Updates:
Cc: [email protected] [email protected]
Comment #1 on issue 3538 by [email protected]: DOM attributes on
prototype chains throw a TypeError when it shouldn't be thrown
https://code.google.com/p/v8/issues/detail?id=3538
I investigated this issue a bit more and noticed that V8 passes a wrong
holder object to HandleApiCallHelper. If I print the memory address of the
holder object and a receiver object in HandleApiCallHelper, I get the
following result:
e = document.createElement("div");
console.log(e.children.item(0)); // receiver=0xc3f7556d4a9, holder=0x172f86029f09
console.log(e.children.length); // receiver=0xc3f7556d4a9 holder=0x172f860293b1
|receiver| points to |e.children|, and |holder| is expected to point to
|HTMLCollection.prototype|. In the case of |e.children.item(0)|, the holder
correctly points to |HTMLCollection.prototype| (i.e., 0x172f86029f09),
but in the case of e.children.length, the holder is pointing to a different
object (i.e., 0x172f860293b1).
I suspect that the holder lookup code in hydrogen.cc is wrong but I've not
succeeded in identifying what's wrong.
Since Dan is OOO for a while, I'd be happy if someone else could take a
look at the issue.
--
v8-dev mailing list
[email protected]
http://groups.google.com/group/v8-dev
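Added example (not part of the original comment, and not V8 or Blink code): a plain-JavaScript model of the receiver/holder relationship the comment expects, taking the holder to be the first object on the receiver's prototype chain that owns the property. The HTMLCollection class is a constructed stand-in, and findHolder, resolve and sameHolder are hypothetical helper names.

```javascript
// Constructed stand-in for the DOM interface named in the comment; runs without a browser.
class HTMLCollection {
  constructor(nodes) { this._nodes = nodes; }
  item(i) { return this._nodes[i] ?? null; }   // method: data property on the prototype
  get length() { return this._nodes.length; }  // attribute: accessor property on the prototype
}

// Hypothetical helper: first object on the receiver's prototype chain that owns `key`.
function findHolder(receiver, key) {
  for (let o = receiver; o !== null; o = Object.getPrototypeOf(o)) {
    if (Object.prototype.hasOwnProperty.call(o, key)) return o;
  }
  return null;
}

// Hypothetical helper: look a property up and report which object played each role.
function resolve(receiver, key) {
  const holder = findHolder(receiver, key);
  if (holder === null) return { receiver, holder, kind: "missing", value: undefined };
  const desc = Object.getOwnPropertyDescriptor(holder, key);
  const isAccessor = typeof desc.get === "function";
  // A getter runs with `this` bound to the receiver, not to the holder.
  const value = isAccessor ? desc.get.call(receiver) : desc.value;
  return { receiver, holder, kind: isAccessor ? "accessor" : "data", value };
}

// True when every key resolves to the same holder, as the comment expects for item and length.
function sameHolder(receiver, keys) {
  const holders = keys.map((k) => findHolder(receiver, k));
  return holders.every((h) => h !== null && h === holders[0]);
}

const children = new HTMLCollection(["a", "b"]);  // plays the role of e.children
const derived = Object.create(children);           // one more link in the prototype chain
for (const [name, obj] of [["children", children], ["derived", derived]]) {
  const m = resolve(obj, "item");
  const a = resolve(obj, "length");
  console.log(name,
    "| item holder is prototype:", m.holder === HTMLCollection.prototype,
    "| length holder is prototype:", a.holder === HTMLCollection.prototype,
    "| length =", a.value);
}
```

In this model the method and the accessor share one holder while the receiver varies with the object the lookup started from, which is the invariant the two printed addresses in the comment fail to satisfy.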