783829 - Using for-in on a proxy should call the enumerate trap, not the iterate trap

Status: RESOLVED FIXED

(Core :: JavaScript Engine, defect)

Description

[Eddy Bruel [:ejpbruel]]

The for-in statement doesn't actually call Proxy::enumerate, as per spec. Instead, it calls Proxy::iterate (see jsiter.cpp:683). This should be fixed.

Comment 1

[David Bruant]

Mentionned in https://developer.mozilla.org/en-US/docs/JavaScript/Reference/Global_Objects/Proxy#Handler_API
Update the doc when this bug is fixed

Comment 2

[Peter Kehl]

Actually, in both Firefox 22 and 23b02 (on CentOS 6.2 x64), for( .. in .. ) doesn't invoke neither enumerate() nor iterate() of a Proxy object - the for( .. in .. ) trap doesn't work at all. See attached Load2.html.

The only workaround is to have an iterator/generator on the target object (not on the Proxy itself), as per https://developer.mozilla.org/en-US/docs/Web/JavaScript/Guide/Iterators_and_Generators

Comment 3

[Peter Kehl]

Attachment: a showcase that for( .. in .. ) is not handed over to a Proxy handler at all

See my comment just a moment ago

Comment 4

[Tom S [:evilpie]]

Interesting, I came around this bug yesterday as well. I was trying to figure out when the Proxy::enumerate trap is invoked and I wasn't really able to find any solution to that.

Comment 5

[Tom S [:evilpie]]

I believe this still needs to be fixed. Eric is that something you would be interested in?

Comment 7

[Tom S [:evilpie]]

Attachment: Rename enumerate to getEnumerablePropertyKeys

Our implementation of enumerate is not what expects today. So rename it to something better.

Comment 8

[Eric Faust [:efaust]]

Comment on attachment 8522508 [details] [diff] [review]
Rename enumerate to getEnumerablePropertyKeys

Review of attachment 8522508 [details] [diff] [review]:
-----------------------------------------------------------------

Yes. This is a better name, and leaves enumerate free to write the actual [[Enumerate]] work. r=me with question below answered. Otherwise, this should land immediately, I would think.

::: js/src/proxy/ScriptedDirectProxyHandler.cpp
@@ +760,5 @@
>  }
>  
>  // ES6 (22 May, 2014) 9.5.11 Proxy.[[Enumerate]]
>  bool
> +ScriptedDirectProxyHandler::getEnumerablePropertyKeys(JSContext *cx, HandleObject proxy, AutoIdVector &props) const

We are going to want to do something about this when the rest of this bug lands, right? This function should eventually not directly invoke the JS callback, and instead stub out to the [[Enumerate]] that does, or there'll be a helper or something?

Comment 9

[Tom S [:evilpie]]

Attachment: preview, gets stuff working in the shell

Comment 10

[Tom S [:evilpie]]

I missed some trivial pieces in the patch that I uploaded, sorry! I renamed an overload of "enumerate" to the better fitting "getPropertyKeys" in XrayWrapper.
https://treeherder.mozilla.org/ui/#/jobs?repo=try&revision=b57e073e6fb2
https://hg.mozilla.org/integration/mozilla-inbound/rev/494c68e8fe37

Comment 11

[Tom S [:evilpie]]

Attachment: shim-legacy-generator

We are introducing a new iterator protocol, which works like that of "for .. of". i.e. return an object with {done, value}. So we invoke the same code that is called for @@iterator on those.

Comment 12

[Tom S [:evilpie]]

Attachment: shim-legacy-iterator

The objects that were used with __iterator__ obviously used the old iterator protocol, so wrap those as well. I really hope we can remove this in the future.

Comment 13

[Tom S [:evilpie]]

Attachment: new-iter-proto

Introduce the new ES6 iteration protocol. Also changes PropertyIteratorObject.next to the new way of returning done/value. Most of the time however nothing really changes, because we still directly poke at the NativeIterator.

