16644 2007-12-28 11:42:16 -0800 REGRESSION (r28880-r28886): Global variable access 2008-04-03 12:48:52 -0700 1 1 1 Unclassified WebKit JavaScriptCore 528+ (Nightly build) All All RESOLVED FIXED http://netvibes.com/ InRadar, NeedsReduction, Regression P1 Major --- 1 woody.gilk ggaren abarth cameowood collinj ddkilzer dev+webkit eric ggaren jon nvdtech oliver sam sdimitrovski oldest_to_newest 65476 0 woody.gilk 2007-12-28 11:42:16 -0800 If you visit netvibes.com with WebKit, r28886 or later, it will cause 3 JS "TypeError: value undefined" errors. This regression is not present in r28880 and earlier. 65660 1 ddkilzer 2007-12-29 19:30:19 -0800 The bisect-builds script reports: Works: r28880 Fails: r28886 Revision r28884 looks most suspicious. http://trac.webkit.org/projects/webkit/changeset/28884 65662 2 ddkilzer 2007-12-29 19:31:15 -0800 <rdar://problem/5665251> 65679 3 ddkilzer 2007-12-29 21:32:58 -0800 The initial "TypeError: value undefined" error occurs on this statement: HTMLElement.prototype.htmlElement=function(){}; The cause is that HTMLElement.prototype is undefined. HTMLElement is defined as this when the statement is run: function () { } 65681 4 18176 ddkilzer 2007-12-29 21:49:52 -0800 Created attachment 18176 Reduction This is a reduction of the original JavaScript from the web site. With Safari 3.0.4 (523.12.2) with original WebKit on Mac OS X 10.4.11 (8S165), loading the test case, then loading this URL: javascript:alert(HTMLElement) Produces: [object HTMLElementConstructor] And thus the code in the if() statement never runs. 65682 5 ddkilzer 2007-12-29 21:51:51 -0800 (In reply to comment #4) > With Safari 3.0.4 (523.12.2) with original WebKit on Mac OS X 10.4.11 (8S165), > loading the test case, then loading this URL: > > javascript:alert(HTMLElement) > > Produces: > > [object HTMLElementConstructor] > > And thus the code in the if() statement never runs. Ignore that. The local debug build of WebKit r29032 does this as well. The issue lies somewhere else. 65684 6 18177 ddkilzer 2007-12-29 22:00:08 -0800 Created attachment 18177 Better reduction If the "var HTMLElement = function(){};" statement is removed (or commented out), the test passes. However, having that statement inside the if() block causes the if() condition to return true, which I find to be completely bizarre. 65687 7 oliver 2007-12-29 22:29:50 -0800 This is almost certainly due to r28884 As an educated guess the problem is like to be that in: if (typeof HTMLElement == 'undefined') { var HTMLElement=function(){}; document.write("FAIL"); } else { document.write("PASS"); } the references to HTMLElement are replaced with fast indexed lookups into the symbol table, however when the symbol table is initialised it does not allow for the potential for these variables to be present on the global object, and just assumes that they are all undefined by default.I would guess that the fix would be to have the global symbol table be initalised from the values in the global object if there are any attempts to shadow any of the ghlobal objects properties. 65759 8 ddkilzer 2007-12-30 09:43:47 -0800 The Netvibes site uses Mootools v1.11 as well. See Bug 16605 and Bug 16679. 