W3C home > Mailing lists > Public > www-dom@w3.org > October to December 2012

Re: [dom] Need to describe the interaction of adoptNode with prototype chains

From: Boris Zbarsky <bzbarsky@MIT.EDU>
Date: Sat, 22 Dec 2012 11:12:47 -0800
Message-ID: <50D6062F.2020706@mit.edu>
To: www-dom@w3.org
On 12/22/12 4:33 AM, James Ross wrote:
> http://software.hixie.ch/utilities/js/live-dom-viewer/?saved=2044. IE 10
> produces the same results as Firefox 17:

So a few more thoughts on this:

1)  Exposing GC behavior is unfortunate, and if we allow JS reflections 
to be collected independent of the underlying node (which at least 
Gecko, WebKit+JSC, WebKit+V8 do, though in WebKit+V8 you have to trigger 
a major collection, which my testcase may not have managed) then not 
exposing it means either remembering the original JS proto forever in 
the node or changing proto on adopt.

2)  If a script adopts a node from a subframe and then unloads the 
subframe or removes it from the DOM, remembering the proto means you 
leak the entire global object _and_ the entire DOM of the subframe, 
because HTMLElement is reachable from the adopted node (via .__proto__ 
and .constructor) and then you can call "new HTMLElement" from the 
now-unloaded subframe Window and now you have a node whose ownerDocument 
is the document that was in the subframe and you can reach its DOM, so 
the the UA has to keep all that stuff alive or has to make some of this 
stuff not work or something.  That seems like a pretty serious footgun 
to me.

I don't really like mutating proto chains either, but I'm not sure we 
have great options here.  :(

Do Opera and Chrome really never change the proto observably, or is 
their behavior like Safari's and I'm just failing to trigger a GC that 
collects the relevant object?  Can someone who knows the relevant code 
speak up?

-Boris
Received on Saturday, 22 December 2012 19:13:22 GMT

This archive was generated by hypermail 2.2.0+W3C-0.50 : Saturday, 22 December 2012 19:13:35 GMT