On 2012/11/20 17:30:42, Vyacheslav Egorov (Google) wrote:
sorry for the review delay, was travelling.

https://codereview.chromium.org/11377158/diff/11001/src/heap.cc
File src/heap.cc (right):

https://codereview.chromium.org/11377158/diff/11001/src/heap.cc#newcode7459
src/heap.cc:7459: if (!getter_fun->shared()->native()) continue;
I don't think this can guard you well enough. Here is an idea: I steal a
function that is known to be native and that has a very predictable behavior,
e.g. Array.prototype.pop, and then I install my own getter on .length because
pop is known to access it. This way I can track when pop is called (JavaScript
is fun).

What about using function IDs (that Crankshaft uses for optimization) to detect
this case safely? You'll need to introduce %SetFunctionId thingy though or
something...

Please take yet another look...
- I use an IsBuiltin() check instead of native() to see whether the oneshot
getter is the expected one.
- I changed FormatRawStackTrace to use %_CallFunction instead of
Array.prototype.{push,join} so that you can't observe it being called lazily by
overriding Array.prototype.{push,join}.
- I changed FormatRawStackTrace so that the toString method of the error object
is not called lazily, but at the time when the error object is created, so that
formatting the stack trace is not observable because of stringifying the error.

https://codereview.chromium.org/11377158/

--
v8-dev mailing list
[email protected]
http://groups.google.com/group/v8-dev
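The two observability problems discussed in this thread, as an added JavaScript illustration that is not part of the review or of V8's own code: a "native" check on a getter accepts any stolen builtin such as Array.prototype.pop, whose read of .length then runs attacker-installed code, whereas an identity check in the spirit of IsBuiltin()/function IDs only accepts the expected getter; and a formatter that dispatches through Array.prototype.join can be watched by overriding join, while one that calls a reference captured at startup (the %_CallFunction analogue) cannot. The engine-side probing, the one-shot getter and the frame formatters are simplified stand-ins, not V8's implementation.

```javascript
// Added example: why a "native" check is too weak and how an identity check
// and captured references close the gap. None of this is V8 code.

// Weak check in the spirit of the original native() test: any builtin passes.
function isNativeFunction(fn) {
  return typeof fn === "function" &&
    /\{\s*\[native code\]\s*\}$/.test(Function.prototype.toString.call(fn));
}

// Stand-in for the legitimate one-shot getter the engine expects on .stack.
function oneShotStackGetter() {
  return "Error\n    at <formatted lazily>";
}

// Simulates the engine probing an error-like object: it invokes the .stack
// getter only if that getter passes the supplied acceptance check.
function probeStackGetter(errorLike, accept) {
  const desc = Object.getOwnPropertyDescriptor(errorLike, "stack");
  if (!desc || typeof desc.get !== "function") return { invoked: false };
  if (!accept(desc.get)) return { invoked: false };
  return { invoked: true, value: desc.get.call(errorLike) };
}

// The scenario from the review: Array.prototype.pop is installed as the .stack
// getter (it is native), and an observing accessor is placed on .length, which
// pop reads and then writes back.
function buildObservingError() {
  const log = [];
  const obj = {};
  Object.defineProperty(obj, "length", {
    get() { log.push("length read"); return 0; },
    set(v) { log.push("length write " + v); },
    configurable: true,
  });
  Object.defineProperty(obj, "stack", {
    get: Array.prototype.pop,   // passes any "is native" check
    configurable: true,
  });
  return { obj, log };
}

function runScenario(accept) {
  const { obj, log } = buildObservingError();
  const result = probeStackGetter(obj, accept);
  return { invoked: result.invoked, observed: log.length > 0 };
}

// With the weak check the stolen getter runs and the .length accessor fires,
// so the engine's internal probing becomes visible to script.
const weakResult = runScenario(isNativeFunction);
// With an identity check only the expected getter is accepted.
const strictResult = runScenario((fn) => fn === oneShotStackGetter);

// Second point: a stack formatter that goes through Array.prototype.join can
// be observed by overriding join; one that calls a captured reference cannot.
const capturedJoin = Array.prototype.join;   // captured before user code runs
function formatFramesObservable(frames) {
  return frames.join("\n");
}
function formatFramesCaptured(frames) {
  return Reflect.apply(capturedJoin, frames, ["\n"]);
}

// Installs a counting override of Array.prototype.join around one formatter
// call and reports how many times user code got to observe it.
function countJoinObservations(formatter) {
  const frames = ["at a", "at b"];   // constructed sample frames
  let calls = 0;
  const original = Array.prototype.join;
  Array.prototype.join = function (...args) {
    calls++;
    return original.apply(this, args);
  };
  try {
    formatter(frames);
  } finally {
    Array.prototype.join = original;
  }
  return calls;
}
```

The identity check is the part that matters: `isNativeFunction` asks only "is this some builtin?", which any stolen builtin satisfies, while `fn === oneShotStackGetter` asks "is this the builtin we installed?", which is what IsBuiltin() or a function ID answers on the engine side.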