We maintain an instrumented branch of WebKit to do various dynamic measurements 
of JavaScript. One of our changes which should have no semantic effect on the 
behavior of JS is actually causing a visible change in the behavior of (at 
least) http://about.com/ . The visible difference is that the menus don't work, 
and the underlying reason seems to be that Array.prototype.slice is (rather 
inexplicably) being rewritten to undefined, causing further code to fail. I've 
worked the issue down to a single line, namely

baseValue.toObject(callFrame)->hasOwnProperty(callFrame, property);

A patch is attached giving context. This is under a baseValue.isObject() check, 
and this is simply a hasOwnProperty check (not getting the value, which could 
call a getter, or even using prototypes), so to my knowledge this should not 
affect the behavior of the program in any way. This line is of course useless 
on its own; it's just the culprit expression I've extracted from the rest of 
the instrumentation.

Is there a WebKit guru who can enlighten us on this odd behavior?

The patch is against WebKit r80431, but the behavior is the same on older 
versions. I haven't tried newer versions simply because our branch is 
synchronized on a weekly basis, but I don't expect that anything relevant has 
changed this week.

 - Gregor Richards
diff -r 43f715bbfbbc WebKit/Source/JavaScriptCore/interpreter/Interpreter.cpp
--- a/WebKit/Source/JavaScriptCore/interpreter/Interpreter.cpp	Sun Mar 06 00:06:07 2011 -0500
+++ b/WebKit/Source/JavaScriptCore/interpreter/Interpreter.cpp	Fri Mar 11 13:54:37 2011 -0500
@@ -3323,6 +3323,8 @@
         } else {
             Identifier property(callFrame, subscript.toString(callFrame));
             if (!globalData->exception) { // Don't put to an object if toString threw an exception.
+                if (baseValue.isObject())
+                    baseValue.toObject(callFrame)->hasOwnProperty(callFrame, property);
                 PutPropertySlot slot(codeBlock->isStrictMode());
                 baseValue.put(callFrame, property, callFrame->r(value).jsValue(), slot);
             }
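Review bot: the added hasOwnProperty probe runs after the `!globalData->exception` check but before `baseValue.put(...)`, so the comment "Don't put to an object if toString threw an exception" no longer covers everything that can throw in this block; if the property lookup raises an exception, `put` still executes. Either re-check `globalData->exception` after the probe or move the probe ahead of the existing check. The result of `hasOwnProperty` is also discarded, and a lookup is not guaranteed to be free of side effects (it dispatches into object-specific property-slot code), so the probe should at least be documented as instrumentation-only and its effect on the subsequent `put` considered.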
diff -r 43f715bbfbbc WebKit/Source/JavaScriptCore/wtf/Platform.h
--- a/WebKit/Source/JavaScriptCore/wtf/Platform.h	Sun Mar 06 00:06:07 2011 -0500
+++ b/WebKit/Source/JavaScriptCore/wtf/Platform.h	Fri Mar 11 13:54:37 2011 -0500
@@ -1004,6 +1004,8 @@
 #define ENABLE_JIT 0
 #endif
 
+#define ENABLE_JIT 0
+
 /* The JIT is enabled by default on all x86, x64-64, ARM & MIPS platforms. */
 #if !defined(ENABLE_JIT) \
     && (CPU(X86) || CPU(X86_64) || CPU(ARM) || CPU(MIPS)) \
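Review bot: the unconditional `#define ENABLE_JIT 0` is placed directly after an `#if ... #endif` block that also defines `ENABLE_JIT 0`, and directly before `#if !defined(ENABLE_JIT)`, which only tests whether the macro is defined. As written it forces the JIT off on every platform and will trigger a redefinition warning wherever the preceding block already defined it. If disabling the JIT is intended for the instrumented branch, guard it (`#ifndef ENABLE_JIT`) or add a comment saying so, since it also means the behaviour reported in the mail was observed with the interpreter, not the JIT.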
_______________________________________________
webkit-dev mailing list
[email protected]
http://lists.webkit.org/mailman/listinfo.cgi/webkit-dev