188794 2018-08-21 06:11:56 -0700 [JSC] Array.prototype.reverse modifies JSImmutableButterfly 2019-07-21 21:51:18 -0700 1 1 1 Unclassified WebKit JavaScriptCore WebKit Local Build Unspecified Unspecified RESOLVED FIXED InRadar P2 Normal --- 1 sunlili ysuzuki asmqb7 darin ews-watchlist fpizlo keith_miller ljharb mark.lam msaboff omarandemad saam webkit-bug-importer ysuzuki oldest_to_newest 1452061 0 sunlili 2018-08-21 06:11:56 -0700 Executing following code : ------------------------------------- var a= [1, 2.2, 3.3]; function Test() { +a; a.reverse(); print(a); } Test(); print("BT_FLAG"); ------------------------------------- Output should be : 3.3,2.2,1 BT_FLAG However, output of JavaScriptCore is : 1,2.2,3.3 BT_FLAG BT_GROUP 2018/8/21 1453443 1 348007 ysuzuki 2018-08-24 07:25:22 -0700 Created attachment 348007 Patch 1453471 2 mark.lam 2018-08-24 09:53:25 -0700 <rdar://problem/43637041> 1453488 3 348007 saam 2018-08-24 10:50:14 -0700 Comment on attachment 348007 Patch View in context: https://bugs.webkit.org/attachment.cgi?id=348007&action=review > Source/JavaScriptCore/runtime/JSObject.h:873 > + void ensureWritable(VM& vm) > + { > + if (isCopyOnWrite(indexingMode())) > + convertFromCopyOnWrite(vm); > + } We do this exact pattern in JSObject.cpp a few times. Maybe we can also refactor that code to just call this? 1453668 4 348007 darin 2018-08-24 21:27:51 -0700 Comment on attachment 348007 Patch View in context: https://bugs.webkit.org/attachment.cgi?id=348007&action=review >> Source/JavaScriptCore/runtime/JSObject.h:873 >> + } > > We do this exact pattern in JSObject.cpp a few times. Maybe we can also refactor that code to just call this? Same goes for four functions in JSArray.cpp. 1453669 5 348007 ysuzuki 2018-08-24 23:01:26 -0700 Comment on attachment 348007 Patch View in context: https://bugs.webkit.org/attachment.cgi?id=348007&action=review >>> Source/JavaScriptCore/runtime/JSObject.h:873 >>> + } >> >> We do this exact pattern in JSObject.cpp a few times. Maybe we can also refactor that code to just call this? > > Same goes for four functions in JSArray.cpp. Sounds good. Fixed. 