Closed Bug 783829 Opened 8 years ago Closed 6 years ago

Using for-in on a proxy should call the enumerate trap, not the iterate trap

Categories

(Core :: JavaScript Engine, defect)

defect
Not set
normal

Tracking

()

RESOLVED FIXED

People

(Reporter: ejpbruel, Assigned: evilpie)

References

Details

(Keywords: dev-doc-complete, Whiteboard: [js:t])

Attachments

(8 files, 10 obsolete files)

3.14 KB, text/plain
Details
31.58 KB, patch
efaust
: review+
evilpie
: checkin+
Details | Diff | Splinter Review
4.25 KB, patch
efaust
: review+
Details | Diff | Splinter Review
2.67 KB, patch
efaust
: review+
Details | Diff | Splinter Review
2.52 KB, patch
mak
: review+
Details | Diff | Splinter Review
64.34 KB, patch
efaust
: review+
bholley
: review+
Details | Diff | Splinter Review
44.42 KB, patch
bholley
: review+
efaust
: review+
Details | Diff | Splinter Review
3.59 KB, patch
efaust
: review+
Details | Diff | Splinter Review
The for-in statement doesn't actually call Proxy::enumerate, as per spec. Instead, it calls Proxy::iterate (see jsiter.cpp:683). This should be fixed.
Blocks: 703537
Whiteboard: [js:t]
Actually, in both Firefox 22 and 23b02 (on CentOS 6.2 x64), for( .. in .. ) doesn't invoke neither enumerate() nor iterate() of a Proxy object - the for( .. in .. ) trap doesn't work at all. See attached Load2.html.

The only workaround is to have an iterator/generator on the target object (not on the Proxy itself), as per https://developer.mozilla.org/en-US/docs/Web/JavaScript/Guide/Iterators_and_Generators
Interesting, I came around this bug yesterday as well. I was trying to figure out when the Proxy::enumerate trap is invoked and I wasn't really able to find any solution to that.
Assignee: general → nobody
I believe this still needs to be fixed. Eric is that something you would be interested in?
Flags: needinfo?(efaustbmo)
Blocks: 978228
Assignee: nobody → evilpies
Flags: needinfo?(efaustbmo)
Duplicate of this bug: 783826
Depends on: 1091900
Our implementation of enumerate is not what expects today. So rename it to something better.
Attachment #8522508 - Flags: review?(efaustbmo)
Comment on attachment 8522508 [details] [diff] [review]
Rename enumerate to getEnumerablePropertyKeys

Review of attachment 8522508 [details] [diff] [review]:
-----------------------------------------------------------------

Yes. This is a better name, and leaves enumerate free to write the actual [[Enumerate]] work. r=me with question below answered. Otherwise, this should land immediately, I would think.

::: js/src/proxy/ScriptedDirectProxyHandler.cpp
@@ +760,5 @@
>  }
>  
>  // ES6 (22 May, 2014) 9.5.11 Proxy.[[Enumerate]]
>  bool
> +ScriptedDirectProxyHandler::getEnumerablePropertyKeys(JSContext *cx, HandleObject proxy, AutoIdVector &props) const

