Closed
Bug 1516560
Opened 6 years ago
Closed 6 years ago
tryAttachDOMProxyUnshadowed assumes DOM proxies have static prototypes
Categories
(Core :: JavaScript Engine: JIT, enhancement)
Core
JavaScript Engine: JIT
Tracking
()
RESOLVED
FIXED
mozilla66
| Tracking | Status | |
|---|---|---|
| firefox66 | --- | fixed |
People
(Reporter: bzbarsky, Assigned: bzbarsky)
References
Details
Attachments
(1 file)
With changes that make Location not have a static prototype anymore (because it can change back and forth from null with document.domain changes), this testcase:
<script>
for (var i = 0; i < 10000; ++i) location.noSuchProp;
</script>
hits a fatal assert (Assertion failure: hasStaticPrototype()) with this stack:
#16 JSObject::staticPrototype()
#17 js::jit::GetPropIRGenerator::tryAttachDOMProxyUnshadowed
#18 js::jit::GetPropIRGenerator::tryAttachProxy
#19 js::jit::GetPropIRGenerator::tryAttachStub
#20 js::jit::IonGetPropertyIC::update
Maybe the simple solution is just to have IsCacheableDOMProxy return false if !hasStaticPrototype()? Or is there a better way to deal with this?
Flags: needinfo?(jdemooij)
|
||
Comment 1•6 years ago
|
||
(In reply to Boris Zbarsky [:bzbarsky, bz on IRC] from comment #0)
> Maybe the simple solution is just to have IsCacheableDOMProxy return false
> if !hasStaticPrototype()?
Agreed.
> Or is there a better way to deal with this?
Not that I know of. Handling this efficiently seems pretty complicated..
Flags: needinfo?(jdemooij)
|
Assignee | |
Updated•6 years ago
|
Assignee: nobody → bzbarsky
|
|
Assignee | |
Comment 2•6 years ago
|
||
This only affects Location.
Pushed by bzbarsky@mozilla.com:
https://hg.mozilla.org/integration/autoland/rev/fda9de78ff7f
Stop trying to do DOM proxy caching for DOM proxies with dynamic prototypes. r=jandem
|
||
Comment 4•6 years ago
|
||
| bugherder | ||
Status: NEW → RESOLVED
Closed: 6 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla66
You need to log in
before you can comment on or make changes to this bug.
Description
•