1453825 6 ysuzuki 2018-08-27 01:31:49 -0700 Committed r235356: <https://trac.webkit.org/changeset/235356> 1460927 7 asmqb7 2018-09-19 06:23:50 -0700 Awesome to hear this is fixed. There's currently a (mildly) trending submission on Hacker News regarding this bug: https://news.ycombinator.com/item?id=18021835 It would appear that current releases of Safari (apparently on both iOS and macOS) are still on WebKit revisions from before the fix landing. I'm sure there's lots more detail and discussion in the rdar:// links, but I can't be sure since I cannot view them. It would be great if a quick TL;DR on progress/status/next steps/instructions etc could be released somewhere. (As someone who has never really used macOS/iOS, I'm very curious how the fixes will be rolled out - perhaps silent/automatic patch updates? This breaks JS pretty impressively, so I can't see this being slated for the next iOS/macOS major release.) NB. I found this thread because the bug submitter linked to it - thanks! - https://news.ycombinator.com/item?id=18023508 348007 2018-08-24 07:25:22 -0700 2018-08-24 07:51:42 -0700 Patch bug-188794-20180824232521.patch text/plain 4053 ysuzuki U3VidmVyc2lvbiBSZXZpc2lvbjogMjM1MzE2CmRpZmYgLS1naXQgYS9Tb3VyY2UvSmF2YVNjcmlw dENvcmUvQ2hhbmdlTG9nIGIvU291cmNlL0phdmFTY3JpcHRDb3JlL0NoYW5nZUxvZwppbmRleCA0 YTI2ZDM3Mzc4Yzc5ZWM3ZjJkMjllMzU3MzBkY2ZkNjM0OGI2MDUyLi5mZDE0YTEwZGFkYjU3MzJm ODdhZDdlMTY1M2JmYmQ2MTJhYjRkOTEyIDEwMDY0NAotLS0gYS9Tb3VyY2UvSmF2YVNjcmlwdENv cmUvQ2hhbmdlTG9nCisrKyBiL1NvdXJjZS9KYXZhU2NyaXB0Q29yZS9DaGFuZ2VMb2cKQEAgLTEs MyArMSwyMCBAQAorMjAxOC0wOC0yNCAgWXVzdWtlIFN1enVraSAgPHl1c3VrZXN1enVraUBzbG93 c3RhcnQub3JnPgorCisgICAgICAgIFtKU0NdIEFycmF5LnByb3RvdHlwZS5yZXZlcnNlIG1vZGlm aWVzIEpTSW1tdXRhYmxlQnV0dGVyZmx5CisgICAgICAgIGh0dHBzOi8vYnVncy53ZWJraXQub3Jn L3Nob3dfYnVnLmNnaT9pZD0xODg3OTQKKworICAgICAgICBSZXZpZXdlZCBieSBOT0JPRFkgKE9P UFMhKS4KKworICAgICAgICBXaGlsZSBBcnJheS5wcm90b3R5cGUucmV2ZXJzZSBtb2RpZmllcyB0 aGUgYnV0dGVyZmx5IG9mIHRoZSBnaXZlbiBBcnJheSwKKyAgICAgICAgaXQgZG9lcyBub3QgYWNj b3VudCBKU0ltbXV0YWJsZUJ1dHRlcmZseSBjYXNlLiBTbyBpdCBhY2NpZGVudGFsbHkgbW9kaWZp ZXMKKyAgICAgICAgdGhlIGNvbnRlbnQgb2YgSlNJbW11dGFibGVCdXR0ZXJmbHkuCisgICAgICAg IFRoaXMgcGF0Y2ggY29udmVydHMgQ29XIGFycmF5cyB0byB3cml0YWJsZSBhcnJheXMgYmVmb3Jl