| Summary: | [DOMJIT] Make getElementsByTagName Read/Write | ||
|---|---|---|---|
| Product: | WebKit | Reporter: | Yusuke Suzuki <ysuzuki> |
| Component: | JavaScriptCore | Assignee: | Yusuke Suzuki <ysuzuki> |
| Status: | NEW --- | ||
| Severity: | Normal | CC: | cdumez, fpizlo, rniwa, saam |
| Priority: | P2 | ||
| Version: | WebKit Nightly Build | ||
| Hardware: | Unspecified | ||
| OS: | Unspecified | ||
> Drop annotation
It means, we still have DOMJIT::Signature (this can effectively drop type checks).
But it has the effect that reads(World), writes(Heap).
On the other hand, element.childNode case, currently we clear the cache. But ideally, we should keep it alive. And in that case, we can annotate it as Node_childNodes. |
Basically, it caches the results. But if GC happens, the cache can be cleared. The following can happen. var c1 = document.getElementsByTagName('div'); var c2 = document.getElementsByTagName('div'); c1 === c2; // true c1.hello = 42; c1 = null; c2 = null; gc(); var c3 = document.getElementsByTagName('div'); c3.hello; // undefined So, while getElementById always returns the same object while DOMState is not changed, getElementsByTagName can return some different thing even if DOMState is not changed. So, now, let's make it safe. Drop annotation and make it read(World), write(Heap) in the meantime.