[Webkit-unassigned] [Bug 95073] New: WindowShell and global registers break IC
bugzilla-daemon at webkit.org
Mon Aug 27 04:46:43 PDT 2012
https://bugs.webkit.org/show_bug.cgi?id=95073
Summary: WindowShell and global registers break IC
Product: WebKit
Version: 528+ (Nightly build)
Platform: Unspecified
OS/Version: Unspecified
Status: UNCONFIRMED
Severity: Normal
Priority: P2
Component: JavaScriptCore
AssignedTo: webkit-unassigned at lists.webkit.org
ReportedBy: utatane.tea at gmail.com
Scripts can add newly created JSGlobalObject register variables to JSGlobalObject.
But the JSGlobalObject structure does not reflect this change.
So if this variable hides a property of global.[[Prototype]] or an upper object, the IC fails to load the valid property.
For example,
// t001.js
Object.prototype.T = 3000; // point for proto IC
var global = this;
function test(len, func) {
  for (var i = 0; i < len; ++i) {
    func(global.T);
  }
}
test(100, function() { }); // make test function compiled by baseline JIT (for proto IC)
load('t002.js'); // make global register in other script
print(T); // of course, function defined in t002.js
print(global.T); // of course, function defined in t002.js
test(1, print); // Oops!

// t002.js
function T() { } // this should hide Object.prototype.T
and
$ jsc t001.js
And the window proxy (WindowShell) implementation is a simple proxy of JSGlobalObject.
But its structure doesn't reflect global variable changes. So this also breaks the IC (see appended test html).
To fix this, when a new global register is added, refresh the structure of JSGlobalObject and invalidate the IC.
And we should not cache the proxy lookup result.
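A toy model of the stale-cache behaviour described in this report, added here as an illustration; it is not JavaScriptCore code and not from the reporter. ModelGlobal, ProtoIC and runScenario are hypothetical names, and the numeric structure id is an assumed simplification of the structure check an IC performs.

```javascript
// Toy model (not JavaScriptCore code): objects carry a "structure" id that an
// inline cache (IC) compares before reusing a cached prototype-chain lookup.
let nextStructureId = 1;

class ModelGlobal {
  constructor(proto, refreshOnRegister) {
    this.proto = proto;               // stands in for global.[[Prototype]]
    this.registers = new Map();       // global variables stored as registers
    this.structure = nextStructureId++;
    this.refreshOnRegister = refreshOnRegister;
  }
  // Declaring a global function/var in a later script adds a register.
  addRegister(name, value) {
    this.registers.set(name, value);
    // The fix proposed in the report: give the object a new structure so
    // every IC that recorded the old one fails its check.
    if (this.refreshOnRegister) this.structure = nextStructureId++;
  }
  // Uncached lookup: own registers shadow the prototype.
  slowGet(name) {
    return this.registers.has(name) ? this.registers.get(name) : this.proto[name];
  }
}

// One call site's prototype IC: remembers "structure S => value lives on proto".
class ProtoIC {
  constructor(name) { this.name = name; this.cachedStructure = null; }
  get(obj) {
    if (obj.structure === this.cachedStructure) return obj.proto[this.name]; // fast path
    const value = obj.slowGet(this.name);
    // Cache only when the property was actually found on the prototype.
    this.cachedStructure = obj.registers.has(this.name) ? null : obj.structure;
    return value;
  }
}

function runScenario(refreshOnRegister) {
  const global = new ModelGlobal({ T: 3000 }, refreshOnRegister); // Object.prototype.T = 3000
  const ic = new ProtoIC("T");
  for (let i = 0; i < 100; ++i) ic.get(global);   // warm the IC, as test(100, ...) does
  const T = function T() {};
  global.addRegister("T", T);                     // what loading t002.js does
  return { viaIC: ic.get(global), viaSlowPath: global.slowGet("T"), T };
}
const stale = runScenario(false);
const fixed = runScenario(true);
console.log("no structure refresh:", stale.viaIC === stale.T ? "function T" : stale.viaIC);
console.log("structure refreshed: ", fixed.viaIC === fixed.T ? "function T" : fixed.viaIC);
```

Without the structure refresh the cached call site keeps returning the shadowed prototype value while the uncached lookup returns the new function, which is the mismatch `test(1, print)` exposes in the report.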