132872 2014-05-13 10:30:03 -0700 Getter on prototype is called even though property is also defined on instance 2014-10-28 14:49:34 -0700 1 1 1 Unclassified WebKit JavaScriptCore 528+ (Nightly build) Mac (Intel) OS X 10.9 NEW P2 Normal --- 1 sebastian webkit-unassigned barraclough fpizlo kildyt mhahnenberg oliver trev zan oldest_to_newest 1008988 0 sebastian 2014-05-13 10:30:03 -0700 If you define a getter on the prototype and cache its value by defining a property with the same name on the instance, sometimes the getter is called a second time, when the property is accessed. This can be reproduced on Safari 7.0.3 with the attached HTML page. A "TypeError: Attempting to change value of a readonly property" is thrown when the getter is called the second time and calls Object.defineProperty() again. The expected behavior would be that the getter is executed only once per instance. 1008989 1 231392 sebastian 2014-05-13 10:31:01 -0700 Created attachment 231392 test case 1009027 2 trev 2014-05-13 11:40:41 -0700 Note that the issue only happens if there are at least 9 objects created (the testcase creates 1000 of them, just in case). It seems that the issue here is a wrong optimization when the JIT compiler processes method Class.bar() - it will call the getter on the prototype directly, without checking whether the same property exists on the object instance. The issue is only reproducible in Safari, neither Firefox nor Chrome show this behavior. 1009042 3 oliver 2014-05-13 12:30:30 -0700 getter cache misoptimization? 231392 2014-05-13 10:31:01 -0700 2014-05-13 10:31:01 -0700 test case url.txt text/plain 82 sebastian aHR0cHM6Ly9pc3N1ZXMuYWRibG9ja3BsdXMub3JnL3Jhdy1hdHRhY2htZW50L3RpY2tldC80MTkv cHJvcGVydHlfcGVyc2lzdGFuY2UuaHRtbA==