Closed Bug 1143269 Opened 7 years ago Closed 2 years ago

CloneObjectLiteral seems to be broken in the array case

Categories

(Core :: JavaScript Engine, defect)

x86
macOS
defect
Not set
normal

RESOLVED FIXED

People

(Reporter: bzbarsky, Unassigned)

Flags: needinfo?(sstangl)
I'm confused: what information is needed from me here?
(In reply to Sean Stangl [:sstangl] from comment #1)
> I'm confused: what information is needed from me here?

Fixing it in order to fix the start-up cache.
Note that in general the fact that we're not hitting this code is just an accident of the way we treat singleton functions and lambdas inside them.  If we ever happen to expose anything that invokes CloneScript to the web, even by accident, we're screwed.
Also, if I _do_ make this code reachable, I totally get assertions because some of the values of some arrays are not tenured (they're strings, but not tenured).
Also, this codepath is totally reached during Firefox browser startup.

For example, if I put this code in browser/components/places/content/browserPlacesViews.js:

  function func(v) { return v; }
  var arr = (_ => func`contents`)();

then I get a nice startup assertion failure in Firefox:

  Assertion failure: srcArray->denseElementsAreCopyOnWrite(), at ../../../mozilla/js/src/jsobj.cpp:2137

So the only reason this is not causing problems today is that apparently tagged templates are not being used in the right places in Firefox code yet...
So fwiw, this code does seem to work for array literals, I think.  I think...
Depends on: 1146949
Flags: needinfo?(sstangl)

CloneObjectLiteral got killed in bug 1172943.

Status: NEW → RESOLVED
Closed: 2 years ago
Resolution: --- → FIXED