Comment 14

[Tom S [:evilpie]]

Attachment: change-iterate-to-enumerate

Renames the iterate trap to enumerate. Drops the now necessary flags argument, because this is only supposed to be used in [[Enumerate]] case. This makes the enumerate trap mandatory, because this is one of the basic ES6 traps. I think we maintain backwards-compatibility with both direct and indirect proxies.

Comment 15

[Ryan VanderMeulen [:RyanVM]]

https://hg.mozilla.org/mozilla-central/rev/494c68e8fe37

Comment 16

[Tom S [:evilpie]]

Now that we pass around LegacyGeneratorObjects as a JS shim the code in CloseIterator that tests for is<LegacyGenerator> won't work. Is that a big deal?
Andy I asked you for review, because I think you probably have the most experience with Iterators and all that shimming business. However feel free to cancel and I am going to ask somebody else.

Comment 17

[Tom S [:evilpie]]

Okay, I probably have to adjust the wrapping a little bit. Right now we also do the wrapping for Iterator(), but we should only do it when we are going to use for .. in on the object. This should fix a few test failures.

Comment 18

[Tom S [:evilpie]]

Attachment: shim-legacy-generator v2

Comment 19

[Tom S [:evilpie]]

Attachment: shim-legacy-iterator v2

Comment 20

[Tom S [:evilpie]]

Attachment: Fix JS tests

Most of these is just a slight change in behavior, mostly caused by not invoking close properly and changes to how try .. finally works. I doubt this is big issue, it's kind of an edge case. Two tests fail because next() doesn't throw StopIterator anymore. One test fails, because we don't invoke the ::iterate trap anymore unless you use for .. in directly.
All in all surprising little actual problems.

Comment 21

[Tom S [:evilpie]]

There are still quite a few test failures that aren't fun to debug https://treeherder.mozilla.org/ui/#/jobs?repo=try&revision=120a30ddb9fe. During some of that investigation I found out about /toolkit/components/osfile, seems like that code use __iterator__, legacy generators & co. quite a bit. And it looks like it uses .close to close file handles?! http://mxr.mozilla.org/mozilla-central/search?string=DirectoryIterator_prototype_close

Comment 22

[Andy Wingo [:wingo]]

Comment on attachment 8523441 [details] [diff] [review]
shim-legacy-generator v2

Review of attachment 8523441 [details] [diff] [review]:
-----------------------------------------------------------------

Sorry for the late review.  I must be thick this morning but I am missing the big picture.  What is the problem, and what is being fixed?  If it is user-visible, where are the test cases?

::: js/src/jsiter.cpp
@@ +705,5 @@
> +        return true;
> +    }
> +
> +    if (obj->is<LegacyGeneratorObject>()) {
> +        // Only shim when the Iterator is used for "for .. in" directly

I don't understand what the intention is.  What are you trying to do? :)

Comment 23

[Tom S [:evilpie]]

Consider, something like this:
var f = function() { yield 1;}
var i = Iterator(f())
for (x in i) {}

I want to avoid shimming the generator that is returned from Iterator, and instead just shim it when we will actually use "for .. in" to iterate over it.

Comment 24

[Andy Wingo [:wingo]]

(In reply to Tom Schuster [:evilpie] from comment #23)
> Consider, something like this:
> var f = function() { yield 1;}
> var i = Iterator(f())
> for (x in i) {}
> 
> I want to avoid shimming the generator that is returned from Iterator, and
> instead just shim it when we will actually use "for .. in" to iterate over
> it.

Why?

Also, why are you using for-in in this way?  This is legacy syntax.  The way forward is to use for-of instead.