IHJldmVyc2luZy4KKworICAgICAgICAqIHJ1bnRpbWUvQXJyYXlQcm90b3R5cGUuY3BwOgorICAg ICAgICAoSlNDOjphcnJheVByb3RvRnVuY1JldmVyc2UpOgorICAgICAgICAqIHJ1bnRpbWUvSlNP YmplY3QuaDoKKyAgICAgICAgKEpTQzo6SlNPYmplY3Q6OmVuc3VyZVdyaXRhYmxlKToKKwogMjAx OC0wOC0yMyAgU2ltb24gRnJhc2VyICA8c2ltb24uZnJhc2VyQGFwcGxlLmNvbT4KIAogICAgICAg ICBBZGQgc3VwcG9ydCBmb3IgZHVtcGluZyBHQyBoZWFwIHNuYXBzaG90cywgYW5kIGEgdmlld2Vy CmRpZmYgLS1naXQgYS9Tb3VyY2UvSmF2YVNjcmlwdENvcmUvcnVudGltZS9BcnJheVByb3RvdHlw ZS5jcHAgYi9Tb3VyY2UvSmF2YVNjcmlwdENvcmUvcnVudGltZS9BcnJheVByb3RvdHlwZS5jcHAK aW5kZXggNzY0ODcxYzgwZDBhYmRkNWY0ZTRjYjQ5ZDhkNzZiMTljNDk0Y2I1Yi4uY2JmM2Q3MjRk YjYwOTYyZjdmNjZlMmQwMTJlMjQyNTAxM2YyN2YyMSAxMDA2NDQKLS0tIGEvU291cmNlL0phdmFT Y3JpcHRDb3JlL3J1bnRpbWUvQXJyYXlQcm90b3R5cGUuY3BwCisrKyBiL1NvdXJjZS9KYXZhU2Ny aXB0Q29yZS9ydW50aW1lL0FycmF5UHJvdG90eXBlLmNwcApAQCAtODU1LDYgKzg1NSw4IEBAIEVu Y29kZWRKU1ZhbHVlIEpTQ19IT1NUX0NBTEwgYXJyYXlQcm90b0Z1bmNSZXZlcnNlKEV4ZWNTdGF0 ZSogZXhlYykKICAgICB1bnNpZ25lZCBsZW5ndGggPSB0b0xlbmd0aChleGVjLCB0aGlzT2JqZWN0 KTsKICAgICBSRVRVUk5fSUZfRVhDRVBUSU9OKHNjb3BlLCBlbmNvZGVkSlNWYWx1ZSgpKTsKIAor ICAgIHRoaXNPYmplY3QtPmVuc3VyZVdyaXRhYmxlKHZtKTsKKwogICAgIHN3aXRjaCAodGhpc09i amVjdC0+aW5kZXhpbmdUeXBlKCkpIHsKICAgICBjYXNlIEFMTF9DT05USUdVT1VTX0lOREVYSU5H X1RZUEVTOgogICAgIGNhc2UgQUxMX0lOVDMyX0lOREVYSU5HX1RZUEVTOiB7CmRpZmYgLS1naXQg YS9Tb3VyY2UvSmF2YVNjcmlwdENvcmUvcnVudGltZS9KU09iamVjdC5oIGIvU291cmNlL0phdmFT Y3JpcHRDb3JlL3J1bnRpbWUvSlNPYmplY3QuaAppbmRleCA5NmNjYzA0MGU3ODQ5Mzg2ZWQ5NTc1 MTMwYTMzNjZkNDhkNjUxZTM5Li41NjhiMjY2ODM4OTUzZWRmYjBjNjFkMDNkYWMyMTYwYTE4NzQ2 YzdjIDEwMDY0NAotLS0gYS9Tb3VyY2UvSmF2YVNjcmlwdENvcmUvcnVudGltZS9KU09iamVjdC5o CisrKyBiL1NvdXJjZS9KYXZhU2NyaXB0Q29yZS9ydW50aW1lL0pTT2JqZWN0LmgKQEAgLTg2NSw2 ICs4NjUsMTIgQEAgY2xhc3MgSlNPYmplY3QgOiBwdWJsaWMgSlNDZWxsIHsKIAogICAgICAgICBy ZXR1cm4gZW5zdXJlQXJyYXlTdG9yYWdlU2xvdyh2bSk7CiAgICAgfQorCisgICAgdm9pZCBlbnN1 cmVXcml0YWJsZShWTSYgdm0pCisgICAgeworICAgICAgICBpZiAoaXNDb3B5T25Xcml0ZShpbmRl eGluZ01vZGUoKSkpCisgICAgICAgICAgICBjb252ZXJ0RnJvbUNvcHlPbldyaXRlKHZtKTsKKyAg ICB9CiAgICAgICAgIAogICAgIHN0YXRpYyBzaXplX3Qgb2Zmc2V0T2ZJbmxpbmVTdG9yYWdlKCk7 CiAgICAgICAgIApkaWZmIC0tZ2l0IGEvSlNUZXN0cy9DaGFuZ2VMb2cgYi9KU1Rlc3RzL0NoYW5n ZUxvZwppbmRleCBhMTlhYjU3YzE5ZmVlNTU5NDU1NTgzMzk2MGY2YTI2MGY4YTMxNzU0Li5mNTlm