We are going to want to do something about this when the rest of this bug lands, right? This function should eventually not directly invoke the JS callback, and instead stub out to the [[Enumerate]] that does, or there'll be a helper or something?
Attachment #8522508 - Flags: review?(efaustbmo) → review+
I missed some trivial pieces in the patch that I uploaded, sorry! I renamed an overload of "enumerate" to the better fitting "getPropertyKeys" in XrayWrapper.
https://treeherder.mozilla.org/ui/#/jobs?repo=try&revision=b57e073e6fb2
https://hg.mozilla.org/integration/mozilla-inbound/rev/494c68e8fe37
Keywords: leave-open
Attached patch shim-legacy-generator (obsolete) — Splinter Review
We are introducing a new iterator protocol, which works like that of "for .. of". i.e. return an object with {done, value}. So we invoke the same code that is called for @@iterator on those.
Attached patch shim-legacy-iterator (obsolete) — Splinter Review
The objects that were used with __iterator__ obviously used the old iterator protocol, so wrap those as well. I really hope we can remove this in the future.
Attached patch new-iter-proto (obsolete) — Splinter Review
Introduce the new ES6 iteration protocol. Also changes PropertyIteratorObject.next to the new way of returning done/value. Most of the time however nothing really changes, because we still directly poke at the NativeIterator.
Attached patch change-iterate-to-enumerate (obsolete) — Splinter Review
Renames the iterate trap to enumerate. Drops the now necessary flags argument, because this is only supposed to be used in [[Enumerate]] case. This makes the enumerate trap mandatory, because this is one of the basic ES6 traps. I think we maintain backwards-compatibility with both direct and indirect proxies.
OS: Mac OS X → All
Hardware: x86 → All
Blocks: 1099399
Now that we pass around LegacyGeneratorObjects as a JS shim the code in CloseIterator that tests for is<LegacyGenerator> won't work. Is that a big deal?
Andy I asked you for review, because I think you probably have the most experience with Iterators and all that shimming business. However feel free to cancel and I am going to ask somebody else.
Attachment #8522530 - Attachment is obsolete: true
Attachment #8522508 - Flags: checkin+
Attachment #8523198 - Flags: review?(wingo)
Attachment #8523200 - Flags: review?(wingo)
Attachment #8523203 - Flags: review?(wingo)
Okay, I probably have to adjust the wrapping a little bit. Right now we also do the wrapping for Iterator(), but we should only do it when we are going to use for .. in on the object. This should fix a few test failures.
Attached patch shim-legacy-generator v2 (obsolete) — Splinter Review
Attachment #8523198 - Attachment is obsolete: true
Attachment #8523198 - Flags: review?(wingo)
Attachment #8523441 - Flags: review?(wingo)
Attached patch shim-legacy-iterator v2 (obsolete) — Splinter Review
Attachment #8523442 - Flags: review?(wingo)
Attachment #8523200 - Attachment is obsolete: true
Attachment #8523200 - Flags: review?(wingo)
Attached patch Fix JS tests (obsolete) — Splinter Review
Most of these is just a slight change in behavior, mostly caused by not invoking close properly and changes to how try .. finally works. I doubt this is big issue, it's kind of an edge case. Two tests fail because next() doesn't throw StopIterator anymore. One test fails, because we don't invoke the ::iterate trap anymore unless you use for .. in directly.
All in all surprising little actual problems.
There are still quite a few test failures that aren't fun to debug https://treeherder.mozilla.org/ui/#/jobs?repo=try&revision=120a30ddb9fe. During some of that investigation I found out about /toolkit/components/osfile, seems like that code use __iterator__, legacy generators & co. quite a bit. And it looks like it uses .close to close file handles?! http://mxr.mozilla.org/mozilla-central/search?string=DirectoryIterator_prototype_close
Comment on attachment 8523441 [details] [diff] [review]
shim-legacy-generator v2

Review of attachment 8523441 [details] [diff] [review]:
-----------------------------------------------------------------

Sorry for the late review.  I must be thick this morning but I am missing the big picture.  What is the problem, and what is being fixed?  If it is user-visible, where are the test cases?

::: js/src/jsiter.cpp
@@ +705,5 @@
> +        return true;
> +    }
> +
> +    if (obj->is<LegacyGeneratorObject>()) {
> +        // Only shim when the Iterator is used for "for .. in" directly

I don't understand what the intention is.  What are you trying to do? :)
Consider, something like this:
var f = function() { yield 1;}
var i = Iterator(f())
for (x in i) {}

I want to avoid shimming the generator that is returned from Iterator, and instead just shim it when we will actually use "for .. in" to iterate over it.
(In reply to Tom Schuster [:evilpie] from comment #23)
> Consider, something like this:
> var f = function() { yield 1;}
> var i = Iterator(f())
> for (x in i) {}
> 
> I want to avoid shimming the generator that is returned from Iterator, and
> instead just shim it when we will actually use "for .. in" to iterate over
> it.

Why?

Also, why are you using for-in in this way?  This is legacy syntax.  The way forward is to use for-of instead.
(In reply to Andy Wingo [:wingo] from comment #24)
> (In reply to Tom Schuster [:evilpie] from comment #23)
> > Consider, something like this:
> > var f = function() { yield 1;}
> > var i = Iterator(f())
> > for (x in i) {}
> > 
> > I want to avoid shimming the generator that is returned from Iterator, and
> > instead just shim it when we will actually use "for .. in" to iterate over
> > it.
> 
> Why?
> 
> Also, why are you using for-in in this way?  This is legacy syntax.  The way
> forward is to use for-of instead.
Well I don't, but tons of Firefox/add-on code does. I am not really interested in fixing that myself.
I am going to try a new approach here. Instead of shimming we will just support both the old and new style iteration protocol in js::IteratorMore. But we should really have a plan to fix this properly soonish.
Attachment #8523444 - Attachment is obsolete: true
Attachment #8523442 - Attachment is obsolete: true
Attachment #8523442 - Flags: review?(wingo)
Attachment #8523441 - Attachment is obsolete: true
Attachment #8523441 - Flags: review?(wingo)
Attachment #8523206 - Attachment is obsolete: true
Attachment #8523203 - Flags: review?(wingo)
Attachment #8523203 - Attachment is obsolete: true
Not really necessary now, but makes the code easier to understand.
Attachment #8535607 - Flags: review?(efaustbmo)
Only calls the Proxy::enumerate trap when GetIterator is called in a for-in context, or from the DirectProxyHandler. Instead of shimming when now just allow both the old and new iterator protocol in IteratorMore. This seems to yield basically perfect backwards-compatibility. If we go ahead with remvoing __iterator__, we could just check for PropertyIterator and LegacyGenerator and totally move to the new protocol. I am not sure about SandboxProxyHandler::enumerate.
Attachment #8535609 - Flags: review?(efaustbmo)
Attachment #8535609 - Flags: review?(bobbyholley)
Attached patch v1 - Some testsSplinter Review
Attachment #8535611 - Flags: review?(efaustbmo)
Honestly I don't really understand what is going to wrong here. Using 'for each' with generators is kind of confusing anyway.
Attachment #8535664 - Flags: review?(mak77)
Comment on attachment 8535609 [details] [diff] [review]
v1 - Change from iterate to [[enumerate]]

