[Webkit-unassigned] [Bug 136961] New: JSC fails to check object property in prototype sometimes
bugzilla-daemon at webkit.org
Fri Sep 19 14:27:02 PDT 2014
https://bugs.webkit.org/show_bug.cgi?id=136961
Summary: JSC fails to check object property in prototype sometimes
Product: WebKit
Version: 528+ (Nightly build)
Platform: All
OS/Version: All
Status: NEW
Severity: Normal
Priority: P2
Component: JavaScriptCore
AssignedTo: webkit-unassigned at lists.webkit.org
ReportedBy: igor at kiselev.spb.ru
Created an attachment (id=238389)
--> (https://bugs.webkit.org/attachment.cgi?id=238389&action=review)
Test case for bug reproducing
Under certain conditions JSC fails to look in the prototype chain. I've attached a test case to reproduce this behavior. It uses JSIL libraries, but the example is pretty simple:
    function clone(kvp) {
        return kvp.MemberwiseClone();
    }

    function runMain() {
        // 40 calls on a KeyValuePair<Int32, String> instance
        var kvp = JSIL.CreateInstanceOfType(System.Collections.Generic.KeyValuePair$b2.Of($jsilcore.System.Int32, $jsilcore.System.String).__Type__);
        for (var i = 0; i < 40; i++) {
            clone(kvp);
        }
        // 2 more calls on a KeyValuePair<Int32, Int32> instance
        kvp = JSIL.CreateInstanceOfType(System.Collections.Generic.KeyValuePair$b2.Of($jsilcore.System.Int32, $jsilcore.System.Int32).__Type__);
        for (var i = 0; i < 2; i++) {
            clone(kvp);
        }
    }
JSIL calls runMain(), which calls the clone function 42 times. On the last call, the kvp.MemberwiseClone call fails with: "'undefined' is not a function". Nothing has been changed in the object on which it was called between the 41st and 42nd calls. Note: the previous 40 calls were on another object. If we lower the first cycle's upper bound from 40 to a lower value, the problem is not reproducible. Until recent changes in WebKit (before the Safari 7.1/8.0 release), the problem was reproducible even with 8 as the upper bound in the first cycle.
The problem is also not reproducible if the clone function is rewritten in the following form:
    function clone(kvp) {
        return kvp['MemberwiseClone']();
    }
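Added example, not part of the original report and not JSIL or WebKit code: a JSIL-free regression harness that runs the report's 40-then-2 call pattern through one call site, for both the dot and the bracket form, and lists every call that fails. The object layout (method on a shared base prototype) and all names are assumptions; on an engine that resolves the prototype chain correctly, every failures list is empty.

```javascript
// Added example: all names here are hypothetical stand-ins, not JSIL's API.
// Assumed layout: the method lives on a shared base prototype, one level
// above a per-type prototype, so every call must walk the prototype chain.
const base = {
  memberwiseClone() {
    return Object.assign(Object.create(Object.getPrototypeOf(this)), this);
  },
};

// Each call to makeType() yields a distinct "type" with its own prototype.
function makeType(fields) {
  const proto = Object.create(base);
  return () => Object.assign(Object.create(proto), fields);
}

// The two access forms compared in the report.
const DOT = 'return o.memberwiseClone();';
const BRACKET = "return o['memberwiseClone']();";

// Make `warm` calls on one receiver type, then `after` calls on a second
// type through the same call site, and record every call that fails.
function runSwitch(body, warm, after) {
  // Fresh function per run, so earlier runs have not warmed this call site.
  const clone = new Function('o', body);
  const first = makeType({ key: 1, value: 'one' })();   // constructed sample
  const second = makeType({ key: 1, value: 2 })();      // constructed sample
  const failures = [];
  let calls = 0;
  const attempt = (obj) => {
    calls++;
    try {
      const copy = clone(obj);
      if (Object.getPrototypeOf(copy) !== Object.getPrototypeOf(obj)) {
        failures.push({ call: calls, error: 'clone has wrong prototype' });
      }
    } catch (e) {
      failures.push({ call: calls, error: String(e) });
    }
  };
  for (let i = 0; i < warm; i++) attempt(first);
  for (let i = 0; i < after; i++) attempt(second);
  return { warm, calls, failures };
}

// Sweep warm-up counts: the report says the threshold moved between builds.
function sweep(body, warmCounts = [8, 40, 1000, 20000]) {
  return warmCounts.map((warm) => runSwitch(body, warm, 2));
}
```

A non-empty failures list gives the 1-based index of each failing call, which can be compared with the 42nd-call failure described in the report.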