Bug 23771

Summary: REGRESSION (r36016): JSObjectHasProperty freezes on global class without kJSClassAttributeNoAutomaticPrototype
Product: WebKit
Reporter: laurent calburtin <laurent.calburtin>
Component: JavaScriptCore
Assignee: Cameron Zwarich (cpst) <zwarich>
Status: RESOLVED FIXED
Severity: Normal
CC: ggaren, oliver
Priority: P2
Keywords: HasReduction, InRadar, Regression
Version: 528+ (Nightly build)
Hardware: All
OS: All
Attachments: Proposed patch (flags: ggaren: review+)

Description laurent calburtin 2009-02-05 14:08:01 PST
JSObjectHasProperty is stuck in an infinite loop with the following code:

#include <stddef.h>
#include <JavaScriptCore/JavaScriptCore.h>

/* Trivial native function exposed on the global object as the static function "fn". */
static JSValueRef fn(JSContextRef ctx, JSObjectRef function, JSObjectRef thisObject, size_t argumentCount, const JSValueRef arguments[], JSValueRef* exception)
{
    return 0;
}

static JSStaticFunction globalObject_staticFunctions[] = {
    { "fn", fn, kJSPropertyAttributeNone },
    { 0, 0, 0 }
};

static void freeze(void)
{
    /* Global class with static functions but without kJSClassAttributeNoAutomaticPrototype. */
    JSClassDefinition globalObjectClassDefinition = kJSClassDefinitionEmpty;
    globalObjectClassDefinition.staticFunctions = globalObject_staticFunctions;
    JSClassRef globalObjectClass = JSClassCreate(&globalObjectClassDefinition);
    JSGlobalContextRef context = JSGlobalContextCreateInGroup(NULL, globalObjectClass);
    JSStringRef propName = JSStringCreateWithUTF8CString("name");

    /* Never returns on the regressed build: the prototype chain walk loops forever. */
    JSObjectHasProperty(context, JSContextGetGlobalObject(context), propName);

    /* Cleanup, only reached on a build without the regression. */
    JSStringRelease(propName);
    JSGlobalContextRelease(context);
    JSClassRelease(globalObjectClass);
}

Adding the attribute kJSClassAttributeNoAutomaticPrototype to the global class definition solves the problem.

Note that JSObjectSetProperty is also stuck without the attribute because it internally calls the same code as JSObjectHasProperty.
Also note that JSObjectHasProperty from the Mac OS X 10.5 WebKit framework doesn't get stuck.
Comment 1 Geoffrey Garen 2009-02-05 14:50:51 PST
<rdar://problem/6561016>
Comment 2 Oliver Hunt 2009-02-09 23:16:19 PST
For some reason the global object's prototype gets itself as its prototype :-/
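A small C model, added here and not JavaScriptCore's code, of the prototype-chain walk behind JSObjectHasProperty: with the prototype pointing at itself, as the comment above describes, an unguarded walk never terminates, while a Floyd-style guarded walk reports the cycle instead. The ObjModel struct, its property table and the function names are constructed for this illustration.

```c
#include <string.h>
/* Constructed model (not JavaScriptCore's layout): property table plus prototype link. */
typedef struct ObjModel {
    const char *props[4];          /* own property names, NULL-terminated */
    struct ObjModel *prototype;    /* next object on the prototype chain */
} ObjModel;

static int has_own(const ObjModel *o, const char *name)
{
    for (size_t i = 0; i < 4 && o->props[i]; i++)
        if (strcmp(o->props[i], name) == 0) return 1;
    return 0;
}

/* Unguarded walk: never terminates if a prototype points back at itself (the reported hang). */
static int has_property_unguarded(const ObjModel *o, const char *name)
{
    for (; o; o = o->prototype)
        if (has_own(o, name)) return 1;
    return 0;
}

/* Guarded walk: Floyd's tortoise (slow) moves every other step behind the hare (o).
 * Returns 1 if found, 0 if absent, -1 if the prototype chain is cyclic. */
static int has_property_checked(const ObjModel *o, const char *name)
{
    const ObjModel *slow = o;
    for (int step = 0; o; o = o->prototype, step++) {
        if (has_own(o, name)) return 1;
        if (step & 1) slow = slow->prototype;
        if (o->prototype == slow) return -1;   /* hare caught the tortoise: cycle */
    }
    return 0;
}

/* Global object carrying static "fn"; its prototype either points at itself
 * (the reported defect) or ends the chain (the shape after the fix). */
static int lookup_on_global(const char *name, int cyclic_prototype)
{
    ObjModel proto = { { NULL }, NULL };
    ObjModel global = { { "fn", NULL }, &proto };
    proto.prototype = cyclic_prototype ? &proto : NULL;
    int r = has_property_checked(&global, name);
    /* On the acyclic shape the unguarded walk is safe and must agree. */
    if (!cyclic_prototype && has_property_unguarded(&global, name) != r) return -2;
    return r;
}
```

Calling the unguarded walk on the cyclic shape reproduces the hang, which is why only the guarded walk is exercised for that case.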
Comment 3 Cameron Zwarich (cpst) 2009-03-19 00:58:25 PDT
I'll take this bug.
Comment 4 Cameron Zwarich (cpst) 2009-03-19 04:09:35 PDT
This regressed with r36016, the first inline caching patch:

http://trac.webkit.org/changeset/36016
Comment 5 Cameron Zwarich (cpst) 2009-03-19 16:26:32 PDT
Created attachment 28769 [details]
Proposed patch

Here's a fix. I'll add a test to testapi for this.
Comment 6 Geoffrey Garen 2009-03-19 16:48:02 PDT
Comment on attachment 28769 [details]
Proposed patch

r=me
Comment 7 Cameron Zwarich (cpst) 2009-03-19 17:04:38 PDT
Landed in r41846 with a test added to testapi.