Bug 145358
| Summary: | [JSC] indexed property doesn't work well | ||
|---|---|---|---|
| Product: | WebKit | Reporter: | Yusuke Suzuki <ysuzuki> |
| Component: | JavaScriptCore | Assignee: | Nobody <webkit-unassigned> |
| Status: | NEW | ||
| Severity: | Normal | CC: | benjamin, darin, fpizlo, ggaren, joepeck, rniwa |
| Priority: | P2 | ||
| Version: | 528+ (Nightly build) | ||
| Hardware: | Unspecified | ||
| OS: | Unspecified | ||
| Bug Depends on: | 145360, 144252 | ||
| Bug Blocks: | |||
Yusuke Suzuki
STEP TO REPRODUCE:
var object = {
length: 5,
0: 0,
get 1() {
return 1;
},
set 1(value) {
print(value);
throw new Error(2);
},
2: 2,
3: 3,
};
print(JSON.stringify(Object.getOwnPropertyDescriptor(object, 1)));
EXPECTED:
'{"enumerable":true,"configurable":true}'
ACTUAL:
undefined
| Attachments | ||
|---|---|---|
| Add attachment proposed patch, testcase, etc. |
Yusuke Suzuki
The following issue might be related to this issue.
var object = {
get 2() {
return 1;
},
set 2(value) {
throw new Error(2);
},
2: 2, // Throw new Error(2)
};
Is this expected behavior?
Yusuke Suzuki
The following code will fail with assertions.
(function () {
Object.defineProperty(Object.prototype, 0, {
get() {
print("Get");
},
set() {
print("Set");
}
});
var object = {
length: 5,
0: 0,
get 1() {
return 1;
},
set 1(value) {
throw new Error(2);
},
2: 2,
3: 3,
};
}());
Yusuke Suzuki
The following should throw an error, but don't.
Object.defineProperty(Object.prototype, 2, {
set: function () {
throw new Error("out");
}
});
var obj = {};
obj[2] = 'hello';
Yusuke Suzuki
Hm, it seems that current JSC has serious issues about indexed properties.
Yusuke Suzuki
(In reply to comment #1)
> The following issue might be related to this issue.
>
> var object = {
> get 2() {
> return 1;
> },
> set 2(value) {
> throw new Error(2);
> },
> 2: 2, // Throw new Error(2)
> };
>
> Is this expected behavior?
https://bugs.webkit.org/show_bug.cgi?id=145360 fixes it.
But the other 3 issues remain.
Yusuke Suzuki
Make the first step :D
https://bugs.webkit.org/show_bug.cgi?id=145360
And change it to meta bug.
Yusuke Suzuki
After investigating the issue, I found that storage type is accidentally changed.
I'll investigate more to fix it.
Yusuke Suzuki
https://bugs.webkit.org/show_bug.cgi?id=144252 this also fixes the one of the issue listed in this bug.
Yusuke Suzuki
(In reply to comment #2)
> The following code will fail with assertions.
>
> (function () {
> Object.defineProperty(Object.prototype, 0, {
> get() {
> print("Get");
> },
> set() {
> print("Set");
> }
> });
> var object = {
> length: 5,
> 0: 0,
> get 1() {
> return 1;
> },
> set 1(value) {
> throw new Error(2);
> },
> 2: 2,
> 3: 3,
> };
> }());
The remaining issue is this.
1. JSObject has 2 storage, vector and map. And map has 2 types, non-sparse and sparse (dictionary mode)
2. If the JSObject is the dictionary mode, there's no vector
3. If the map of the JSObject is non-sparse, there may be the vector. But the ranges of these storages are not overlapped.
4. And JSObject stores the accessor into the map that is not marked as the sparse.
5. But in the other place (like JSArray), they assume that the map does not contain the accessors if the map is not marked as the sparse.
The simplest solution is, "when storing the indexed accessor, always make the object the dictionary mode". But one concern is the performance regression.