectorToIterator(cx, proxy, 0, props, objp);

Nice.
Attachment #8536023 - Flags: review?(efaustbmo) → review+
Comment on attachment 8536024 [details] [diff] [review]
v1 - Fix for enumerating enumerable symbols

Review of attachment 8536024 [details] [diff] [review]:
-----------------------------------------------------------------

Looks good.

::: js/src/jsiter.cpp
@@ +319,5 @@
> +
> +                    // We need to filter, if the caller just wants enumerable
> +                    // symbols.
> +                    if (!(flags & JSITER_HIDDEN)) {
> +                        if (!Proxy::getOwnPropertyDescriptor(cx, pobj, proxyProps[n], &desc))

This matches spec observability of *2* getOwnPropertyDescriptor calls per returned OwnPropertyKey. We should have some notion of how many times the trap is called in the above or a separate test.
Attachment #8536024 - Flags: review?(efaustbmo) → review+
Comment on attachment 8536023 [details] [diff] [review]
v1 - Remove getEnumerablePropertyKeys

Review of attachment 8536023 [details] [diff] [review]:
-----------------------------------------------------------------

r=me on the XPConnect bits.
Attachment #8536023 - Flags: review?(bobbyholley) → review+

Updated

3 years ago
Attachment #8535664 - Flags: review?(mak77) → review+
Attachment #8535900 - Attachment is obsolete: true
First try push didn't include the reviewed fix for the browser test failures. (bc1 and oth)
https://treeherder.mozilla.org/#/jobs?repo=try&revision=e415de7174bc
Just a linux try push with that applied
https://treeherder.mozilla.org/#/jobs?repo=try&revision=38c5fb773df8

https://hg.mozilla.org/integration/mozilla-inbound/rev/c62a61e75fb1
https://hg.mozilla.org/integration/mozilla-inbound/rev/2e24211fa51c
https://hg.mozilla.org/integration/mozilla-inbound/rev/b1346d860227
https://hg.mozilla.org/integration/mozilla-inbound/rev/c9d488c5e0f4
https://hg.mozilla.org/integration/mozilla-inbound/rev/44ee1d899c87
https://hg.mozilla.org/integration/mozilla-inbound/rev/ca7f64b51c06
https://hg.mozilla.org/mozilla-central/rev/c62a61e75fb1
https://hg.mozilla.org/mozilla-central/rev/2e24211fa51c
https://hg.mozilla.org/mozilla-central/rev/b1346d860227
https://hg.mozilla.org/mozilla-central/rev/c9d488c5e0f4
https://hg.mozilla.org/mozilla-central/rev/44ee1d899c87
https://hg.mozilla.org/mozilla-central/rev/ca7f64b51c06
I had to fix tests/js1_8_5/regress/regress-620376-{1,2}.js, because these tests use Proxy.create and wanted "enumerate" to be called, however we now always call "keys".
Status: NEW → RESOLVED
Last Resolved: 3 years ago
Keywords: leave-open
Resolution: --- → FIXED

Updated

3 years ago
Blocks: 1114070
Depends on: 1115844
Blocks: 986294
Updated following pages:
  https://developer.mozilla.org/en-US/Firefox/Releases/37
  https://developer.mozilla.org/en-US/docs/Web/JavaScript/Reference/Global_Objects/Proxy/handler
  https://developer.mozilla.org/en-US/docs/Web/JavaScript/Reference/Global_Objects/Proxy/handler/enumerate
Thanks!
Keywords: dev-doc-needed → dev-doc-complete
You need to log in before you can comment on or make changes to this bug.