Comment 25

[Tom S [:evilpie]]

(In reply to Andy Wingo [:wingo] from comment #24)
> (In reply to Tom Schuster [:evilpie] from comment #23)
> > Consider, something like this:
> > var f = function() { yield 1;}
> > var i = Iterator(f())
> > for (x in i) {}
> > 
> > I want to avoid shimming the generator that is returned from Iterator, and
> > instead just shim it when we will actually use "for .. in" to iterate over
> > it.
> 
> Why?
> 
> Also, why are you using for-in in this way?  This is legacy syntax.  The way
> forward is to use for-of instead.
Well I don't, but tons of Firefox/add-on code does. I am not really interested in fixing that myself.

Comment 26

[Tom S [:evilpie]]

I am going to try a new approach here. Instead of shimming we will just support both the old and new style iteration protocol in js::IteratorMore. But we should really have a plan to fix this properly soonish.

Comment 27

[Tom S [:evilpie]]

Attachment: v1 - Factor out NativeIteratorNext

Not really necessary now, but makes the code easier to understand.

Comment 28

[Tom S [:evilpie]]

Attachment: v1 - Change from iterate to [[enumerate]]

Only calls the Proxy::enumerate trap when GetIterator is called in a for-in context, or from the DirectProxyHandler. Instead of shimming when now just allow both the old and new iterator protocol in IteratorMore. This seems to yield basically perfect backwards-compatibility. If we go ahead with remvoing __iterator__, we could just check for PropertyIterator and LegacyGenerator and totally move to the new protocol. I am not sure about SandboxProxyHandler::enumerate.

Comment 29

[Tom S [:evilpie]]

Attachment: v1 - Some tests

Comment 30

[Tom S [:evilpie]]

Attachment: v1 - Fix a single thing in the browser

Honestly I don't really understand what is going to wrong here. Using 'for each' with generators is kind of confusing anyway.

Comment 31

[Bobby Holley (:bholley)]

Comment on attachment 8535609 [details] [diff] [review]
v1 - Change from iterate to [[enumerate]]

Review of attachment 8535609 [details] [diff] [review]:
-----------------------------------------------------------------

::: js/xpconnect/src/Sandbox.cpp
@@ +742,3 @@
>  {
> +    // ??
> +    return DirectProxyHandler::enumerate(cx, proxy, objp);

The point here is that this operation needs to be implemented in terms of the other fundamental traps that are overridden for this proxy handler. IIUC, bouncing to DirectProxyHandler is just going to forward to the underlying object, which doesn't take the other traps into account.

That being said, it doesn't look like any of the special logic we do in getPropertyDescriptor would actually affect enumerate here (it doesn't change the existence of properties or their enumerability - just their values).

If I'm right, we can kill this override entirely for SandboxProxyHandler, but it should happen in a separate patch.

Comment 32

[Tom S [:evilpie]]

So should I call BaseProxyHandler::enumerate? I made ::enumerate pure virtual so it has to be implemented, and if we also don't want want DirectProxyHandler::enumerate. BaseProxyHandler::enumerate would call getEnumerablePropertyKeys which is interestingly also not overridden.

Comment 33

[Bobby Holley (:bholley)]

(In reply to Tom Schuster [:evilpie] from comment #32)
> So should I call BaseProxyHandler::enumerate? I made ::enumerate pure
> virtual so it has to be implemented, and if we also don't want want
> DirectProxyHandler::enumerate. BaseProxyHandler::enumerate would call
> getEnumerablePropertyKeys which is interestingly also not overridden.

My point was that we don't need to be overriding this at for this handler.

Comment 34

[Eric Faust [:efaust]]

Comment on attachment 8535609 [details] [diff] [review]
v1 - Change from iterate to [[enumerate]]

Review of attachment 8535609 [details] [diff] [review]:
-----------------------------------------------------------------

I cannot speak to the Sandbox stuff, but we should fix the getEnumerablePropertyKeys thing before this goes in. Most of it looks good, but I would like to see the resolution again.

