Closed Bug 1516560 Opened 11 months ago Closed 11 months ago
Attach DOMProxy Unshadowed assumes DOM proxies have static prototypes
47 bytes, text/x-phabricator-request
|Details | Review|
With changes that make Location not have a static prototype anymore (because it can change back and forth from null with document.domain changes), this testcase: <script> for (var i = 0; i < 10000; ++i) location.noSuchProp; </script> hits a fatal assert (Assertion failure: hasStaticPrototype()) with this stack: #16 JSObject::staticPrototype() #17 js::jit::GetPropIRGenerator::tryAttachDOMProxyUnshadowed #18 js::jit::GetPropIRGenerator::tryAttachProxy #19 js::jit::GetPropIRGenerator::tryAttachStub #20 js::jit::IonGetPropertyIC::update Maybe the simple solution is just to have IsCacheableDOMProxy return false if !hasStaticPrototype()? Or is there a better way to deal with this?
(In reply to Boris Zbarsky [:bzbarsky, bz on IRC] from comment #0) > Maybe the simple solution is just to have IsCacheableDOMProxy return false > if !hasStaticPrototype()? Agreed. > Or is there a better way to deal with this? Not that I know of. Handling this efficiently seems pretty complicated..
This only affects Location.
Pushed by email@example.com: https://hg.mozilla.org/integration/autoland/rev/fda9de78ff7f Stop trying to do DOM proxy caching for DOM proxies with dynamic prototypes. r=jandem
You need to log in before you can comment on or make changes to this bug.