[Webkit-unassigned] [Bug 33450] New: property access (. operator) incorrectly returning prototype value not instance value

bugzilla-daemon at webkit.org bugzilla-daemon at webkit.org
Sun Jan 10 08:41:25 PST 2010 

https://bugs.webkit.org/show_bug.cgi?id=33450

           Summary: property access (. operator) incorrectly returning
                    prototype value not instance value
           Product: WebKit
           Version: 312.x
          Platform: Macintosh Intel
        OS/Version: Mac OS X 10.6
            Status: UNCONFIRMED
          Severity: Critical
          Priority: P1
         Component: JavaScriptCore
        AssignedTo: webkit-unassigned at lists.webkit.org
        ReportedBy: ptw at pobox.com


Created an attachment (id=46233)
 --> (https://bugs.webkit.org/attachment.cgi?id=46233)
.zip file of application demonstrating bug in Safari Version 4.0.4 (6531.21.10)

We have a large/complex Javascript system that appears to be triggering a
(possibly storage or timing-dependent) error in the Javascript engine.  The
symptoms are that an object property is being accessed using the `.` operator
and the value being returned is _not_ the value in the object, but instead the
value in the object's __proto__.  If we replace the failing case by rewriting
`x.prop` to `x['prop']`, the code works as expected.  We have not been able to
create a small test case that exhibits this error.  We do see this error appear
in a number of applications generated by our system, but the error is not
always in the same location, and a test case that is failing in the current
Safari release Version 4.0.4 (6531.21.10), may not fail in the Webkit Nightly
build.

I have attached the smallest example that I can make as a .zip file.  If you
unpack the .zip file and open the .html within, it will halt on a null
dereference in the current Safari release.  It works correctly in Firefox.

The erroneous evaluation occurs in the file lps/includes/lfc/LFCdhtml.js on
line 667.  If the expression `$2.defaultplacement` is rewritten as
`$2['defaultplacement']`, then the application behaves correctly.

This same test application does _not_ fail in the current Webkit nightly
r52978, but we still see failures of a similar nature with other programs in
the nightly build, so I do not believe that this bug has been fixed, just that
it is an intermittent bug that is triggered by particular storage or timing
patterns.  I can try to create an additional test that demonstrates the failure
on the nightly build if that will help.

-- 
Configure bugmail: https://bugs.webkit.org/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are the assignee for the bug.

More information about the webkit-unassigned mailing list