::: js/ipc/WrapperOwner.cpp
@@ +271,5 @@
>  bool
> +CPOWProxyHandler::enumerate(JSContext *cx, HandleObject proxy, MutableHandleObject objp) const
> +{
> +    // Using a CPOW for the Iterator would slow down for .. in performance, instead
> +    // call the base hook, that will us our implementation of getEnumerablePropertyKeys.

typo: that will us

::: js/src/proxy/ScriptedDirectProxyHandler.cpp
@@ +801,5 @@
> +}
> +
> +// Non-standard, try to convert iterator result to ids
> +bool
> +ScriptedDirectProxyHandler::getEnumerablePropertyKeys(JSContext *cx, HandleObject proxy, AutoIdVector &props) const

As per IRC discussion, this is incorrect because of its invocation for proxies on the prototype chain of native objects, and thus, if I understand correctly, this is no case in which we should have this function.

Comment 35

[Eric Faust [:efaust]]

Comment on attachment 8535611 [details] [diff] [review]
v1 - Some tests

Review of attachment 8535611 [details] [diff] [review]:
-----------------------------------------------------------------

When we're ready, we should add a test for proxies on the prototype chain of native objects in for-in interators. As discussed, that can live in the followup, though.

Comment 36

[Tom S [:evilpie]]

Attachment: WIP - Remove getEnumerablePropertyKeys

Comment 37

[Tom S [:evilpie]]

Attachment: v2 - Change from iterate to [[enumerate]]

Sorry Bobby, but you answer is still don't grasp your answer. I switched to BaseProxyHandler::enumerate now. Can you please explicitly say what you want me to do, thanks.

Comment 38

[Tom S [:evilpie]]

Attachment: v1 - Remove getEnumerablePropertyKeys

I am not sure if it appropriate to call js::GetPropertyKeys in the BaseProxyHandler?

Comment 39

[Tom S [:evilpie]]

Attachment: v1 - Fix for enumerating enumerable symbols

I believe this was broken before already. We should also call ownkeys when we want symbols, because getOwnEnumerablePropertyKeys doesn't return them.
Could be a followup if you want.

Comment 40

[Eric Faust [:efaust]]

Comment on attachment 8536022 [details] [diff] [review]
v2 - Change from iterate to [[enumerate]]

Review of attachment 8536022 [details] [diff] [review]:
-----------------------------------------------------------------

::: js/src/jsiter.cpp
@@ +670,5 @@
>      }
>  
> +    // We should only call the enumerate trap for "for-in".
> +    // Or when we call GetIterator from the Proxy [[Enumerate]] hook.
> +    // In the future also for Reflect.enumerate.

Can we add a "sleeper-test" a la Jorendorff for this, where we test if Reflect.enumerate is a function, throw if it is, and leave the test we want to replace it with commented out in the file?

::: js/src/proxy/ScriptedDirectProxyHandler.cpp
@@ +801,5 @@
> +}
> +
> +// Non-standard, try to convert iterator result to ids
> +bool
> +ScriptedDirectProxyHandler::getEnumerablePropertyKeys(JSContext *cx, HandleObject proxy, AutoIdVector &props) const

Complained about previously. There's now a patch to remove this later in this stack. OK by me :)

Comment 41

[Bobby Holley (:bholley)]

Comment on attachment 8536022 [details] [diff] [review]
v2 - Change from iterate to [[enumerate]]

Review of attachment 8536022 [details] [diff] [review]:
-----------------------------------------------------------------

My suggestion was to just get rid of the override in Sandbox altogether, but this is also fine.

Comment 42

[Eric Faust [:efaust]]

Comment on attachment 8536023 [details] [diff] [review]
v1 - Remove getEnumerablePropertyKeys

Review of attachment 8536023 [details] [diff] [review]:
-----------------------------------------------------------------

This looks great! Thanks for taking care of the inherited scripted proxy case :)

::: js/src/jsiter.cpp
@@ +327,5 @@
>  
>          if (flags & JSITER_OWNONLY)
>              break;
>  
> +        if (!JSObject::getProto(cx, pobj, &pobj))

OK, this site is prepared for getPrototypeOf to get called on scripted direct proxy handlers, right? Even if they change objects lower on the prototype chain, the algorithm is very clear. If it creates a circular prototype chain, then this spins, but that's unavoidable.

