Bug 26593

Summary: Enumeration of prototypes with more than 64 properties cache not invalidated
Product: WebKit
Reporter: Sebastian Markbåge <sebastian>
Component: JavaScriptCore
Assignee: Nobody <webkit-unassigned>
Status: RESOLVED FIXED
Severity: Major
CC: jankassens, john.david.dalton, oliver, sam
Priority: P1
Keywords: InRadar
Version: 528+ (Nightly build)
Hardware: All
OS: All
URL: http://labs.calyptus.eu/WebKitPrototypeCache/
Attachments: Test case (flags: none)

Description Sebastian Markbåge 2009-06-21 16:31:50 PDT
If object B inherits from prototype A and prototype A has more than 64 properties, it seems that the enumeration of properties of object B is cached.

However, if more properties are added to the prototype the cache is not invalidated.

So if an additional property is added to the prototype between enumerations, the new property is not enumerated over.

The linked example clearly illustrates this issue.
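The behaviour reported above can be checked with a small regression script. This is an added example, not the attached test case or the WebKit layout test; the function names and the property name `addedLater` are hypothetical, and it goes beyond the single 64-property case by checking several prototype sizes on both sides of that threshold.

```javascript
// Added regression check for stale for-in results on inherited properties.
// All names here are illustrative and do not come from the bug report.

// Build a prototype object with `count` own enumerable properties.
function makeProto(count) {
  const proto = {};
  for (let i = 0; i < count; i++) proto["p" + i] = i;
  return proto;
}

// Collect every key a for-in loop visits, including inherited ones.
function enumerate(obj) {
  const seen = [];
  for (const key in obj) seen.push(key);
  return seen;
}

// True when a property added to the prototype between two for-in passes
// over the inheriting object is visited by the second pass.
function seesLateProperty(count) {
  const proto = makeProto(count);
  const child = Object.create(proto);
  const first = enumerate(child);   // an engine may cache this enumeration
  proto.addedLater = true;          // mutate the prototype between passes
  const second = enumerate(child);  // must reflect the mutation
  return first.length === count &&
         second.length === count + 1 &&
         second.includes("addedLater");
}

// Return the prototype sizes for which the second pass was stale.
function checkSizes(sizes) {
  return sizes.filter((n) => !seesLateProperty(n));
}

const failing = checkSizes([1, 63, 64, 65, 128, 1000]);
console.log(failing.length === 0
  ? "ok: late prototype properties are enumerated"
  : "stale enumeration at sizes: " + failing.join(", "));
```
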
Comment 1 Sebastian Markbåge 2009-06-21 17:03:37 PDT
Created attachment 31625
Test case
Comment 2 Sam Weinig 2009-06-21 21:49:14 PDT
<rdar://problem/6992822>
Comment 3 Oliver Hunt 2009-06-23 19:48:32 PDT
Committing to http://svn.webkit.org/repository/webkit/trunk ...
	M	JavaScriptCore/ChangeLog
	M	JavaScriptCore/interpreter/Interpreter.cpp
	M	JavaScriptCore/jit/JITStubs.cpp
	M	JavaScriptCore/runtime/Structure.cpp
	M	JavaScriptCore/runtime/StructureChain.cpp
	M	JavaScriptCore/runtime/StructureChain.h
	M	LayoutTests/ChangeLog
	A	LayoutTests/fast/js/dictionary-no-cache.html
	A	LayoutTests/fast/js/resources/dictionary-no-cache.js
Committed r45039

Please verify in the next nightly :D
Comment 4 John-David Dalton 2009-06-24 15:17:47 PDT
In the attachment I noticed that performing something like

test2._x = 1; delete test2._x;

before the for-in loop seems to fix the issue.
Comment 5 Jan Kassens 2009-06-25 06:30:56 PDT
Sebastian's test case works now here (nightly).