Bug 23771

Summary: REGRESSION (r36016): JSObjectHasProperty freezes on global class without kJSClassAttributeNoAutomaticPrototype
Product: WebKit Reporter: laurent calburtin <laurent.calburtin>
Component: JavaScriptCoreAssignee: Cameron Zwarich (cpst) <zwarich>
Status: RESOLVED FIXED    
Severity: Normal CC: ggaren, oliver
Priority: P2 Keywords: HasReduction, InRadar, Regression
Version: 528+ (Nightly build)   
Hardware: All   
OS: All   
Attachments:
Description Flags
Proposed patch ggaren: review+

laurent calburtin
Reported 2009-02-05 14:08:01 PST
JSObjectHasProperty is stuck in an infinite loop with following code: static JSValueRef fn(JSContextRef ctx, JSObjectRef function, JSObjectRef thisObject, size_t argumentCount, const JSValueRef arguments[], JSValueRef* exception) { return 0; } static JSStaticFunction globalObject_staticFunctions[] = { { "fn", fn, kJSPropertyAttributeNone }, { 0, 0, 0 } }; static void freeze() { JSClassDefinition globalObjectClassDefinition = kJSClassDefinitionEmpty; globalObjectClassDefinition.staticFunctions = globalObject_staticFunctions; JSClassRef globalObjectClass = JSClassCreate( &globalObjectClassDefinition); JSGlobalContextRef context = JSGlobalContextCreateInGroup(NULL, globalObjectClass); JSStringRef propName = JSStringCreateWithUTF8CString("name"); JSObjectHasProperty( context, JSContextGetGlobalObject(context), propName); } Adding the attribute kJSClassAttributeNoAutomaticPrototype to the global class definition solves the problem. Note that JSObjectSetProperty is also stuck without the attribute because it internally calls the same code as JSObjectHasProperty. Also note that JSObjectHasProperty from MacOSX10.5 webkit framework doesn't get stuck.
Attachments
Proposed patch (697 bytes, patch)
2009-03-19 16:26 PDT, Cameron Zwarich (cpst) 		ggaren: review+
DetailsFormatted DiffDiff
View All Add attachment proposed patch, testcase, etc.
Geoffrey Garen
Comment 1 2009-02-05 14:50:51 PST
<rdar://problem/6561016>
Oliver Hunt
Comment 2 2009-02-09 23:16:19 PST
For some reason the global object's prototype gets itself as its prototype :-/
Cameron Zwarich (cpst)
Comment 3 2009-03-19 00:58:25 PDT
I'll take this bug.
Cameron Zwarich (cpst)
Comment 4 2009-03-19 04:09:35 PDT
This regressed with r36016, the first inline caching patch: http://trac.webkit.org/changeset/36016
Cameron Zwarich (cpst)
Comment 5 2009-03-19 16:26:32 PDT
Created attachment 28769 [details] Proposed patch Here's a fix. I'll add a test to testapi for this.
Geoffrey Garen
Comment 6 2009-03-19 16:48:02 PDT
Comment on attachment 28769 [details] Proposed patch r=me
Cameron Zwarich (cpst)
Comment 7 2009-03-19 17:04:38 PDT
Landed in r41846 with a test added to testapi.
Note You need to log in before you can comment on or make changes to this bug.