Bug 26593

Summary: Enumeration of prototypes with more than 64 properties cache not invalidated
Product: WebKit Reporter: Sebastian Markbåge <sebastian>
Component: JavaScriptCoreAssignee: Nobody <webkit-unassigned>
Status: RESOLVED FIXED    
Severity: Major CC: jankassens, john.david.dalton, oliver, sam
Priority: P1 Keywords: InRadar
Version: 528+ (Nightly build)   
Hardware: All   
OS: All   
URL: http://labs.calyptus.eu/WebKitPrototypeCache/
Attachments:
Description Flags
Test case none

Sebastian Markbåge
Reported 2009-06-21 16:31:50 PDT
If object B inherits from prototype A and prototype A has more than 64 properties, it seems that the enumeration of properties of object B is cached. However, if more properties are added to the prototype the cache is not invalidated. So if an additional property is added to the prototype between enumerations, the new property is not enumerated over. The linked example clearly illustrates this issue.
Attachments
Test case (673 bytes, text/html)
2009-06-21 17:03 PDT, Sebastian Markbåge 		no flags
Details
View All Add attachment proposed patch, testcase, etc.
Sebastian Markbåge
Comment 1 2009-06-21 17:03:37 PDT
Created attachment 31625 [details] Test case
Sam Weinig
Comment 2 2009-06-21 21:49:14 PDT
<rdar://problem/6992822>
Oliver Hunt
Comment 3 2009-06-23 19:48:32 PDT
Committing to http://svn.webkit.org/repository/webkit/trunk ... M JavaScriptCore/ChangeLog M JavaScriptCore/interpreter/Interpreter.cpp M JavaScriptCore/jit/JITStubs.cpp M JavaScriptCore/runtime/Structure.cpp M JavaScriptCore/runtime/StructureChain.cpp M JavaScriptCore/runtime/StructureChain.h M LayoutTests/ChangeLog A LayoutTests/fast/js/dictionary-no-cache.html A LayoutTests/fast/js/resources/dictionary-no-cache.js Committed r45039 Please verify in the next nightly :D
John-David Dalton
Comment 4 2009-06-24 15:17:47 PDT
In the attachment I noticed that performing something like test2._x = 1; delete test2._x; before the for-in loop seems to fix the issue.
Jan Kassens
Comment 5 2009-06-25 06:30:56 PDT
Sebastian's test case works now here (nighly).
Note You need to log in before you can comment on or make changes to this bug.