Bug 164372 - [DOMJIT] Make getElementsByTagName Read/Write
Status: NEW
Alias: None
Product: WebKit
Classification: Unclassified
Component: JavaScriptCore
Version: WebKit Nightly Build
Hardware: Unspecified Unspecified
: P2 Normal
Assignee: Yusuke Suzuki
Reported: 2016-11-03 11:25 PDT by Yusuke Suzuki
Modified: 2016-11-03 11:27 PDT

Description Yusuke Suzuki 2016-11-03 11:25:19 PDT
Basically, it caches the results. But if GC happens, the cache can be cleared.

The following can happen.

var c1 = document.getElementsByTagName('div');
var c2 = document.getElementsByTagName('div');

c1 === c2;  // true
c1.hello = 42;
c1 = null;
c2 = null;
var c3 = document.getElementsByTagName('div');
c3.hello;  // undefined

So, while getElementById always returns the same object while DOMState is not changed,
getElementsByTagName can return some different thing even if DOMState is not changed.
So, now, let's make it safe. Drop annotation and make it read(World), write(Heap) in the meantime.
Comment 1 Yusuke Suzuki 2016-11-03 11:26:03 PDT
> Drop annotation

It means, we still have DOMJIT::Signature (this can effectively drop type checks).
But it has the effect that reads(World), writes(Heap).
Comment 2 Yusuke Suzuki 2016-11-03 11:27:43 PDT
On the other hand, in the element.childNodes case, we currently clear the cache.
But ideally, we should keep it alive. And in that case, we can annotate it as Node_childNodes.
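
The following is an added example, not part of the bug report and not WebKit code: a small JavaScript model of the sequence in the description, showing why an annotation that only reads DOMState lets a redundancy elimination change the observable result, while reads(World)/writes(Heap) does not. The cache, the simulated GC, the heap hierarchy and the toy optimizer are all assumptions of this model.

```javascript
// Constructed model for illustration; this is not how WebKit implements any of it.
function makeDocument() {
  const cache = new Map(); // tag -> collection wrapper
  return {
    getElementsByTagName(tag) {
      if (!cache.has(tag)) cache.set(tag, { tag });
      return cache.get(tag);
    },
    // Simulated GC: drop cached wrappers that nothing references any more.
    gc(live) {
      for (const [tag, obj] of cache) if (!live.has(obj)) cache.delete(tag);
    },
  };
}

// Abstract heap hierarchy assumed by this model: World > Heap > {DOMState, NamedProperties}.
const PARENT = { DOMState: 'Heap', NamedProperties: 'Heap', Heap: 'World', World: null };
const ancestors = (h) => { const out = []; for (; h; h = PARENT[h]) out.push(h); return out; };
const overlaps = (a, b) => ancestors(a).includes(b) || ancestors(b).includes(a);

// Two candidate annotations for the call (labels follow the bug text).
const NARROW = { reads: ['DOMState'], writes: [] };
const SAFE = { reads: ['World'], writes: ['Heap'] };

// Runs the sequence from the description, optionally with a toy redundancy
// elimination that reuses an earlier result while nothing the call reads is written.
function run(effect, optimize) {
  const doc = makeDocument();
  let known = null; // earlier result the toy compiler considers still valid
  const call = () => {
    if (known) return known;
    const r = doc.getElementsByTagName('div');
    if (optimize && effect.writes.length === 0) known = r; // only effect-free calls qualify
    return r;
  };
  const wrote = (heaps) => {
    if (effect.reads.some((r) => heaps.some((w) => overlaps(r, w)))) known = null;
  };
  let c1 = call(), c2 = call();
  const same = c1 === c2;
  c1.hello = 42; wrote(['NamedProperties']);
  c1 = null; c2 = null;
  doc.gc(new Set(known ? [known] : [])); // a reused value stays alive in compiled code
  const c3 = call();
  return { same, hello: c3.hello };
}

console.log(run(NARROW, false), run(NARROW, true), run(SAFE, true));
```

In this model the unoptimized run and the reads(World)/writes(Heap) run agree with each other, and only the DOMState-only annotation produces a different value for `c3.hello`.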