- From: Boris Zbarsky <bzbarsky@MIT.EDU>
- Date: Sat, 22 Dec 2012 11:12:47 -0800
- To: www-dom@w3.org
On 12/22/12 4:33 AM, James Ross wrote: > http://software.hixie.ch/utilities/js/live-dom-viewer/?saved=2044. IE 10 > produces the same results as Firefox 17: So a few more thoughts on this: 1) Exposing GC behavior is unfortunate, and if we allow JS reflections to be collected independent of the underlying node (which at least Gecko, WebKit+JSC, WebKit+V8 do, though in WebKit+V8 you have to trigger a major collection, which my testcase may not have managed) then not exposing it means either remembering the original JS proto forever in the node or changing proto on adopt. 2) If a script adopts a node from a subframe and then unloads the subframe or removes it from the DOM, remembering the proto means you leak the entire global object _and_ the entire DOM of the subframe, because HTMLElement is reachable from the adopted node (via .__proto__ and .constructor) and then you can call "new HTMLElement" from the now-unloaded subframe Window and now you have a node whose ownerDocument is the document that was in the subframe and you can reach its DOM, so the the UA has to keep all that stuff alive or has to make some of this stuff not work or something. That seems like a pretty serious footgun to me. I don't really like mutating proto chains either, but I'm not sure we have great options here. :( Do Opera and Chrome really never change the proto observably, or is their behavior like Safari's and I'm just failing to trigger a GC that collects the relevant object? Can someone who knows the relevant code speak up? -Boris
Received on Saturday, 22 December 2012 19:13:22 UTC