Trees are only executed if the shape of the global object has not changed since recording time. We do not actually guarantee that the global object's identity is unchanged. We only guarantee the shape still matches. In the actual trace code we used the global object's identity to decide whether it aliases an object being used for direct property access. This might be wrong if we get a different global object with the same shape. Instead, this patch passes in the current global object's identity via InterpState. No measurable perf overhead. The patch also fixes an incorrect use of cx->globalObject in the oracle hashing and excludes the global object's identity from the hash (for the argument made above, we only care about the shape).

Andreas Gal :gal

Assignee

Comment 3

•

16 years ago

TM: http://hg.mozilla.org/tracemonkey/rev/29beb0928cfa

Whiteboard: fixed-in-tracemonkey

Robert Sayre

Comment 4

•

16 years ago

http://hg.mozilla.org/mozilla-central/rev/29beb0928cfa

Status: NEW → RESOLVED

Closed: 16 years ago

Flags: blocking1.9.1? → blocking1.9.1+

Resolution: --- → FIXED

Robert Sayre

Comment 5

•

15 years ago

http://hg.mozilla.org/releases/mozilla-1.9.1/rev/b244bae60086

Keywords: fixed1.9.1

Bob Clary [:bc] (inactive)

Updated

•

15 years ago

Flags: in-testsuite-

Flags: in-litmus-

You need to log in before you can comment on or make changes to this bug.

Bugzilla

Quick Search

TM: Incorrect use of the global object's identity

Categories

(Core :: JavaScript Engine, defect, P2)

Tracking

()

People

(Reporter: gal, Assigned: gal)

References

Details

(Keywords: fixed1.9.1, Whiteboard: fixed-in-tracemonkey)

Crash Data

Security

(public)

User Story

Attachments

(1 file)

Description

Updated

Comment 1

Updated

Comment 2

Comment 3

Comment 4

Comment 5

Updated

Attachment

General

Description

File Name

Content Type