Require that scope chain only contains Call/Block/With/DeclEnvClass or global object

Status: NEW (Unassigned)
Product: Core
Component: JavaScript Engine
Reported: 8 years ago
Modified: 4 years ago

People

(Reporter: gal, Unassigned)

Tracking

Version: Trunk
Hardware: x86, Mac OS X

Details

(Reporter)

Description

8 years ago
It seems the scope chain can contain non-global DOM objects (event handlers). That's ugly. It would be a nice invariant to have that the scope chain is purely native and only of Call/Block/With/DeclEnvClass until we hit the global object. The handler should be wrapped with a with object.
Blocking Jaeger on this because BINDNAME wants to track its value as an "object" type, and not have to peek at js_FunctionClass. Fat values requires this distinction, like tracing.
Blocks: 536277
(Reporter)

Comment 2

8 years ago
The parent of some functions is Function, which is js_FunctionClass. I am trying to make a shell test case that exposes that on the scope chain.
So how would the with-wrapping affect event handler performance?
(Reporter)

Comment 4

8 years ago
I think we should carefully scope this bug if JM blocks on it and strive for a minimal change. Long term I would like to sanitize the scope chain. Short term we might aim lower:
- all objects on the scope chain must be native (almost there)
- all objects on the scope chain must be objects (not functions)

If we end up doing the with trick, I don't expect a performance impact. The property caches the lookup using X/Y coordinates, so it's just one proto over off the with object. Not a big deal.
I was more worried about tracing inside event handlers, but maybe that's not an issue.
(Reporter)

Comment 6

8 years ago
Yeah, I am treading carefully here. Still trying to understand what exactly we are doing right now.
(In reply to comment #5)
> I was more worried about tracing inside event handlers, but maybe that's not an
> issue.

We don't trace in any code that has non-native objects on the scope chain. See ScopeChainCheck in jstracer.cpp.

FWIW, v8 in chromium/chrome wraps event receiver and scope-ancestors in with somehow, at least from the decompilation results.

/be

Comment 8

8 years ago
(In reply to comment #5)
> I was more worried about tracing inside event handlers, but maybe that's not an
> issue.

This is only relevant for inline event handlers defined using onsomething="code". Only those code fragments would have DOM objects on the scope chain. I can imagine that those handlers could be a bottleneck in some synthetic benchmarks, but in practice they are mostly one-liners calling some functions.

(In reply to comment #7)
> We don't trace in any code that has non-native objects on the scope chain. See
> ScopeChainCheck in jstracer.cpp.

That function uses js_IsCacheableNonGlobalScope. That means that only a scope chain with Block, Call and DeclEnv instances as non-globals is traced.
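The "with trick" discussed in comments 4 and 8, as an added example that is not part of the bug or of SpiderMonkey: an inline `onsomething="code"` handler resolves free identifiers through the element, its form and its document before reaching the global object, and nesting `with` blocks over those objects reproduces that lookup with ordinary native with-objects instead of DOM objects on the scope chain. Plain objects stand in for the DOM nodes (constructed here), `compileInlineHandler`, `resolveByHand` and `demo` are names chosen for this example, and the handler is built with the `Function` constructor so that `with` stays legal even when the surrounding file is strict-mode code.

```javascript
// Added example (not from the bug or from SpiderMonkey): models the scope
// chain of an inline `onsomething="code"` handler with plain objects standing
// in for the DOM nodes. The element, its form and its document are consulted
// before the global object, and nested `with` blocks reproduce that lookup.

function compileInlineHandler(body, element, form, document) {
  // Code built by the Function constructor is always sloppy-mode, so `with`
  // is permitted even if this file itself runs under "use strict".
  const factory = new Function(
    "document", "form", "element",
    "return function inlineHandler(event) {" +
    "  with (document) { with (form) { with (element) { " + body + " } } }" +
    "};"
  );
  return factory(document, form, element);
}

// Constructed stand-ins for the DOM objects; real nodes carry many more
// properties, which is why an engine cannot reason about them statically.
function makeDomStandIns() {
  return {
    document: { title: "Example page" },
    form: { name: "login-form", action: "/login" },
    element: { value: "typed text", name: "username" },
  };
}

// Walks the same chain by hand, innermost first, falling back to globalThis.
function resolveByHand(name, element, form, document) {
  for (const scope of [element, form, document, globalThis]) {
    if (name in scope) return scope[name];
  }
  throw new ReferenceError(name + " is not defined");
}

function demo() {
  const { document, form, element } = makeDomStandIns();
  globalThis.inlineHandlerGlobal = "from global"; // constructed global binding

  const handler = compileInlineHandler(
    "return [value, name, action, title, inlineHandlerGlobal, typeof event];",
    element, form, document
  );
  const fromWith = handler({ type: "click" });
  const byHand = ["value", "name", "action", "title", "inlineHandlerGlobal"]
    .map((n) => resolveByHand(n, element, form, document))
    .concat(["object"]);

  // Lookups are dynamic: a property added to the element afterwards shadows
  // the form's `action`, so nothing about the chain can be resolved up front.
  element.action = "element-level action";
  const afterShadow = handler({});

  return { fromWith, byHand, afterShadow };
}
```

`name` resolves to the element's `name` rather than the form's because the element is innermost; the manual walk and the `with`-built handler agree on every identifier, which is the equivalence the with-wrapping proposal relies on.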
(Assignee)

Updated

4 years ago
Assignee: general → nobody