Closed
Bug 1191570
Opened 9 years ago
Closed 9 years ago
Use ToPropertyKey everywhere the standard uses it
Categories
(Core :: JavaScript Engine, defect)
Core
JavaScript Engine
Tracking
()
RESOLVED
FIXED
mozilla45
| Tracking | Status | |
|---|---|---|
| firefox45 | --- | fixed |
People
(Reporter: jorendorff, Assigned: jorendorff)
References
(Blocks 1 open bug)
Details
Attachments
(1 file, 1 obsolete file)
|
16.30 KB,
patch
|
jandem
:
review+
jorendorff
:
review+
|
Details | Diff | Splinter Review |
We have a few bugs where the behavior of `x[y]` is wrong when y is an object whose toString() method returns a symbol.
`x[{toString() { return sym; }}]`, where sym is a symbol, should behave like
`x[sym]`. Instead we treat it as `x["undefined"]`.
Maybe the right fix is to merge ValueToId and ToPropertyKey. Looking into it.
|
Assignee | |
Updated•9 years ago
|
Assignee: nobody → jorendorff
|
|
Assignee | |
Comment 1•9 years ago
|
||
Attachment #8678254 -
Flags: review?(jwalden+bmo)
|
||
Comment 2•9 years ago
|
||
Comment on attachment 8678254 [details] [diff] [review] Use ToPropertyKey everywhere ES6 says to use it Review of attachment 8678254 [details] [diff] [review]: ----------------------------------------------------------------- I could have sworn somewhere today I saw evilpie comment on the badness that is JSOP_TOID/ToIdOperation also munging the object as well, in who-knows-whether-it's-the-correct-order. I guess that can be a followup, with just swapping things in-place okay here. (Oh, note how ToIdOperation *does not* ToObject the objval if the id isInt32(). Whaaaa?) I'm not wholly certain all the Ion JIT spots that might need updating here, have been updated. Might be worth running past jandem too, to be sure. ::: js/src/tests/ecma_6/Expressions/ToPropertyKey-symbols.js @@ +44,5 @@ > + [sym]() { return "X"; } > + } > + class Y extends X { > + [sym]() { return super[key]() + "Y"; } > + } Needs some classesEnabled(class with extends syntax) here.
Attachment #8678254 -
Flags: review?(jwalden+bmo) → review+
|
||
Comment 3•9 years ago
|
||
Comment on attachment 8678254 [details] [diff] [review] Use ToPropertyKey everywhere ES6 says to use it Review of attachment 8678254 [details] [diff] [review]: ----------------------------------------------------------------- ::: js/src/builtin/Object.cpp @@ +517,5 @@ > // we can safely retrieve the object's shape. > > /* Step 1, 2. */ > jsid id; > + if (args.thisv().isObject() && idValue.isString() && ValueToId<NoGC>(cx, idValue, &id)) { I don't understand why `&& idValue.isString()` was added here. 1. Doesn't that mean `obj.hasOwnProperty(0)` now takes the slow path? 2. Shouldn't obj_hasOwnProperty and obj_propertyIsEnumerable both use the same kind of optimization?
|
|
||
Comment 4•9 years ago
|
||
Comment on attachment 8678254 [details] [diff] [review] Use ToPropertyKey everywhere ES6 says to use it Review of attachment 8678254 [details] [diff] [review]: ----------------------------------------------------------------- ::: js/src/builtin/Object.cpp @@ +517,5 @@ > // we can safely retrieve the object's shape. > > /* Step 1, 2. */ > jsid id; > + if (args.thisv().isObject() && idValue.isString() && ValueToId<NoGC>(cx, idValue, &id)) { The optimization avoids something like half a dozen memory moves to root/unroot an id and an object, which strikes me as small fry enough to just remove it, honestly. But it's not an argument I feel the need to argue strongly. As for your questions, 1) yes, the "slow" path, and 2) maybe, but honestly all these operations are off the beaten path enough that no one will care if they have different perf (even assuming they have meaningfully different perf!).
