[Webkit-unassigned] [Bug 138038] New: iOS8 non-64bit optimized Object.create in 'use strict' context sometimes breaks.

bugzilla-daemon at webkit.org bugzilla-daemon at webkit.org
Thu Oct 23 21:13:06 PDT 2014 

https://bugs.webkit.org/show_bug.cgi?id=138038

            Bug ID: 138038
           Summary: iOS8 non-64bit optimized Object.create in 'use strict'
                    context sometimes breaks.
    Classification: Unclassified
           Product: WebKit
           Version: 528+ (Nightly build)
          Hardware: iOS
                OS: Other
            Status: NEW
          Severity: Critical
          Priority: P2
         Component: JavaScriptCore
          Assignee: webkit-unassigned at lists.webkit.org
          Reporter: stefan.penner at gmail.com

(iOS8 seems to be missing from the OS dropdown, so I labeled it as other).


It some that in sometimes (appears only when optimized, but not always) the new instance produced by `Object.create` somehow fails to be a proper instance, and setting properties results in a thrown exception.

Example:

```js
var a = Object.create(other);
a.foo = 1; // => throws: TypeError Attempted to assign to readonly property
```

Interestingly, if the exception is caught and `a` inspected: `a.__proto__.foo` was set to `5`, not `a.foo`

My suspicion is that it appears to be JIT related issue, as it manifests only in hot-sots and not specifically tied to any one occurrence of `Object.create`.


affected:
---------

iOS 8.1 (12B411) on iPhone 5.
iPhone 4S iOS 8 
iPhone 4
iPhone 5 Simulator
iPhone 5c iOS 8

not-affected:
-------------

iOS 8.0 (12A365) Simulator
iPhone 6 iOS8
iPhone 5s iOS 8
iPad Retina Mini iOS 8

Demo: 
-----

(unfortunately I was not able to isolated further)

http://emberjs.jsbin.com/vecuz/1/ all iOS 8 non-64bit devices
http://jsbin.com/kegiya/6 (one scenario patched, but another creeps up when the page is added to the home screen)

Workaround:
-----------

* remove 'use strict' from the context using the `Object.create`
* another option, although poor is to set build of the new object as a pojo, and then set __proto__ after the fact (https://github.com/emberjs/ember.js/issues/5629)

related issues:
---------------

http://stackoverflow.com/questions/25174594/typeerror-attempted-to-assign-to-readonly-property-on-ios8-safari
https://github.com/emberjs/ember.js/issues/5606
https://github.com/emberjs/ember.js/issues/5629 (same as above, one early workaround)
https://github.com/mozilla/pdf.js/issues/5341


Similar symptoms but I believe to not be the same:
-----------------------------------------
as our issue is specific to non-64bit architectures and doesn't appear to have anything to do with WebIDL
https://bugs.webkit.org/show_bug.cgi?id=49739
https://github.com/Polymer/platform/issues/66
https://github.com/uhop/dcl/issues/15
https://github.com/angular/angular.js/issues/9128
https://github.com/ibm-js/delite/issues/259

-- 
You are receiving this mail because:
You are the assignee for the bug.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.webkit.org/pipermail/webkit-unassigned/attachments/20141024/ee16dd8e/attachment-0002.html>

More information about the webkit-unassigned mailing list