Created attachment 262446
reproducible test case

The following code iterates twice over the key "0" in the object cols - despite it only existing in the object once.

    <html>
    <head>
    <script>
    var f = function() {
        "use strict";
        var cols = {"col":{"title":" ","type":"sys","events":[],"name":0,"id":0,"_i":0}};
        var len = 0;
        var remapcols = ['col'];
        for (var i = 0; i < remapcols.length; i++) {
            cols[cols[remapcols[i]].name] = cols[remapcols[i]];
            delete cols[remapcols[i]];
        }
        var count = 0;
        console.group("object:")
        console.log(cols);
        console.groupEnd();
        console.group("This group should only contain one line");
        for (var col2 in cols) {
            console.log("" + count++ +": Iterating over key: " + col2);
        }
        console.groupEnd();
    };
    f();</script>
    </head>
    <body>
    Check console log, expected output is a single log entry "0: Iterating over key: 0"
    </body>
    </html>
<rdar://problem/22993722>
Still investigating, but a possible fix is setting indexedLength = 0; for the non-generic JSPropertyNameEnumerator creation case.
Created attachment 262862
Patch
Created attachment 262863
Patch
Comment on attachment 262863
Patch

View in context: https://bugs.webkit.org/attachment.cgi?id=262863&action=review

r=me

> Source/JavaScriptCore/runtime/JSPropertyNameEnumerator.h:128
> + // So disabling indexed property enumeration phase by setting |indexedLength| to 0.

disabling => disable
Comment on attachment 262863
Patch

View in context: https://bugs.webkit.org/attachment.cgi?id=262863&action=review

>> Source/JavaScriptCore/runtime/JSPropertyNameEnumerator.h:128
>> + // So disabling indexed property enumeration phase by setting |indexedLength| to 0.
>
> disabling => disable

Thanks. Fixed.
Committed r190923: <http://trac.webkit.org/changeset/190923>