
LibWeb: Crash when iterating over `window` properties with `for..in`

Open awesomekling opened this issue 2 years ago • 2 comments

Hit this when messing with the shopping cart on https://twinings.co.uk/

Simplified reduction:

```html
<body><div id="lol"></div>
<script>
    // Enumerates every enumerable property of the global object; crashes LibWeb
    for (let p in window) {
        console.log(p);
    }
</script>
```

cc @ADKaster, seems likely this is fallout from recent LegacyPlatformObject stuff.

awesomekling avatar Jan 28 '24 14:01 awesomekling

This seems to be related to a misalignment between `internal_own_property_keys` and `internal_get_own_property`.

We claim to have a property key, but then the get own property method falls over and returns an empty optional. I'm not sure if this would have worked before that LegacyPlatformObject refactor, but I'll have to check if it did.

This is in

```cpp
// 14.7.5.9 EnumerateObjectProperties ( O ), https://tc39.es/ecma262/#sec-enumerate-object-properties
inline ThrowCompletionOr<Object*> get_object_property_iterator(VM& vm, Value value)
```

in CommonImplementations.h

ADKaster avatar Jan 30 '24 07:01 ADKaster
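To make the misalignment described above concrete, here is an added example (not LibJS or LibWeb code) that mirrors the informative generator the spec gives for EnumerateObjectProperties and runs it, alongside a native `for..in`, over a constructed Proxy whose `ownKeys` trap reports a key that its `getOwnPropertyDescriptor` trap then denies. This is the same shape as an object whose `internal_own_property_keys` and `internal_get_own_property` disagree: the spec says such a key is simply skipped, not treated as an error. The object names, the `"ghost"` key and the second shadowing case are assumptions made for illustration.

```javascript
// Reference walk of ECMA-262 14.7.5.9 EnumerateObjectProperties, following the
// informative generator in the spec. Added example, not the engine's own code.
function* enumerateObjectProperties(obj) {
  const visited = new Set();
  for (let o = obj; o !== null; o = Reflect.getPrototypeOf(o)) {
    for (const key of Reflect.ownKeys(o)) {
      if (typeof key === "symbol") continue;          // for..in yields string keys only
      const desc = Reflect.getOwnPropertyDescriptor(o, key);
      if (desc === undefined) continue;               // key claimed by [[OwnPropertyKeys]] but
                                                      // [[GetOwnProperty]] has none: spec skips it
      if (visited.has(key)) continue;                 // shadowed by an object earlier in the chain
      visited.add(key);
      if (desc.enumerable) yield key;
    }
  }
}

// Constructed object (hypothetical, standing in for `window` in the report) whose
// [[OwnPropertyKeys]] and [[GetOwnProperty]] disagree about the key "ghost".
function makeMisalignedObject() {
  const target = { real: 1 };
  return new Proxy(target, {
    ownKeys() {
      return ["real", "ghost"];                       // claims a key the target does not have
    },
    getOwnPropertyDescriptor(t, key) {
      return key === "ghost" ? undefined : Reflect.getOwnPropertyDescriptor(t, key);
    },
  });
}

// Constructed object exercising the "visited" rule: a non-enumerable own property
// hides an enumerable property of the same name further up the prototype chain.
function makeShadowedObject() {
  const proto = { inherited: 1, shadowed: 2 };
  const obj = Object.create(proto);
  Object.defineProperty(obj, "shadowed", { value: 3, enumerable: false, configurable: true });
  obj.own = 4;
  return obj;
}

// The construct from the bug report: native for..in, collected into an array.
function forInKeys(obj) {
  const keys = [];
  for (const key in obj) keys.push(key);
  return keys;
}

// The same enumeration via the reference walk above.
function specKeys(obj) {
  return [...enumerateObjectProperties(obj)];
}

console.log(forInKeys(makeMisalignedObject()), specKeys(makeMisalignedObject()));
console.log(forInKeys(makeShadowedObject()), specKeys(makeShadowedObject()));
```

Both the native loop and the reference walk yield only `real` for the misaligned object and `own, inherited` for the shadowed one; an engine that instead treats the missing descriptor as an invariant violation is where a crash like the one reported comes from.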

I've investigated it somewhat, and it seems that this crash started happening after: 2505cecc0f6d8b70b21952c30ee1f885c67debd8

Now just trying to resolve my confusion about where the spec is meant to align these differences for a global object.

Will continue to investigate

shannonbooth avatar Mar 05 '24 08:03 shannonbooth

Thank you @tcl3 for contributing to close this issue! ⭐

The rewards from this issue, totalling $50, have been shared with you.

awesomekling avatar Apr 26 '24 18:04 awesomekling