189030 – For-in over a proxy with ownKeys handler hits non-enumerable keys

Bug 189030 - For-in over a proxy with ownKeys handler hits non-enumerable keys

Summary: For-in over a proxy with ownKeys handler hits non-enumerable keys

Status:	NEW

Alias:	None

Product:	WebKit
Classification:	Unclassified
Component:	JavaScriptCore (show other bugs)
Version:	Safari Technology Preview
Hardware:	Unspecified Unspecified

Importance:	P2 Normal
Assignee:	Nobody

URL:
Keywords:	InRadar

Depends on:
Blocks:

Reported:	2018-08-27 16:25 PDT by Kevin Gibbons
Modified:	2019-04-18 11:01 PDT (History)
CC List:	14 users (show)

See Also:

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.

Description Kevin Gibbons 2018-08-27 16:25:35 PDT

Consider the following program:

```
if (typeof console === 'undefined') console = { log: print };

let a = Object.create(null, {
  x: { enumerable: false, configurable: true, value: 0 },
});

let handler = {
  ownKeys(target) {
    return Reflect.ownKeys(target);
  },
};

let pa = new Proxy(a, handler);

for (let key in pa) {
  console.log('reached');
}
```

This prints 'reached'. It should not; `pa` reports no enumerable keys. (And no other engine has this behavior.)

This only happens if the `ownKeys` handler is present, even though the one I've specified does the same thing as the default handler.


See also (and please comment on) this open spec bug about more precisely specifying the behavior of for-in, which prompted the investigation which lead me to discovering this issue: https://github.com/tc39/ecma262/issues/1281

Comment 1 Kevin Gibbons 2018-09-10 17:04:06 PDT

This is probably related, so I'm going to add it as a comment here:

JSC can also print the same key twice. According to Allen Wirfs-Brock [1], "no duplicate names" is the most important property required by the spec, so this seems especially bad.

Sample code:

```
let a = {
  x: 0,
};

let b = {
  x: 0,
};


let pb = new Proxy(b, {
  ownKeys(target) {
    return Reflect.ownKeys(target);
  },
});

Object.setPrototypeOf(a, pb);


for (let key in a) {
  console.log(key);
}
```

This prints `x` twice.



[1] https://github.com/tc39/ecma262/issues/1281#issuecomment-411133580

Comment 2 Radar WebKit Bug Importer 2019-01-20 14:50:25 PST

<rdar://problem/47417561>

Comment 3 Caitlin Potter (:caitp) 2019-02-22 10:52:52 PST

This is essentially the same bug as your other one, https://bugs.webkit.org/show_bug.cgi?id=189034 --- isn't it?

Comment 4 Kevin Gibbons 2019-02-22 11:03:03 PST

Maybe? This one only occurs if you have an `ownKeys` handler - if you remove it from my examples, the engine does the right thing. So I was assuming it was a distinct issue from failing to invoke `getOwnPropertyDescriptor`.

Comment 5 Caitlin Potter (:caitp) 2019-02-22 11:12:35 PST

(In reply to bakkot from comment #4)
> Maybe? This one only occurs if you have an `ownKeys` handler - if you remove
> it from my examples, the engine does the right thing. So I was assuming it
> was a distinct issue from failing to invoke `getOwnPropertyDescriptor`.

Ah, I see what you mean. This one is a dupe of https://bugs.webkit.org/show_bug.cgi?id=176810, but the GOPD bug still needs to be fixed.

Comment 6 Caitlin Potter (:caitp) 2019-04-18 11:01:45 PDT

Neither of these test cases are reproducible for me on master now.