::: js/src/proxy/BaseProxyHandler.cpp
@@ +239,2 @@
>      AutoIdVector props(cx);
> +    if (!GetPropertyKeys(cx, proxy, 0, &props))

I am really happy that you shared code here, rather than writing another re-implementation.

::: js/src/proxy/Proxy.cpp
@@ +378,5 @@
> +
> +    AutoIdVector protoProps(cx);
> +    return GetPropertyKeys(cx, proto, 0, &protoProps) &&
> +           AppendUnique(cx, props, protoProps) &&
> +           EnumeratedIdVectorToIterator(cx, proxy, 0, props, objp);

Nice.

Comment 43

[Eric Faust [:efaust]]

Comment on attachment 8536024 [details] [diff] [review]
v1 - Fix for enumerating enumerable symbols

Review of attachment 8536024 [details] [diff] [review]:
-----------------------------------------------------------------

Looks good.

::: js/src/jsiter.cpp
@@ +319,5 @@
> +
> +                    // We need to filter, if the caller just wants enumerable
> +                    // symbols.
> +                    if (!(flags & JSITER_HIDDEN)) {
> +                        if (!Proxy::getOwnPropertyDescriptor(cx, pobj, proxyProps[n], &desc))

This matches spec observability of *2* getOwnPropertyDescriptor calls per returned OwnPropertyKey. We should have some notion of how many times the trap is called in the above or a separate test.

Comment 44

[Bobby Holley (:bholley)]

Comment on attachment 8536023 [details] [diff] [review]
v1 - Remove getEnumerablePropertyKeys

Review of attachment 8536023 [details] [diff] [review]:
-----------------------------------------------------------------

r=me on the XPConnect bits.

Comment 45

[Tom S [:evilpie]]

First try push didn't include the reviewed fix for the browser test failures. (bc1 and oth)
https://treeherder.mozilla.org/#/jobs?repo=try&revision=e415de7174bc
Just a linux try push with that applied
https://treeherder.mozilla.org/#/jobs?repo=try&revision=38c5fb773df8

https://hg.mozilla.org/integration/mozilla-inbound/rev/c62a61e75fb1
https://hg.mozilla.org/integration/mozilla-inbound/rev/2e24211fa51c
https://hg.mozilla.org/integration/mozilla-inbound/rev/b1346d860227
https://hg.mozilla.org/integration/mozilla-inbound/rev/c9d488c5e0f4
https://hg.mozilla.org/integration/mozilla-inbound/rev/44ee1d899c87
https://hg.mozilla.org/integration/mozilla-inbound/rev/ca7f64b51c06

Comment 46

[Carsten Book [:Tomcat]]

https://hg.mozilla.org/mozilla-central/rev/c62a61e75fb1
https://hg.mozilla.org/mozilla-central/rev/2e24211fa51c
https://hg.mozilla.org/mozilla-central/rev/b1346d860227
https://hg.mozilla.org/mozilla-central/rev/c9d488c5e0f4
https://hg.mozilla.org/mozilla-central/rev/44ee1d899c87
https://hg.mozilla.org/mozilla-central/rev/ca7f64b51c06

Comment 47

[Tom S [:evilpie]]

I had to fix tests/js1_8_5/regress/regress-620376-{1,2}.js, because these tests use Proxy.create and wanted "enumerate" to be called, however we now always call "keys".

Comment 48

[Tooru Fujisawa [:arai]]

Updated following pages:
  https://developer.mozilla.org/en-US/Firefox/Releases/37
  https://developer.mozilla.org/en-US/docs/Web/JavaScript/Reference/Global_Objects/Proxy/handler
  https://developer.mozilla.org/en-US/docs/Web/JavaScript/Reference/Global_Objects/Proxy/handler/enumerate

Comment 49

[Florian Scholz (Open Web Docs)]

Thanks!