YjkyZWYwMWQ2YWRmYmZkNmU1N2E5NmQ4YzNhNjJkN2M4YjYxIDEwMDY0NAotLS0gYS9KU1Rlc3Rz L0NoYW5nZUxvZworKysgYi9KU1Rlc3RzL0NoYW5nZUxvZwpAQCAtMSwzICsxLDE2IEBACisyMDE4 LTA4LTI0ICBZdXN1a2UgU3V6dWtpICA8eXVzdWtlc3V6dWtpQHNsb3dzdGFydC5vcmc+CisKKyAg ICAgICAgW0pTQ10gQXJyYXkucHJvdG90eXBlLnJldmVyc2UgbW9kaWZpZXMgSlNJbW11dGFibGVC dXR0ZXJmbHkKKyAgICAgICAgaHR0cHM6Ly9idWdzLndlYmtpdC5vcmcvc2hvd19idWcuY2dpP2lk PTE4ODc5NAorCisgICAgICAgIFJldmlld2VkIGJ5IE5PQk9EWSAoT09QUyEpLgorCisgICAgICAg ICogc3RyZXNzL3JldmVyc2Utd2l0aC1pbW11dGFibGUtYnV0dGVyZmx5LmpzOiBBZGRlZC4KKyAg ICAgICAgKHNob3VsZEJlKToKKyAgICAgICAgKHJldmVyc2VJbnQpOgorICAgICAgICAocmV2ZXJz ZURvdWJsZSk6CisgICAgICAgIChyZXZlcnNlQ29udGlndW91cyk6CisKIDIwMTgtMDgtMjIgIFNh YW0gYmFyYXRpICA8c2JhcmF0aUBhcHBsZS5jb20+CiAKICAgICAgICAgTWFrZSBkYXRhLXZpZXct YWNjZXNzLmpzIHJ1biBsZXNzIHRpbWUgdG8gcHJldmVudCB0aW1lb3V0cyBvbiAzMi1iaXQKZGlm ZiAtLWdpdCBhL0pTVGVzdHMvc3RyZXNzL3JldmVyc2Utd2l0aC1pbW11dGFibGUtYnV0dGVyZmx5 LmpzIGIvSlNUZXN0cy9zdHJlc3MvcmV2ZXJzZS13aXRoLWltbXV0YWJsZS1idXR0ZXJmbHkuanMK bmV3IGZpbGUgbW9kZSAxMDA2NDQKaW5kZXggMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAw MDAwMDAwMDAwMC4uOGY1ZDQyOGNlZWM3ZDI1ZDA2N2JiZjc0ZTM0NzQwMzIzMWVhN2Y3NAotLS0g L2Rldi9udWxsCisrKyBiL0pTVGVzdHMvc3RyZXNzL3JldmVyc2Utd2l0aC1pbW11dGFibGUtYnV0 dGVyZmx5LmpzCkBAIC0wLDAgKzEsMjggQEAKK2Z1bmN0aW9uIHNob3VsZEJlKGFjdHVhbCwgZXhw ZWN0ZWQpIHsKKyAgICBpZiAoYWN0dWFsICE9PSBleHBlY3RlZCkKKyAgICAgICAgdGhyb3cgbmV3 IEVycm9yKCdiYWQgdmFsdWU6ICcgKyBhY3R1YWwpOworfQorCitmdW5jdGlvbiByZXZlcnNlSW50 KCkKK3sKKyAgICB2YXIgYXJyYXkgPSBbMCwgMSwgMiwgM107CisgICAgcmV0dXJuIGFycmF5LnJl dmVyc2UoKTsKK30KKworZnVuY3Rpb24gcmV2ZXJzZURvdWJsZSgpCit7CisgICAgdmFyIGFycmF5 ID0gWzAuMCwgMS4xLCAyLjIsIDMuM107CisgICAgcmV0dXJuIGFycmF5LnJldmVyc2UoKTsKK30K KworZnVuY3Rpb24gcmV2ZXJzZUNvbnRpZ3VvdXMoKQoreworICAgIHZhciBhcnJheSA9IFswLjAs IDEuMSwgMi4yLCAnaGVsbG8nXTsKKyAgICByZXR1cm4gYXJyYXkucmV2ZXJzZSgpOworfQorCitm b3IgKHZhciBpID0gMDsgaSA8IDFlNDsgKytpKSB7CisgICAgc2hvdWxkQmUoSlNPTi5zdHJpbmdp ZnkocmV2ZXJzZUludCgpKSwgYFszLDIsMSwwXWApOworICAgIHNob3VsZEJlKEpTT04uc3RyaW5n aWZ5KHJldmVyc2VEb3VibGUoKSksIGBbMy4zLDIuMiwxLjEsMF1gKTsKKyAgICBzaG91bGRCZShK U09OLnN0cmluZ2lmeShyZXZlcnNlQ29udGlndW91cygpKSwgYFsiaGVsbG8iLDIuMiwxLjEsMF1g KTsKK30K