[Webkit-unassigned] [Bug 161534] Regression(r197648): JSObject::setPrototypeWithCycleCheck() allows for cycles but the rest of the code base does not

bugzilla-daemon at webkit.org bugzilla-daemon at webkit.org
Fri Sep 2 12:25:05 PDT 2016


https://bugs.webkit.org/show_bug.cgi?id=161534

--- Comment #1 from Saam Barati <sbarati at apple.com> ---
(In reply to comment #0)
> JSObject::setPrototypeWithCycleCheck() allows for cycles but the rest of the
> code base does not deal properly with cycles.
> 
> This is because of the following check that was added:
> if (UNLIKELY(asObject(nextPrototype)->methodTable(vm)->getPrototype !=
> defaultGetPrototype)) 
>   break;
> 
> This was added to match the EcmaScript spec:
> - https://tc39.github.io/ecma262/#sec-ordinarysetprototypeof (step 8)
> 
> However, if you create a cycle, we end up with an infinite loop later on
> under:
> Structure::anyObjectInChainMayInterceptIndexedAccesses()
> 
> This is likely not the only place we traverse the prototype chain and expect
> there is no cycle.
> 
> I noticed this when running
> html/browsers/history/the-location-interface/
> allow_prototype_cycle_through_location.sub.html with the patch for Bug
> 161455 applied.

Yeah, we should teach the rest of the engine that it's OK to have cycles
in the "getPrototypeDirect" chain.
Currently, inside JSC itself, this will never happen. However, I guess we need to
teach it this w.r.t. the HTML spec.

-- 
You are receiving this mail because:
You are the assignee for the bug.
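The following is an added illustration, not WebKit/JSC code and not part of the bug thread. It is a small JavaScript model of the ECMAScript OrdinarySetPrototypeOf algorithm referenced above (step 8), showing how the early exit for an object with a non-default [[GetPrototypeOf]] (the `getPrototype != defaultGetPrototype` check quoted in comment #0) lets a prototype cycle through the cycle check, and why a later "walk until null" traversal such as the one described for Structure::anyObjectInChainMayInterceptIndexedAccesses() then never terminates unless it is made cycle-aware. The object names A, X and B, the `ordinaryGetPrototype` flag and the step cap are constructed for the example.

```javascript
// Added example (not WebKit code): a model of ECMAScript
// OrdinarySetPrototypeOf, https://tc39.github.io/ecma262/#sec-ordinarysetprototypeof,
// and of two styles of prototype-chain walk on the resulting chain.

// Model objects. `proto` stands in for the [[Prototype]] slot;
// `ordinaryGetPrototype` is true for ordinary objects and false for an
// "exotic" object whose [[GetPrototypeOf]] is not the ordinary one
// (assumed simplification of the engine's getPrototype != defaultGetPrototype test).
function makeObj(name, ordinaryGetPrototype = true) {
  return { name, proto: null, ordinaryGetPrototype, extensible: true };
}

// OrdinarySetPrototypeOf(O, V). Returns true on success, false when O is
// non-extensible or when the step-8 loop finds that V's chain leads back to O.
function ordinarySetPrototypeOf(O, V) {
  if (O.proto === V) return true;          // step 4: SameValue(V, current)
  if (!O.extensible) return false;         // step 5
  let p = V;                               // step 6
  let done = false;                        // step 7
  while (!done) {                          // step 8
    if (p === null) {
      done = true;                         // 8.a
    } else if (p === O) {
      return false;                        // 8.b: a cycle was found
    } else if (!p.ordinaryGetPrototype) {
      done = true;                         // 8.c.i: exotic [[GetPrototypeOf]]; stop checking here
    } else {
      p = p.proto;                         // 8.c.ii: follow the ordinary chain
    }
  }
  O.proto = V;                             // step 9
  return true;
}

// A chain walk written the way most engine code is: follow proto until null.
// On a cyclic chain this never finishes, so the model caps the iterations
// and reports whether the cap was hit instead of hanging.
function naiveChainWalk(start, maxSteps = 1000) {
  let steps = 0;
  for (let p = start; p !== null; p = p.proto) {
    if (++steps > maxSteps) return { terminated: false, steps };
  }
  return { terminated: true, steps };
}

// A cycle-tolerant walk: remember every object already visited.
function cycleAwareChainWalk(start) {
  const seen = new Set();
  const names = [];
  for (let p = start; p !== null; p = p.proto) {
    if (seen.has(p)) return { cyclic: true, names };
    seen.add(p);
    names.push(p.name);
  }
  return { cyclic: false, names };
}

// Scenario 1: only ordinary objects. A -> B, then B -> A is rejected at 8.b.
function ordinaryCycleRejected() {
  const A = makeObj('A');
  const B = makeObj('B');
  ordinarySetPrototypeOf(A, B);
  return ordinarySetPrototypeOf(B, A) === false;
}

// Scenario 2: an exotic object X sits in the middle of the chain.
// A -> X -> B; then B -> A is accepted, because the step-8 loop reaches X,
// sees a non-ordinary [[GetPrototypeOf]] and stops looking before it finds B.
// The result is the loop A -> X -> B -> A.
function exoticCycleAllowed() {
  const A = makeObj('A');
  const X = makeObj('X', false);           // exotic: non-default [[GetPrototypeOf]]
  const B = makeObj('B');
  X.proto = B;                             // wired directly; X's own [[SetPrototypeOf]] is not modelled
  ordinarySetPrototypeOf(A, X);            // p = X is exotic -> accepted
  const accepted = ordinarySetPrototypeOf(B, A); // p = A, then p = X (exotic) -> accepted
  return {
    accepted,
    naive: naiveChainWalk(A),              // would loop forever without the cap
    aware: cycleAwareChainWalk(A),         // detects the cycle after A, X, B
  };
}

// Stand-alone run: print both scenarios.
console.log('ordinary cycle rejected:', ordinaryCycleRejected());
console.log('exotic cycle:', JSON.stringify(exoticCycleAllowed()));
```

The model only shows the shape of the problem: once the spec permits a cycle through an exotic object, every prototype-chain loop in the engine that assumes "follow proto until null" needs either a visited set, as in cycleAwareChainWalk, or some other termination guarantee.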