Review of attachment 8535609 [details] [diff] [review]:
-----------------------------------------------------------------

::: js/xpconnect/src/Sandbox.cpp
@@ +742,3 @@
>  {
> +    // ??
> +    return DirectProxyHandler::enumerate(cx, proxy, objp);

The point here is that this operation needs to be implemented in terms of the other fundamental traps that are overridden for this proxy handler. IIUC, bouncing to DirectProxyHandler is just going to forward to the underlying object, which doesn't take the other traps into account.

That being said, it doesn't look like any of the special logic we do in getPropertyDescriptor would actually affect enumerate here (it doesn't change the existence of properties or their enumerability - just their values).

If I'm right, we can kill this override entirely for SandboxProxyHandler, but it should happen in a separate patch.
Attachment #8535609 - Flags: review?(bobbyholley) → review-
Attachment #8535607 - Flags: review?(efaustbmo) → review+
So should I call BaseProxyHandler::enumerate? I made ::enumerate pure virtual so it has to be implemented, and if we also don't want want DirectProxyHandler::enumerate. BaseProxyHandler::enumerate would call getEnumerablePropertyKeys which is interestingly also not overridden.
(In reply to Tom Schuster [:evilpie] from comment #32)
> So should I call BaseProxyHandler::enumerate? I made ::enumerate pure
> virtual so it has to be implemented, and if we also don't want want
> DirectProxyHandler::enumerate. BaseProxyHandler::enumerate would call
> getEnumerablePropertyKeys which is interestingly also not overridden.

My point was that we don't need to be overriding this at for this handler.
Comment on attachment 8535609 [details] [diff] [review]
v1 - Change from iterate to [[enumerate]]

Review of attachment 8535609 [details] [diff] [review]:
-----------------------------------------------------------------

I cannot speak to the Sandbox stuff, but we should fix the getEnumerablePropertyKeys thing before this goes in. Most of it looks good, but I would like to see the resolution again.

::: js/ipc/WrapperOwner.cpp
@@ +271,5 @@
>  bool
> +CPOWProxyHandler::enumerate(JSContext *cx, HandleObject proxy, MutableHandleObject objp) const
> +{
> +    // Using a CPOW for the Iterator would slow down for .. in performance, instead
> +    // call the base hook, that will us our implementation of getEnumerablePropertyKeys.

typo: that will us

::: js/src/proxy/ScriptedDirectProxyHandler.cpp
@@ +801,5 @@
> +}
> +
> +// Non-standard, try to convert iterator result to ids
> +bool
> +ScriptedDirectProxyHandler::getEnumerablePropertyKeys(JSContext *cx, HandleObject proxy, AutoIdVector &props) const

As per IRC discussion, this is incorrect because of its invocation for proxies on the prototype chain of native objects, and thus, if I understand correctly, this is no case in which we should have this function.
Attachment #8535609 - Flags: review?(efaustbmo)
Comment on attachment 8535611 [details] [diff] [review]
v1 - Some tests

Review of attachment 8535611 [details] [diff] [review]:
-----------------------------------------------------------------

When we're ready, we should add a test for proxies on the prototype chain of native objects in for-in interators. As discussed, that can live in the followup, though.
Attachment #8535611 - Flags: review?(efaustbmo) → review+
Sorry Bobby, but you answer is still don't grasp your answer. I switched to BaseProxyHandler::enumerate now. Can you please explicitly say what you want me to do, thanks.
Attachment #8536022 - Flags: review?(efaustbmo)
Attachment #8536022 - Flags: review?(bobbyholley)
Attachment #8535609 - Attachment is obsolete: true
I am not sure if it appropriate to call js::GetPropertyKeys in the BaseProxyHandler?
Attachment #8536023 - Flags: review?(efaustbmo)
Attachment #8536023 - Flags: review?(bobbyholley)
I believe this was broken before already. We should also call ownkeys when we want symbols, because getOwnEnumerablePropertyKeys doesn't return them.
Could be a followup if you want.
Attachment #8536024 - Flags: review?(efaustbmo)
Comment on attachment 8536022 [details] [diff] [review]
v2 - Change from iterate to [[enumerate]]

