[webkit-help] Odd behavior with instrumentation of WebKit

Gregor Richards gkrichar at purdue.edu
Fri Mar 11 10:56:53 PST 2011


We maintain an instrumented branch of WebKit to do various dynamic measurements of JavaScript. One of our changes which should have no semantic effect on the behavior of JS is actually causing a visible change in the behavior of (at least) http://about.com/ . The visible difference is that the menus don't work, and the underlying reason seems to be that Array.prototype.slice is (rather inexplicably) being rewritten to undefined, causing further code to fail. I've worked the issue down to a single line, namely

baseValue.toObject(callFrame)->hasOwnProperty(callFrame, property);

A patch is attached giving context. This is under a baseValue.isObject() check, and this is simply a hasOwnProperty check (not getting the value, which could call a getter, or even using prototypes), so to my knowledge this should not affect the behavior of the program in any way. This line is of course useless on its own; it's just the culprit expression I've extracted from the rest of the instrumentation.

Is there a WebKit guru who can enlighten us on this odd behavior?

The patch is against WebKit r80431, but the behavior is the same on older versions. I haven't tried newer versions simply because our branch is synchronized on a weekly basis, but I don't expect that anything relevant has changed this week.

 - Gregor Richards

PS: I've sent this to the webkit-help at lists group rather than the webkit-dev at lists group since our patches really aren't relevant to send back upstream. If it makes more sense, I'll redirect this to that list.
-------------- next part --------------
A non-text attachment was scrubbed...
Name: webkit-hasownproperty-odd.diff
Type: text/x-patch
Size: 1258 bytes
Desc: not available
URL: <http://lists.webkit.org/pipermail/webkit-help/attachments/20110311/64a014fd/attachment.bin>

