[Webkit-unassigned] [Bug 145358] [JSC] indexed property doesn't work well

bugzilla-daemon at webkit.org bugzilla-daemon at webkit.org
Tue Aug 11 23:57:32 PDT 2015


https://bugs.webkit.org/show_bug.cgi?id=145358

--- Comment #9 from Yusuke Suzuki <utatane.tea at gmail.com> ---
(In reply to comment #2)
> The following code will fail with assertions.
> 
> (function () {
>     Object.defineProperty(Object.prototype, 0, {
>         get() {
>             print("Get");
>         },
>         set() {
>             print("Set");
>         }
>     });
>     var object = {
>         length: 5,
>         0: 0,
>         get 1() {
>             return 1;
>         },
>         set 1(value) {
>             throw new Error(2);
>         },
>         2: 2,
>         3: 3,
>     };
> }());

The remaining issue is this.

1. JSObject has 2 storages, vector and map. And map has 2 types, non-sparse and sparse (dictionary mode).
2. If the JSObject is in the dictionary mode, there's no vector.
3. If the map of the JSObject is non-sparse, there may be the vector. But the ranges of these storages do not overlap.
4. And JSObject stores the accessor into the map that is not marked as sparse.
5. But in the other places (like JSArray), they assume that the map does not contain the accessors if the map is not marked as sparse.

The simplest solution is, "when storing the indexed accessor, always make the object the dictionary mode". But one concern is the performance regression.
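The following is an added example, not code from the bug report or from JavaScriptCore. It states, in plain JavaScript that runs in any engine (e.g. node), the observable behaviour that the storage split described above must preserve: an indexed accessor sitting between dense data indices has to be honoured by ordinary reads and writes and by array-likes walked through Array.prototype methods, and a hole in own storage has to fall through to an indexed accessor on the prototype. It pollutes no shared prototype (a private prototype object stands in for the Object.prototype case of the report), and the index 1000 used as a "far away" sparse entry and all logged strings are constructed for the example.

```javascript
// Build an object whose indexed properties mix data and accessors.
// Indices 0, 2, 3 are data; index 1 is a getter/setter pair; index 1000
// is far outside any plausible dense range. `log` records accessor calls.
function buildMixedObject(log) {
  const object = {
    length: 5,
    0: 0,
    get 1() { log.push('get 1'); return 1; },
    set 1(value) { log.push('set 1=' + value); },
    2: 2,
    3: 3,
  };
  // Constructed sparse entry: an accessor far from the dense indices.
  Object.defineProperty(object, 1000, {
    get() { log.push('get 1000'); return 1000; },
    enumerable: true,
    configurable: true,
  });
  return object;
}

// Exercise own-property reads and writes across the data/accessor boundary.
function exerciseIndexedAccess() {
  const log = [];
  const object = buildMixedObject(log);
  const v0 = object[0];            // plain data index, no accessor involved
  const v1 = object[1];            // accessor index: getter must run
  object[1] = 42;                  // accessor index: setter must run, no data slot created
  const v2 = object[2];            // data index still intact after the accessor was hit
  const v1000 = object[1000];      // far-away index served from sparse storage
  // Array.prototype.slice walks 0..3 via [[Get]], so the index-1 getter runs again.
  const sliced = Array.prototype.slice.call(object, 0, 4);
  // The own descriptor of index 1 must still report an accessor, not a data property.
  const desc = Object.getOwnPropertyDescriptor(object, 1);
  return {
    v0, v1, v2, v1000, sliced,
    isAccessor: typeof desc.get === 'function' && typeof desc.set === 'function',
    log,
  };
}

// A hole in own indexed storage must fall through to an indexed accessor on
// the prototype, and assignment must hit the inherited setter rather than
// creating an own data property.
function exercisePrototypeAccessor() {
  const log = [];
  const proto = {};                // stands in for Object.prototype in the report
  Object.defineProperty(proto, 4, {
    get() { log.push('proto get 4'); return 'from-proto'; },
    set(value) { log.push('proto set 4=' + value); },
    configurable: true,
  });
  const object = Object.create(proto);
  object[0] = 'own0';
  object.length = 5;
  const v4 = object[4];            // index 4 is a hole: prototype getter answers
  object[4] = 'x';                 // prototype setter intercepts the write
  const hasOwn4 = Object.prototype.hasOwnProperty.call(object, 4);
  return { v4, hasOwn4, log };
}

console.log(JSON.stringify(exerciseIndexedAccess()));
console.log(JSON.stringify(exercisePrototypeAccessor()));
```

Each returned field is something an engine could get wrong if an accessor is placed in storage that another code path treats as data-only: a wrong `v1`, a `sliced` array that skips the getter, `isAccessor` false, or `hasOwn4` true would each point at exactly the kind of mismatch the comment describes.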