Review of attachment 8536022 [details] [diff] [review]:
-----------------------------------------------------------------

::: js/src/jsiter.cpp
@@ +670,5 @@
>      }
>  
> +    // We should only call the enumerate trap for "for-in".
> +    // Or when we call GetIterator from the Proxy [[Enumerate]] hook.
> +    // In the future also for Reflect.enumerate.

Can we add a "sleeper-test" a la Jorendorff for this, where we test if Reflect.enumerate is a function, throw if it is, and leave the test we want to replace it with commented out in the file?

::: js/src/proxy/ScriptedDirectProxyHandler.cpp
@@ +801,5 @@
> +}
> +
> +// Non-standard, try to convert iterator result to ids
> +bool
> +ScriptedDirectProxyHandler::getEnumerablePropertyKeys(JSContext *cx, HandleObject proxy, AutoIdVector &props) const

Complained about previously. There's now a patch to remove this later in this stack. OK by me :)
Attachment #8536022 - Flags: review?(efaustbmo) → review+
Comment on attachment 8536022 [details] [diff] [review]
v2 - Change from iterate to [[enumerate]]

Review of attachment 8536022 [details] [diff] [review]:
-----------------------------------------------------------------

My suggestion was to just get rid of the override in Sandbox altogether, but this is also fine.
Attachment #8536022 - Flags: review?(bobbyholley) → review+
Comment on attachment 8536023 [details] [diff] [review]
v1 - Remove getEnumerablePropertyKeys

Review of attachment 8536023 [details] [diff] [review]:
-----------------------------------------------------------------

This looks great! Thanks for taking care of the inherited scripted proxy case :)

::: js/src/jsiter.cpp
@@ +327,5 @@
>  
>          if (flags & JSITER_OWNONLY)
>              break;
>  
> +        if (!JSObject::getProto(cx, pobj, &pobj))

OK, this site is prepared for getPrototypeOf to get called on scripted direct proxy handlers, right? Even if they change objects lower on the prototype chain, the algorithm is very clear. If it creates a circular prototype chain, then this spins, but that's unavoidable.

::: js/src/proxy/BaseProxyHandler.cpp
@@ +239,2 @@
>      AutoIdVector props(cx);
> +    if (!GetPropertyKeys(cx, proxy, 0, &props))

I am really happy that you shared code here, rather than writing another re-implementation.

::: js/src/proxy/Proxy.cpp
@@ +378,5 @@
> +
> +    AutoIdVector protoProps(cx);
> +    return GetPropertyKeys(cx, proto, 0, &protoProps) &&
> +           AppendUnique(cx, props, protoProps) &&
> +           EnumeratedIdVectorToIterator(cx, proxy, 0, props, objp);

Nice.
Attachment #8536023 - Flags: review?(efaustbmo) → review+
Comment on attachment 8536024 [details] [diff] [review]
v1 - Fix for enumerating enumerable symbols

Review of attachment 8536024 [details] [diff] [review]:
-----------------------------------------------------------------

Looks good.

::: js/src/jsiter.cpp
@@ +319,5 @@
> +
> +                    // We need to filter, if the caller just wants enumerable
> +                    // symbols.
> +                    if (!(flags & JSITER_HIDDEN)) {
> +                        if (!Proxy::getOwnPropertyDescriptor(cx, pobj, proxyProps[n], &desc))

This matches spec observability of *2* getOwnPropertyDescriptor calls per returned OwnPropertyKey. We should have some notion of how many times the trap is called in the above or a separate test.
Attachment #8536024 - Flags: review?(efaustbmo) → review+
Comment on attachment 8536023 [details] [diff] [review]
v1 - Remove getEnumerablePropertyKeys

Review of attachment 8536023 [details] [diff] [review]:
-----------------------------------------------------------------

r=me on the XPConnect bits.
Attachment #8536023 - Flags: review?(bobbyholley) → review+
Attachment #8535664 - Flags: review?(mak77) → review+
Attachment #8535900 - Attachment is obsolete: true
I had to fix tests/js1_8_5/regress/regress-620376-{1,2}.js, because these tests use Proxy.create and wanted "enumerate" to be called, however we now always call "keys".
Status: NEW → RESOLVED
Closed: 6 years ago
Keywords: leave-open
Resolution: --- → FIXED
Blocks: 1114070
You need to log in before you can comment on or make changes to this bug.