|
|
Assignee | |
Comment 5•9 years ago
|
||
(In reply to Jeff Walden [:Waldo] (remove +bmo to email) from comment #2) > I could have sworn somewhere today I saw evilpie comment on the badness that > is JSOP_TOID/ToIdOperation also munging the object as well, in > who-knows-whether-it's-the-correct-order. I guess that can be a followup, > with just swapping things in-place okay here. I tried just deleting the badness in bug 1217945, but evilpie pointed out a bug. > (Oh, note how ToIdOperation *does not* ToObject the objval if the id > isInt32(). Whaaaa?) I know... > I'm not wholly certain all the Ion JIT spots that might need updating here, > have been updated. Might be worth running past jandem too, to be sure. Yep. > Needs some classesEnabled(class with extends syntax) here. Done locally.
|
|
Assignee | |
Comment 6•9 years ago
|
||
(In reply to André Bargull from comment #3) > > /* Step 1, 2. */ > > jsid id; > > + if (args.thisv().isObject() && idValue.isString() && ValueToId<NoGC>(cx, idValue, &id)) { > > I don't understand why `&& idValue.isString()` was added here. > 1. Doesn't that mean `obj.hasOwnProperty(0)` now takes the slow path? > 2. Shouldn't obj_hasOwnProperty and obj_propertyIsEnumerable both use the > same kind of optimization? Yes. I looked closer and it's fine as-is, since ValueToId<NoGC> bails out when idValue is an object. This is a little more precarious than I would like, but I have other things to work on...
|
|
Assignee | |
Comment 7•9 years ago
|
||
I also re-rewrote the comment on JSOP_ID in vm/Opcodes.h in light of the awful truth about what it does.
> /*
> - * Pops the top of stack value, converts it into a jsid (int, string, or
> - * symbol), and pushes it onto the stack.
> + * First, throw a TypeError if baseValue is null or undefined. Then,
> + * replace the top-of-stack value propertyNameValue with
> + * ToPropertyKey(propertyNameValue). This opcode implements ES6 12.3.2.1
> + * steps 7-10. It is also used to implement computed property names; in
> + * that case, baseValue is always an object, so the first step is a no-op.
> * Category: Literals
> * Type: Object
> * Operands:
> - * Stack: val => id
> + * Stack: baseValue, propertyNameValue => baseValue, propertyKey
> */ \
> macro(JSOP_TOID, 225, "toid", NULL, 1, 1, 1, JOF_BYTE) \|
|
Assignee | |
Comment 8•9 years ago
|
||
Attachment #8680384 -
Flags: review?(jdemooij)
|
|
Assignee | |
Updated•9 years ago
|
Attachment #8678254 -
Attachment is obsolete: true
|
|
Assignee | |
Comment 9•9 years ago
|
||
Comment on attachment 8680384 [details] [diff] [review] Use ToPropertyKey everywhere ES6 says to use it Carrying forward Jeff's review. r?jandem for the JITs.
Attachment #8680384 -
Flags: review+
|
||
Comment 10•9 years ago
|
||
Comment on attachment 8680384 [details] [diff] [review] Use ToPropertyKey everywhere ES6 says to use it Review of attachment 8680384 [details] [diff] [review]: ----------------------------------------------------------------- The remaining ValueToId(Pure) calls in jit/ only take strings or symbols. I can't think of any other places where the JITs handle non-int32/string/symbol indexes.
Attachment #8680384 -
Flags: review?(jdemooij) → review+
|
|
Assignee | |
Comment 11•9 years ago
|
||
https://hg.mozilla.org/integration/mozilla-inbound/rev/4bccd2788f121ff7f5f7a963583b94e14b34f01e Bug 1191570 - Use ToPropertyKey everywhere ES6 says to use it. r=Waldo, r=jandem.
|
||
Comment 12•9 years ago
|
||
| bugherder | ||
https://hg.mozilla.org/mozilla-central/rev/4bccd2788f12
Status: NEW → RESOLVED
Closed: 9 years ago
status-firefox45:
--- → fixed
Resolution: --- → FIXED
Target Milestone: --- → mozilla45
|
|
||
Comment 13•9 years ago
|
||
| bugherder uplift | ||
https://hg.mozilla.org/releases/mozilla-b2g44_v2_5/rev/4bccd2788f12
status-b2g-v2.5:
--- → fixed
|
|
||
Comment 14•9 years ago
|
||
removing the b2g 2.5 flag since this commit has been reverted due to an incorrect merge, sorry for the confusion
status-b2g-v2.5:
fixed → ---
You need to log in
before you can comment on or make changes to this bug.
Description
•