<html>
<head>
<base href="https://bugs.webkit.org/" />
</head>
<body><table border="1" cellspacing="0" cellpadding="8">
<tr>
<th>Bug ID</th>
<td><a class="bz_bug_link
bz_status_NEW "
title="NEW - JSGlobalObject::addFunction should call deleteProperty rather than removeDirect"
href="https://bugs.webkit.org/show_bug.cgi?id=158295">158295</a>
</td>
</tr>
<tr>
<th>Summary</th>
<td>JSGlobalObject::addFunction should call deleteProperty rather than removeDirect
</td>
</tr>
<tr>
<th>Classification</th>
<td>Unclassified
</td>
</tr>
<tr>
<th>Product</th>
<td>WebKit
</td>
</tr>
<tr>
<th>Version</th>
<td>WebKit Nightly Build
</td>
</tr>
<tr>
<th>Hardware</th>
<td>Unspecified
</td>
</tr>
<tr>
<th>OS</th>
<td>Unspecified
</td>
</tr>
<tr>
<th>Status</th>
<td>NEW
</td>
</tr>
<tr>
<th>Severity</th>
<td>Normal
</td>
</tr>
<tr>
<th>Priority</th>
<td>P2
</td>
</tr>
<tr>
<th>Component</th>
<td>JavaScriptCore
</td>
</tr>
<tr>
<th>Assignee</th>
<td>webkit-unassigned@lists.webkit.org
</td>
</tr>
<tr>
<th>Reporter</th>
<td>barraclough@apple.com
</td>
</tr></table>
<p>
<div>
<pre>The fact we're calling removeDirect here means that there is dependency that JSGlobalObject symbol table properties mush have higher precedence than JSDOMWindow static properties. As a part of cleaning up & encapsulating static table lookup within JSObject (<a class="bz_bug_link
bz_status_NEW "
title="NEW - Deprecate remaining uses of Lookup getStatic*, use HasStaticPropertyTable instead."
href="show_bug.cgi?id=158178">bug #158178</a>) this order is going to change; reacting to be able to support this.
When program code is executed, and that program code declares functions, upon entry symbol table entries on the global object are created for those functions. Any conflicting existing properties are removed from the global object's property storage. There should not ever be duplicate entries in property storage and the symbol table. However because we currently use removeDirect to remove conflicts, this fails to delete any copies of the property in the static table (deleteProperty would).
Precedence of property lookup for global objects is currently something like:
1) JSObject property storage array
2) JSObject static property map
3) JSGlobalObject static property map
4) Symbol table
5) JSDOMWindow static property map
We get away with failing to remove entries from static tables because (a) currently neither JSObject nor JSGlobalObject actually have any static table properties, and (b) since symbol table lookup currently takes precedence over the JSDOMWindow static table we get away with leaving a stale value in it.
As a part of <a class="bz_bug_link
bz_status_NEW "
title="NEW - Deprecate remaining uses of Lookup getStatic*, use HasStaticPropertyTable instead."
href="show_bug.cgi?id=158178">bug #158178</a> access order will be more like:
1) JSObject property storage array
2) JSDOMWindow static property map
3) JSGlobalObject static property map
4) JSObject static property map
5) Symbol table
(Static table properties performed at a consistent time, and with most derived type having greatest precedence such that it can override values.) Post <a class="bz_bug_link
bz_status_NEW "
title="NEW - Deprecate remaining uses of Lookup getStatic*, use HasStaticPropertyTable instead."
href="show_bug.cgi?id=158178">bug #158178</a>, this issue will have testing coverage from existing tests (e.g. fast/encoding/parser-tests-50.html replaces alert).</pre>
</div>
</p>
<hr>
<span>You are receiving this mail because:</span>
<ul>
<li>You are the assignee for the bug.</li>
</ul>
</body>
</html>