Bug 132872 - Getter on prototype is called even though property is also defined on instance
Summary: Getter on prototype is called even though property is also defined on instance
Status: NEW
Alias: None
Product: WebKit
Classification: Unclassified
Component: JavaScriptCore (show other bugs)
Version: 528+ (Nightly build)
Hardware: Mac (Intel) OS X 10.9
: P2 Normal
Assignee: Nobody
URL:
Keywords:
Depends on:
Blocks:
 
Reported: 2014-05-13 10:30 PDT by Sebastian Noack
Modified: 2014-10-28 14:49 PDT (History)
7 users (show)

See Also:

Attachments
test case (82 bytes, text/plain)
2014-05-13 10:31 PDT, Sebastian Noack 		no flags Details
View All Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.
Description Sebastian Noack 2014-05-13 10:30:03 PDT 
If you define a getter on the prototype and cache its value by defining a property with the same name on the instance, sometimes the getter is called a second time, when the property is accessed. This can be reproduced on Safari 7.0.3 with the attached HTML page. A "TypeError: Attempting to change value of a readonly property" is thrown when the getter is called the second time and calls Object.defineProperty() again. The expected behavior would be that the getter is executed only once per instance.
Comment 1 Sebastian Noack 2014-05-13 10:31:01 PDT 
Created attachment 231392 [details]
test case
Comment 2 Wladimir Palant 2014-05-13 11:40:41 PDT 
Note that the issue only happens if there are at least 9 objects created (the testcase creates 1000 of them, just in case). It seems that the issue here is a wrong optimization when the JIT compiler processes method Class.bar() - it will call the getter on the prototype directly, without checking whether the same property exists on the object instance.

The issue is only reproducible in Safari, neither Firefox nor Chrome show this behavior.
Comment 3 Oliver Hunt 2014-05-13 12:30:30 PDT 
getter cache misoptimization?