Bug 189030

Summary: For-in over a proxy with ownKeys handler hits non-enumerable keys
Product: WebKit
Component: JavaScriptCore
Status: NEW
Severity: Normal
Priority: P2
Version: Safari Technology Preview
Hardware: Unspecified
OS: Unspecified
Reporter: Kevin Gibbons <bakkot>
Assignee: Nobody <webkit-unassigned>
CC: benjamin, caitp, fpizlo, ggaren, gskachkov, keith_miller, mark.lam, msaboff, rmorisset, saam, ticaiolima, tzagallo, webkit-bug-importer, ysuzuki
Keywords: InRadar

Description Kevin Gibbons 2018-08-27 16:25:35 PDT
Consider the following program:

```
if (typeof console === 'undefined') console = { log: print };

let a = Object.create(null, {
  x: { enumerable: false, configurable: true, value: 0 },
});

let handler = {
  ownKeys(target) {
    return Reflect.ownKeys(target);
  },
};

let pa = new Proxy(a, handler);

for (let key in pa) {
  console.log('reached');
}
```

This prints 'reached'. It should not; `pa` reports no enumerable keys. (And no other engine has this behavior.)

This only happens if the `ownKeys` handler is present, even though the one I've specified does the same thing as the default handler.


See also (and please comment on) this open spec bug about more precisely specifying the behavior of for-in, which prompted the investigation which led me to discovering this issue: https://github.com/tc39/ecma262/issues/1281
Comment 1 Kevin Gibbons 2018-09-10 17:04:06 PDT
This is probably related, so I'm going to add it as a comment here:

JSC can also print the same key twice. According to Allen Wirfs-Brock [1], "no duplicate names" is the most important property required by the spec, so this seems especially bad.

Sample code:

```
let a = {
  x: 0,
};

let b = {
  x: 0,
};


let pb = new Proxy(b, {
  ownKeys(target) {
    return Reflect.ownKeys(target);
  },
});

Object.setPrototypeOf(a, pb);


for (let key in a) {
  console.log(key);
}
```

This prints `x` twice.



[1] https://github.com/tc39/ecma262/issues/1281#issuecomment-411133580
Comment 2 Radar WebKit Bug Importer 2019-01-20 14:50:25 PST
<rdar://problem/47417561>
Comment 3 Caitlin Potter (:caitp) 2019-02-22 10:52:52 PST
This is essentially the same bug as your other one, https://bugs.webkit.org/show_bug.cgi?id=189034 --- isn't it?
Comment 4 Kevin Gibbons 2019-02-22 11:03:03 PST
Maybe? This one only occurs if you have an `ownKeys` handler - if you remove it from my examples, the engine does the right thing. So I was assuming it was a distinct issue from failing to invoke `getOwnPropertyDescriptor`.
Comment 5 Caitlin Potter (:caitp) 2019-02-22 11:12:35 PST
(In reply to bakkot from comment #4)
> Maybe? This one only occurs if you have an `ownKeys` handler - if you remove
> it from my examples, the engine does the right thing. So I was assuming it
> was a distinct issue from failing to invoke `getOwnPropertyDescriptor`.

Ah, I see what you mean. This one is a dupe of https://bugs.webkit.org/show_bug.cgi?id=176810, but the GOPD bug still needs to be fixed.
Comment 6 Caitlin Potter (:caitp) 2019-04-18 11:01:45 PDT
Neither of these test cases is reproducible for me on master now.
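
A regression check covering both test cases in this report, added here as an example and not code from the bug thread or from WebKit: it compares what `for-in` actually yields against a reference enumeration adapted from the informative `EnumerateObjectProperties` sketch in ECMA-262. The function names (`expectedForInKeys`, `actualForInKeys`, `withOwnKeysTrap`, `check` and the two `case...` builders) are hypothetical.

```javascript
// Reference enumeration for for-in, adapted (iteratively) from the informative
// EnumerateObjectProperties sketch in ECMA-262: walk the prototype chain, visit
// each string key once, and report it only if its first owner marks it enumerable.
function expectedForInKeys(obj) {
  const visited = new Set();
  const result = [];
  for (let o = obj; o !== null; o = Reflect.getPrototypeOf(o)) {
    for (const key of Reflect.ownKeys(o)) {
      if (typeof key === 'symbol' || visited.has(key)) continue;
      const desc = Reflect.getOwnPropertyDescriptor(o, key);
      if (desc === undefined) continue;
      visited.add(key); // a non-enumerable key still shadows the prototype's
      if (desc.enumerable) result.push(key);
    }
  }
  return result;
}

function actualForInKeys(obj) {
  const keys = [];
  for (const key in obj) keys.push(key);
  return keys;
}

// Proxy whose ownKeys trap does the same as the default, as in the report.
function withOwnKeysTrap(target) {
  return new Proxy(target, { ownKeys: (t) => Reflect.ownKeys(t) });
}

// Case from the description: one non-enumerable key behind the proxy.
function caseNonEnumerable() {
  const a = Object.create(null, {
    x: { enumerable: false, configurable: true, value: 0 },
  });
  return withOwnKeysTrap(a);
}

// Case from comment 1: `x` on the object and again on its proxied prototype.
function caseShadowedOnProxyPrototype() {
  const a = { x: 0 };
  Object.setPrototypeOf(a, withOwnKeysTrap({ x: 0 }));
  return a;
}

function check(obj) {
  const expected = expectedForInKeys(obj);
  const actual = actualForInKeys(obj);
  return { expected, actual, ok: JSON.stringify(expected) === JSON.stringify(actual) };
}
for (const c of [caseNonEnumerable, caseShadowedOnProxyPrototype]) console.log(c.name, check(c()));
```

An engine showing the behaviour reported above would give `ok: false` with `actual` of `['x']` for the first case and `['x', 'x']` for the second.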