66031 9 ddkilzer 2008-01-02 07:37:13 -0800 *** Bug 16702 has been marked as a duplicate of this bug. *** 66848 10 dev+webkit 2008-01-10 17:38:17 -0800 This broke Lively Kernel as well - http://research.sun.com/projects/lively/index.xhtml 66919 11 ggaren 2008-01-11 09:58:22 -0800 Great diagnosis, Oliver and Dave. I think it would be best not to make an entry in the symbol table at all. In order to make an entry, you would need to know (a) that the existing property was DontDelete and (b) that it was a permanent property, and not any of the many global properties that come and go and return different values at different times. Maybe we can figure out how to optimize this case down the line, though. 66924 12 mrowe 2008-01-11 10:30:55 -0800 *** Bug 16813 has been marked as a duplicate of this bug. *** 66958 13 ggaren 2008-01-11 13:16:31 -0800 This is a very challenging bug. FF does what I suggested in Comment #11. IE 6 & 7, though, match current TOT, while Opera is somewhere in the middle. It's not clear what correct behavior would be, but I tend to prefer IE's behavior. 66959 14 oliver 2008-01-11 13:25:45 -0800 (In reply to comment #13) > This is a very challenging bug. FF does what I suggested in Comment #11. IE 6 & > 7, though, match current TOT, while Opera is somewhere in the middle. It's not > clear what correct behavior would be, but I tend to prefer IE's behavior. > Remember to check the lively kernel when fixing this :D 66960 15 ddkilzer 2008-01-11 13:54:46 -0800 (In reply to comment #13) > This is a very challenging bug. FF does what I suggested in Comment #11. IE 6 & > 7, though, match current TOT, while Opera is somewhere in the middle. It's not > clear what correct behavior would be, but I tend to prefer IE's behavior. Does Brendan Eich have a bugs.w.o account? ;) On a more serious note, perhaps he hangs out on one of the Mozilla IRC channels on irc.freenode.net? 67009 16 ggaren 2008-01-11 23:20:45 -0800 Committed revision 29428. 67045 17 ddkilzer 2008-01-12 10:52:16 -0800 *** Bug 16605 has been marked as a duplicate of this bug. *** 67047 18 ddkilzer 2008-01-12 10:56:55 -0800 *** Bug 16679 has been marked as a duplicate of this bug. *** 76257 19 eric 2008-04-03 12:48:52 -0700 Ick. FF's behavior seems poor here. Ours is even worse (since we seem to silently fail instead of throwing an exception). CCing myself with the intention of at least re-writing these tests to use the modern JS testing framework so that they run in FF and we can confirm that our behavior matches (which I'm not sure it does 100%). 18176 2007-12-29 21:49:52 -0800 2007-12-29 22:00:08 -0800 Reduction bug-16644-test.html text/html 298 ddkilzer PHNjcmlwdD4Kd2luZG93LndlYmtpdCA9IHRydWU7CmlmKHR5cGVvZiBIVE1MRWxlbWVudD09J3Vu ZGVmaW5lZCcpewogICAgdmFyIEhUTUxFbGVtZW50PWZ1bmN0aW9uKCl7fTsKICAgIGlmKHdpbmRv dy53ZWJraXQpZG9jdW1lbnQuY3JlYXRlRWxlbWVudCgiaWZyYW1lIik7CiAgICBIVE1MRWxlbWVu dC5wcm90b3R5cGU9KHdpbmRvdy53ZWJraXQpP3dpbmRvd1siW1tET01FbGVtZW50LnByb3RvdHlw ZV1dIl06e307Cn0KSFRNTEVsZW1lbnQucHJvdG90eXBlLmh0bWxFbGVtZW50PWZ1bmN0aW9uKCl7 fTsKPC9zY3JpcHQ+Cg== 18177 2007-12-29 22:00:08 -0800 2007-12-29 22:00:08 -0800 Better reduction bug-16644-test-v2.html text/html 161 ddkilzer PHNjcmlwdD4KaWYgKHR5cGVvZiBIVE1MRWxlbWVudCA9PSAndW5kZWZpbmVkJykgewogICAgdmFy IEhUTUxFbGVtZW50PWZ1bmN0aW9uKCl7fTsKICAgIGRvY3VtZW50LndyaXRlKCJGQUlMIik7Cn0g ZWxzZSB7CiAgICBkb2N1bWVudC53cml0ZSgiUEFTUyIpOwp9Cjwvc2NyaXB0Pgo=