| Summary: | [JSC] indexed property doesn't work well | | |
|---|---|---|---|
| Product: | WebKit | Reporter: | Yusuke Suzuki <ysuzuki> |
| Component: | JavaScriptCore | Assignee: | Nobody <webkit-unassigned> |
| Status: | NEW --- | | |
| Severity: | Normal | CC: | benjamin, darin, fpizlo, ggaren, joepeck, rniwa |
| Priority: | P2 | | |
| Version: | 528+ (Nightly build) | | |
| Hardware: | Unspecified | | |
| OS: | Unspecified | | |
| Bug Depends on: | 145360, 144252 | | |
| Bug Blocks: | | | |

Description
Yusuke Suzuki
2015-05-24 10:39:33 PDT
The following issue might be related to this issue.

```js
var object = {
    get 2() {
        return 1;
    },
    set 2(value) {
        throw new Error(2);
    },
    2: 2,  // Throw new Error(2)
};
```

Is this expected behavior?

The following code will fail with assertions.

```js
(function () {
    Object.defineProperty(Object.prototype, 0, {
        get() {
            print("Get");
        },
        set() {
            print("Set");
        }
    });
    var object = {
        length: 5,
        0: 0,
        get 1() {
            return 1;
        },
        set 1(value) {
            throw new Error(2);
        },
        2: 2,
        3: 3,
    };
}());
```

The following should throw an error, but doesn't.

```js
Object.defineProperty(Object.prototype, 2, {
    set: function () {
        throw new Error("out");
    }
});
var obj = {};
obj[2] = 'hello';
```

Hm, it seems that current JSC has serious issues with indexed properties.

(In reply to comment #1)
> The following issue might be related to this issue.
>
> var object = {
>     get 2() {
>         return 1;
>     },
>     set 2(value) {
>         throw new Error(2);
>     },
>     2: 2,  // Throw new Error(2)
> };
>
> Is this expected behavior?

https://bugs.webkit.org/show_bug.cgi?id=145360 fixes it. But the other 3 issues remain.

Make the first step :D
https://bugs.webkit.org/show_bug.cgi?id=145360
And change it to a meta bug.

After investigating the issue, I found that the storage type is accidentally changed. I'll investigate more to fix it.

https://bugs.webkit.org/show_bug.cgi?id=144252
This also fixes one of the issues listed in this bug.

(In reply to comment #2)
> The following code will fail with assertions.
>
> (function () {
>     Object.defineProperty(Object.prototype, 0, {
>         get() {
>             print("Get");
>         },
>         set() {
>             print("Set");
>         }
>     });
>     var object = {
>         length: 5,
>         0: 0,
>         get 1() {
>             return 1;
>         },
>         set 1(value) {
>             throw new Error(2);
>         },
>         2: 2,
>         3: 3,
>     };
> }());

The remaining issue is this.

1. JSObject has 2 storages, vector and map. And the map has 2 types, non-sparse and sparse (dictionary mode).
2. If the JSObject is in dictionary mode, there's no vector.
3. If the map of the JSObject is non-sparse, there may be a vector. But the ranges of these storages do not overlap.
4. And JSObject stores the accessor into a map that is not marked as sparse.
5. But in other places (like JSArray), they assume that the map does not contain accessors if the map is not marked as sparse.

The simplest solution is, "when storing the indexed accessor, always make the object the dictionary mode". But one concern is the performance regression.
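
The results ECMAScript 2015 specifies for the three snippets in this thread, written as a self-checking script. This is an added example, not code from the bug report or from WebKit's test suite; the function names are hypothetical, and counters replace the thread's `print` calls so that it runs outside the JSC shell.

```javascript
// Added example: expected ES2015 results for the three snippets in this thread.
// Helper and function names are hypothetical, not taken from WebKit's test suite.

// Install an indexed accessor on Object.prototype, run fn, then always remove it.
function withProtoAccessor(index, descriptor, fn) {
  Object.defineProperty(Object.prototype, index, { configurable: true, ...descriptor });
  try { return fn(); } finally { delete Object.prototype[index]; }
}

// Comment #1: a later data property in a literal redefines the accessor;
// the setter must not run.
function literalRedefinesAccessor() {
  let setterCalls = 0;
  const object = { get 2() { return 1; }, set 2(value) { setterCalls++; }, 2: 2 };
  const desc = Object.getOwnPropertyDescriptor(object, 2);
  return { value: object[2], isData: 'value' in desc, setterCalls };
}

// Comment #2: literal members are defined as own properties, so accessors
// inherited from Object.prototype are never consulted.
function literalIgnoresPrototypeAccessor() {
  let calls = 0; // plain counter: an array push would itself hit the index-0 setter
  return withProtoAccessor(0, { get() { calls++; }, set() { calls++; } }, () => {
    const object = {
      length: 5, 0: 0,
      get 1() { return 1; }, set 1(value) { throw new Error(2); },
      2: 2, 3: 3,
    };
    const values = `${object[0]},${object[1]},${object[2]},${object[3]},${object.length}`;
    return { values, calls };
  });
}

// Third snippet: plain assignment does walk the prototype chain, so it must
// reach the throwing setter and leave no own property behind.
function assignmentReachesPrototypeSetter() {
  return withProtoAccessor(2, { set() { throw new Error('out'); } }, () => {
    const obj = {};
    let message = 'no error';
    try { obj[2] = 'hello'; } catch (e) { message = e.message; }
    return { message, hasOwn: Object.prototype.hasOwnProperty.call(obj, 2) };
  });
}
```

The counter in the second check is deliberate: while an accessor sits at index 0 of `Object.prototype`, `push` on an empty array would invoke that setter.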