Closed
Bug 474888
Opened 16 years ago
Closed 16 years ago
TM: Incorrect use of the global object's identity
Categories
(Core :: JavaScript Engine, defect, P2)
Tracking
()
RESOLVED
FIXED
People
(Reporter: gal, Assigned: gal)
Details
(Keywords: fixed1.9.1, Whiteboard: fixed-in-tracemonkey)
Attachments
(1 file)
5.37 KB,
patch
|
brendan
:
review+
|
Details | Diff | Splinter Review |
No description provided.
Assignee | ||
Updated•16 years ago
|
Flags: blocking1.9.1?
Priority: -- → P2
Assignee | ||
Comment 1•16 years ago
|
||
Assignee: general → gal
Attachment #358314 -
Flags: review?(brendan)
Updated•16 years ago
|
Attachment #358314 -
Flags: review?(brendan) → review+
Assignee | ||
Comment 2•16 years ago
|
||
Trees are only executed if the shape of the global object has not changed since recording time. We do not actually guarantee that the global object's identity is unchanged. We only guarantee the shape still matches. In the actual trace code we used the global object's identity to decide whether it aliases an object being used for direct property access. This might be wrong if we get a different global object with the same shape. Instead, this patch passes in the current global object's identity via InterpState. No measurable perf overhead. The patch also fixes an incorrect use of cx->globalObject in the oracle hashing and excludes the global object's identity from the hash (for the argument made above, we only care about the shape).
Assignee | ||
Comment 3•16 years ago
|
||
TM: http://hg.mozilla.org/tracemonkey/rev/29beb0928cfa
Whiteboard: fixed-in-tracemonkey
Comment 4•16 years ago
|
||
http://hg.mozilla.org/mozilla-central/rev/29beb0928cfa
Status: NEW → RESOLVED
Closed: 16 years ago
Flags: blocking1.9.1? → blocking1.9.1+
Resolution: --- → FIXED
Comment 5•15 years ago
|
||
http://hg.mozilla.org/releases/mozilla-1.9.1/rev/b244bae60086
Keywords: fixed1.9.1
Updated•15 years ago
|
Flags: in-testsuite-
Flags: in-litmus-
You need to log in
before you can comment on or make changes to this bug.
Description
•