[Webkit-unassigned] [Bug 164372] New: [DOMJIT] Make getElementsByTagName Read/Write
bugzilla-daemon at webkit.org
Thu Nov 3 11:25:19 PDT 2016
https://bugs.webkit.org/show_bug.cgi?id=164372
Bug ID: 164372
Summary: [DOMJIT] Make getElementsByTagName Read/Write
Classification: Unclassified
Product: WebKit
Version: WebKit Nightly Build
Hardware: Unspecified
OS: Unspecified
Status: NEW
Severity: Normal
Priority: P2
Component: JavaScriptCore
Assignee: webkit-unassigned at lists.webkit.org
Reporter: utatane.tea at gmail.com
Basically, it caches the results. But if GC happens, the cache can be cleared.
The following can happen.
var c1 = document.getElementsByTagName('div');
var c2 = document.getElementsByTagName('div');
c1 === c2; // true
c1.hello = 42;
c1 = null;
c2 = null;
gc();
var c3 = document.getElementsByTagName('div');
c3.hello; // undefined
So, while getElementById always returns the same object as long as DOMState is not changed,
getElementsByTagName can return something different even if DOMState is not changed.
So, now, let's make it safe. Drop the annotation and make it read(World), write(Heap) in the meantime.
--
You are receiving this mail because:
You are the assignee for the bug.
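
The reasoning in the report, as an added toy model (not code from the bug report or from JavaScriptCore): a result-reuse pass that trusts an annotation saying the call reads only DOMState carries the old collection across gc(), so the optimized run sees `hello === 42` while the plain run sees `undefined`; with read(World), write(Heap) the two runs agree. All class, function and field names are hypothetical.

```javascript
// Toy model: all names here are hypothetical, not JavaScriptCore's.
class ToyDocument {
  constructor() { this.cache = new Map(); }
  getElementsByTagName(tag) { // returns a cached collection, as in the report
    if (!this.cache.has(tag)) this.cache.set(tag, { tag });
    return this.cache.get(tag);
  }
  collectGarbage() { this.cache.clear(); } // models GC clearing the cache
}

// The report's sequence, reduced to one variable before and one after gc().
const program = [
  { op: 'call', dst: 'c1' },
  { op: 'setHello', src: 'c1', value: 42, writes: 'Heap' },
  { op: 'drop', dst: 'c1' },
  { op: 'gc', writes: 'Heap' },
  { op: 'call', dst: 'c3' },
  { op: 'getHello', src: 'c3' },
];

// A write to heap `w` invalidates a cached result that reads heap `r`.
const clobbers = (w, r) => r === 'World' || w === r;

// Executes the program; with `reuse` on, a later call takes an earlier call's
// result unless an op in between wrote a heap the annotation says it reads.
function run(annotation, reuse) {
  const doc = new ToyDocument();
  const vars = {};
  let available = null;
  let observed;
  for (const ins of program) {
    if (ins.op === 'call') {
      vars[ins.dst] = (reuse && available) || doc.getElementsByTagName('div');
      // A call that declares writes is never a reuse candidate.
      available = annotation.writes ? null : vars[ins.dst];
    } else if (ins.op === 'setHello') vars[ins.src].hello = ins.value;
    else if (ins.op === 'drop') vars[ins.dst] = null;
    else if (ins.op === 'gc') doc.collectGarbage();
    else if (ins.op === 'getHello') observed = vars[ins.src].hello;
    if (ins.writes && clobbers(ins.writes, annotation.reads)) available = null;
  }
  return observed;
}

const domStateOnly = { reads: 'DOMState', writes: null };  // annotation being dropped
const worldAndHeap = { reads: 'World', writes: 'Heap' };   // annotation proposed in the report
```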